Disgruntled IT staff at Oxford University have hit back after two students working for the university newspaper claimed to have hacked its network and exposed security flaws last week.
The Oxford Student said the pair used free software to access a database of university students' email passwords and other personal details, spy on MSN Messenger conversations and look at some of the CCTV network.
But a source from the University's IT staff who wished to remain anonymous contacted silicon.com to "put the record straight".
"These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college," the source said. "None of the college's administration systems were compromised in any way. None of the student servers were compromised. There is simply no such thing as the database referred to above. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly."
The source said the main issue raised by the story is user awareness, not security failings, but admitted that gaining access to the CCTV network was worrying.
"I'd like to point out, though, that being able to access a security camera in a public area is not exactly a breach of privacy, and that the unit was installed without proper conference with the IT officer in that college."
Was the student newspaper hack genuine whistle-blowing or have the university's IT staff been unfairly criticised?





Comments
There are 4 comments.
1. anonymous
So, just to be clear... this techie suggests their SMTP server doesn't store e-mail addresses and passwords (or hashes of them)?
His comments that no such database exists are silly and nonsensical because such information must exist somewhere.
The point about the cameras is that they got access, not what was on the other end. I also don't much care for this guy's attitude towards security one little bit and such an attitude could lead to further problems.
2. anonymous
Student hackers are so cliche, for HIGH SCHOOL. These kids need to be expelled, just for bullshitting around. Good Lord they obviously have no creativity and get no respect from fellow hackers because they are script kiddies. Look that up ;).
http://trilogy-group.tk
3. anonymous
Where's the students' prosecution under the Computer Misuse Act?? You've got a confession right there in black and white. And it doesn't matter what the proctors think, the police should and can proceed without their say-so.
Sniffing IP traffic may be petty and childishly easy but it could also yield credit card numbers, passwords and confidential data.
Unless the IT staff truly are stupid there should never have been a database containing passwords. Email addresses and personal details I can understand. I can also understand their need to rubbish the report - they're looking at a prosecution under the Data Protection Act for failing to adequately secure personal data.
4. Barnendu Goswami
This is certainly an interesting one (and could perhaps make someone a good case study?).
There are two sides to this, as with all stories. I have to admit, I was siding with the IT Staff initially, but by the end it becomes clear that there is certainly an element of complacency on their part. It's possibly true that none of the University's primary servers were breached, but this does not mean there was no breach of security. Network security can be every bit as important as conventional server security, and if someone has had the ability to extract user data from an unauthorized point on the network (be it by sniffing, brute-forcing, spoofing, or any other technique), then there has indeed been a successful breach of security.
A high-profile university of this calibre should at least review security in the light of such a public airing.
The student article has succeeded in raising awareness of the issues involved, and has demonstrated that there are some areas of security which are yet to be addressed.
Somewhat ironically, the hard-handed approach by the University has created a larger PR nightmare than the original mischief.