Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says.'"
CCA (Score:3, Informative)
If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?
Re:This summer? (Score:4, Informative)
I take back what I said before.
The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.
From the misleading headline department (Score:4, Informative)
* He used the software to bypass the security check for seven months
* He distributed the software to several other students and a professor
* He did not disclose the vulnerability to the vendor before releasing his exploit
* He did not ask permission
Now, this is not to say that the University's use of CCA is wise or that its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation are as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.
Let this be a lesson to the next guy.
Re:Cisco Clean Access Agent... (Score:2, Informative)
At this university the rules only enforce that you've got McAfee and the EPO agent installed, that your patterns are up-to-date, and that you're at a reasonably recent patch level for Windows. They're only set to restrict systems we can reasonably expect to enforce policies on. Macs and Linux machines obviously are exempt, as was Vista for a while (it wasn't supported properly by McAfee).
Re:RTFA before commenting... (Score:3, Informative)
Put that in your smug pipe and smoke it.
How Clean Access Works (Score:2, Informative)
Typical University IT people not knowing what the hell they are dealing with. Think this "breach" was a big deal? Think again.
Know how to use the Windows Registry? You'll love how simple this is...
Cisco Clean Access looks for several registry keys that determine which Windows patches are installed and which are not. It also looks for registry info to give the system a look at what anti-virus package they are running and which DAT file they have. Basically, all his program would need to do is create entries in the registry in the locations where Clean Access would look. It would defeat the security check and the remediation process very easily.
This is not a vulnerability; it is the means by which the system works.
1. User connects to the network. When a browser is launched, the user is redirected and prompted to install the Clean Access Agent from the Clean Access Server.
2. The user is presented with a login box where he/she would log into the system.
3. The Clean Access Agent checks for several registry flags to determine which Windows Updates are installed and what anti-virus/anti-spyware is installed. It will also check the registry for anti-virus/anti-spyware DAT/REG file date and versions.
4. If the system is not up to date, they are passed to a temporary role (remediation stage) where they are only permitted access to selected sites to download the updates they need.
5. Users are left in the temporary role until they fulfill the logon requirements. Once the requirements have been completed, they are passed to the main role allowing full access to the network.
Now...for the easy part...
Wanna get around the CCA check without installing patch KB918439? Create the following registry keys ending with Filelist.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\W
How about getting around AV installation (McAfee VirusScan Enterprise as an example)? Create the following registry keys ending with VirusScan Enterprise.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\]
How about getting around a forced DAT update? Create the following registry keys ending with CurrentVersion. Also create a string value called szVirDefVer with the value greater than 5018.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\]
Heh...that wasn't so bad...was it?
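The five-step procedure in the comment above relies on registry state alone, which is why registry entries that do not correspond to a real update or a real scanner satisfy it. As an added example (written for this page, not code from the thread, Cisco or McAfee), here is a PowerShell audit an administrator can run on a host to flag registry claims that Windows itself or the AV service does not corroborate. The KB number, registry paths and DAT version threshold are the ones quoted in the thread; the McShield service name for the on-access scanner is an assumption.

```powershell
# Added audit example: cross-check registry-declared posture against independent sources.
param(
    [string[]]$RequiredKBs = @('KB918439'),   # KB quoted in the thread
    [int]$MinDatVersion   = 5018               # DAT threshold quoted in the thread
)

# Source 1 (what a registry-only check sees): KB-named keys under the Updates subtree.
$updatesRoot = 'HKLM:\SOFTWARE\Microsoft\Updates'
$claimedKBs = @()
if (Test-Path $updatesRoot) {
    $claimedKBs = Get-ChildItem -Path $updatesRoot -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName } | Where-Object { $_ -match '^KB\d+$' }
}
# Source 2 (independent): hotfixes Windows reports through Win32_QuickFixEngineering.
$listedKBs = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID

foreach ($kb in $RequiredKBs) {
    $claimed = $claimedKBs -contains $kb
    $listed  = $listedKBs  -contains $kb
    $status  = if ($claimed -and -not $listed) { 'SUSPECT: registry claims KB, Windows does not list it' }
               elseif ($listed) { 'OK' } else { 'MISSING' }
    [pscustomobject]@{ Check = $kb; RegistryClaim = $claimed; Corroborated = $listed; Status = $status }
}

# AV: the registry value the agent reads (path and value name from the thread)...
$vseKey = 'HKLM:\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion'
$datVer = 0
if (Test-Path $vseKey) {
    $raw = (Get-ItemProperty -Path $vseKey -ErrorAction SilentlyContinue).szVirDefVer
    if ($raw -match '^\d+$') { $datVer = [int]$raw }
}
# ...versus whether the scanner's on-access service actually exists and is running.
# 'McShield' is assumed to be the VirusScan Enterprise on-access service name.
$svc = Get-Service -Name 'McShield' -ErrorAction SilentlyContinue
$running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
$avStatus = if ($datVer -ge $MinDatVersion -and -not $running) { 'SUSPECT: DAT version claimed, scanner service not running' }
            elseif ($datVer -ge $MinDatVersion) { 'OK' } else { 'DAT BELOW THRESHOLD' }
[pscustomobject]@{ Check = "szVirDefVer=$datVer"; RegistryClaim = ($datVer -ge $MinDatVersion); Corroborated = $running; Status = $avStatus }
```

Any row marked SUSPECT is a host whose registry says one thing and whose operating system or service state says another, which is the discrepancy a registry-only posture check cannot see.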