
Student Attempting To Improve School Security Suspended

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
  • by arabagast ( 462679 ) on Friday April 27, 2007 @05:52PM (#18906483) Homepage
    TFA says he was running this program for seven months, and was planning on alerting cisco "this summer", and he also spread the program to his friends. Doesn't really sound like security research to me, more like bypassing the security for your own convenience. You really don't "research" a security flaw for seven months, and even spread it to other people.
  • by pclminion ( 145572 ) on Friday April 27, 2007 @06:00PM (#18906569)
    U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.
  • CCA (Score:3, Informative)

    by michrech ( 468134 ) on Friday April 27, 2007 @06:03PM (#18906635)
    To those who are saying "CCA doesn't recognize perfectly good antivirus packages" (and other sorts of comments). Most, if not all, of that is configurable on the backend. If your school forces McAfee, they likely removed (or never added) other products to the CCA server. The college for which I work supports Symantec, McAfee (which we give away to students), AVG, and at least a few others.

    If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?
  • Re:This summer? (Score:4, Informative)

    by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Friday April 27, 2007 @06:09PM (#18906687) Journal

    ....or.... I could *READ* the TFA and discover he had been using it for seven months and given copies to his friends.

    I take back what I said before.

    The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.

  • by Anonymous Coward on Friday April 27, 2007 @06:16PM (#18906711)
    I just finished working with the CCIE who implemented the CCA at U of P today and he said the student wasn't suspended for circumventing the CCA but rather distributing it to other students, which in my book is malicious. And for the record I work for a University around 30 miles away from U of P.
  • Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.

    * He used the software to bypass the security check for seven months
    * He distributed the software to several other students and a professor
    * He did not disclose the vulnerability to the vendor before releasing his exploit
    * He did not ask permission

    Now, this is not to say that the University's use of CCA is wise or its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.

    Let this be a lesson to the next guy.
  • by pathological liar ( 659969 ) on Friday April 27, 2007 @07:30PM (#18906971)
    That's not a problem with Cisco Clean Access, it's a problem with whoever set up the policies it's using, and their decision that if you don't have antivirus X, you get locked out. Complain to your admin staff, but don't hold your breath.

    At this university the rules only enforce that you've got McAfee and the EPO agent installed, that your patterns are up-to-date, and that you're at a reasonably recent patch level for Windows. They're only set to restrict systems we can reasonably expect to enforce policies on. Macs and Linux machines obviously are exempt, as was Vista for a while. (it wasn't supported properly by McAfee)
  • by Christophotron ( 812632 ) on Friday April 27, 2007 @11:18PM (#18908865)
    Who says you even need a plugin? Just go to about:config, right-click and enter a new string that is named "general.useragent.override" and for the value enter anything you like. Examples of user agent strings can be found here. [user-agents.org]
  • by pallmall1 ( 882819 ) on Saturday April 28, 2007 @01:37AM (#18909515)

    In the exact same fashion that he developed this software and kept the whole situation to himself...
    Read the article. He did tell a Professor. I'll bet they don't "stick it" to him/her.

    Put that in your smug pipe and smoke it.
  • by iMouse ( 963104 ) on Saturday April 28, 2007 @02:00AM (#18909595)
    What a crock-o-blank,

    Typical University IT people not knowing what the hell they are dealing with. Think this "breach" was a big deal? Think again.

    Know how to use the Windows Registry? You'll love how simple this is...

    Cisco Clean Access looks for several registry keys that determine which Windows patches are installed and which are not. It also looks for registry info to give the system a look at what anti-virus package they are running and which DAT file they have. Basically, all his program would need to do is create entries in the registry in the locations where Clean Access would look. It would defeat the security check and the remediation process very easily.

    This is not a vulnerability, it is the means by which the system works.

    1. User connects to the network. When a browser is launched, the user is redirected and prompted to install the Clean Access Agent from the Clean Access Server.
    2. The user is presented with a login box where he/she would log into the system.
    3. The Clean Access Agent checks for several registry flags to determine which Windows Updates are installed and what anti-virus/anti-spyware is installed. It will also check the registry for anti-virus/anti-spyware DAT/REG file date and versions.
    4. If the system is not up to date, they are passed to a temporary role (remediation stage) where they are only permitted to selected sites to download the updates they need.
    5. Users are left in the temporary role until they fulfill the logon requirements. Once the requirements have been completed, they are passed to the main role allowing full access to the network.

    Now...for the easy part...

    Wanna get around the CCA check without installing patch KB918439? Create the following registry keys ending with Filelist.
    [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist\]

    How about getting around AV installation (McAfee VirusScan Enterprise as an example)? Create the following registry keys ending with VirusScan Enterprise.
    [\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\]

    How about getting around a forced DAT update? Create the following registry keys ending with CurrentVersion. Also create a string value called szVirDefVer with a value greater than 5018.
    [\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\]

    Heh...that wasn't so bad...was it? ;-)

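The check iMouse walks through above, modelled in Python as an added example (this is not code from the thread, from the student, or from Cisco's agent). The "registry" is an in-memory dict standing in for HKEY_LOCAL_MACHINE; the three key paths and the 5018 DAT threshold are taken from the comment, while the pass/fail logic, the role names and the machine snapshots are assumptions made up here. It evaluates a bare machine (remediation role), a machine that only has stale DATs (remediation, one failure), and the same bare machine after the three spoof entries are written (main role), which is the whole point of the comment: every check consults nothing but the registry.

```python
"""Model of a Clean Access-style posture check that trusts registry self-reports.

Constructed example: the 'registry' is a plain dict mapping key paths to
value dicts, not the Windows registry. Key paths and the 5018 DAT threshold
come from the comment above; everything else is an assumption about how
such an agent decides, not Cisco's code.
"""

REMEDIATION_ROLE = "temporary"   # assumed name: limited access, update sites only
MAIN_ROLE = "normal"             # assumed name: full network access

# Posture rules, modelled on the three checks described in the comment above.
KB_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist"
AV_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise"
DAT_KEY = AV_KEY + r"\CurrentVersion"
MIN_DAT_VERSION = 5018


def _normalize(registry):
    """Lower-case key paths and value names: registry lookups are case-insensitive."""
    return {path.lower(): {name.lower(): val for name, val in values.items()}
            for path, values in registry.items()}


def dat_version(registry):
    """Return szVirDefVer as an int, or None when missing or not numeric.
    Comparing as int avoids the string-comparison trap where "999" > "5018"."""
    raw = _normalize(registry).get(DAT_KEY.lower(), {}).get("szvirdefver")
    if raw is None:
        return None
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def evaluate_posture(registry):
    """Return (role, failures). Each check only consults the registry,
    which is exactly why writing the expected keys defeats it."""
    reg = _normalize(registry)
    failures = []
    if KB_KEY.lower() not in reg:
        failures.append("KB918439 not installed")
    if AV_KEY.lower() not in reg:
        failures.append("VirusScan Enterprise not installed")
    ver = dat_version(registry)
    if ver is None or ver <= MIN_DAT_VERSION:
        failures.append(f"DAT version {ver} not greater than {MIN_DAT_VERSION}")
    return (MAIN_ROLE if not failures else REMEDIATION_ROLE), failures


def spoof_registry(registry):
    """Return a copy with the three entries the comment describes added,
    without installing the patch or the antivirus product."""
    spoofed = {path: dict(values) for path, values in registry.items()}
    spoofed.setdefault(KB_KEY, {})
    spoofed.setdefault(AV_KEY, {})
    spoofed.setdefault(DAT_KEY, {})["szVirDefVer"] = str(MIN_DAT_VERSION + 1)
    return spoofed


# Constructed snapshots (not real machines): one with no patch and no AV,
# one with the patch and AV installed but DATs older than the threshold.
BARE_MACHINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {"CurrentVersion": "5.1"},
}
OUT_OF_DATE_MACHINE = {
    KB_KEY: {},
    AV_KEY: {"szProductVer": "8.0.0"},
    DAT_KEY: {"szVirDefVer": "5000"},
}

if __name__ == "__main__":
    for label, reg in (("bare", BARE_MACHINE),
                       ("stale DATs", OUT_OF_DATE_MACHINE),
                       ("bare + spoof", spoof_registry(BARE_MACHINE))):
        role, failures = evaluate_posture(reg)
        print(f"{label:12s} role={role:9s} failures={failures}")
```

The bare machine fails all three checks and lands in the remediation role; the stale-DAT machine fails only the version check; the spoofed copy passes everything with no patch and no antivirus present, because the agent never verifies the claims behind the keys.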