Student Attempting To Improve School Security Suspended

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

Not impressed

[Adam Zweimiller]

When I started at as a freshman at the University of South Carolina 2 years ago, they were already using CCA. It's main intrusion was the fact that the University demanded that we use McAffee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAffee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSe installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're seperating out Windows, Mac's and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and login, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it. PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted

Cisco Clean Access Agent...

[TheGreatHegemon]

The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college is more of a headache than it's worth. If someone has the slightest problem with Anti-virus updates, they get locked out every week, (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...

Am I Nitpicking

[Soporific]

Maybe it's just me but isn't the statement that he was going to inform Cisco sometime this summer pretty vague? What was holding him back?

~S

lets just suspend ALL students and save time

[TheGratefulNet]

story after story, its "this student scared us - lets git 'em!".

why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.

I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. its becoming not much more than babysitting and nannying.

and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.

anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarassed you? is that a reason to punish him?

perhaps the school does not DESERVER your funding. yes, YOU fund the school - they work FOR YOU. its not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.

Re:Not impressed

[bahwi]

Well, there's not really just one way to split up the OS'es, see nmap TCP/IP OS fingerprinting, but it's kind of disheartening that Cisco is using the UA for that, as it's the least secure thing you could possibly do. Kind of a name badge, "Hi My name is: CEO of Your Company" and security letting him pass without a card swipe or ID check because he says it so it must be true. Nmap OS Fingerprinting [insecure.org] is really very cool if you haven't checked it out before. OpenBSD hides itself pretty well and FreeBSD does ok with certain switches turned on. But of course the detection just gets better each time too.

wow, excellent points

[JohnnyComeLately]

Your reply hits many points, dead on (pardon the pun when combined with the guns reference). Technically, I "broke" Sprint PCS security policy by showing them a hole in 3G data services (around 98/99). The security guys were certain they were applying the layers of security but forgot about a fundamental shift in types of traffic (tunneling within a tunnel) used in 3G. I said, "OK, if it's secure, how is it I can ping the billing server from my "public" computer".....I could technically have been in the same boat as some others (not this kid...he was clever).

Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in highschool and later college....today...I'd be a multiple strike felon...and yet no one or any property was really ever hurt

Re:Do schools have a policy about this?

[acidrain69]

I don't get it. Is this a client that runs on your personal machine? Or something installed on University machines?

If the former, then yeah, the kid had it coming. You don't bypass security on computers that aren't yours. Punishment was too harsh, but it sounds like he did break policy, and the university is in the right to do something. If he didn't have permission to bypass security on their network for research, then he has no excuse.

Now if it was the latter, and he did this on his OWN machine on the university network, then unless they state somewhere specifically that you "MUST BE RUNNING CCA TO ACCESS OUR CRAPPY NETWORK!!" then the university doesn't really have a case.

IANAL, but I am in IT. We are slightly lax about what we allow our employees to do with their machines, since we have less than 200 employees. But if they bypassed security? Break of usage policy, case closed.

The article is vague, how exactly did he "patch some holes" by bypassing CCA?

Re:University doing a favor

[cheater512]

I'm not sure exactly what the Cisco software does so I could be on the wrong track.

At my uni we are given a pathetic 150mb/month internet quota and we are charged $7/gig extra.
I naturally found a way to get free net and I really dont have any problem using it for personal use.
I dont abuse it or anything either.

If the Cisco software put constrains on how the guy could use the computer then I would hire him in a instant.
The more you try to lock something down, the more people try to fight back.

You'd be stupid not to hire the people who beat the system - especially since we are talking about a Cisco system.

Re:Not impressed

[logan@bitsmart.com]

Heh... I reported this via Bugtraq on August 19, 2005, and CISCO responded to it 3 days later...

http://www.securityfocus.com/archive/1/408603/30/0 /threaded [securityfocus.com]

As in, they've known about this for at least 20 months...

My experience with CCA

[Christophotron]

My university imposed this crapola on all dorm residents during the summer to test it out. I wasn't there, but my girlfriend's computer suffered the consequences of it. They forced her to uninstall the AVG antivirus and Comodo firewall that I configured, and during the transition her computer was massively hijacked. I'll admit, the dorm networks there are atrocious and this type of software might have been a good idea. Worms/viruses were absolutely rampant; two or three times a day AVG would popup saying it found a threat in some random temporary folder, and the firewall would report numerous "intrusion attempts". However, they didn't even warn people that they would be COMPLETELY unprotected while they are installing the new protection software. If I was there I would have unplugged the network cable during all this. Opening the ports for even five minutes proved disastrous. Needless to say I ended up reformatting.

They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.

Re:lets just suspend ALL students and save time

[Anonymous Coward]

That reminds me of something that happened back in sixth grade.

I was fortunate that in the early 80's, Apple had donated some computers to my school district. I was in the "gifted" program, so we got to use the Apple computer lab at the junior high school once a week. My mother was a teacher in the local district, so she was able to borrow a computer during the summer, and at about the same time my father bought a TRS-80 from Radio Shack. The end result was that at about the age of five, I started learning to program these computers.

Fast forward to sixth grade. By now I had plenty of experience with Apple computers and was starting to learn some of the more advanced things you could do: peeking and poking memory, getting programs to boot from floppy disk, etc. Well, one of my science classes studied computers for a few weeks and we used the computer lab on a regular basis. Being the type of person I was, intelligent and all too happy to question authority and mess with adults, I wrote a program that when booted from floppy made a bunch of beeps on the computer and flashed some bogus alert/warning message.

I set the teacher up such that when he sat down on a machine and powered it up, he'd get this scary warning message. Sure enough it worked, and the teacher got freaked out. Unfortunately, when he learned that it was just something I had rigged up, he got mighty pissed and banned me from the lab for a while.

One thing you can count on is for adults to misunderstand the youth and fear that which they don't understand. Rather than having to acknowledge a youngster on a personal level and try to understand their motivations, they simply react and try to punish the kid like you would a "bad" dog.

Re:wow, excellent points

[ScrewMaster]

When I was in college thirty-odd years ago, my University only allocated 2,000 minutes per quarter per student of mainframe time. Not enough (obviously) and they refused to give me any more. So I wrote a simple fake-login program that would log the user's name and password, and cough up a realistic "system is down" message. Matter of fact, I exactly duplicated the normal logon procedure, including any nominal pauses and delays that occurred. Even fooled the system operators a couple of times. I ran the thing on forty or fifty terminals simultaneously, and I would watch in case someone called one of the admins over to ask why the system wasn't working. Whenever that happened, I'd hit a key on my terminal that would immediately log all the other systems off, so it would work normally at the next login attempt. It wasn't often: most people just shrugged, got up and left to go about their business. Occasionally some busybody would call an administrator over, so I had to keep an eye on things.

In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came in to the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.

A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.

That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and ... who the fuck needs those.

Re:University doing a favor

[hazem]

Many university researchers sit on loads of proprietary and/or highly sensitive data with confidentiality and nondisclosure agreements up the yingyang.

Believe me, UP is a nice school, but it's not one of those.

Having worked with some of these particular IT people, they're mostly ignorant and get very nasty about any who tries to point it out. They are only coming down on him so hard because he made them look bad. It's being done to make him an example to anyone else who might make them look bad.

They really don't care about security - only the illusion of it.

Re:RTFA before commenting...

[Score Whore]

There was a much better approach that I'm sure Mr. Maass would have been pleased to be subjected to. In the exact same fashion that he developed this software and kept the whole situation to himself until his "planned" notification to Cisco this summer, the university could have let him finish out his degree then "planned" on releasing the confirmation that he had done so until sometime in 2020. I'm sure that would fit perfectly within Maass' code of ethics.

And, btw, university code of conduct, aups and the like are meant to be vague. Not so they can stick it to anybody they don't like, but because it's impossible to enumerate the entirety of stupid behavior. University students should have the brains to not need an itemized list of good and acceptable behavior.

All in all it sounds like their being pretty nice to the guy. He's just been suspended, he could have been expelled.

Re:University doing a favor

[arminw]

......a piece of software that clearly violates University Policy.......

Does that mean that a student who owns a Mac won't be allowed on the University Network since Macs don't need, or at least very few of them have any anti-malware crap? Does that mean Mac users, or even Windows users are forced to run all sorts of garbage software, just so they may use the University's precious network? I'd find myself a more enlightened place to spend precious education dollars. What business is is of anybody to search my PERSONAL computer for whatever software or data it contains? Let them install a decent firewall and spend a few dollars on educating users how to avoid malware by not clicking OK on every dialog box and opening every email.