Are you insecure?

3rd May 2005 Update

Interestingly, an email was sent out today including a draft of the university's new electronic password policy. The policy requires all users (including both staff and students) to have passwords that are (among other things) at least 6 characters long and include both characters and digits. Either they're finally going to fix this system that was stupidly in place for two years, or all students will be in breach of that policy.

25th May Update

Oops. I could have sworn I updated this a while back. Some improvements have been made, and while the system is still clearly suboptimal, it's reached a threshold past which the lack of quality is worth the hassle of trying to get it improved. See also my IIMS News article about this.

21st March Update

Well, still nothing. It seems ITS have a definition of "very soon" that covers over two months. Perhaps simple security is proving difficult! I'm having a meeting (about something unrelated) with the Albany head of ITS in the near future, so I'll bring it up then.

18th February Update

Hmm...still nothing. Oh well, I'm sure it'll be done soon, although the semester starts next Monday...

21st January Update

I've just (4:55pm) received a call from the director of Information Technology Services at Massey, who has just arrived back at the job (this is day two). He assures me that he agrees that there is a problem, and that, in fact, there was meant to be a more secure system than this, and very soon there will be. All good news, and nice to see that things can get changed for the better.

Original article

With Massey's new "single sign on" system for access to student accounts, only one four digit PIN is required to access a student's library account, computer lab account, Univoice account, and MyMassey account (through which contact details, examination results, statistical information, and more, can be accessed). Fantastically convenient!

Wait a minute. Read through that list again. Would you want just anyone to have access to all your accounts? That's what the new system is providing, thanks to Massey's Information Technology Services (ITS) department's attitude to security.

Access

Four digits mean that there are ten thousand possible PINs, from 0000 through to 9999.

Any student PIN can be obtained in less than 15 seconds.

Permission was obtained from three students to log into their accounts. In less than five minutes, a script was created to automate the process of logging in with all ten thousand PINs. The students' PINs were determined in around three minutes each. After another five minutes refining the script, the PINs could be determined in less than fifteen seconds.

Yes, 15 seconds.

The official position

The idea behind this wasn't to attack the system - on the contrary, it was to ensure that it was good enough to avoid being attacked. As such, when the deficiencies in the system were confirmed, ITS were informed, so that they could improve the system (and no, no more details will be provided about the method used, and the code is not available). Unfortunately, they believe that the issue of security was reviewed as part of this project and that the system implemented will provide adequate security.

ITS: the system implemented will provide adequate security

According to ITS, no 'critical' systems are accessible via a student account. They admit, however, that 'damage' would [include] exposure of the students [sic] address and contact details [and] students' grades. True, it would be difficult to call this "critical", although their claim that most of the contact details can be obtained via the white pages is debatable.

They appear to have missed the point, unfortunately. There are two issues worth mentioning:

  1. When information about an individual is collected in New Zealand, this activity falls under the Privacy Act (1993). The important bit here is Principle 5(a) of Section 6. This states that an agency that holds personal information shall ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against ... access [without] the authority of the agency that holds the information (my emphasis).
    This means that Massey is required by law to provide a reasonable level of security for this data, whether it is "critical" or not. The question, then, of course, is what is "reasonable". It seems highly unlikely that a system to which access can be obtained in under a minute, at no risk, could be considered to have "reasonable" security.
  2. There is additional "damage" that they did not mention, most particularly, access to the student laboratories.

Interestingly, ITS also claimed that a script has been written to notify ITS of any hacking activities [so that] this activity can be halted. This was a week and a half after three accounts had been 'hacked' as part of this research, however, and, as yet, nothing has been done to halt the activity.

Do I really care?

Sooner or later this will cost you money.

Alright, so you don't care if someone else can look at all your grades and contact details - does this matter to you? Yes:

What to do?

The goal of a single sign on for all Massey systems is a worthy one, and this article does not mean to disparage it. However, with a single sign on, it is even more important than otherwise to make the sign on secure. The problem here arises from the tiny number of combinations that four digits provide. Even if case sensitive alphanumeric characters ('a' to 'z', 'A' to 'Z' and '0' to '9') were used instead, four characters provide 14,776,336 combinations, compared to 10,000. Using the same 'naive' brute force method to determine a PIN would take six hours, rather than fifteen seconds. Secure? No. Reasonable security? Perhaps, and certainly a vast improvement.
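The arithmetic behind the figures above, worked through as an added example (this is not code from the article, and the article's own script is not published). It assumes the measured rate of ten thousand guesses in fifteen seconds, and it goes one step beyond the text in two ways: it also evaluates the six-character letters-and-digits minimum from the draft password policy, and it shows what a per-account attempt throttle does to the worst-case search time, since keyspace size and throttling are the two independent levers a defender has. The throttle parameters (5 attempts per 15-minute window) are constructed for illustration, not something the page reports ITS using.

```python
import math
import string

# Alphabet sizes used in the article
DIGITS_ONLY = len(string.digits)                          # 10
ALNUM_CASED = len(string.ascii_letters + string.digits)   # 62

# Measured rate from the article: all 10,000 PINs in 15 seconds
MEASURED_RATE = 10_000 / 15.0   # guesses per second


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to enumerate the whole keyspace at an unthrottled guess rate.

    This is the 'naive' brute force the article describes: every value is
    tried in turn, so the last one is found after space / rate seconds.
    """
    return space / guesses_per_second


def throttled_worst_case_seconds(space: int, attempts_per_window: int,
                                 window_seconds: int) -> int:
    """Worst-case enumeration time when an account only accepts
    attempts_per_window guesses per window_seconds (e.g. lockout or
    rate limiting). The guess rate is then bounded by the policy, not
    by how fast the attacker's script runs.
    """
    windows_needed = math.ceil(space / attempts_per_window)
    return windows_needed * window_seconds


def summary(alphabet_size: int, length: int,
            guesses_per_second: float = MEASURED_RATE) -> dict:
    """Keyspace, bits of entropy and unthrottled worst-case time in hours."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "hours": worst_case_seconds(space, guesses_per_second) / 3600,
    }


if __name__ == "__main__":
    cases = [
        ("4 digits (current PIN)", DIGITS_ONLY, 4),
        ("4 cased alphanumerics", ALNUM_CASED, 4),
        ("6 cased alphanumerics (draft policy minimum)", ALNUM_CASED, 6),
    ]
    for label, alphabet, length in cases:
        s = summary(alphabet, length)
        print(f"{label}: {s['keyspace']:,} values, "
              f"{s['bits']} bits, {s['hours']:.2f} h unthrottled")

    # Constructed throttle policy: 5 attempts per 15 minutes per account.
    throttled = throttled_worst_case_seconds(keyspace(DIGITS_ONLY, 4), 5, 900)
    print(f"4 digits with 5 attempts / 15 min: {throttled / 86400:.1f} days")
```

The unthrottled rows reproduce the article's fifteen seconds and roughly six hours; the throttled row shows that even the four-digit PIN, left as it is, would take weeks to enumerate if the sign-on simply refused more than a handful of failed attempts per account per quarter hour. Neither lever is a substitute for the other: a large keyspace protects against offline or high-rate guessing, while a throttle limits what an online guesser can do regardless of the PIN's length.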

Let your Students' Association know this is not good enough!

Sadly, the position of ITS is that the system is adequate. To change this, as many students (and staff, ideally) as possible need to let ITS know that this is simply not adequate, and must be changed, as soon as possible.

As far as I can determine, ITS don't make their contact details, even an email address, open to students, so it's difficult to let them know about this. If you're the paper type, of course, you could write to them. Otherwise, my best solution is that you should let your student representatives (ASA for Albany students, MUSA for Palmerston North students, M@WSA for Wellington students, and EXMSS for extramural students) know about the problem, and have them handle it. Please let me know if you can think of a better course of action, or if you have any comments about this article.


This work is licensed under a Creative Commons License.
Created by Tony Meyer, 15th January 2004.


Last updated 3rd May 2005.