
Security hole exposed in college.. what would you do?

  • 13-12-2011 12:30am
    #1
    Registered Users, Registered Users 2 Posts: 35


    Hey,

    So I've been doing a little experiment over the last few days in college. It turns out that my "hack" works and could mean the college losing out on money.

    So, my dilemma is what to do now!? Should I

    (a) Tell nobody
    (b) Tell the college about the hole so it can be fixed, how though? Also, I'm worried the college might not look too kindly on this and punish me.. I'm in final year so can't risk any shenanigans.

    Cheers


Comments

  • Closed Accounts Posts: 235 ✭✭The Outside Agency


    If you don't tell them and try to profit from it, you'll be caught eventually and the consequences could be more severe than if you just told them straight away.

    As for how to report it, probably through one of your lecturers, presumably they'll understand ;)

    My guess is you found some internal site used for controlling access to college services which doesn't require authentication -- printing for example, being able to top up your account without paying...


  • Closed Accounts Posts: 1,188 ✭✭✭UDP


    Tread very carefully since you have hacked a resource belonging to the college and it depends on the person you tell as to how they will see it. Some might freak out and suspend you for hacking college systems, which they may be entitled to do so as to discourage others from even attempting to hack a service.

    Your safest bet is to say nothing and don't use the hack for your own gain. If you really want them to know then send an anonymous email from a newly created email account on gmail/hotmail/yahoo telling them about the hack and telling them that you want to remain anonymous for fear of getting in trouble.

    I suspect you are proud of finding the security hole and in some way would like praise for letting them know but this is a risky way to go and could completely backfire on you.

    End of the day you looked for a security hole and exploited it in their system when you found it. They might want to set an example so that people won't even look for the security holes.


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    I'd go with Full Disclosure, risky but keeping secrets leads to distrust.

    The fact that you have posted here looking for a safe way to tell your college means that you're actually, at least it seems, genuinely interested in making sure your college isn't being exploited - I don't mean security vulnerabilities there.

    It's a valid question of how to approach it. Some institutions may come down very heavily on you and yes make an example of you, but that's the risk when anyone produces a "Gotcha" to someone. One would hope that they would be grateful that you're bringing this to their attention and may seek advice from you, but we live in a fearful world and now you're an "evil h4x0r".

    You could try to submit the information anonymously, but that might lead to more questions and images in people's minds of a dark shadowy character who can't be trusted.

    If there is a member of staff you can trust in your college and who knows, I can only assume, that you're not some malicious twat trying to be destructive then they may be able to introduce you to the appropriate people that need to be informed.

    Best of luck and keep us posted. Tell your college you have the support of a reputable on-line community™ ;)


  • Registered Users, Registered Users 2 Posts: 35 _underscore


    Ok, well I told my lecturer yesterday evening, who also happens to be director of my course (need I mention that's computer science :P).

    He basically laughed it off, told me to email the IT department. He was pretty sure they wouldn't do anything about it and continued to tell me not to be doing that..

    I'll email the college today and let them know about it. I highly doubt they'll punish me as this exploit is directly related to my final year project that I am currently researching.

    More info for you guys:

    Obviously I'm not going to tell you which college I'm in but the student cards are Mifare Classic 1Ks. These cards can be topped up with cash from two points in the college.

    Student cards can then be used to pay library fines, and buy anything (including beer!) in the student restaurant!

    I would in no way consider myself a proper hacker. All I did was follow this tutorial: http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic

    All you need is a compatible NFC reader. I have an ACR122U. Bought it and 3 Mifare cards online for approx 70 euro.
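The post above describes a stored-value card scheme (balance on a Mifare Classic 1K, topped up at two terminals, spent at the restaurant and library). The usual mitigation on the operator side is to treat whatever balance the card carries as a cache and keep the authoritative balance in a server-side ledger, so that a card claiming more credit than was ever issued is detected and refused rather than honoured. The sketch below is an added example written for this thread, not code from the poster, the college or the linked tutorial; the class names, terminal IDs and card UIDs are all constructed for illustration.

```python
"""
Server-side ledger for a stored-value card system (constructed example).

The card's own balance is never trusted: each reader reports the balance it
read from the card, the server compares it with the ledger, and every
disagreement is logged as a tamper event. A card that claims more than the
ledger holds is blocked; a card that claims less (e.g. a failed write) is
settled against the ledger and merely logged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical IDs of the two cash top-up terminals; only these may add credit.
TOPUP_TERMINALS = {"topup-1", "topup-2"}


@dataclass
class TamperEvent:
    uid: str            # card UID as reported by the reader
    terminal: str       # which reader saw the mismatch
    card_reported: int  # balance (cents) the card claimed
    ledger_balance: int # balance (cents) the server holds


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    tamper_log: List[TamperEvent] = field(default_factory=list)
    blocked: Set[str] = field(default_factory=set)

    def top_up(self, uid: str, amount_cents: int, terminal: str) -> int:
        """Credit a card. Value enters the system only via a known top-up terminal."""
        if terminal not in TOPUP_TERMINALS:
            raise PermissionError(f"{terminal} is not a top-up terminal")
        if amount_cents <= 0:
            raise ValueError("top-up must be positive")
        self.balances[uid] = self.balances.get(uid, 0) + amount_cents
        return self.balances[uid]

    def purchase(self, uid: str, price_cents: int,
                 card_reported_balance: int, terminal: str) -> Optional[int]:
        """Settle a purchase against the ledger.

        Returns the new ledger balance, or None if the purchase is refused
        (blocked card, insufficient ledger credit, or inflated card balance).
        """
        ledger = self.balances.get(uid, 0)
        if card_reported_balance != ledger:
            # Any mismatch is evidence worth keeping, whichever direction.
            self.tamper_log.append(
                TamperEvent(uid, terminal, card_reported_balance, ledger))
            if card_reported_balance > ledger:
                # Card claims credit the server never issued: block and refuse.
                self.blocked.add(uid)
                return None
        if uid in self.blocked or ledger < price_cents:
            return None
        self.balances[uid] = ledger - price_cents
        return self.balances[uid]


def demo() -> dict:
    """Walk through a legitimate top-up/purchase, then an inflated card."""
    ledger = Ledger()
    honest, forged = "04A1B2C3", "04D4E5F6"          # constructed UIDs
    ledger.top_up(honest, 1000, "topup-1")           # EUR 10 in cash
    ok = ledger.purchase(honest, 300, 1000, "restaurant-1")   # card agrees
    # A card that was never topped up but reports EUR 50 on it.
    refused = ledger.purchase(forged, 300, 5000, "restaurant-1")
    return {
        "honest_balance": ok,
        "forged_result": refused,
        "forged_blocked": forged in ledger.blocked,
        "tamper_events": len(ledger.tamper_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the reader at the till is not the place where the decision is made: even if a card's data blocks are rewritten, the server only ever moves value it recorded at a top-up terminal, and the mismatch itself becomes a log line an operator can act on.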


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    I have not examined the cards in my college (NUIG) but if you are there and uncover a security hole... Best bet is to keep quiet. I consistently uncover flaws (printing credit systems wide open, various SSL cert bugs, Phractal's sidejacking bug, some horrible PXE bugs...) and from experience, mentioning it will just cause you hassle. Though I think our cards ain't the mifare ones... And I cannot buy beer with it!

    If it is ISS that manage the network, steer clear!


  • Registered Users, Registered Users 2 Posts: 35 _underscore


    I'm not in NUIG.

    Also, submitted a ticket to the college IT section. Was auto notified about its escalation to management.. not a word from them since.

    That's it from me on the matter anyway, not gonna exploit it. Next time I'm gonna bring it up will be as an Appendix in my project thesis :D

