79

I just discovered that my university's alumni login page is just plain HTTP. Wireshark confirmed that the credentials are sent using an HTTP POST message. I did a bit of research and, as I thought, HTTPS should always be used on the login page (See Is it secure for a site to serve the login page with HTTP, but have the actual site in HTTPS?).

First of all, I'd like to do my university a favour, but how can I make them take some action? It's highly probable that my personal data, such as degree and year graduated, is stored in the alumni database. It's not surprising that some organizations don't take such a report seriously (See How do I report a vulnerability to a large organization that doesn't believe it has a problem?). I've emailed the university's IT helpdesk using my alumni email account, but the personnel asked me to direct my inquiry to a general alumni inquiry email.

On top of the technical details, how can I make sure that no police will arrest me for hacking? I have not attempted to steal any personal information. I am not interested in reporting this vulnerability to some security forum before the university takes some action.

P.S. I'm embarrassed that my CS degree was from that school.

  • 5
    I agree with @schroeder in that I don't think you have to worry about charges. You are looking at un-encrypted traffic on your own network. Plus this is your college. Even if they charged you, A) that case would be tossed out with any competent lawyer B) the vulnerability would become public in the proceedings which the college wouldn't want. It sucks that they don't care but you can't force them to care. :-/ – Paraplastic2 Oct 29 '14 at 15:36
  • 40
    This isn't even a little bit like hacking. – Andrew Hoffman Oct 29 '14 at 18:41
  • 12
    Are you in contact with any of your former professors? They are quite likely to care (for professional pride if nothing else), and they'd be in a better position to influence the IT department. – SáT Oct 29 '14 at 19:13
  • @AndrewHoffman there might be jurisdictions that prohibit the capturing of packets from a source that you do not own (like the uni's website). It allows you to see the inner workings of the site, which could be used to then hack the site. In Canada, where the OP is from, there isn't that danger, but it's not cut and dried world-wide. – schroeder Oct 29 '14 at 20:06
  • Did you also notify the general alumni inquiry email as instructed? – Mooing Duck Oct 30 '14 at 00:22
  • @MooingDuck Not yet. How can I phrase the message for a non-computer person, saying I didn't intrude into the servers but noticed a vulnerability? –  Oct 30 '14 at 01:06
  • @SáT The university's IT unit and CS dept is so disjointed that they each do their own thing....(don't get there) :( –  Oct 30 '14 at 01:18
  • Offtopic: The school's CS dept website doesn't do HTTPS. –  Oct 30 '14 at 03:16
  • Just use social media to blow the whistle like your university's Facebook page. As many had already pointed out, discovery of HTTPS non-usage on a website's public login page is not tantamount to hacking. – Question Overflow Oct 30 '14 at 03:31
  • @QuestionOverflow I'm not interested in reporting the vulnerability to the public. My personal data is highly likely to be in the database. –  Oct 30 '14 at 13:52
  • @schroeder - but this doesn't even require capturing the packets (which, btw, you have to do to see a page). It only requires looking and seeing http:// instead of https:// when you mouse over the link submission or viewing the source of the page. It can be done right from the browser. – AJ Henderson Oct 30 '14 at 14:59
  • @AJHenderson I completely understand, but the OP mentioned that he ran Wireshark and that seems to be the thrust of his concern about being perceived as a 'hacker'. He can, of course, simply mention that the protocol is incorrect, but to 'prove' it by showing his credentials in the clear in a packet dump can, potentially, cause some people some concern. – schroeder Oct 30 '14 at 15:16
  • @schroeder - fair enough, I would concur that it is probably best to make the most understandable and simplest explanation possible. People are less likely to freak out (justifiably or not) if you are using tools they understand instead of stuff that goes over their heads. – AJ Henderson Oct 30 '14 at 15:19
  • 2
    Why are you concerned about being regarded as a hacker? Some of the most respected people in the field of Computer Science (and I suspect almost all of the respected people in Security) are proud to be called hackers. You haven't done anything criminal. – corsiKa Oct 30 '14 at 16:33
  • Running a packet sniffer to sniff your own traffic is not a crime, especially if you are doing it to verify a suspicion that your transmission is not encrypted. I use Fiddler at work frequently to intercept my own HTTP traffic to see what is going over the line for troubleshooting purposes. If that was a crime, developers would all be in jail :) – Brandon Oct 30 '14 at 17:33
  • @lacampane11a, this is how I see it. As long as you do not log in during this period of time, your personal data will remain safe in the database. But as long as your university does not fix this issue with urgency, everybody's login will be unsafe. A public disclosure is the most effective way to force their hand on this issue. – Question Overflow Oct 31 '14 at 01:58
  • 2
    You'll get called a "hacker" by someone no matter what. On the bright side, it's not your employer. On the dark side, the reaction of the university in question (and their lawyers) is highly unpredictable. Stupid people do stupid things (them, not you). – Carl Witthoft Oct 31 '14 at 12:38
  • 1
    When university emails and people's IP is being leaked out to China, *then* the university will suddenly care about security. Source: experience (not naming any particular university here) – Mark K Cowan Nov 02 '14 at 12:04

10 Answers

62

Simply reporting that it is using HTTP rather than HTTPS for login and that that is insecure shouldn't get you accused of hacking. It is something immediately publicly visible from looking at the site.

There are many ways of detecting vulnerabilities which could actually be considered hacking (for example, running a vulnerability scanner against a target you aren't authorized to run it against), but I'm not aware of any jurisdictions that would consider looking at the page and recognizing a flaw that is immediately visible to be hacking. It would be a bit like walking by a house, noticing that someone was leaving their door open when they were leaving and being accused of being a thief when you pointed out to them they left the door open (while you aren't even standing on their property.)

AJ Henderson
  • 8
    For whatever reason, this post appears to be drawing a lot of comments that aren't 'for the purpose of clarifying or requesting updates' but instead appear to be focusing on anecdotes and vaguely related news articles. Rather than let this escalate into argument, I'm just going to delete them all. Feel free to discuss the topic in [chat] as we do like discussion in there :-) – Rory Alsop Oct 30 '14 at 14:32
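The check this answer describes (the flaw is visible from the page itself, no packet capture needed) can be done by reading the page source: find the form that carries the password field and see which scheme its submit URL uses. The script below is an added example, not code from the question or any answer. It uses only the Python standard library and runs against constructed sample HTML embedded in the file; the page URL `http://alumni.example.edu/login` is an assumed placeholder, not the university's real site. It also distinguishes the case the linked question asks about, where an HTTP page posts to an HTTPS action, which is still not safe because the page itself can be modified in transit.

```python
"""Report whether a page's login form would submit credentials over plain HTTP.

Added example (not from the original post). Standard library only: parses the
HTML, finds every form containing a password field, resolves the form action
against the page URL, and classifies the scheme the credentials would use.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect {"action": ..., "password": bool} for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_findings(page_url, html):
    """Return one finding per form that has a password field.

    severity is one of:
      "cleartext"  the form submits to http://  (credentials readable on the wire)
      "mixed"      page served over http:// but submits to https:// (the page,
                   and therefore the form action, can be tampered with in transit)
      "ok"         page and form action are both https://
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # A missing or empty action submits back to the page URL itself.
        target = urljoin(page_url, form["action"] or "")
        target_scheme = urlsplit(target).scheme.lower()
        if target_scheme != "https":
            severity = "cleartext"
        elif page_scheme != "https":
            severity = "mixed"
        else:
            severity = "ok"
        findings.append({"submit_url": target, "severity": severity})
    return findings


# Constructed sample: an HTTP login page whose form has no explicit action,
# so the credentials would POST back over http://. The search form is ignored
# because it carries no password field.
SAMPLE_PAGE_URL = "http://alumni.example.edu/login"   # assumed placeholder URL
SAMPLE_HTML = """
<html><body>
  <form method="post">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Log in">
  </form>
  <form method="get" action="/search">
    <input name="q" type="text">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for finding in login_form_findings(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['severity']:10} {finding['submit_url']}")
```

Run it as-is to see the constructed sample flagged as `cleartext`; to check a real page you control or are authorised to assess, fetch its HTML with your browser's "view source" and pass the page URL and that source to `login_form_findings`. Only "ok" means the credentials and the form that collects them both travel over TLS.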
28

If they ignore your emails, you may try reporting them to the organisation responsible for enforcing the Data Protection Act. I don't know where you are from; in the UK it would be http://ico.org.uk/concerns

They have a responsibility to keep your data safe.

Gustek
  • Thanks for pointing out such an organization, but I'm in Canada. Let me see if I can find anything equivalent. –  Oct 29 '14 at 15:48
  • 13
    For Canada it is The federal Privacy Commissioner, http://uk.practicallaw.com/6-502-0556#a588373 – Gustek Oct 29 '14 at 15:52
  • 3
    The provincial privacy agencies would be a better fit (privacy laws vary by province). – schroeder Oct 29 '14 at 18:33
  • I don't think this answers the question, as nothing prevents the Privacy Commissioner from also accusing the asker of being a hacker. (I know now likely, but that was his question) – Douglas Held Nov 03 '14 at 15:29
  • As far as I know, when you report someone to the Privacy Commissioner they will make their own investigation to confirm your concerns, but they will not dig into how you got to know it. It is the reported party that may accuse you of hacking them. – Gustek Nov 03 '14 at 16:05
13

First, you cannot make anyone do anything. As an alum, you can raise your own personal concerns that your credentials are exposed, but that's about it.

I'm not sure how anyone would regard your stated actions as hacking, but that is dependent on your jurisdiction. In mine, capturing your own packets is not illegal at all.

It is unfortunate that the IT support shuttled you off to the general email bin, but you have to follow their procedures.

schroeder
  • 2
    Are there any places where capturing your own packets is illegal? o_O It sounds crazy… – Display Name Oct 30 '14 at 20:04
  • I've tried to verify my memory, but perhaps the discussion was more relevant long ago. The legal theory fell under the scope of "viewing the code" without allowing the 'compiler' (the browser) to render it, and thereby was considered "unauthorized access". At this point, I cannot find evidence that capturing your own packets to a server over the Internet is illegal. – schroeder Oct 30 '14 at 20:41
  • Remember criminal intent; ignorance of the law can actually be the most sound legal defense (not legal advice): United States criminal law – mchid Nov 01 '14 at 22:28
  • 1
    Capturing your own packets is often one of the first phases of reverse engineering, and in many places reverse engineering may have negative legal implications. – Flimzy Nov 02 '14 at 12:35
8

Here is my approach:

Try to find out if your University has a person who is responsible for security. Maybe they have a company which does that or they have a department. If so, try to contact these people. They often know what you're talking about.

When contacting them, you don't need to tell them about wireshark. Say "I noticed that the site uses HTTP and, since I work in computer security, I know that means my name and password will be sent over the Internet without any protection of any kind. Any malicious person in any network between you and me could steal my identity this way. Are you aware of this?"

So the first goal is: "I found a risk and I know what I'm talking about". Then see how they respond. This isn't a life-threatening situation. It's OK if it takes a couple of days to resolve. You can use several mails to make your point.

If they refuse to believe you, then give them a recipe for how they can see for themselves (install Wireshark, use this rule, do the login, look back at what Wireshark shows you). That way, they run the "bad" tool. At no time do you need to tell them what you did on your own computer. If pressed, you can say "I used the security tools of my company to capture the data which my browser sends to you and I saw that ..."

Aaron Digulla
7

TL;DR - Being professional and humble will go a long way. Being secretive, prideful, or malicious will obviously not end so well. If you calmly and privately work with them, they're likely to do the same.

This sounds almost cut and paste from how I started finding issues with my university's security. My university was putting the student's ID in a cookie and that's who you were signed in as. If you manipulated the cookie, you signed in as whoever you wanted. It was the discovery that led me to look deeper into their security. They also had an insecure mail server that would relay anything without authentication. The filenames of the images in the school directory were just a weird encoding of that student's ID. At one point, I could look up an SSN and get a student's name.

I found these bugs a little at a time. It started with a sense of "My information needs to be safe and it's not" and I would point out the latest flaw I discovered to IT. After about the 3rd time I reported something, I began feeling both angry and superior to the department. Every other week I'd be in the Vice President of Technology's office pointing out a new way to get SSNs or financial records of students as far back as 1995 or some stalker technique to determine somebody's entire class schedule (including their letter grade in that class). The VP also began to get hostile with me. I admit I may not have had the best attitude after the 6 month mark. At one point I was expelled for about 3 weeks when they heard I was trying to reverse engineer their encoding (linked above). I wanted to show them what holes were vulnerable when an individual wasn't working with them and they were in the dark. Eventually we sorted it out, but there was a lot of anger, paperwork, and ego going around in the meantime on both sides.

The point I'm trying to make is that the IT department worked with me despite me being a jerk. They fixed the problems and the school is better off for it. As long as I was upfront about my intentions and open about what I was doing, they didn't threaten me or hinder me. It wasn't until I was working in secret that they took disciplinary action. I was all over the board with things that absolutely could be considered hacking including injection attacks, social engineering, reverse engineering, packet sniffing, port scanning, custom software exploits, and more. Since I never changed anything and always (well... usually) reported my findings quietly and directly to them, they worked with me. I have no doubt that if I hadn't been an ass then I wouldn't have been temporarily expelled.

Corey Ogburn
6

There is a service provided by Hewlett-Packard Tipping Point called the Zero Day Initiative. http://www.zerodayinitiative.com/

Here's how it works.

  1. They BUY the vulnerability from you
  2. HP Tipping Point gives protection to its customer base of smart firewall users
  3. ZDI works out with the vendor to try to get the issue fixed (this typically can take 6 months)
  4. If the vendor won't respond or budge, then ZDI reports the vulnerability publicly.

As you can see, you're done at step 1, and you get money, and you get to stay anonymous.

Douglas Held
1

At times it's very difficult to explain the importance of security to people. Some people just do not understand security and others feel that their system won't ever get compromised. Reporting a security threat at times gets ignored or takes a very long time to be fixed. From my experience, to get your point across to improve security, I would demo the attack. When you demo an attack, I would suggest you use your own box where you can set up a similar environment. Doing this you can show people visually how data can be stolen.

SLEZ
  • 3
    A demo would work for people within your own organization, but for the OP's situation, it might not be possible. – schroeder Oct 29 '14 at 18:34
  • 1
    @schroeder Agree. In addition, the authorities may misunderstand my motives and arrest me. This Heartbleed hacker did find vulnerabilities but others didn't take them well. http://motherboard.vice.com/en_ca/blog/the-mounties-are-wrong-about-canadas-heartbleed-hacker –  Oct 30 '14 at 01:26
1

This is a fairly difficult issue, as companies and universities have a long and proud history of reacting with hostility and shooting the messenger in cases like this. And there's no guarantee that you won't be prosecuted for nothing more than noticing their insecurity. They might not have a case against you, but that doesn't mean they can't make you miserable.

So here's a few ideas that might help.

  • Remain Anonymous: There are many ways to protect your identity. I won't go in to them here, but for the most part you don't have to identify yourself to disclose a vulnerability. If you're worried about retaliation, it may be best that you don't.

  • Don't disclose directly: While it would be ideal for you to deal with the issue privately, doing so affords you little to no protection if they decide to retaliate. Disclosing the vulnerability through a trusted third party shields you somewhat from direct action by preventing them from controlling the story. Often indirect disclosure is a way to maintain anonymity.

  • Focus on their negligence rather than their vulnerability: If you preemptively assume the moral high ground, attacking you would paint them as more negligent, rather than less so. It is extremely difficult (and extremely rare) for a service that has been accused primarily of negligence to paint their whistleblower as a criminal. Simply pointing out their poor security doesn't afford you any moral superiority, and gives them the opportunity to paint themselves as the victims by accusing you of criminal misconduct. Don't give them that out.

tylerl
0

Judging by what you said there's no evidence of you attempting to hack. You simply monitored the incoming and outgoing requests of your own network.

If you're still sticky on the situation, try contacting the Privacy Commissioner in Canada to see what they recommend. https://www.priv.gc.ca/

Stephen Punwasi
-2

This seems more like a psychology/sociology question than a security one, as the issue seems to be how to best communicate with another party and convince them to take a specific action. I can't believe that any 'hacking' charge could have real legal ramifications for the reasons other answers have explained.

An alternative approach to those above is to practice a strong offense. If they refuse to acknowledge your emails, send a semi-threatening one in a polite but firm tone explaining that if they do not address this security vulnerability to protect your personal data, you may need to take legal action to protect yourself. This may or may not be practical, depending on what personal information they actually store of yours.

This approach naturally sets up a confrontational interaction, so consider carefully before heading down this road.

Nicholas
  • 3
    As Info Sec pros, we deal with this situation a lot, and it is a valid Info Sec question on its own merits: knowing the technical details of a vulnerability is only half the battle; communicating it to those responsible for fixing it, and working with them, is the other half. This cannot be discounted. Threatening legal action is not going to get a lot of traction. – schroeder Oct 29 '14 at 21:03
  • @schroeder Can you provide evidence of that assertion? I'm surprised at the downvotes. The OP listed better options, but they have been tried and failed. I don't suggest a legal threat as the first thing to try, but given the absence of other viable options that have not already been tried and failed, this provides one more possible way to effect change. Organizations and companies act selfishly, and often don't change unless they see a threat to themselves. This provides what is needed to initiate a change. – Nicholas Oct 30 '14 at 12:35
  • I would also add that the accepted answer on the first linked question is essentially this same advice. Harm the business through removing profit, creating bad publicity, or reporting employees to the CEO. That doesn't seem very different than (in fact, it seems less severe than) threatening the removal of profit by leveraging the judicial system. – Nicholas Oct 30 '14 at 12:38
  • I made 2 assertions, which would you like evidence of? – schroeder Oct 30 '14 at 14:14
  • 1
    If the "legal action/traction" assertion: the OP is from Canada, and I can assure you from personal experience, that legal action would only be taken seriously if there was actual loss (i.e. an actual compromise). The general public threatening lawsuits where there is no loss is regarded as noise. – schroeder Oct 30 '14 at 14:17
  • @schroeder yes, either liability for a loss or a criminal act of "bad intent". – mchid Nov 01 '14 at 22:34