Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label student information system. Show all posts

How a Simple Vulnerabilty Turned Out to be University Campus 'Master Key'

When Erik Johnson couldn't make his university's mobile student ID app work properly, he found a different way to get the job done. The app seems to be important, as it lets students in the university paying meals, get into events, and lock/unlock dormitory rooms, labs, and other facilities across campus. The app is known as getting Mobile, made by CBORD, it is a tech company that assists hospitals and universities by bringing access control and payment systems. 

However, Johnson, and other students who gave the app "1 star" due to poor performance, said that it was very slow in terms of loading time. It can be improvised. After studying the app's network data while unlocking his dorm room door, Johnson realized a way to mirror the network request and unlock doors via a one-tap shortcut button on the iPhone. To make it work, the shortcut needs to send an accurate location with the door unlock request, or the doors won't open. For security purposes, students have to be in certain proximity for unlocking doors via the app. 

It is done to avoid accidental door openings on the campus. To make it even better, Johnson decided to take his talents elsewhere too. CBORD has a list of API commands that can be used via student credentials. (API allows two things to interact, in our case, it's a mobile app and university servers that store data). Johnson identified a problem, here the API wasn't checking in case of valid student credentials. It meant that anyone could interact with the API and take control of other students' accounts, without having the need for passwords. 

As per Johnson, the API only looked for student ID (unique). Tech Crunch reports "Johnson described the password bug as a “master key” to his university — at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present — simply by sending back the approximate coordinates of the lock itself." As the bug was discovered in the API, it could affect other universities too. Johnson found a way to report the bug to CBORD, and it was resolved after a short time.

Lancaster University students' data stolen in cyberattack





A "sophisticated and malicious phishing attack" has resulted in the  leak of personal data of 12,500 students and applicants at the Lancaster University.

The University admitted that records and ID documents of some undergraduate applicant  for the years 2019 and 2020 had been accessed, and  fraudulent invoices were sent to them. 

In a statement released, the university said that they got to know about the breach on Friday, and they have  set up an incident team who is working to secure its systems.

“Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data,” it said.

“The matter has been reported to law enforcement agencies and we are now working closely with them.”

Data leaked includes name of the student, their addresses, telephone numbers and email addresses. 

A university spokesman said: “Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing, as is the investigation by law enforcement agencies.”


Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data


Two students at Bloomfield Hills High School are the main suspects of a hack into the school’s Student Information System called MISTAR. The students are believed to have made changes to the grades, attendance records, and lunch balances of about twenty students and themselves.

The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.

The students are suspected to have exploited a now-resolved vulnerability in the school systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.


In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," he said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

The school has also established a support hotline, aside from their FAQ page, where parents can reach out to learn more or have their questions about the hack answered.