School security failure... What now? (moral question)
nnelson 
7/3/08 2:51:03 PM
Serf

While (carefully :D) messing around on the school computers today I managed to get the system-wide local administrator password through a fairly convoluted method involving booting into the network boot/install feature so I could read the pre-set configuration files.

Armed with this information I logged on as the local admin, dumped the wireless password to my USB and, just out of interest, checked to see if the internet would work without a network user being logged on. (it didn't)

The school homepage was still available though...
Again out of curiosity, I clicked the "Synergy" logo (Synergy is the database software my school uses to store student details/photos/grades).
I was amazed to find that it was possible to log into Synergy, personal details and all, with a local administrator password (which coincidentally was based on a dictionary word).
As I'm a responsible person I didn't browse / mess around with it but immediately logged out.

I feel like I should tell someone (I'm on good terms with one of the computer guys) about this possible security risk / breach of privacy but I'm worried that I could be putting myself at risk which I'd rather not do considering that this is my last year.

What would you recommend that I do?

-----
Pentium 4 3.06 Northwood @ 3.8
Asus P4PE
1024MB 333mhz RAM
128MB Radeon 9200SE
Soundblaster Audigy 2
Dual 19 inch monitors
Windows Vista Professional Edition

Redhatter 
7/3/08 4:01:58 PM
Hero
Titan


Well... mentioning you did this on a public forum is a great start.

I'd suggest documenting what you did... and then present this to the network administrator.

-----
Stuart Longland (aka. Redhatter, VK4FSJL)
I haven't lost my mind it's backed up on a tape somewhere...
http://atomicdoc.yi.org <-- AtomicDOC Wiki
Resident Coolie-hatted Gentoo geek. (Gentoo MIPS & Mozilla herd member)

bowiee 
7/3/08 5:29:32 PM
Hero
Guru


On the other hand you may be accused of hacking; this is what happens when you poke into places you shouldn't. (Not sure why you would do this in your last year of school.)

But you say you have a good relationship with one of the IT guys. If this is the case then I would do what Redhatter suggests.

But I would suggest in future you stay out of systems you are not authorised to use at admin level.

If you left any kind of trail behind in your wanderings it would be even more in your best interests to come forward, before they come to you.

-----
"You do not really understand something unless you can explain it to your grandmother" - Albert Einstein.
"Note to self....Don't feed the trolls"




Mister_T 
8/3/08 3:41:32 PM
Hero
Titan


Document the security vulnerabilities and deliver the details thereof _ANONYMOUSLY_ to someone who cares and is capable of rectifying the situation.

t

-----
http://frase.id.au/

 
--- http://folding.stanford.edu ---
MozillaZine Folding Team
http://weblogs.mozillazine.org/folding/
--- Team 39340 - JOIN US!! ---

Cynic* 
9/3/08 1:15:04 PM
Banned

for the love of christ don't tell them who you are

-----

bnew 
10/3/08 11:05:30 AM
Guru

Quote by Mister_T
Document the security vulnerabilities and deliver the details thereof _ANONYMOUSLY_ to someone who cares and is capable of rectifying the situation.

t



You win the thread.

-----

chome 
10/3/08 10:59:27 PM
Champion

Def put it all in writing and let em know secretly

-----
http://folding.stanford.edu/English/Science

bnew 
12/3/08 2:10:32 PM
Guru

So, what did you end up doing?

-----

bowiee 
12/3/08 10:05:10 PM
Hero
Guru


Quote by bnew
So, what did you end up doing?



He told them, he's been executed R.I.P ;)

-----
"You do not really understand something unless you can explain it to your grandmother" - Albert Einstein.
"Note to self....Don't feed the trolls"




chome 
13/3/08 12:00:19 PM
Champion

really... if you have physical access to a PC you can get local admin PW's. Nothing administrators can do really, except have 14+ complex PW's.

As for having admin applications installed on student PCs, that's pretty careless. We used to have 2 separate networks here. One for admin, one for curriculum; now they have been merged. The department now runs 10 domains across the entire state.

Everyone is linked to everyone else, although it could be tightened down a bit, who am I to judge.

anyway, back to my 82 laptops! damn you computers for teachers program!!!

-----
http://folding.stanford.edu/English/Science

robzy 
13/3/08 9:41:06 PM
Hero
Immortal


Quote by chome
really... if you have physical access to a PC you can get local admin PW's. Nothing administrators can do really, except have 14+ complex PW's.


How do you figure? A 14 digit case sensitive with special characters password is damn near impossible to crack.

Rob.

-----
עם ישראל חי

err0r 
15/3/08 7:38:11 PM
Overlord

You can easily reset the password hash to something known, or you can dump the password hash to disk, submit it online, and have someone perform a rainbow table style lookup on it. You can get Windows passwords emailed to you in under 48h for free, and instantly for a fee.

-----

MANB3ARPiG 
19/3/08 4:52:12 PM
Banned
Quote by nnelson
While (carefully :D) messing around on the school computers today I managed to get the system-wide local administrator password through a fairly convoluted method involving booting into the network boot/install feature so I could read the pre-set configuration files.

Armed with this information I logged on as the local admin, dumped the wireless password to my USB and, just out of interest, checked to see if the internet would work without a network user being logged on. (it didn't)

The school homepage was still available though...
Again out of curiosity, I clicked the "Synergy" logo (Synergy is the database software my school uses to store student details/photos/grades).
I was amazed to find that it was possible to log into Synergy, personal details and all, with a local administrator password (which coincidentally was based on a dictionary word).
As I'm a responsible person I didn't browse / mess around with it but immediately logged out.

I feel like I should tell someone (I'm on good terms with one of the computer guys) about this possible security risk / breach of privacy but I'm worried that I could be putting myself at risk which I'd rather not do considering that this is my last year.

What would you recommend that I do?



What's the domain name, the admin user name and password?
I'll log in from here

-----
ManBearPig: the animal for gamers by gamers

phantomreaper 
19/3/08 10:27:29 PM
Overlord

I'd say if you trust the person and have a damn good reason for doing it tell them. Else Anonymous is your friend ;)

-----
Look to the future! The future of at0mic.
phantomreaper for Mayor 08'

Darth Kram 
21/3/08 3:52:26 PM
Serf

I was recently in a similar situation as you, i.e. I'm in my last year at school and while playing around on a computer I managed to gain access to some rather sensitive areas on the network as well as a few other things (well considering the network admin had left the passwords to most of the hardware running the network as "admin" he should be blamed).

I mulled it over for a few days (basically I wondered should I bring his precious network crashing down around his knees or should I tell him). I eventually told him and it was all fine, he just thanked me then fixed the problem.

Obviously the admin's reaction will depend on what he/she is like but I would advise telling them face to face and if any strife occurs then just say that you heard about it from a friend.

-----
Core 2 Duo E6750, Gigabyte GA-P35-DS3R, Seagate 7200.11 500GB HDD, XFX 8800GT, G.Skill 2x1GB RAM, Silverstone 500W PSU, Vista Home Premium, AOC 210V 22", Pioneer 212 DVD Writer, Cooler Master CM690.

.:Cyb3rGlitch:. 
21/3/08 3:59:39 PM
Titan

Quote by MANB3ARPiG
What's the domain name, the admin user name and password?
I'll log in from here


Yeah, because he's stupid enough to give those details out... -.-

-----
Tutorial: Overclock your CPU and RAM http://preview.tinyurl.com/2jz4ft

Tutorial: How to Tweak XP and Vista http://preview.tinyurl.com/2q5w2k

The Atomic revolution is near... VOTE #1 .:Cyb3rGlitch:. for Mayor in 2008

Cynic* 
27/3/08 3:55:52 PM
Banned

Quote by err0r

You can easily reset the password hash to something known, or you can dump the password hash to disk, submit it online, and have someone perform a rainbow table style lookup on it. You can get Windows passwords emailed to you in under 48h for free, and instantly for a fee.




Not if the password is 20 characters long.

-----

MANB3ARPiG 
28/3/08 5:16:11 PM
Banned
Why is this a moral question?

-----
ManBearPig: the animal for gamers by gamers

.:Cyb3rGlitch:. 
28/3/08 5:19:34 PM
Titan

Quote by MANB3ARPiG
Why is this a moral question?


Maybe because it's based on morals? Nah, that can't be it...

-----
Being a fanboy has many pitfalls:
- People lose respect for you
- You miss out on the better product
- You get nothing in return for your "loyalty"

TheSecret 
2/6/08 11:09:35 AM
Serf
Don't do anything.

I was kicked out of high school for a similar thing, and I did not do anything malicious. It didn't hurt me, I went on to get higher education and travel the world, but if you want to finish school don't risk it.

Being on good terms won't matter, I knew the administrator/IT teacher quite well, but they take it to the principal, who makes the decision.

-----