Examining Student Databases (Winter, 2001-2002)
-----------------------------------------------

By Screamer Chaotix

For the longest time I've been obsessing over an issue that is of the utmost importance to me: privacy. People should have the right to decide what sort of information about them is given out and what is not. For example, if you don't want your number in the phone book you must pay to keep it out (unless you go through the hassle of putting in a false name). But at least there you have a choice. What about your personal records? How many times, and to how many people, have those been given out just so they could "build a demographic" and make more money? If you think about it long enough, it's quite sickening, especially when you consider how many people feel hackers are the ones invading privacy.

With this in mind, I felt it was important to point out something I noticed while visiting a friend of mine at his university. And while naming the school may be a great help to getting the problem solved, it would also imply that this happens exclusively at this school alone. Rather, I'd like to explain the problem and let the world do with the information what it will.

You've probably seen them if you attend a large university. They're called email stations and are commonly lower end machines that are meant to be used exclusively for, you guessed it, email. In this case they were iMacs and, given my inexperience with Macs (and all Apple machines for that matter), I was a little uneasy about using them. Nonetheless, I was going to obey the large sign above the machines and use them for their intended purpose. But after doing so, I noticed something that caught my eye and raised my interest. It was a small icon that read "xxxxx Mainframe" (where xxxxx is the school name). As a hacker I was blown away by such an icon, but also knew not to expect too much from something that could have been nothing more than an image file under a different name.
Upon clicking on it, I was taken aback by what occurred. I was immediately presented with a warning, stating the usual "Unauthorized access is strictly prohibited blah blah blah." But rather than take me to a login prompt, it dumped me right into the middle of what appeared to be a specially designed system. A machine with a purpose if you will, and not your common UNIX shell. The machine liked to call itself the "Student Database" and had several options that any user (including a person who didn't go to the school) could use. I chose the student records and was presented with a new screen asking for a student or faculty name. Out of pure curiosity I entered in my friend's name and voila: I was presented with a screen that listed his name, email address, an ID number (which I believe to be a type of student ID, although I may be mistaken), and, perhaps the most noticeable entry, his address. Right there, clear as day, I could see ID information, his email address, and even the place where he currently resided.

Like the good little hacker/citizen I am, I showed this to him, much to his disgust. Having seen one too many hacker movies he automatically assumed I had "hacked into" the school's database, but after walking over to his machine and doing the same thing he was shocked beyond belief. Both of us started throwing around possibilities, such as how anyone could use his ID to obtain his grades, send him emails (even if he didn't want someone in particular to have his email address), and worst of all... come visit him at his home on campus.

Technologically there was little to it, which is what makes it so frightening. Typically when we see sensitive information out in the open it's found by a hacker who had to use some sort of skill to obtain it. But this could have very easily been obtained by anyone! And if you think you need some form of ID to use the machines, or even get into the building, you're sadly mistaken.
Student IDs are only required for the cafeteria and to purchase books. Anyone, including your worst enemy, could go onto one of these machines and find out where you live, what your email address is, and perhaps even use your ID for malicious purposes. And all of this is made available without your permission.

Upon closing the terminal connection I was able to view the location of the database on the Internet. When I got back home the first thing I did was telnet to the location, but fortunately there was a login screen that wouldn't let me in. The purpose of this article is not how you can get in from home, however. It's how anyone can get in just by walking into a public building and using a computer. To suggest that this information would be difficult to get from the outside would be ridiculous, however, especially considering the login screen gives you tips on how to log in.

Hopefully this article has given the reader some idea of just how insecure their private information is, and how anyone can walk up to any machine and open up a connection into the mainframe. If your school, or anyplace that stores your information for that matter, uses these techniques, I strongly suggest you write to the people in charge and tell them how uncomfortable you are. Or maybe you could even use one of the terminals to obtain their home address and send them a letter. I'm sure they'll be quite surprised.

Shout outs to Panther for letting me test out my theories using his private information, and to Dash Interrupt for his constant support.