All your passwords are belong to everyone

When one sees the security measures employed and the way the network is maintained, one starts doubting the legitimacy of the word “Technology” in IIT Madras. One gets angry seeing the neglect, seeing the competence of the technical staff and wonders whether IITM is so poor that they can’t even afford to hire ‘real’ sysadmins and technical staff. As examples, let us look at three places where it is a real messed-up situation:
  1. Anyone could have changed anyone else’s LDAP password with just a few clicks.
  2. LDAP passwords float on the network in plain text, un-encrypted.
  3. Root permissions were granted to undergraduate juniors and sophomores on the CS department’s lab computers, which resulted in keyloggers being installed on them.
For those who don’t know what the ‘LDAP password’ is, it is “the one password to rule them all” as far as a student’s IITM-related stuff is concerned. This password is used for…
  1. Accessing internet from the campus network.
  2. Logging into institute student mail account.
  3. Logging into ‘moodle’ — a course-content management software.
  4. Accessing and filling out preference forms for mess allocation every month.
  5. Accessing ‘workflow’ — from where one registers for various courses, sees their grades etc.
  6. Not sure about the zillion other things they might be using it for!
Changing passwords is easier than changing “Mamy Poko Pants”
The other day, a friend of mine (he doesn’t want to be named, so let’s call him Vikesh Ram Banerjee) pinged me and announced “I can change your LDAP password!”. At first I thought he was kidding. Then came fear, shock and anger.
There was a glaring flaw in the way the ‘reset password’ feature worked. We were all using it routinely, without fuss, oblivious to the problem. It took the keen Banerjee-eyes to finally spot it!
You enter your username and current password. This takes you to another screen where you change the password. Smell something wrong here?
Once you ‘log in’, another form comes up in which the roll-number field seems un-editable. Here is where you can see how clumsily the website was designed. While you and I didn’t bother much about it, Vikesh tinkered with the form a bit…
Really surprising to see that they had used the ‘readonly’ attribute as a security feature! I guess they obtained their degree/diploma by some illegal means and got into IITM’s technical staff by some ‘black magic’. I mean, look! It is such a simple thing, a well established and much easier way to design a ‘reset password’ feature — have four fields:
  1. Username
  2. Current password
  3. New password
  4. Repeat new password
If the first two match with the database entries and the last two are the same, change the password, otherwise, report a failure. An obvious thing, which one sees on zillions of sites! But no! These people had to implement something fancy! Result?
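As an added illustration (not the institute’s code), here is what that four-field design looks like on the server side when the account being changed is taken from the login session, so that whatever the browser sends in a roll-number field, readonly or edited, is simply ignored. The in-memory `UserStore` stands in for the LDAP directory, PBKDF2 is my choice of password hash, and the roll numbers and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; stands in for whatever the directory uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserStore:
    """Constructed in-memory stand-in for LDAP: roll number -> (salt, hash)."""
    records: dict = field(default_factory=dict)

    def set_password(self, roll: str, password: str) -> None:
        salt = secrets.token_bytes(16)          # fresh salt on every change
        self.records[roll] = (salt, _hash(password, salt))

    def verify(self, roll: str, password: str) -> bool:
        rec = self.records.get(roll)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash(password, salt))


def change_password(session_roll: str, form: dict, store: UserStore) -> str:
    """Handler for the four-field form: current, new, repeat (+ whatever else).

    session_roll is the identity the server recorded at login. It is the
    ONLY account this handler will touch; a 'roll' key in the submitted form
    is never read, so editing the readonly field in developer tools does
    nothing. Failure messages deliberately do not reveal which check failed
    beyond what the user needs to retry.
    """
    if not store.verify(session_roll, form.get("current", "")):
        return "failure: current password incorrect"
    new, repeat = form.get("new", ""), form.get("repeat", "")
    if not new or new != repeat:
        return "failure: new passwords do not match"
    store.set_password(session_roll, new)
    return "ok"
```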
With built-in developer tools or add-ons like Firebug, it is very simple to change the HTML on any page!
Once you figure out that simply editing the value of the readonly field really does let you change other people’s passwords, wreaking havoc is just one 5-line script away! As proof of concept, Vikesh did just that and pranked a couple of friends. Then he did the sensible thing — he mailed the faculty in-charge of the network and related issues about it, only to receive a vague reply about priorities and how this issue isn’t at the top of the list. For a couple of days after that, the buggy password-reset system was still online and functional. So many times did I feel like running a script to change everyone’s password and mailing him back: “Now, go figure!” Then it was taken down for ‘maintenance’. Now more than a month has passed, and it is still down with the message “Maintance Mode. We will be back shortly.” Hmm… I guess there’s a slight mismatch between our concepts of ‘shortly’. Finally, before putting this post up, I emailed the professor giving him a heads-up so that when it comes back up, it won’t have the problem shown above.

Just imagine! For more than a year, there was this system, using which, anyone could have changed anyone else’s password! Given that the password is kind of a ‘master password’, the sloppiness just becomes intolerable.

Passwords passwords everywhere
Literally, that is the case with the institute intranet. When one authenticates with the LDAP password, it is sent over the network in plain text, without encryption! So much debate happened over this, yet it wasn’t fixed. Instead, the concerned technical staff member asked students whether they could help him fix it!

Keyloggers and root privileges
This one is specific to the Computer Science department. I still remember, in our freshman year, we were told that we didn’t even need our own computers, as for all academic purposes the computers in the Software lab and Systems lab were sufficient. Yes, they really were. I liked the AC, the big screens, the presence of people. But no, they couldn’t keep it nice that way! As the pinnacle of sloppiness, some teaching assistants for the OS and Computer Organization courses created accounts with super-user privileges on all those computers and gave away the password to all their students!

I would rather trust monkeys with my glasses than undergraduate students with those root accounts! Invariably, someone installed keyloggers (just a matter of running a command) on a bunch of computers there. And boy, is this serious! There are people like me who do some of their banking online, on those lab computers. Not to mention that even our email accounts contain valuable information (if not interesting gossip) like university application details, other academic documents etc.

To top it all, the concerned technical staff had no clue whatsoever how to get rid of those keyloggers, nor had they grasped the gravity of the situation. As soon as I found out that there were keyloggers, I sent a mail to one of the professors alerting him of the situation. I alerted my entire class, and others whom I could contact, only to find out that some of my classmates didn’t even bother to read that mail! We were basically sitting ducks for some prankster juniors!

Although for me it shouldn’t really matter; I hope it gets better. After all, it’s my alma mater…
