Monday, January 17, 2011

Students Hacking Campus Networks

I teach a telecommunications course to Verizon technicians one morning a semester. On the last day of class in December we were finishing up the final exam and some group presentations. During a break one of the Verizon students went out in the hall to make a phone call and noticed what looked like a guy sitting outside the door trying to hack into the classroom wireless network. He came in and told me so I went out (with a couple of Verizon guys following me) and took a look - sure enough - the guy was sitting outside the door running BackTrack, trying to hack the Verizon classroom wireless access point password.

I asked him what he was doing and he was honest, telling me what he was up to. The odd thing was his attitude - I think he thought I would be impressed. I told him it was against campus policy and could get him kicked out of the college. I also said if he did not stop I would call campus police. And, I told him he was hacking into an access point that was part of a corporate (Verizon) sponsored program and may be breaking the law. He packed up and left quickly.

So - what could happen to students that do this kind of stuff? This is from the Information Technology Resources Unacceptable Uses section of our College Student Handbook:

The following uses of STCC’s Information Technology Resources are unacceptable uses. This list of unacceptable uses is not exhaustive. It is unacceptable to use STCC Information Technology Resources (I’ve only selected a couple that apply in this case):

  • to gain, or attempt to gain, unauthorized access to any computer or network;
  • to intercept communications intended for other persons;
Here’s a piece from the User Responsibilities section of the handbook:

Users must comply with all applicable College policies and procedures and state and federal law. The use of STCC Information Technology Resources is a privilege, not a right, and failure to observe this policy may subject individuals to disciplinary action, including, but not limited to, loss of access rights, expulsion from the College and/or termination of employment. Further, failure to observe this policy may result in violation of civil and/or criminal laws.

Technically, if he was a student, it looks like he could have been kicked out of the college. Was he also breaking any laws? The National Conference of State Legislatures has a section of their website with Computer Hacking and Unauthorized Access Laws listed. Here’s a piece from their site:

"Unauthorized access" entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to either or both, or any other actions that interfere with computers, systems, programs or networks.

In Massachusetts, Gen. Laws Ann. ch. 266, § 33A states:

Whoever, with intent to defraud, obtains, or attempts to obtain, or aids or abets another in obtaining, any commercial computer service by false representation, false statement, unauthorized charging to the account of another, by installing or tampering with any facilities or equipment or by any other means, shall be punished by imprisonment in the house of correction for not more than two and one-half years or by a fine of not more than three thousand dollars, or both. As used in this section, the words “commercial computer service” shall mean the use of computers, computer systems, computer programs or computer networks, or the access to or copying of the data, where such use, access or copying is offered by the proprietor or operator of the computer, system, program, network or data to others on a subscription or other basis for monetary consideration.

So many of us are using tools like BackTrack in our classes. It is critical we let our students know this stuff, if used the wrong way, can get them in a lot of trouble.

I think the guy trying to hack the Verizon classroom network learned a lesson. Three Verizon students ended up following him out of the building (without me knowing), not saying a word. They said when he got out the door he was sprinting across the campus.

No comments: