Hacking

When I was younger I was extremely impressed by what I later learned was simply scriptkiddie hacktivism. It was around the time of the Snowden Revelations and I was terrified of the NSA's power, or, more likely, just wanted an enemy. So I installed Tor, encrypted a couple useless files, and that was about it.

Fast forward to this year, and I had a resurgence in concern over privacy after getting in trouble with my university's IT department and watching the movie Citizenfour. I also read The Art of Deception and competed in a cyber security CTF, which made me realize that what could be termed "hacking" was broader than I initially imagined. Hacking is not always a malevolent breach of a banking system; it is really just exploiting a flaw in a system to achieve a result the system's designers didn't intend to be possible.

I've carried out a couple of "hacks" (using the broader definition) in the last year that I thought others might find interesting.

Hack 1: University Directory

I wrote a script to log in and scrape my university's directory using Selenium. I was then going to use this data to create a more useful directory for students, but the school traced my IP and requested that I shut it down (despite me making sure in advance that I was not breaking any part of their Network Usage Policy or broader Student Handbook).

After I took down the original posting of the directory data, I started looking more closely into how the data was organized. I noticed that everyone's ID photos were stored at a URL that ended in what appeared to be an MD5 hash (university.edu/[md5hash]). An educated guess using my own information revealed that it was a hash of our student ID numbers.

Since the MD5 hash of a given string is always the same, if you know the range of ID numbers you can compute the MD5 hash of every possible ID number, plug each one into the URL, and see which ones return student photos.

To test this, I wrote a script that checked whether the hash of each number in a range corresponded to a student's photo. If it did, it returned that student's name along with their ID number (the name coming from the directory data I had previously scraped). Finding the photos and ID numbers could be done without logging into the directory, which was normally required to access student information.

I suspected that finding student photos and IDs was not really a security concern since those were not protected under FERPA unless they explicitly requested total confidentiality.

However, this method could actually be used to discover the photos and student ID numbers of students who requested total confidentiality. Someone could brute force check all of the ID numbers over a given range and see the photos of all Biola's students, current and former, regardless of their confidentiality level. Since the school normally isn't allowed to confirm whether a student who has requested total confidentiality attends the school, the fact that you could find the photos of all the total confidentiality students (by comparing the photos that normally appear in the directory against those that show up in the brute force URL search) seemed problematic.

I reported the vulnerability to my university's IT department, and they are trying to have it fixed within a year.
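As an added illustration (not the author's script; the student IDs and the secret are constructed for the example), the Python below shows why an unkeyed MD5 over a sequential ID is effectively a lookup table over the ID range, and how a keyed HMAC with a server-held secret, one possible fix among others such as a random per-photo token or requiring login, leaves an outsider unable to compute valid URLs:

```python
import hashlib
import hmac
import secrets

# Constructed sample: IDs the "server" has photos for (made up for this example).
KNOWN_IDS = [1000042, 1000137, 1000501]
ID_RANGE = (1000000, 1001000)  # assumed, easily guessable range of sequential IDs


def md5_key(student_id: int) -> str:
    """Unkeyed scheme described on the page: URL path component = md5(student ID)."""
    return hashlib.md5(str(student_id).encode()).hexdigest()


def hmac_key(student_id: int, server_secret: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 of the ID under a secret only the server holds."""
    return hmac.new(server_secret, str(student_id).encode(), hashlib.sha256).hexdigest()


def enumerate_matches(published_keys, key_fn, lo, hi):
    """Defender's check: which published photo keys can be reproduced by simply
    computing key_fn over every ID in the guessed range [lo, hi]?"""
    published = set(published_keys)
    hits = {}
    for candidate in range(lo, hi + 1):
        key = key_fn(candidate)
        if key in published:
            hits[key] = candidate  # key -> the ID it leaks
    return hits


def demo():
    lo, hi = ID_RANGE
    # Unkeyed: published keys are exactly md5(ID), so a range guess recovers every ID.
    published_md5 = [md5_key(i) for i in KNOWN_IDS]
    leaked = enumerate_matches(published_md5, md5_key, lo, hi)

    # Keyed: the server publishes HMAC(secret, ID). Without the secret an outsider
    # can only run the same enumeration under a wrong key, which matches nothing.
    server_secret = secrets.token_bytes(32)  # constructed; lives only on the server
    published_hmac = [hmac_key(i, server_secret) for i in KNOWN_IDS]
    outsider_guess = b"not-the-server-secret"
    leaked_keyed = enumerate_matches(
        published_hmac, lambda i: hmac_key(i, outsider_guess), lo, hi)
    return sorted(leaked.values()), sorted(leaked_keyed.values())


if __name__ == "__main__":
    print(demo())
```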

Hack 2: BIOS Lock Workaround

The BIOS is locked on most of my university's computers in the library and labs. If it weren't locked, you could boot from USB. I wanted to be able to run Tails on them because I wasn't comfortable with the university tracking my every keystroke (since you have to sign in using your university account).

It turns out you can disconnect the ethernet cable so it's not able to connect to the central servers to boot into their VM version of Windows or whatever it is (some sort of thin client I guess). At this point you can plug in your USB and boot from it. So far I have been able to boot into Ubuntu and Tails this way.

Hack 2.5: Expired Domain

I recently bought a domain (this one in fact) and as soon as I set the MX redirect I started receiving emails that clearly were not intended for me. It turns out that a company had used this email at some point and had let the domain expire. I was getting emails for Adobe, Amazon, and Facebook accounts. I actually tried logging into the Adobe account (at first I thought it was some sort of phishing attempt) and it let me send a password reset to the email I now controlled.

I contacted the company and let them know about the situation in case they wanted to get the domain back from me, but they were apparently disinterested. They thanked me for letting them know about the Adobe account (which I transferred back to them) but so far haven't done anything about the other accounts I still could gain access to.

Buying domains that people previously used to sign up for third-party accounts is apparently a known method of attack, as I learned on Reddit when I asked about it on r/Hacking. I don't intend to pursue this, but it seems you could also do this to conduct market research or gain leads by buying a bankrupt competitor's expired domain and seeing who had been emailing them.

I'll keep this page updated with any future hacks that I stumble across.

6.14.2020