February 8, 2008

Pre-Enrollment Site Hacked by Students


Last semester, as most Cornellians raced to submit their pre-enrollment choices online at 6:30 a.m. sharp, a few students might have already reached the finish line before the starting gun was fired.
According to a student who works at the Cornell Information Technologies help desk, at least 10 students in the past two years have successfully hacked into the Just The Facts desktop application to pre-enroll themselves in classes before the 6:30 a.m. starting time.
Most of the people interviewed — due to their roles in the incident or their positions at CIT — wished to remain anonymous.
The main source and two others who have graduated claim that the school was aware of the hacking. One alumnus expressed his surprise at the persistence of the JTF application’s loophole.
“I’m really surprised the issue wasn’t taken care of earlier. I assumed it was fixed,” he said.
The alumnus told The Sun that the hacking method was not difficult at all.
“You don’t need much more than Computer Science 100 [Introduction to Computer Programming] and a little bit of patience,” said another alumnus.
The JTF application comes with its source code, which is the written instruction of the program. According to the main informant, a student could pre-enroll at an unauthorized time by editing the source code, hence changing the JTF application’s requests to the Cornell server.
The principal informant assured that other students’ files and private information in JTF would still be off-limits to the student hackers as they were, in a way, “hacking their own files.”
She also said that the student hackers tried to stay “low-key” and did not tell many people about this security flaw. Perhaps this relatively small number of students involved did manage to escape the attention of the school, as official sources from CIT claimed that they were unaware of the issue.
“I have not heard or seen any evidence of this happening … While I believe it’s possible to reverse engineer [the application,] I don’t think it’s probable,” said David Schuster, director of information technology security.
He stressed that pre-enrollment before 6:30 a.m. would be improbable because the JTF was a time-based application. This means that the Cornell server, not the JTF application client, would be checking if the time was valid for pre-enrollment.
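The distinction Schuster draws is the whole point of the incident: a window that is enforced only in the client can be bypassed by anyone who can change what the client sends, while a window enforced by the server's own clock cannot. The following Python is an added illustration of that contrast, not code from the article, from JTF or from Cornell; the request fields, the handler names, the opening time and the two sample requests are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: pre-enrollment opens at this instant (placeholder date,
# expressed in UTC so the example behaves the same on any machine).
ENROLL_OPENS_AT = datetime(2008, 1, 15, 11, 30, tzinfo=timezone.utc)


@dataclass
class EnrollRequest:
    student_id: str
    course: str
    client_time: datetime  # whatever the client program chose to put in the request


@dataclass
class AuditLog:
    """Server-side record of every decision, stamped with the server's own clock."""
    entries: list = field(default_factory=list)

    def record(self, server_now, req, decision):
        self.entries.append({
            "server_time": server_now,
            "student_id": req.student_id,
            "course": req.course,
            "claimed_time": req.client_time,
            "decision": decision,
        })


def enroll_trusting_client(req, log, server_now):
    """Flawed pattern: the window check reads the timestamp the client supplied.
    Any client whose request contents can be altered can satisfy this check."""
    accepted = req.client_time >= ENROLL_OPENS_AT
    log.record(server_now, req, "accepted" if accepted else "rejected")
    return accepted


def enroll_server_checked(req, log, server_now):
    """Hardened pattern: only the server's clock decides. The client's claimed
    time plays no part in the decision but is kept in the log for review."""
    accepted = server_now >= ENROLL_OPENS_AT
    log.record(server_now, req, "accepted" if accepted else "rejected")
    return accepted


def early_accepts(log):
    """Investigator's view of the log: accepted enrollments whose server-side
    timestamp precedes the opening time. With the hardened handler this is empty."""
    return [e for e in log.entries
            if e["decision"] == "accepted" and e["server_time"] < ENROLL_OPENS_AT]


def demo():
    # Constructed traffic: two requests that reach the server an hour before opening.
    before_open = datetime(2008, 1, 15, 10, 30, tzinfo=timezone.utc)
    honest = EnrollRequest("s1", "CS 100", client_time=before_open)
    # A request whose client-side time field claims the window is already open.
    tampered = EnrollRequest("s2", "CS 100", client_time=ENROLL_OPENS_AT)

    weak_log, strong_log = AuditLog(), AuditLog()
    weak = [enroll_trusting_client(r, weak_log, before_open) for r in (honest, tampered)]
    strong = [enroll_server_checked(r, strong_log, before_open) for r in (honest, tampered)]
    return {
        "weak": weak,        # [False, True]: the client-side check lets s2 through early
        "strong": strong,    # [False, False]: the server clock rejects both
        "weak_early": [e["student_id"] for e in early_accepts(weak_log)],      # ["s2"]
        "strong_early": [e["student_id"] for e in early_accepts(strong_log)],  # []
    }


if __name__ == "__main__":
    print(demo())
```

The audit log is deliberately stamped with the server's time rather than the client's claim: that is what makes the kind of log review Schuster describes later in the article possible, since an early acceptance shows up as a server timestamp before the window regardless of what the client reported.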
However, he acknowledged that in the computer world, “anything is possible.”
On a more positive note, Spring 2007 might be the last semester when student hackers could pre-enroll prematurely because the JTF application will soon be abolished altogether. For the Fall 2008 pre-enrollment, a new JTF website will replace the current desktop application. In the future, since all students will pre-enroll their courses on the website, both Schuster and the main informant believed that the security of pre-enrollment would be greatly enhanced.
“It’s pretty hard to hack into the [JTF] website,” the main source said.
“When you’re on a website, [everything] is contained within the browser, so there’s another layer of security,” Schuster said.
However, he also stressed that the revamp of JTF was not a consequence of a possibly vulnerable system, but of redesigning and increasing efficiency.
Although the student hackers will no longer be able to enjoy their unfair advantage in the future, Schuster said that CIT would still investigate this case by looking into the logs, which are the records of network activities.
“I don’t know if I’ll actually find anything or not… [but] finding out who did it should be trivial,” Schuster said.
In a follow-up interview yesterday, Schuster said that both the Registrar and CIT were looking into the matter, but the results would be kept confidential.
Cornell’s Code of Conduct states that an attempt to “maliciously interfere with … computer or network resources or computer data, files, or other information” is a violation.
If evidence is found, the student hackers might have to face grave consequences.
“A successful hacking attempt, while uncommon, would be considered a serious violation of the Code of Conduct … It will definitely be the type of case where we will be considering suspension, probation, or the more serious, expulsion,” said Mary Beth Grant, Judicial Administrator, who would be responsible for determining the penalties for the student hackers if evidence arises.
However, she stressed that the penalties would depend on the facts that emerged.
While intentional and malicious hacking attempts are unacceptable, Schuster encouraged students who found flaws in Cornell’s system to notify him.
“If there’re students who feel a particular system is vulnerable, the best thing they could do is to contact me and not exploit the system and do so before the exploitation actually happens,” Schuster said.