Universities around the world are the breeding grounds for the future professionals of the world. Their attendees conduct research that solves the problems of tomorrow, start businesses that reach billions of people, and create relationships that wouldn't thrive anywhere else. It is easy to say that the experience of going to university is beneficial to people everywhere; however, those same institutions have a common, negative characteristic. Universities generally need to take their security more seriously. Recently, the world of spying and espionage has begun to infect the world of academia as nations and businesses are trying to further research in less time. From professors harvesting academic research and feeding it to nation-states (https://nypost.com/2020/01/28/harvard-professor-charged-for-lying-about-1-5m-chinese-research-scheme/) to physically stealing research samples (https://www.nytimes.com/2019/12/31/us/chinese-scientist-cancer-research-investigation.html), we're beginning to see a shift in academia. I, personally, wouldn't find it bizarre for universities to start using SCIFs or secure facilities and networks to conduct their research in the near future as opposed to the typical student vs guest network with a "locked" door setup most schools have now. Protecting the research that will be used to change the world of tomorrow is a necessity. For certain high-value projects, if it were to get into the wrong hands, not only could an individual or group take credit for another's hard work, but the research could be weaponized to devastate masses of people.
This article is about a hobby my girlfriend and I share: exploring universities and seeing how close we can get to entering the computer science labs. We understand it's a bit different, but we both like to live life a bit on the wild side and push the limits. Since both of us have Computer Science backgrounds, it's always interesting to check out what labs different schools have created. It started when she took me through her alma mater and I noticed her school had this sweet drone lab with nets and turf. I thought, "Yo... Dawg, I need this." Naturally, I went straight to my department head and said, "Yo... Dawg, we need this." Obviously, there's more to this story, but it worked and he allocated funding for all the proper equipment to create a sweet drone lab. Unfortunately, I graduated before I got to set it up or use it :( . Needless to say, my girlfriend and I started hitting other universities every time we went somewhere new. I move around the US fairly frequently, so it gives us a nice excuse to explore the local areas. To this day, we have hit 19 schools. They are as follows: MIT, Harvard, Yale, Marist, Vassar, Villanova, University of Maryland, Towson, Georgetown, Washington & Lee, University of South Carolina, Clemson, University of Georgia, Georgia Tech, Tulane, Loyola University New Orleans, University of Southern California, UCLA, and James Madison.
Before I start jumping into security vulnerabilities and fun that was had, let's talk legal. "But Brian, isn't this illegal... meh meh meh" First off, I'm gonna boo the narks out there. You're whack, yo. Secondly, we did our due diligence in looking for no trespassing signage. We were never asked to leave on any of the campuses we visited. We did not break anything or force our way into any facilities at any of these universities. All of our accesses were gained through common physical oversight on either the IT or physical admin side. I'm going to try not to attach any university names to individual experiences, but these experiences were from the list of 19 schools provided previously.
Initially, I want to shout out University of Southern California for being the only school where we couldn't access their CS labs. In our defense, we went on a Sunday. Had we gone during the week they probably would've gotten toasted and roasted, but either way kudos. I proudly wear their surprisingly comfortable hoodie even though I have no affiliation with this school.
Now what are some common security features we see at schools? Well, cameras are usually a given. Within the last five years, it's become common to have RFID door locks. Sometimes rotund security guards patrol the school grounds. These are all pretty easy to get past though. Slap a backpack on and carry some Starbucks then BOOM! You're now a student at __insert_university_here__ university. If you're older, wear business casual and BAM! You're now a new adjunct professor at your local college. Now just tailgate a student to get past the door, then you're in. Pretty easy, sure. However, there isn't too much a university can do about this as they've implemented semi-proper preventative, detective, and deterrent security controls (Wow, that's about all CISSP is good for right there). They could issue cyber awareness training, but realistically how much does a student or faculty member pay attention during those? Answer: not very much. Now what if they were regularly targeted by mock social engineering attacks? Some companies do this and the results have proven to be extremely beneficial. Maybe give it a try?
I will say that all the security in the world can't stop stupid. One school, on the ground floor of their CS building, had their server room for the entire building in an outer room with a 10-foot clear window in front of it with servers in direct line of sight. BIG OOF, dude. For those who don't know, you typically want to keep critical infrastructure like this near or as close to the center of the building as possible. You definitely don't want windows near it either. If I really wanted to, I could place a camera outside and record the flashes the lights on the server are making and steal the data it's processing. Beyond that, if I get into the building, I now have a clear target where I can work my way to quickly gain physical access.
Some of the "nicer" schools have museum-like areas integrated into their academic environments. Though pretty cool, since it's open to the public, it gave us a pretty easy initial foothold while also making us more curious. We would check out what they wanted the public to see, but at one school we ended up at a weird pre-school made for robots to learn how to use children's toys and conduct mundane tasks like put square blocks in round holes. Definitely took on a cyberpunk-y vibe pretty fast. After trying to understand the strange robot children, we continued upstairs where the professors' offices were located. Typically, professors like to show off research papers just outside of their door on a small bulletin board, which we genuinely find interesting from time to time. The issue at this top-tier school though was that professors were leaving their doors open while away for extended periods of time (we like to read a lot). Great, now we have access to individual faculty workstations where it is guaranteed research material or discussions thereof are flowing. Whether you're teaching an hour-long class or heating up your lunch, at least log out of your computer and lock your cabinets. At another top-tier school, the museum-type exhibits led us to their labs. We ended up accidentally walking into an ongoing class where we just dipped up the stairs into the nearest bathroom. The classroom was two floors tall as it was a machine lab, but the professor and students didn't seem to care that we were there. It was a bit strange, but I get it. Students get lost from time to time; however, this gave us access to the upper levels of the building where there were a few more labs. In this building, the CS lab was located on the 8th or 9th floor. We got up to that floor and to the computer lab where a student spotted us and started asking questions. I just acted casual.
Earlier I had bought a small bag to carry a bunch of free Red Bulls we got on campus, so I blended in a bit more. I told him that we were newer business students trying to check out what the CS department does. The student asked us if we wanted a tour, which I declined. A nice gesture of him, but he should've questioned if we were actually students first. Half of this whole social engineering skill is looking like you belong if you haven't caught on yet. He let us on our way from there and continued with whatever we were doing.
Blending is a key trait that plays to our advantage since my girlfriend and I both still look pretty young. People assume a lot about others and choose not to question things due to social norms. At one of the southern schools, we were on a mission to try to tailgate into a building for practice. My girlfriend and I started up a conversation outside one of the doors to the CS building that were locked and just hung out for a bit, waiting for a student. Once one walked by, she announced, "Hey, I gotta go" and ran over behind the student asking him to hold the door. Sure enough he did and let her right in. She held the door for me and KABLAM! <<NINJA ACCESS>> From here, all the lab doors that were supposed to be closed and locked were left wide open for students studying for finals to come and go as they pleased. Hey Chad, I know you're stressed about that Data Structures final, but you're being a real blue falcon to your senior and grad-school counterparts who just finished up a TON of awesome research. At another school, we were able to blend in with the school band that was walking to practice, even though we didn't have instruments, to get into the school's stadium. Now we definitely don't look like typical band kids, but I think they were a bit too shy to say anything. Oh well, your social anxiety is now my advantage, Sheldon. This touches on teaching faculty/students that if they see something out of place, say something. People shouldn't be afraid to act in favor of the security of their organization. Another time we wanted to attempt blending in, we pretended to be photographers at a university's concert for a very fake Doja Cat. We were told Doja Cat was performing and we got dontcha nat, yo. That's just false advertising. Nonetheless, it allowed us to get up to the front of the crowd and semi-backstage. On several other occasions, we rolled up on Chinese exchange student seminars where we had to pretend we spoke or knew Chinese to get into a building.
I'm still not sure if it's coincidence we stumbled upon so many events like this or if schools just regularly hold seminars for the Chinese exchange students. At one school, we were also able to get into a student-only poster sale at this small poster shop inside the school at their student center. Just act cool, look cool, and be cool and you're good to go in most environments.
We tried some straightforward methods of checking if a door is just unlocked. Not all schools have RFID door locks; some still work off of keys, so guards or faculty need to go to every door in every building to lock them. At a school up North, we found the front door of the CS building to be locked, so we moved to another door on the side of the building. Sure enough it was open. We then moved to the elevator which also didn't have any authentication and rode it to the top. Easy. This really relies on having dependable guards or custodians to be honest. If you don't want to spend the money on increased physical security, you have to accept that risk as well.
Construction, unfortunately, causes an absurd security risk as well. Anytime an organization brings in a third party, security risk increases exponentially. In the deep south we were at a school that was redoing their cafeteria, which was still open for the summer session. After exploring the area a bit, we had achieved access to a couple of the faculty lounges and some of the kitchen facilities. In my security-focused mind, this seemed like a great place to use a long-term plant to embed a Raspberry Pi. I would totally just slap an "IT PROPERTY DO NOT TOUCH" sticker on it and put it in a cabinet or in the drop ceiling. Things like this do happen in the real world. From here, the construction led us to a neighboring school campus where we noticed the worst network setup I had ever seen. They had two networks, one for guests and one for students. The student network had no authentication though. Presumably it was just a faster network. Another issue was that the printers on the guest network had default configurations. The admin page was wide open and no password was set. Users from the student network could also print to the printers on the guest network, meaning there was a nice, large pivot point to access an internal network (had they chosen to lock down the student network). Printers in academic environments are scary. Almost every school we've been to had printers on the guest network. This is bad because if students regularly print to them we can possibly 1.) steal images/scans of the files they print 2.) harvest their credentials to the network and other personally identifiable information 3.) spoof emails to them for advanced phishing 4.) pivot to other networks, machines, or users. I can do all this off of my phone sitting in the lobby. If anyone who works at a university is reading this, please tighten up your printer security. Change your passwords like you change your underwear. Update the firmware on your printers. Require authentication.
Segregate printers from networks properly. Also actually segregate your networks.
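To put "actually segregate" into rule form, here is an added example (not part of the original post) that audits a first-match firewall rule set in front of a printer segment. The subnets, the port groups, and the policy that guests reach nothing, students reach print ports only, and only IT reaches the admin interfaces are all assumptions made for illustration.

```python
import ipaddress

# Constructed example subnets (assumptions, not taken from any real campus).
ZONES = {
    "guest": "10.10.0.0/16",
    "student": "10.20.0.0/16",
    "it_admin": "10.40.0.0/24",
    "printers": "10.30.0.0/24",
}
PRINT_PORTS = {515, 631, 9100}   # LPD, IPP, raw print
MGMT_PORTS = {23, 80, 161, 443}  # telnet, web admin page, SNMP
# Assumed policy: which printer ports each source zone may reach.
ALLOWED = {"guest": set(), "student": PRINT_PORTS,
           "it_admin": PRINT_PORTS | MGMT_PORTS}

def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the flow; default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and (ports is None or port in ports)):
            return action
    return "deny"

def audit(rules):
    """List (zone, port) flows into the printer segment the policy forbids.

    Tests one representative host per zone, so it assumes rules are written
    per subnet rather than per individual address.
    """
    printer = str(next(iter(ipaddress.ip_network(ZONES["printers"]).hosts())))
    findings = []
    for zone, allowed in ALLOWED.items():
        src = str(next(iter(ipaddress.ip_network(ZONES[zone]).hosts())))
        for port in sorted(PRINT_PORTS | MGMT_PORTS):
            if first_match(rules, src, printer, port) == "allow" and port not in allowed:
                findings.append((zone, port))
    return findings

# Flat setup like the one described above: every network can reach the printers.
FLAT = [("allow", "10.0.0.0/8", ZONES["printers"], None)]
# Segmented: students print, IT manages, everything else is dropped.
SEGMENTED = [
    ("allow", ZONES["student"], ZONES["printers"], PRINT_PORTS),
    ("allow", ZONES["it_admin"], ZONES["printers"], PRINT_PORTS | MGMT_PORTS),
    ("deny", "0.0.0.0/0", ZONES["printers"], None),
]

if __name__ == "__main__":
    print("flat:", audit(FLAT))
    print("segmented:", audit(SEGMENTED))
```

The flat rule set reports every guest flow and every student flow to a management port as a finding; the segmented one reports none.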
Security is no joke and people still don't seem to take it seriously in academia. From students to faculty, over the last three years my girlfriend and I have noticed quite a bit of oversight on this. If an attacker can get physical access to a machine in the network, consider that machine and network toast. It doesn't take much to move laterally or privilege escalate from there, especially if I initially get onto a privileged account. If an attacker can physically touch your infrastructure (servers, routers, switches, etc.), it's GG BB. The stakes are high in this environment and the effects of cyber war and espionage can be devastating whether you're ready for it or not. I, personally, think as more events of this type begin to happen in the near future, we'll start to see schools invest more in their IT infrastructure and hire security consultants more often to beef up their defenses. If not, they're willfully endangering their students and their research. I find it crazy that there are high schools with better security than private universities. Your university's security sucks, buyer beware.