FirstClass Hacking

by Cristian

The idea to write this article came from reading this magazine for a while.

I noticed that lots of people were writing in about the (in)security of the place they were studying.  Having read all these articles/letters very thoroughly, I decided to look into the security in the place I go to study.

I go to an English CEGEP, which is basically a hybrid of year 12 in school and the first couple of years of university.  When you first enroll into the CEGEP you are given a Student ID (SID) card, which has a magnetic strip, your picture, and your student ID number.

The magnetic strip contains the SID number too, as well as a "charge" of $4.00 CDN in order to be able to print in certain computer labs throughout the campus.  Using a combination of methods, we will obtain both the SID number and the corresponding password, thereby showing how vulnerable this system really is.

This of course should be taken as an educational guide and not to be used for your own gain.

The Student ID Number

The student ID number is used to log into your FirstClass (www.firstclass.com) account, which is the piece of software used all over the campus for pretty much any class-related task.

We use FirstClass for everything, from viewing our assessments to communicating with the teachers.  Teachers, on the other hand, use it to actually put our grades into the system, calculate class averages, etc.  We also use this SID to log into our "For Students Only" section where it shows us all our grade history, our current schedule for the semester, our CRC score (a sort of GPA), and a couple of other features.

It is also used for the Omnivox service.  We use this web-based service to view our grades with more details (class averages, graphs, etc.), pay our student fees for the semester, get a tax receipt for being a student, or change our home address and phone number.

Lastly, we use the SID to be able to make our schedules a couple of weeks prior to the semester starting.  The system is phone based, so you simply call and follow the instructions given to log in.

Vulnerabilities

The Birthdate

There are various vulnerabilities in the system, so I will go in the order I discovered them.

Upon your first entry to the college, they tell you that your PIN (to be used in FirstClass, "For Students Only," Omnivox, and the course registration system) is your birthday, in the form DDMMYY, including the leading 0 if the day or month has one.

Social engineering, anyone?  If you are able to engage someone in conversation, it should be quite easy to obtain their date of birth.  Even worse, the CEGEP I attend is chock full of people who use the infamous MySpace.com web site, so even if they don't tell you their date of birth, asking them for their MySpace page is another option.

Simply looking at their description may reveal this bit of information or, if not, look at the comments other people leave.  There might be messages wishing a happy birthday and then you can deduce the date of birth of the person.

The Student ID Number

Knowing the birth date is only half the information we need since the SID number is the next important part.

The SID number is seven digits and has the format YYXXXXX, where YY is the year you first enrolled into the CEGEP and the remaining Xs are generated at random (to my knowledge).  Finding this number is quite easy and there are actually various ways to find it.

For one thing, everyone must carry their SID card inside the campus or they will be kicked out by the security guards as well as fined $50 CDN.  Again, social engineering can be applied here and simply asking someone you know to show you their ID card to see how goofy they look in their picture will give you full access to the SID, so memorizing it shouldn't be that big of a problem.

Another way to find it is by looking in the recycling bins.  The students over here print like crazy, and in all essays/lab reports, etc. you must provide your name and SID number so the teacher can then input the grade into the FirstClass system.  Usually you can find old lab reports or pages that have mistakes in them with the student's name and SID number fully viewable in the page's header.

The third way to find it is directly via the FirstClass system.  Upon logging into the system, you will be greeted by the "Desktop" of your FirstClass account, which has links to your mailbox, address book, calendar, current semester registration process, conferences, uploaded files, help, news, and student body forum.  To your left you have the FirstClass menu system, which has links to logout, who's online in the system at the time, instant message menu, preferences, and, more importantly, the directory.

The directory is a search engine that takes in a name (or part of a name) and searches for matches across the student body and the faculty/teachers.  Now if you search for someone (let's say Smith), it will return anyone with the surname Smith in it (both student and teacher).

Once the matches appear, it will provide links to their FirstClass shared files folders.  For teachers, this is quite useful since they can provide class notes, PowerPoint presentations, etc. for everyone to download.

For students, well, I haven't met anyone that actually uses that service yet.  The important part here is the list of links that is provided when a match is found.  If the person is a teacher (let's say we found a teacher named John Smith), then pointing to the link will provide an address such as the following in the status bar of your browser:

http://firstclass.COLLEGENAMEHERE.qc.ca/Login/~SMITHJ

There isn't very much to work with in that link, right?

Well, now let's say that the list of matches is greater than a single result and that at least one of the matches is a student.

If you point to that link, the status bar will display the following address:

http://firstclass.COLLEGENAMEHERE.qc.ca/~YYXXXXX

Recognize something there?

Lo and behold, the link provides the SID number of the student we searched for, without even knowing the student in real life.
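One way to close this leak on the server side, shown as an added example that is not from the original article or from FirstClass: publish shared-folder links under a keyed, opaque handle instead of the login ID. The function names, the HMAC key, and the SID 0612345 are assumptions made up for illustration.

```python
import base64
import hashlib
import hmac
import re

# A path segment of "~" plus exactly seven digits: the YYXXXXX student form.
SID_SEGMENT = re.compile(r"/~(\d{7})(?=/|$)")

def public_handle(sid: str, key: bytes) -> str:
    """Derive a stable 16-character handle that does not reveal the SID."""
    digest = hmac.new(key, sid.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode().lower()

def rewrite_link(url: str, key: bytes) -> str:
    """Replace a ~SID path segment with ~handle; other links pass through."""
    return SID_SEGMENT.sub(
        lambda m: "/~" + public_handle(m.group(1), key), url)

def build_lookup(sids, key: bytes) -> dict:
    """Server-side table mapping a handle back to the account it serves."""
    return {public_handle(sid, key): sid for sid in sids}

# Constructed values: the key and the SID are invented for this example.
KEY = b"example-server-secret"
STUDENT = "http://firstclass.COLLEGENAMEHERE.qc.ca/~0612345"
TEACHER = "http://firstclass.COLLEGENAMEHERE.qc.ca/Login/~SMITHJ"

if __name__ == "__main__":
    print(rewrite_link(STUDENT, KEY))   # handle replaces the seven digits
    print(rewrite_link(TEACHER, KEY))   # unchanged
```

The handle only removes the SID from what the directory shows; it does nothing about SIDs printed on cards and lab reports.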

It is also worth noting that when you change your password for the "For Students Only" page, it only applies to that individual system.  Your birth date will still be the password for the Omnivox, FirstClass, and phone registration systems.

Even worse, in order to actually change these passwords, you cannot do it via the actual system.  You must physically go to the IT Administrator's office (which very few students know how to find) with two pieces of ID in order to change them.  Making it this hard to change a password is very unreasonable.

Students are lazy and they have work to do.  They aren't going to go through the trouble of finding out where the office is just to change their password.  They'd rather just keep it as it is and just forget about the potential consequences that could happen.
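An administrator-side check for the problem described above, added here as an example and not taken from the article or from any of the systems it names: it flags accounts whose stored PIN still equals the birthdate-derived default and counts how few DDMMYY values a cohort actually covers. The record layout, the PBKDF2 storage scheme, and the sample SIDs and birth years are assumptions.

```python
import hashlib
import hmac
from datetime import date

ITERATIONS = 10_000  # kept low so the sample runs quickly

def default_pin(dob: date) -> str:
    """PIN handed out at enrolment: DDMMYY with leading zeros."""
    return dob.strftime("%d%m%y")

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumed storage scheme (not from the article): salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def accounts_on_default_pin(records):
    """Return the SIDs whose stored hash still matches the birthdate PIN."""
    flagged = []
    for rec in records:
        candidate = pin_hash(default_pin(rec["dob"]), rec["salt"])
        if hmac.compare_digest(candidate, rec["pin_hash"]):
            flagged.append(rec["sid"])
    return flagged

def cohort_pin_space(first_year: int, last_year: int) -> int:
    """Distinct DDMMYY values for birth years first_year..last_year."""
    return sum((date(y + 1, 1, 1) - date(y, 1, 1)).days
               for y in range(first_year, last_year + 1))

# Constructed sample records; SIDs, birthdates and salts are made up.
SAMPLE = [
    {"sid": "0600001", "dob": date(1988, 3, 5), "salt": b"s1",
     "pin_hash": pin_hash("050388", b"s1")},   # never changed
    {"sid": "0600002", "dob": date(1987, 11, 23), "salt": b"s2",
     "pin_hash": pin_hash("914275", b"s2")},   # changed at the IT office
]

if __name__ == "__main__":
    print("still on default PIN:", accounts_on_default_pin(SAMPLE))
    print("DDMMYY values for 1986-1989:", cohort_pin_space(1986, 1989),
          "of 1000000")
```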

Combining these two pieces of information gives us access to literally anything related to that particular student.  You are able to change their address, their phone number, and once schedule-making time comes, you can easily delete all his/her courses and have him/her be charged $50 CDN for registering late, as well as leaving an empty spot in the classes he/she took (which, if you need that course, can be taken by you).

It's very surprising that they have such an elaborate system for managing your stay at the CEGEP, but it can be very easily bypassed with a few simple clicks and a little bit of social engineering.

Even worse is the terrible method that they have to perform a simple task like changing a password.

If you ask me, it's a very small price to pay for your privacy.
