Senior Thomas Ring found a vulnerability in DePauw University’s E-Services website, accidentally unearthing a database of student mailbox combinations. The campus community was notified of the situation by email on Sept. 4, 11 days after its exposure.
According to Carol Smith, chief information officer, the breach in the system was discovered on Aug. 24. “We took immediate action and by the end of the day the vulnerability had been fixed,” Smith said.
Ring said he was poking around the E-Services page and just happened to find a vulnerability in the database containing student mailbox numbers and combinations associated with the UB mailroom. “I was sitting in a 400 level computer science class, bored, so I decided to look around the website,” Ring said.
The vulnerability in the system allowed someone who knew another student’s ID number to look at their mailbox and combination.
After noticing the hole, Ring emailed his advisor, Maria Schwartzman, professor of computer science, to determine what he should do next. “She told me to email Carol Smith and the help desk,” said Ring. “In the email, I outlined what I did, how I did it, and why I thought it worked.”
Crissy Osmialowski, client information specialist at DePauw’s Help Desk, said they were notified of the vulnerability. After being notified, they identified where the information should go next. “The Help Desk is the first tier of the the IT department and once we recorded the incident, we sent it to the next group of people,” Osmialowski said.
Smith said once they were notified of the hole, the team was able to adjust the system to fix the code. “The information we received was really helpful so we were able to look into it right away,” Smith said.
Ring said once he forwarded the information to the University, he was expecting them to be more appreciative. “Instead they were pretty mad and they told me they could get me into a lot of trouble for this,” Ring said.
Ring said he had meetings with three people following his report of the incident. He met with someone in the IT department, Carol Smith and Alan Hill, vice president of student academic life. Ring has one more meeting pending with the University and is still waiting to see if it will go to community standards, DePauw’s judicial body for determining disciplinary action.
The DePauw could not confirm the meeting with the IT department and Hill took place.
According to Ring, Hill said he was in violation of the student code of conduct. The code of conduct states, “The following list includes examples of conduct that may subject a student to University action… 18. Unauthorized use of University or other computer systems or programs or the information contained therein.” Ring said he was informed there was a possibility local authorities could be involved and he could be legally charged for illegally accessing this information. This could not be confirmed nor denied by Hill or DePauw administration.
Smith said she is working with student academic life to decide what may happen. “I don’t believe this was a situation with malicious intent behind it because the student came forward with the information,” said Smith. “We had to act on the situation as if it had malicious intent because of the information that was exposed.”
Ring said he was put off by the University’s response because he felt he was helping the University by telling them about the vulnerability. “They’re acting like I’m the one who created and exploited the vulnerability,” said Ring. “In reality, I’m the one who exposed it. People could have been using this for however long E-Services has existed.”
Smith said they were unaware of the hole in their system. Once they realized it was there they did two things. “We reviewed all system logs which allows us to track everything that happens on the site,” said Smith. “Then we looked for other vulnerabilities which is standard protocol.”
Smith said she is grateful Ring came forward and shared the information. Smith said, “Looking at network security today in the world not only requires technical support but also the support of the community at large.”’
The University changed mailbox combinations as an added security precaution. Students can access their new combinations on their E-Services webpage.