Well That Was Easy: Misdirecting Respondus LockDown Browser for Fun and Profit.

Presenter Information

Donald Moncrief
Ramsey Foster

Document Type

Oral Presentation

Campus where you would like to present

SURC 271

Start Date

17-5-2012

End Date

17-5-2012

Abstract

Respondus LockDown Browser is the specialized web browser which many students are forced to use. It is intended to provide a secure testing environment and discourage cheating. It is also trivially easy to manipulate into loading an attack page which could steal a student’s CWU login credentials. The information collected by such an attack would give the attacker access to the student’s Novell, Safari and GroupWise accounts. This would allow them to: view the student’s name, address, telephone number, and any other contact information which they had on file in Safari. The attacker could alter a compromised student’s course registrations; financial aid acceptance; send email messages as though they were the student; or use the school network for nefarious purposes which would then be traced back to the compromised student’s account. Further, since an attacker would have access to the student’s GroupWise email account, they would be able to compromise any accounts on services for which the student had used their cwu.edu email address as a password reset contact. This could include, bank, credit card, online bill payment, social networking, job search sites, or even additional email accounts from other providers. During this presentation we will demonstrate how difficult Respondus LockDown Browser makes it for a user to determine if a site is legitimate before entering their credentials. We will also provide guidance on how students can spot and avoid such an attack.

Faculty Mentor(s)

Chet Claar

Additional Mentoring Department

ITAM

This document is currently not available here.

Share

COinS
 
May 17th, 9:10 AM May 17th, 9:30 AM

Well That Was Easy: Misdirecting Respondus LockDown Browser for Fun and Profit.

SURC 271

Respondus LockDown Browser is the specialized web browser which many students are forced to use. It is intended to provide a secure testing environment and discourage cheating. It is also trivially easy to manipulate into loading an attack page which could steal a student’s CWU login credentials. The information collected by such an attack would give the attacker access to the student’s Novell, Safari and GroupWise accounts. This would allow them to: view the student’s name, address, telephone number, and any other contact information which they had on file in Safari. The attacker could alter a compromised student’s course registrations; financial aid acceptance; send email messages as though they were the student; or use the school network for nefarious purposes which would then be traced back to the compromised student’s account. Further, since an attacker would have access to the student’s GroupWise email account, they would be able to compromise any accounts on services for which the student had used their cwu.edu email address as a password reset contact. This could include, bank, credit card, online bill payment, social networking, job search sites, or even additional email accounts from other providers. During this presentation we will demonstrate how difficult Respondus LockDown Browser makes it for a user to determine if a site is legitimate before entering their credentials. We will also provide guidance on how students can spot and avoid such an attack.