Techski: A simple experiment easily bypasses UCLA login protection levels

With only his last name, university ID number and birth date, I reset and changed a friend’s password to gain access to his UCLA law school email account Thursday.

I then told Eric Bollens, a software architect at the Office of Information Technology and a fifth-year computer science student, about this “exploit.” Bollens relayed the information and within an hour, the IT security department had disabled the reset password feature for LawNET.

While researching this column, I attended DEF CON, an annual hacker convention, in Las Vegas this summer. The convention scared me into caring about online security.

On Wednesday, Luke Chu, a fourth-year applied mathematics student, told me he wasn’t satisfied with security standards for resetting a UCLA account password.

So I decided to check it out. I asked my friend Ben Shea, a first-year law student, for consent to “hack” his email account.

He laughed about it, until I emailed him from his own account.

At UCLA, login credentials are universal. We access our email, URSA, myUCLA, Arthur Ashe Student Health and Wellness Center messages and more with one user name and password.

Plenty of undesirable or malicious activities are possible if an account gets compromised ““ reading private correspondences, dropping your classes, accessing your grades, impersonating you.

Because some people use their UCLA email account as identity verification for other Web services, such as online banking, a compromised email account might just be the start of an online identity theft avalanche.

But damage wouldn’t be limited to a user alone. A hacked email account can be used to spam other contacts for fraudulent purposes.

In fact, 1,000 compromised student and faculty accounts were flagged with a new technology to monitor unauthorized access through campus libraries over 28 different days in the last eight months, said Ross Bollens, director of IT security and Campus Information Security Office and Eric Bollen’s father.

These compromised UCLA credentials can be used for illegally downloading masses of journals’ articles and other publications’ content, said Todd Grappone, an associate university librarian for digital initiatives and information technology.

Often, this activity is traced back to China, where there’s a black market online for people to buy and sell compromised accounts, Grappone said.

Until now, I didn’t realize how easily my password could be changed by someone else and how protective I should be with some of my information.

I’ve written down my name, UID number and email address ““ which contains my login user name ““ on class sign-up sheets. One quick cell phone picture and my first line of defense for my UCLA login would already be broken.

And what if you lose your BruinCard? A search on the campus directory might reveal your UCLA email address, which is enabled by default. Facebook also eliminates one piece of the puzzle if your birthday is public.

Apart from your user name, university ID and birthday, there’s one more line of defense ““ a security question.

The default security questions, however, ask for basic information that may be easy to find out, such as “What is your favorite color?” or “What is the city you were born in?”

“When doing security questions, do not use information that is publicized whatsoever,” Eric Bollens said.

Aside from the fact that guessing someone’s favorite color is probably trivial, the password reset system doesn’t stop a user from guessing multiple answers for these questions.

When trying to reset another consenting friend’s account through URSA, I was allowed to guess potential passwords over and over again, resorting to entering junk and pressing enter repeatedly just to see if the system noticed. It didn’t.

With the help of a program, or script, it appears a hacker can generate a list to guess the answer to your question indefinitely. This is commonly known as a “brute force” attack.

Blue, black, green, red. Los Feliz Elementary School, Castle Heights, Warner Avenue. Unauthorized access achieved.

There’s also an option to ask your own security question, which I’d recommend. To avoid brute force attacks, make your answer a phrase or a sentence ““ no one-word responses.

And to avoid all of this in the first place, protect your information. Your university ID number is your UCLA social security number.

To protect yourself, you can disable the password reset feature on your UCLA login, opting for an in-person verification instead. You can also remove your email address from being visible on the campus directory through URSA, but I’d suggest just substituting with a non-UCLA email address.

Ross Bollens said the IT department is in discussions to change password resets. He also said he wants to implement a geolocation feature for logging in, so if someone suddenly accesses their account from a different region, they’ll be flagged and notified to change their password.

For more information, visit www.itsecurity.ucla.edu. To express concerns, email [email protected].

Bruin news columnist and resident tech-head Damien Sutevski reports on technological news, trends and tips, as well as life as a UCLA graduate student, in this bi-weekly column. Email Sutevski at

[email protected].

You can also follow him on Twitter, @dsutevski.