The Basement Non-Honda/Acura discussion. Content should be tasteful and "primetime" safe.

College folks wanna help me out here... please

Old 02-27-2004, 06:47 AM
  #1  
axemansean
Senior Member
Thread Starter
 
Join Date: Jun 2002
Posts: 13,634

I am thinking about submitting an article to the IEEE Security magazine of issues with security and privacy at the college level. What I need from you guys is... you know if you want to help...

Name of college
Is the college directory private or public - what I mean is that can I search for you and get a boat load of info like what your major is, where you live, email addy, etc or do I get a little form that says "Fill me out if you want to contact so and so."
Is your email address tagged with anything important like school records or do they use SSNs.
Are the passwords you guys use generic, or do they allow you to create your own alpha numeric ones

Any help will be appreciated, I have it up to 2 pages right now and used my school as an example. But I think maybe using a few more and showing whether the systems are the same or different will add weight to my article.

Edit... you can PM me the info that way no one else knows. I'll post what I have written so far...
Old 02-27-2004, 07:11 AM
  #2  
redgoober4life
I eat plastic.
 
Join Date: Dec 2002
Location: Detroit, MI
Posts: 15,177

I just use the password on my ID.
Old 02-27-2004, 07:13 AM
  #3  
ManInCamo
Old School Crew
 
Join Date: May 2000
Posts: 5,251

public records - you could find out where I live and my phone number, etc.

the email password can be reset to what we wish, but the password to get into the system to get into the email is pre-set.
Old 02-27-2004, 07:20 AM
  #4  
redgoober4life
I eat plastic.
 
Join Date: Dec 2002
Location: Detroit, MI
Posts: 15,177

Originally Posted by ManInCamo
public records - you could find out where I live and my phone number, etc.

the email password can be reset to what we wish, but the password to get into the system to get into the email is pre-set.

You scare me.
Old 02-27-2004, 07:36 AM
  #5  
joebenz
nelson rules
 
Join Date: Sep 2001
Location: the best coast
Posts: 36,124

California State Polytechnic University, Pomona

Directory is public, but the only thing you can find is Name, email address, and major.

to view my academic records it's my SSN and a generic PW that is made up of my birthdate, but they do advise you to change the password once you are enrolled in the school.
Old 02-27-2004, 09:47 AM
  #6  
axemansean
Senior Member
Thread Starter
 
Join Date: Jun 2002
Posts: 13,634

Thanks guys...

So far my article... got a lot of cleanup to do, but this is only a first draft.

I am an undergraduate student at the Lane Department of Computer Science and Electrical Engineering at West Virginia University. Over the last 4 years I have witnessed many changes in the methods the university uses to keep student and faculty identities private from unwanted parties. But it seems as though the changes have compromised the level of security one would expect from an institution of higher education. Our school is not the only one having these issues; there are hundreds, maybe thousands, of universities with similar policies that need to be changed.

The university has an open directory, viewable and searchable by anybody from anywhere in the world. A search on the directory can be done with the name of a student or faculty member. The search reveals their major, address and email address. The email address is part of the new Mountaineer Information eXpress (MIX) system that was created a few years back to enable better communication between faculty and students, to enable students to have easier access to resources they need for their classes and extracurricular activities.

So now a malicious user is equipped with the @mix address of a faculty member or student. Now the malicious user can go to the MIX homepage to wreak havoc on the life of a student or faculty member. A visit to MIX reveals some interesting information. In order to access the MIX system all a user needs is their Social Security Number (SSN) or MIX user name – which we just obtained from the directory. Now the MIX system is not only a mail client, but also linked directly to the Office of Admissions and Records and allows students to have control over their course schedule, pay tuition, access financial aid information, etc. The MIX main page clearly states the password is “The two digit day of birth and the last 4 digits of the students SSN.”

Now all that lies between this malicious user and the student/faculty member's university records is a 6-digit number. Let's say the user knows a little about the person whose account they are trying to break into and already knows the day of birth. Now all that remains is a 4-digit number from 0000 to 9999.

Assuming the person checks one number a second with brute force and without using any script files, it would take them 10000 / (60 * 60) = 2.7 hrs to break into the account. Once into the account they can access student records that should be private and are not meant to be seen by others.

The means do exist for changing the PIN that is used to access the MIX system, but how many students or faculty members actually care to take the extra time to change the PIN? Even if they change the PIN, it only becomes another 6-digit number that can be easily broken by any person given the time and resources.

This problem doesn’t just exist at WVU, but at many universities around the world. In this day and age when everything is done over the Internet steps must be taken to ensure the security and privacy of the user. Some of the solutions I can see are as follows:

1. A completely private directory that only shows certain information. If a person searches for a name, they should only find the matches for that name and no other information. Sure, the question may come up about long-lost friends/relatives wanting to contact these individuals. The solution is again simple: a secure form should be available that the searcher can fill out with their information, and the system automatically mails it to the person in question. Privacy is maintained; the person searching knows who they are searching for but can only receive the information once the other person gets the form with their information and decides to reveal their identity.
2. Use of alternate identities instead of the generic first letter of first name and first seven letters of last name for email addresses. A student or faculty member should be able to create their own user name that they can use to access the different systems. This protects their identity by preventing malicious users from simply using common sense to find out email addresses or user names for important systems.
3. Passwords/PINs should be alphanumeric; having pure digits makes it too easy for someone with time and resources to break. Having uppercase and lowercase alphanumeric passwords with special characters and a minimum length of 8 characters makes it very difficult to guess a password. The argument can be the storage taken in the repository for such passwords; well, that's a sacrifice that must be made to ensure security and privacy.
4. SSNs shouldn't be used in tests and assignments. Many students simply throw away papers that a passerby can pick up and obtain the SSN from. Yes, it makes it easier for faculty members to assign grades, but taking an extra 5 minutes to create a new identity for the student protects them in the long run.

The solutions to this problem are out there, but the question remains how many people will actually take the time to implement them to better serve the clients. I only hope that by the time this article is finished I am still in school and haven’t been dropped from my classes by someone nosing around and finding my records.
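The draft above argues about keyspace sizes (a 4-digit PIN at one guess per second) and proposes a password policy in point 3. The following is an added example written for this page, not code from the thread or from any university system: it sizes the PIN and password keyspaces the draft compares, checks candidate passwords against a policy like the one proposed, and shows the one control the keyspace arithmetic leaves out, a per-account lockout after a few consecutive failures. All function names, the lockout threshold and the sample passwords are this example's own assumptions.

```python
"""Added example (not part of the thread or any university's code): sizing
the PIN/password keyspaces the draft discusses, checking candidates against a
policy like the one proposed in point 3, and counting how far an online
guesser gets once a lockout is in place. Names and thresholds are assumed."""

import string
from dataclasses import dataclass, field

DIGITS = string.digits              # 10 symbols
LOWER = string.ascii_lowercase      # 26 symbols
UPPER = string.ascii_uppercase      # 26 symbols
SPECIAL = string.punctuation        # 32 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, guesses_per_second: float = 1.0) -> float:
    """Worst-case wall-clock hours to try every value at a fixed guess rate."""
    return space / guesses_per_second / 3600.0


def check_policy(candidate: str, min_length: int = 8) -> list:
    """Return the policy rules `candidate` violates; an empty list means it is
    accepted. Rules: minimum length, at least one lowercase letter, one
    uppercase letter, one digit and one special character."""
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    for name, cls in (("lowercase letter", LOWER), ("uppercase letter", UPPER),
                      ("digit", DIGITS), ("special character", SPECIAL)):
        if not any(c in cls for c in candidate):
            problems.append("no " + name)
    return problems


@dataclass
class LockoutPolicy:
    """Per-account counter of consecutive failed logins (assumed threshold: 5).

    Keyspace arithmetic assumes the guesser may keep trying indefinitely; an
    online lockout after a few failures stops an exhaustive search long before
    even the 4-digit space is covered.
    """
    max_failures: int = 5
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> bool:
        """Count one failed attempt; return True once the account is locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login clears the failure counter."""
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.max_failures


def attempts_before_lock(policy: LockoutPolicy, account: str, space: int) -> int:
    """Worst case for the guesser: every attempt is treated as wrong, and we
    count how many distinct values can be tried before the lockout stops it
    (capped at `space`, the full keyspace)."""
    tried = 0
    while tried < space and not policy.is_locked(account):
        policy.record_failure(account)
        tried += 1
    return tried


if __name__ == "__main__":
    for label, size, length in (("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                                ("8-char mixed password", 10 + 26 + 26 + 32, 8)):
        space = keyspace(size, length)
        print("%-22s %20d values, %.1f h at 1 guess/s"
              % (label, space, hours_to_exhaust(space)))
    for pw in ("19850413", "Summer2004!", "Kj7#pQ2z"):   # constructed samples
        print(pw, "->", check_policy(pw) or "accepted")
    print("guesses allowed before lockout:",
          attempts_before_lock(LockoutPolicy(), "student@example", keyspace(10, 4)))
```

Run stand-alone, the script prints the three keyspaces with their exhaustive-search times at the draft's one-guess-per-second rate, the policy verdict for each sample password, and the number of guesses an online attacker gets before the assumed five-failure lockout, which is what turns a 10000-value space from "hours" into "not reachable without first defeating the lockout".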
Old 02-27-2004, 10:02 AM
  #7  
sinthetiq
.
 
Join Date: Mar 2002
Posts: 10,995

univ of calif., irvine (http://www.uci.edu/)

sid# + personal pin# = access your info via telnet or web
username + your own password = access to your @uci.edu email

directory listing by default lists your address, name, major, ph#
can be changed to list none

I don't remember my socsec# on anything besides finaid paperwork.

We did, however, turn in papers/homework/tests with only our student ID# (8 digits, assigned by the school) instead of our names for grading anonymity.
Old 02-27-2004, 10:09 AM
  #8  
Kestrel
Push to shock!
 
Join Date: Sep 2002
Location: Palo Alto, CA
Posts: 4,583

U of Michigan Ann Arbor
directory.umich.edu by default lists your name, major, school and home address, school and home phone number, but can be changed to not display those things.

Access to information is based on a login which is identical to email address. Password is set initially by IT services, but password changes require a password that does not look like a word, and contains letters and numbers.

Stanford Univ
stanfordwho.stanford.edu lists only the information you want it to. You must log in to get more information.

Access to information is also based on a login identical to an email address. Password is set by you, but can be anything greater than 6 characters.
Old 02-27-2004, 10:14 AM
  #9  
qtiger
Moderator
 
Join Date: Jun 2001
Posts: 11,776

Want to hear something scary? Eastern Michigan University uses telnet for all computer science logins onto the alpha cluster and linux servers, students and profs both, for compiling purposes.

What do you think the chances are that all of the professors actually have separate passwords for their grade administration and their telnet login?
Old 02-27-2004, 10:17 AM
  #10  
LT
The deer had to die!
 
Join Date: Jun 2002
Location: Fussa, Japan
Posts: 39,835

Pennsylvania State University

http://www.psu.edu/ph/ - Directory is public

Username in school email address accesses everything. Passwords are assigned using alphanumerics, but can be custom with alphanumerics.

