http://www.roanoke.com/news/roanoke/wb/wb/xp-33313

By Cody Lowe
The Roanoke Times
September 23, 2005

Every student, faculty member and staffer in the Virginia Community College System is being alerted to a significant threat to its online access system.

A Virginia Western Community College student contacted The Roanoke Times this week about the potential for outsiders to gain easy access to students' e-mail addresses and default passwords - their birth dates - through a national online directory called Facebook.

After the newspaper contacted the statewide system's administrators in Richmond, they began pushing up the implementation of new login procedures for all of the state's 23 community colleges.

"The student who reported this to you did us quite a service," said David Harrison, head of Technical Support Services at Virginia Western.

It wasn't that the system's administrators weren't aware of the potential problem, said Neil Matkin, Richmond-based vice chancellor for information technology for the 350,000-student statewide system. But the knowledge that word was spreading about the chink in the system's armor prompted immediate action, rather than waiting for spring, he said.

The system's technology council, with representatives from each school, is scheduled to vote in a conference call today on implementing changes to help reduce the risks. Among the options would be to compel students to change their passwords the first time they enter the system.

In the meantime, Harrison said, everyone with a Virginia community college e-mail address is being alerted to the potential problem.

"We're highly advising anybody using their default password to change it immediately," Harrison said. "We're also putting messages out on all the home pages of the services we offer."

He's also recommending students remove their addresses from the Facebook Web site.

Facebook - www.thefacebook.com - provides a way for college students to meet each other by posting a picture and personal profile online, accessible by others who have legitimate college e-mail addresses. It now has 3 million users nationwide at 800 colleges.

The Roanoke student who noticed the problem, Joe Swindell, might be called an anti-hacker. When he found the vulnerability, he worried that it was distressingly easy for a hacker - even the most unsophisticated one - to gain access to students' personal accounts. He decided to contact the newspaper.

Swindell worked as a security technician assistant as a student at Lees-McRae College in North Carolina last year, he said, so when he noticed the flaw in the Virginia Western system, "I ran off with that."

Swindell confirmed that most of the users included their birth dates in their profiles. That's when the red flag went up.

The Virginia Community College System automatically assigns students their birth dates as their passwords to access all their college accounts online. While students are "strongly encouraged" to change the passwords once they enter the system, Harrison said, many do not.

So anyone with access to Facebook could look up other students at Virginia Western, get their e-mail addresses and birth dates, then access their personal accounts. A hacker could wreak havoc by changing the password, submitting bogus e-mail, or - at the right time of the year - even enrolling the other student in classes or dropping them.

Swindell's concern was "very well founded," conceded Matkin, even though it is difficult to determine exactly how many of the system's students also use Facebook or have their birth dates listed there.

Matkin said the computer code to fix the problem has been ready for months. The colleges delayed implementing it this fall, however, because they were upgrading a group of other major systems for students and hoped to minimize confusion and pressure on each college's help desk.

"We were trying to make [the entire process] student friendly, making the password something that was easily remembered," but wouldn't be commonly known, Matkin said. "You don't wear it on your forehead."

However, "Facebook has caused unprecedented problems," he said. "We didn't expect that."

Harrison said he believes students are sometimes too lax about what they post.

"It's a case of providing a little too much personal information" in a place where it can be seen by millions of people, Harrison said. "With the Internet, people don't have to fish for information; a lot of times you just give it to them."

"Somehow we have to get out to students good security practices. A lot of the information they put on internet, they don't realize can be used for bad things. This is one of those things."

"There is a chance absolutely nothing will happen, but it's one that we're concerned about," Harrison said. "It's very important to us that we maintain data integrity."

Swindell said he just wanted to help.

"I'm only trying to point out the problem. Something needed to be changed. ... I think this is great."