[ISN] Virginia Western student prompts quick fix of computer security

InfoSec News isn at c4i.org
Mon Sep 26 00:04:31 EDT 2005


By Cody Lowe
The Roanoke Times 
September 23, 2005

Every student, faculty member and staffer in the Virginia Community
College System is being alerted to a significant threat to its online
access system.

A Virginia Western Community College student contacted The Roanoke
Times this week about the potential for outsiders to gain easy access
to students' e-mail addresses and default passwords - their birth
dates - through a national online directory called Facebook.

After the newspaper contacted the statewide system's administrators in
Richmond, they began pushing up the implementation of new login
procedures for all of the state's 23 community colleges.

"The student who reported this to you did us quite a service," said
David Harrison, head of Technical Support Services at Virginia

It wasn't that the system's administrators weren't aware of the
potential problem, said Neil Matkin, Richmond-based vice chancellor
for information technology for the 350,000-student statewide system.  
But the knowledge that word was spreading about the chink in the
system's armor prompted immediate action, rather than waiting for
spring, he said.

The system's technology council, with representatives from each
school, is scheduled to vote in a conference call today on
implementing changes to help reduce the risks. Among the options would
be to compel students to change their passwords the first time they
enter the system.

In the meantime, Harrison said, everyone with a Virginia community
college e-mail address is being alerted to the potential problem.

"We're highly advising anybody using their default password to change
it immediately," Harrison said. "We're also putting messages out on
all the home pages of the services we offer."

He's also recommending students remove their addresses from the
Facebook Web site.

Facebook - www.thefacebook.com - provides a way for college students
to meet each other by posting a picture and personal profile online,
accessible by others who have legitimate college e-mail addresses. It
now has 3 million users nationwide at 800 colleges.

The Roanoke student who noticed the problem, Joe Swindell, might be
called an anti-hacker.

When he found the vulnerability, he worried that it was distressingly
easy for a hacker - even the most unsophisticated one - to gain access
to students' personal accounts. He decided to contact the newspaper.

Swindell worked as a security technician assistant as a student at
Lees-McRae College in North Carolina last year, he said, so when he
noticed the flaw in the Virginia Western system, "I ran off with

Swindell confirmed that most of the users included their birth dates
in their profiles. That's when the red flag went up.

The Virginia Community College System automatically assigns students
their birth dates as their passwords to access all their college
accounts online. While students are "strongly encouraged" to change
the passwords once they enter the system, Harrison said, many do not.

So anyone with access to Facebook could look up other students at
Virginia Western, get their e-mail addresses and birth dates, then
access their personal accounts.

A hacker could wreak havoc by changing the password, submitting bogus
e-mail, or - at the right time of the year - even enrolling the other
student in classes or dropping the student from them.
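
The forced first-login password change the technology council is weighing, combined with a check that refuses new passwords built from the birth date described above, could look like the sketch below. It is an added example, not code from the article or from the college system; the Account record, the function names, the birth-date layouts, the 10-character minimum and the PBKDF2 settings are all assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import date

# Assumed digit layouts for a birth date typed as a password; the article
# does not say which layout the college system used.
DOB_FORMATS = ("%m%d%Y", "%m%d%y", "%Y%m%d", "%d%m%Y")

def dob_variants(dob: date) -> set:
    return {dob.strftime(f) for f in DOB_FORMATS}

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:                      # hypothetical account record
    email: str
    dob: date
    salt: bytes
    digest: bytes
    must_change: bool = True        # set at provisioning

def provision(email: str, dob: date, initial_password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, dob, salt, pw_hash(initial_password, salt))

def login(acct: Account, password: str) -> str:
    if not hmac.compare_digest(pw_hash(password, acct.salt), acct.digest):
        return "denied"
    # A correct initial password only unlocks the change-password screen.
    return "change_required" if acct.must_change else "ok"

def derived_from_dob(acct: Account, candidate: str) -> bool:
    # Strip separators and letters so "01-15-1987!!" is still caught.
    digits = "".join(c for c in candidate if c.isdigit())
    return any(v in digits for v in dob_variants(acct.dob))

def change_password(acct: Account, old: str, new: str) -> str:
    if login(acct, old) == "denied":
        return "denied"
    if new == old or len(new) < 10 or derived_from_dob(acct, new):
        return "rejected"
    acct.salt = os.urandom(16)
    acct.digest = pw_hash(new, acct.salt)
    acct.must_change = False        # cleared only by a successful change
    return "changed"
```

With this gate, knowing a student's e-mail address and birth date gets a caller no further than the change-password step, and the birth date cannot be chosen again as the new password.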

Swindell's concern was "very well founded," conceded Matkin, even
though it is difficult to determine exactly how many of the system's
students also use Facebook or have their birth dates listed there.

Matkin said the computer code to fix the problem has been ready for
months. The colleges delayed implementing it this fall, however,
because they were upgrading a group of other major systems for
students and hoped to minimize confusion and pressure on each
college's help desk.

"We were trying to make [the entire process] student friendly, making
the password something that was easily remembered," but wouldn't be
commonly known, Matkin said. "You don't wear it on your forehead."

However, "Facebook has caused unprecedented problems," he said. "We
didn't expect that."

Harrison said he believes students are sometimes too lax about what
they post.

"It's a case of providing a little too much personal information" in a
place where it can be seen by millions of people, Harrison said. "With
the Internet, people don't have to fish for information; a lot of
times you just give it to them."

"Somehow we have to get out to students good security practices. A lot
of the information they put on the Internet, they don't realize can be
used for bad things. This is one of those things."

"There is a chance absolutely nothing will happen, but it's one that
we're concerned about," Harrison said. "It's very important to us that
we maintain data integrity."

Swindell said he just wanted to help.

"I'm only trying to point out the problem. Something needed to be
changed. ... I think this is great."
