What to do if you notice...

Printable View

January 29th, 2004, 01:49 AM
TheTempest

What to do if you notice...

Hey,

At the college I currently attend, they have an E-Portal, which students may use to access there online quizes and checkup on their progress in some of there courses. however, the system is designed to ask you for a user/pass combo before allowing you access to the site.

the problem is that in order to obtain this user/pass combo, you need to enter in your social security number over an uncrypted connection (no SSL) =(

My question is simple: How do I get them (the IT department) to take me seroiusly about this security threat?

To me it would be EXTREAMLY simple to exploit this weakness because they also use a wireless network, with no encrpytion or authentication, thus, allowing any average job the ability to sniff the connection on the schools end.

Any information would be greatly appricated
Thanks
January 29th, 2004, 02:01 AM
Tedob1

screw the IT dept, they are not going to cover your losses if you get ripped off. look for articles to show the administration what kind of coverage they'll get if it happens to them and a letter explaining the reasons you have for sending them

http://www.wired.com/news/culture/0,1284,44501,00.html

http://www.wsusignpost.com/vnews/dis.../3e6eb930e8812

http://iml.jou.ufl.edu/projects/Spri...tybreaches.htm

<google using 'social security college network hacked'>

if you get no response gather this info this and print up hand outs to pass out to everyone. find someone (or more) that shares your disdain for this practice to help you

...you were expecting maybe i should say "go ahead and hack it"...not a chance
January 29th, 2004, 02:54 AM
groovicus

You might want to anonymously "tip off" the local press... in light of the current worm traffic, they might be interested...

Then again, on the other hand, if the paper decides to print the story, it may tip off unscrupilous vermin and actually make the school network more of a target.

Can you just go into the IT office, or admissions, or wherever, to pick up your user name password combo? That's what they do here.
January 29th, 2004, 08:44 PM
Lansing_Banda

Actually they are trying to pass a bill right now in congress which wouldn't allow colleges to use SS numbers so freely. In Alabama, your SS number is dubbed your "Student ID" and you use it for everything. I think it is stupid as hell seeing as your SS number is basically a portal into your information. Who's bright idea was this anyways? Anyways, article here:

http://www.chron.com/cs/CDA/ssistory...lature/1812769

(that isn't the story I read but it is an example)
January 29th, 2004, 09:09 PM
phishphreek

Quote:

In Alabama, your SS number is dubbed your "Student ID" and you use it for everything.

Same at my college too. They even post the SSN's on grade sheets hanging outside the classrooms! I'd rather someone know what I got in my class, rather than someone knowing which SSN got the 'A'.

Lets see... there are 4 'A's on this test. (Me sits there with a huge smile along with three others)... someone goes out and looks a the grade sheet. Hmm... they can guess my SSN. Chances are 1 in 4. And seeing that I don't hide the fact that I wasn't born in the same state as everyone else... One of these SSNs don't belong here... which one is it? Duh!

I request that my professors email me my grade rather than including my info on the sheets they post and for the reason I explained above.

I really hope that they pass this bill.

Just like they used to make you put your SSN on your drivers license... How stupid is that?

Oops! I lost my wallet. Now they have my name, address, and SSN. What more do they need?
January 29th, 2004, 09:20 PM
TheTempest

does anyone know of any articles or press releases of things like this that have been comprised before, such as UT Austin Jan, 2003.

I'm looking for some technicaly oriented articles and tutorials. Thanks