Educause Security Discussion mailing list archives
Re: University credentials used by third parties
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Tue, 17 Aug 2010 12:05:41 -0700
I will reserve comment on the gambling portion of the question because that is just bizarre and I don't have much to say about that. Regarding a third-party website having a student's credentials cached, this is certainly true of RIM for the unmanaged Blackberry IMAP Service and Gmail for anyone who wants to download their campus mail to a Gmail account (unless they set up forwarding, which I think a fair number of our students do instead). If you are publishing IMAPS or POPS services to the world, then there's a high chance that someone will use some outside email provider to connect to your campus email server with POPS or IMAPS and download their mail (and have their credentials cached in the process). Unfortunately, this could include http://www.haxor_bobs_email_emporeum.com or some similarly shady service provider with very lax security. This is really only a major problem if your email credentials are the same as your campus login/SSO credentials (which they are for us).

However, for people that run wireless networks that require authentication, you also need to look out for companies like this: http://devicescape.com/ which allows people to cache their wireless credentials on their server so that your mobile devices can automatically log in to wireless networks with a captive portal. This is from the Devicescape FAQ:

"Are my hotspot passwords stored on my device? No, the username and password used to log in to a public hotspot is not stored on your device. Instead, our web service stores this information and supplies it to your device on-demand when the device wants to log on. Note, however, that information about your personal networks, such as security keys, is stored on your device."

I'm not sure what the answer to this problem is, but I definitely agree that it's a problem. I don't like the idea of RIM (the maker of Blackberry devices) caching usernames and passwords, but I like it a lot more than some random website built around gambling on grades.

Part of this could probably be solved via policy and training (explicitly telling students not to cache their credentials on outside websites) with maybe some technical controls (firewalling off certain service providers), but ultimately it is out of our control. It will be almost impossible to tell the difference between some web application logging in on behalf of the student versus the student doing it themselves. I definitely recommend separating email credentials from login credentials whenever possible, simply because it is more likely that email credentials would get cached in more places (not only in online service providers but also on mobile devices with email functionality and desktop email applications (Outlook, etc.)).

-Adam

Justin Sherenco wrote:
Hello,

Recently a local on-line news site (http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/) wrote an article about a new website that lets students bet on their own grades. The betting aspect aside, I was intrigued by this line: "they have to register and upload their schedules to grant the site access to school records." To investigate further I went through the account setup process and found that the student has the option to allow the site to automatically download their student records (see attached ultinsic2.jpg). It actually asks for their academic user name and password! EMU is currently not on their list of supported schools, but they mention they will be rolling out nationally.

We have policies and standards in place that say don't give out your password, and in my opinion giving credentials to this site would violate them. Are there any other Universities investigating the use of usernames and passwords used by third party web applications not sanctioned by the University? Any talk on actually blocking a site like this from automatically logging in (system stability/privacy/security issues?) or is this more of users choice?

Regards,
Justin

-------------------------------------
Justin Sherenco, CISSP
Eastern Michigan University
Security Analyst
http://it.emich.edu/security
--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis
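One defender-side check that follows from the point above about outside providers polling campus IMAPS/POPS on students' behalf (an added example, not code from either poster or from the list): a single student logs in as one account from a few addresses, while a mail-fetching service logs in as many different accounts from a small pool of its own addresses, so counting distinct accounts per source IP in the IMAP login log gives a review queue for the "firewall off certain service providers" control. The log lines are constructed, loosely in the shape of Dovecot's imap-login lines rather than copied from any real server, and the threshold and function names are this example's own assumptions.

```python
"""
Flag IMAP source addresses that authenticate as many distinct accounts.

The credentials presented by a third-party fetcher and by the student are
identical, so the login itself cannot be told apart. The fan-out per source
address can: one provider address polling on behalf of dozens of students
stands out against individual clients.
"""
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on the "imap-login: Login:" lines
# a Dovecot server writes; they are not taken from any real system.
SAMPLE_LOG = """\
Aug 17 09:01:12 mail imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 17 09:01:13 mail imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 17 09:01:15 mail imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 17 09:01:16 mail imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 17 09:01:20 mail imap-login: Login: user=<erin>, method=PLAIN, rip=203.0.113.11, lip=192.0.2.5, TLS
Aug 17 09:02:02 mail imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
Aug 17 09:02:40 mail imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
Aug 17 09:03:11 mail imap-login: Login: user=<frank>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.5, TLS
"""

# Successful-login lines only; "rip" is the remote (client) address.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def parse_logins(log_text):
    """Yield (user, remote_ip) for each successful login line; skip the rest."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), m.group("rip")


def accounts_per_source(log_text):
    """Map each remote IP to the set of distinct accounts it logged in as."""
    seen = defaultdict(set)
    for user, rip in parse_logins(log_text):
        seen[rip].add(user)
    return seen


def shared_credential_fetchers(log_text, threshold=3):
    """Return {ip: sorted accounts} for IPs that authenticated as at least
    `threshold` distinct accounts. The threshold is a tuning knob (an
    assumption of this example): a NAT'd residence-hall address can also show
    many users, so hits are a queue for review (whois/ASN lookup), not an
    automatic block."""
    return {
        ip: sorted(users)
        for ip, users in accounts_per_source(log_text).items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for ip, users in shared_credential_fetchers(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct accounts -> {', '.join(users)}")
```

On the constructed sample only 203.0.113.10 crosses the threshold; the two logins from 198.51.100.7 are the same account and are left alone. Because the check keys on source fan-out rather than on the credential, it is equally useful after email and SSO credentials have been separated, when the only thing a cached email password unlocks is the mailbox.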