Internet not seen as fool-proof to hackers
By Brian Brannon
Online Forty-Niner
As Cal State Long Beach builds more links to the information superhighway with programs like My CSULB and Beachboard, the university and its vendors must remain constantly vigilant to protect students, staff and faculty from intellectual and identity theft. The computer industry has long recognized that no Web-based system is completely invulnerable to hackers, so any information that is available over the Internet could eventually fall prey to someone determined enough to find it.

Beachboard is currently in use as a teaching tool at the university, while My CSULB serves as a portal to the campus Common Management System Student Administration system, which contains an abundance of personal information on students.
CMS Project Director Janet Foster said, "The CMS Student Administration system stores all aspects of a student's academic career at CSULB, including academics and enrollment, finances and aid, and personal information such as address, phone number, and email address."

Multiple layers of security are in place to protect students' personal information, she said, including application security, logon security, database security, encryption, Secure Sockets Layer and network security.

"In addition, the campus has stringent security plans and procedures for granting access to the system, and they are rigorously adhered to," she said.
The My CSULB system is powered by software from PeopleSoft of Pleasanton, according to Hoovers Online, a database of business information. The entire CSU system is slated to eventually use PeopleSoft's CMS.

A March 2003 report by the California State Auditor found that the system would exceed its estimated cost by $200 million, for a total of $662 million, the Daily Forty-Niner reported last year.
A non-profit corporation called MITRE works in partnership with the federal government to maintain the Common Vulnerabilities and Exposures (CVE) database on computer programs. The database lists a history of security problems in software designed by the companies that power My CSULB and Beachboard. The CVE database lists six security vulnerabilities in PeopleSoft software, ranging in severity from high to low.

SecuriTeam is a group of computer vulnerability experts from Beyond Security, an organization that provides security assessment technologies. The team found problems with PeopleTools software, which is used in a number of applications, including PeopleSoft's Human Capital Management, Customer Relationship Management, Enterprise Performance Management and Financial Management Solutions products.
The report states: "Attackers can use an XML External Entities (XXE) attack to read any file on the vulnerable PeopleSoft application server under the security context of the Web server process. This attack may lead to the exposure of confidential information stored in vulnerable PeopleSoft installations."
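The mechanism the report describes, seen from the defender's side, as an added example that is not part of this article or of SecuriTeam's report: the same XML document is parsed once by a parser that follows external entities and once by one configured not to, using Python's standard `xml.sax` module. The throw-away config file, its secret value and the hostile document are all constructed for the demo; what it shows is that the only difference between "file contents handed to the application" and "nothing" is one parser feature, and that refusing DTDs from untrusted input closes the class entirely. Recent Python versions already default the feature off, which is exactly the setting the hardened path relies on.

```python
"""XXE demonstration: one XML document, parsed with external entity
resolution on and off.  Added example; file name, secret and the
document below are constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed secret standing in for a config file on the app server.
SECRET = b"db_password=constructed-example-secret"


class TextCollector(handler.ContentHandler):
    """Collects the character data of every element into one string."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_with_entities(xml_bytes, resolve_external):
    """Parse with xml.sax, optionally letting the parser follow external
    general entities: the single setting that makes the file read possible."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_untrusted(xml_bytes):
    """Hardened entry point for XML from the network: refuse any document
    that carries a DTD at all, then parse with external entities off."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD declarations are not accepted from untrusted input")
    return parse_with_entities(xml_bytes, resolve_external=False)


def build_attack_document(path):
    """A constructed request body of the shape used in an XXE attack: an
    external entity whose SYSTEM identifier is a local file path."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE request [\n'
        b'  <!ENTITY secret SYSTEM "' + path.encode() + b'">\n'
        b']>\n'
        b'<request><field>&secret;</field></request>'
    )


def run_demo():
    """Write a throw-away 'config file', then parse the hostile document
    three ways.  Returns what each parser handed to the application."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.conf")
        with open(path, "wb") as f:
            f.write(SECRET)
        doc = build_attack_document(path)
        results = {
            "external_entities_enabled": parse_with_entities(doc, True),
            "external_entities_disabled": parse_with_entities(doc, False),
        }
        try:
            parse_untrusted(doc)
            results["hardened_parser"] = "accepted"
        except ValueError as exc:
            results["hardened_parser"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The same two controls apply to any parser, whatever the language: turn off external entity resolution, and reject documents that declare a DTD when the application has no reason to accept one.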
Upon discovering the vulnerabilities, the team contacted PeopleSoft and reports that the company addressed all of the issues in version 8.19 of the PeopleTools software.

A report on the CVE Web site published prior to November 17, 2003, was rated with a severity level of high. It reads: "Cross-site scripting vulnerabilities in Blackboard 5 allow remote attackers to execute arbitrary web script via (1) the course_id parameter in a link to login.pl, (2) the CTID parameter in ProcessInfo.cgi, or (3) the Message parameter in index.cgi."
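The pattern behind that CVE text, as an added example that is not part of the article or the advisory: a request parameter echoed back into a page without encoding, beside the context-aware encoding that prevents it. `login.pl` and `course_id` are the names quoted above; the page fragment, the probe string and the check are constructed for the demo and say nothing about how Blackboard's actual pages were built.

```python
"""Reflected cross-site scripting: a parameter spliced into a page as
received, versus encoded for the context it lands in.  Added example;
the page layout and probe are constructed for the demo."""
import html
import re
from urllib.parse import quote

# Constructed probe of the kind a scanner sends: it closes the attribute
# it lands in and opens a script element.
PROBE = '"><script>alert(1)</script>'


def render_unsafe(course_id):
    """The vulnerable pattern: the parameter goes into a URL attribute and
    into the visible page text exactly as it arrived in the request."""
    return (
        f'<a href="login.pl?course_id={course_id}">Log in</a>\n'
        f'<p>Course {course_id}</p>'
    )


def render_safe(course_id):
    """Hardened: encode for each context separately.  A query-string value
    gets URL encoding; text and attribute content get HTML entity encoding
    (quote=True also escapes the quote characters that close an attribute)."""
    return (
        f'<a href="login.pl?course_id={quote(course_id, safe="")}">Log in</a>\n'
        f'<p>Course {html.escape(course_id, quote=True)}</p>'
    )


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reflects_script(page):
    """The check a tester runs over the response: did a script element
    appear in the rendered page?"""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("unsafe reflects script:", reflects_script(render_unsafe(PROBE)))
    print("safe reflects script:  ", reflects_script(render_safe(PROBE)))
```

The point of the two encoders is that the right encoding depends on where the value lands: URL encoding inside a query string, entity encoding inside element text or an attribute. Using one encoding everywhere, or none, is what produces this class of finding.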
The other CVE report on Blackboard rated with a high severity level was published prior to July 18, 2000, and reads: "Blackboard CourseInfo 4.0 stores the local and SQL administrator user names and passwords in cleartext in a registry key whose access control allows users to access the passwords."

Blackboard 6.0 is currently in use by the CSU. The system is an improvement on earlier versions and likely takes the published vulnerabilities into account. SecuriTeam contacted Blackboard after finding a vulnerability in version 5.0 of the system and says it was impressed with the response.
"The Blackboard team was concerned, quick to respond, open to suggestions, professional, and even took the time to teleconference," the SecuriTeam Web site states.

However, an April 18, 2003, article in the Washington Post describes a security flaw in another Blackboard product, a smart card system reportedly in use on 200 college campuses.
The Blackboard Transaction System is used at Georgia Tech to provide university debit cards for access to laundry and vending machines. Two students, Billy Hoffman, a computer science major at Georgia Tech, and Virgil Griffith, a student at the University of Alabama, found out how to access the system for free use of laundry machines and were served court orders to prevent them from speaking at a hackers' convention about the vulnerabilities they discovered.

Because neither Hoffman nor Griffith was allowed to share their findings, computer scientist John R. Hall published the information on the edifyingfellowship.org Web site. He said, "BTS relies mainly on physical security; that is, it makes very little effort to protect its data electronically. The physical security of the data lines is critical. Trouble is, this physical security is often incredibly weak."
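What "protecting its data electronically" would mean for a line like this, as an added example that is not part of the article and is not Blackboard's protocol: each transaction carries a message authentication code under a key the terminal and server share, and a per-terminal counter that the server requires to increase. Tampering with a message on the wire then fails the tag check, and replaying a captured one fails the counter check, whether or not the cable is physically guarded. The key, terminal identifier and message layout are constructed for the demo.

```python
"""Message authentication and replay protection for a transaction line.
Added example; key, terminal ids and message layout are constructed."""
import hashlib
import hmac
import json

# Constructed shared secret.  In practice each terminal is provisioned
# with its own key out of band; the key itself never crosses the line.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def sign_transaction(key, terminal_id, counter, amount_cents):
    """Terminal side: serialise the debit request deterministically and
    append an HMAC-SHA256 tag computed over the serialised bytes."""
    payload = json.dumps(
        {"terminal": terminal_id, "counter": counter, "amount": amount_cents},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class TransactionVerifier:
    """Server side: reject anything whose tag does not verify (altered or
    forged on the wire) and anything replayed (counter not increasing)."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}

    def verify(self, wire_bytes):
        try:
            payload, tag = wire_bytes.rsplit(b"|", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the tag check leaks no timing.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        msg = json.loads(payload)
        if msg["counter"] <= self.last_counter.get(msg["terminal"], -1):
            return False, "replay"
        self.last_counter[msg["terminal"]] = msg["counter"]
        return True, msg


def run_demo():
    """One genuine message, then the same bytes altered on the wire, then
    the genuine bytes sent a second time.  Returns the verdict for each."""
    verifier = TransactionVerifier(DEMO_KEY)
    genuine = sign_transaction(DEMO_KEY, "laundry-07", 1, 150)
    tampered = genuine.replace(b'"amount": 150', b'"amount": 0')
    return {
        "genuine": verifier.verify(genuine)[1],
        "tampered": verifier.verify(tampered)[1],
        "replayed": verifier.verify(genuine)[1],
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The counter state has to survive server restarts, and a real deployment would also bind a timestamp or a server-issued nonce so that a message signed long ago cannot be held back and submitted later; the demo keeps only the two checks the passage motivates.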
Greg Baker, vice president of product development for the Blackboard Transaction System, said in an April 18, 2003, Washington Post article that the court orders were necessary to maintain public confidence in the product.

"We weren't really worried about security of the system. We were worried about the reputation of the system," he said.