Co-written by Richard Mitchell
Our reporter has discovered that since at least January 2007 it has been possible to access any former student's account with just a student's date of birth. This meant that a person's address, telephone number, course modules, degree class and university number could all be seen.
Even after a student reported the fault, 14 days passed before the system was disabled, with it finally being rectified on 4th March.
Student Administrative Services had decided to allow continued access for graduates after their Computing Service user accounts had expired.
The problem with the graduate account had been known for some time. Student Administrative Services had suggested that access should be retained until an alternative could be found.
Head of Information Systems Kay Mills-Hicks said: "The university introduced the online access procedure to e:Vision to make it easier for leaving students to complete graduation and DLHE questionnaires."
Graduates now have to telephone or email the department to complete a series of security questions for access.
The problem also affected current students' accounts. It was possible to log in to an account with a username and date of birth and view the following details: the undergraduate's address, telephone number, course modules, supervisors, university number and examination number. The address and telephone number could also be edited.
The undergraduate problem arose at the time that graduate access was enabled and was not known to Computing Services until 29th February. It has been explained as a "configuration error". This had been tested by the Computing Service, showing a gap in the testing procedure.
The problem has been described by Mills-Hicks and Manager of Student Administrative Services Rosemary Royds as "very serious" and "unacceptable". Mills-Hicks said that Computing Service is "embarrassed" by the issue whilst Student Administrative Services are "concerned".
With the advent of social networking sites, such as Facebook, the information required to access an e:Vision account is often readily available, as many students, past and present, publish both their email address and date of birth.
An investigation by the university's Data Protection Officer, Charles Fonge, will look into both the handling of the problem and how it arose in the first place.
Mills-Hicks said: "The university is conducting a detailed investigation into the circumstances, the results of which will be published, subject to legal provisions."
This suggests that the results of the investigation may not be made public due to the naming of specific employees, although certain members of the YUSU executive might have access to the findings.
The investigation will seek to identify if a student's account has been unlawfully accessed, although it may be impossible to do so unless students know that someone else has had access. If it is discovered that there was illegal access, charges could be brought under the Computer Misuse Act, as well as internal disciplinary proceedings.
e:Vision was developed by the Tribal Group and is in use at over 30 academic institutions worldwide.
Who? What? When? How? The timeline of events
Sounds like Computing Services also have no clear policy on what to do with security disclosures and also troublesome internal communication.
Also, from a technical point-of-view, the SITS server seems to be running a standard Apache server. Surely that has logs that can be analysed to discover anyone who has logged in through that method? Keeping audit logs should be part of any data leak prevention policy. If it's used in America, I'd be heavily surprised if SITS didn't have a built-in transaction auditing mechanism (it seems to be able to be used to handle financial information, and so will have to comply with Sarbanes-Oxley).
Clearly page accesses are logged, but not the passwords used to log in, Chris. There would be no way to separate fraudulent logins using the method described above from legitimate ones.
I assumed that it would go through a different sequence of pages to log in, rather than a standard login page. That was just a guess though!
Plus, at least using that method the University could identify which users were potentially compromised (surely most users don't check their eVision all that regularly, so only a certain subset would have logged in during the time the vulnerability was present) and notify all users who supposedly logged in of the details of when a login happened and ask them to verify if it was them or not? The University should be at the very least notifying all users that this breach has occurred and asking them to verify that no-one's edited their details, and to be aware that their details may have been compromised.
Nothing that could stand as admissible evidence though, Chris. I agree, the students (especially the graduates) should have been informed. It was public knowledge for some considerable period that the graduate accounts could be accessed with date of birth. Hopefully the undergrad issue was not discovered by anyone else prior to us notifying Computing Services.
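The exchange above suggests using the system's login logs to work out which accounts were accessed while the weak login path was live, and then telling those account holders to check their details. The script below is an added example of that triage, written for this page; it is not the article's, the university's or e:Vision's code. The log format, the usernames, the IP addresses and the exposure window dates are all constructed placeholders. As the reply points out, a log that does not record the authentication method cannot tell a date-of-birth login from a password login, so the script treats every login inside the window as potentially affected, flags accounts whose contact details were edited, and lists source addresses seen on more than one account as leads for the investigation rather than as proof of anything.

```python
"""Added example (not from the article or from e:Vision/Tribal): triage a
login log for accounts that authenticated while a weak login path was
enabled, so their owners can be asked to check their records.

Everything here is constructed: the log format, usernames, IPs and window
dates are hypothetical placeholders, not values from the article."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one event per line (timestamp, event type, user, source IP).
# The authentication method is not logged, so a date-of-birth login cannot be
# distinguished from a password login; every login in the window is suspect.
SAMPLE_LOG = """\
2008-01-05T12:00:00Z LOGIN user=ghi000 ip=203.0.113.5
2008-02-10T09:12:44Z LOGIN user=abc123 ip=192.0.2.10
2008-02-10T09:15:02Z EDIT_CONTACT user=abc123 ip=192.0.2.10
2008-02-20T22:41:13Z LOGIN user=xyz789 ip=198.51.100.7
this line is corrupt and should be skipped
2008-02-21T10:00:00Z LOGIN user=jkl111 ip=192.0.2.10
2008-03-06T08:00:00Z LOGIN user=def456 ip=192.0.2.10
"""

# Hypothetical exposure window: from when the weak path went live until it was
# disabled. Both ends inclusive.
WINDOW_START = datetime(2008, 1, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2008, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Parse the constructed format into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole triage
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return events


def triage(events, start=WINDOW_START, end=WINDOW_END):
    """Return {user: {"logins": [...], "ips": set, "edited": bool}} for every
    account with a LOGIN inside the window. "edited" marks accounts whose
    contact details were changed in the window and so need a closer look."""
    summary = defaultdict(lambda: {"logins": [], "ips": set(), "edited": False})
    for e in events:
        if not (start <= e["ts"] <= end):
            continue
        if e["event"] == "LOGIN":
            summary[e["user"]]["logins"].append(e["ts"])
            summary[e["user"]]["ips"].add(e["ip"])
        elif e["event"] == "EDIT_CONTACT":
            summary[e["user"]]["edited"] = True
    # Keep only accounts that actually logged in; an edit with no login is a log gap.
    return {u: s for u, s in summary.items() if s["logins"]}


def shared_ips(summary):
    """Source IPs used to log in to more than one account in the window: a lead
    for the investigation, not proof of misuse (a shared campus NAT is common)."""
    users_by_ip = defaultdict(set)
    for user, s in summary.items():
        for ip in s["ips"]:
            users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}


def notification_list(summary):
    """Usernames to notify, sorted, with accounts whose details were edited first."""
    return sorted(summary, key=lambda u: (not summary[u]["edited"], u))


if __name__ == "__main__":
    s = triage(parse_log(SAMPLE_LOG))
    for user in notification_list(s):
        print(user, "logins:", len(s[user]["logins"]), "edited:", s[user]["edited"])
    print("IPs seen on multiple accounts:", shared_ips(s))
```

The useful output is the notification list, not a verdict: logins outside the window (here `ghi000` and `def456`) are dropped, accounts with edited details come first so they can be contacted first, and the shared-address check only narrows where to look. If the application does record the login method, filter on that field instead of treating every login in the window as suspect.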
Can't help but notice that this article doesn't appear in the archive, the RSS feed or the comments list on the main page. Is it still subject to review?
I wondered where it disappeared to! The date has also changed from being last Wednesday (I remember thinking how I could have missed this) to today, and it's just popped back up on my RSS feed!
I guess that it was still up for review and got published early as the article's changed since the first time it appeared on the site and I read it. Therefore making some of my comments above look silly because they're now addressed in the article!
Saying it took Computing Services 14 days to sort the issue out is slightly misleading since the initial contact was with the wrong person (admittedly the fault of Computing Services) and contact with the correct person wasn't made until 10 days later.
Was the initial contact another person in Computing Services (in which case they should have known to take immediate action)?
It is still pretty unacceptable that such a major breach wasn't acted upon for 3 days until somebody higher was informed.
The article had indeed been published early by accident. Thankfully the article didn't appear on the main page and so we were able to remove it before too many people noticed it.
Apologies for the confusion.
Dominic and Ruth
The Yorker Editors
What a shambles
The Yorker Exclusive banner is a little bit alarmist, don't you think?
Perhaps a link to some guide about protecting your personal information on Facebook to make your date of birth a bit harder to harvest may also be useful? Something like http://www.sophos.com/security/best-practice/facebook.html (disclaimer: I work for Sophos).