e:Vision security breach

Wednesday, 12th March 2008
The e:Vision records system used by the university has been exposed as a security risk by a Yorker reporter.

Co-written by Richard Mitchell

Our reporter has discovered that since at least January 2007 it had been possible to access any former student's account with just that student's date of birth. This meant that a person's address, telephone number, course modules, degree class and university number could all be seen.

Even after a student reported the fault, 14 days passed before the system was taken offline; the fault was finally rectified on 4th March.

Student Administrative Services had decided to allow continued access for graduates after their Computing Service user accounts had expired.

The problem with the graduate account had been known for some time. Student Administrative Services had suggested that access should be retained until an alternative could be found.

Head of Information Systems Kay Mills-Hicks said: "The university introduced the online access procedure to e:Vision to make it easier for leaving students to complete graduation and DLHE questionnaires."

Graduates now have to telephone or email the department and answer a series of security questions to gain access.

The problem also affected current students' accounts. It was possible to log in to an account with a username and date of birth and view the following details: the undergraduate's address, telephone number, course modules, supervisors, university number and examination number. The address and telephone number could also be edited.

The undergraduate problem arose when graduate access was enabled and was not known to Computing Services until 29th February. It has been explained as a "configuration error". The configuration had been tested by the Computing Service, which shows a gap in the testing procedure.

The problem has been described by Mills-Hicks and Manager of Student Administrative Services Rosemary Royds as "very serious" and "unacceptable". Mills-Hicks said that Computing Service is "embarrassed" by the issue whilst Student Administrative Services are "concerned".

With the advent of social networking sites, such as Facebook, the information required to access an e:Vision account is often readily available, as many students, past and present, publish both their email address and date of birth.

An investigation by the university's Data Protection Officer, Charles Fonge, will look into both the handling of the problem and how it arose in the first place.

Mills-Hicks said: "The university is conducting a detailed investigation into the circumstances, the results of which will be published, subject to legal provisions."

This suggests that the results of the investigation may not be made public because they name specific employees, although certain members of the YUSU executive might have access to the findings.

The investigation will seek to identify whether any student's account has been unlawfully accessed, although it may be impossible to do so unless students know that someone else has had access. If illegal access is discovered, charges could be brought under the Computer Misuse Act, as well as internal disciplinary proceedings.

e:Vision was developed by the Tribal Group and is in use at over 30 academic institutions worldwide.

Who? What? When? How? The timeline of events

  • 18th Feb: Student Matt Burke discovers and reports the graduate issue, accidentally to the wrong person, as the email address on the e:Vision website was wrong.
  • 28th Feb: Richard Mitchell presses the student for details.
  • 29th Feb: Mitchell re-reports the graduate issue to the Computing Service.
  • 29th Feb: Aimee Phillips discusses the graduate issue with Arthur Clune (IT Security Specialist) and re-assigns the case.
  • 29th Feb: Both Burke and Mitchell discover and report the undergraduate issue to Computing Services.
  • 3rd March, 5pm: With no resolution in sight, Mitchell reports the issue to Mike Jinks, Director of Computing Services.
  • 3rd March, 6.30pm: Kay Mills-Hicks is notified of the problem and shuts down e:Vision.
  • 4th March, late morning: The issues are resolved: graduate login is disabled and undergraduate login is only possible with a Computing Service password. e:Vision is put back online.
#1 Chris Northwood
Tue, 11th Mar 2008 3:59pm

Sounds like Computing Services also have no clear policy on what to do with security disclosures and also troublesome internal communication.

Also, from a technical point-of-view, the SITS server seems to be running a standard Apache server. Surely that has logs that can be analysed to discover anyone who has logged in through that method? Keeping audit logs should be part of any data leak prevention policy. If it's used in America, I'd be heavily surprised if SITS didn't have a built in transaction auditing mechanism (it seems to be able to be used to handle financial information, and so will have to comply with Sarbanes-Oxley)

#2 Richard Mitchell
Tue, 11th Mar 2008 4:21pm

Clearly page accesses are logged, but not the passwords used to login, Chris. There would be no way to separate fraudulent logins using the method described above from legitimate ones.

#3 Chris Northwood
Tue, 11th Mar 2008 4:36pm

I assumed that it would go through a different sequence of pages to log in, rather than a standard login page. That was just a guess though!

Plus, at least using that method the University could identify which users were potentially compromised (surely most users don't check their eVision all that regularly, so only a certain subset would have logged in during the time the vulnerability was present) and notify all users who supposedly logged in of the details of when a login happened and ask them to verify if it was them or not? The University should be at the very least notifying all users that this breach has occurred and asking them to verify that no-one's edited their details, and to be aware that their details may have been compromised.
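
The log triage Chris proposes above, as an added example that is not part of the thread and is not code from the university or from Tribal. It assumes a hypothetical login endpoint (/login) on which a successful login answers 302, a hypothetical application audit log with an optional method= field, and constructed log lines; nothing about the real e:Vision logs is known from the article. It shows why both commenters are right: the Apache access log gives the when and the from-where, but only an application-level audit record of the credential type can separate date-of-birth logins from legitimate ones, and without that record every account that logged in during the window has to be notified.

```python
"""Scope who may have been affected by the weak login, from two log sources.

Added example: not code from The Yorker article or from the University of
York's e:Vision deployment. The login path, the status code taken to mean a
successful login, the audit-log format and every log line below are
constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Exposure window taken from the article's timeline: first report on 18th Feb,
# fix late morning on 4th March 2008 (noon is an assumption). The graduate
# problem is older, so a real investigation would start the window earlier.
WINDOW_START = datetime(2008, 2, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2008, 3, 4, 12, 0, tzinfo=timezone.utc)

LOGIN_PATH = "/login"      # hypothetical endpoint
LOGIN_OK_STATUS = "302"    # assumption: a successful login redirects

# Constructed Apache "combined" access-log lines (documentation IP ranges).
ACCESS_LOG = """\
192.0.2.10 - - [17/Feb/2008:09:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Feb/2008:10:15:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2008:10:16:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.18"
198.51.100.7 - - [20/Feb/2008:10:16:55 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.18"
203.0.113.5 - - [01/Mar/2008:22:03:11 +0000] "GET /student/details HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2008:08:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed application audit log: one line per successful login. The
# "method=" field is hypothetical; many applications record nothing like it.
AUDIT_LOG = """\
2008-02-17T09:00:01Z login user=abc123 method=password
2008-02-20T10:15:02Z login user=abc123 method=dob
2008-02-20T10:16:55Z login user=xyz789 method=dob
2008-03-01T22:03:11Z login user=def456 method=password
2008-03-05T08:00:00Z login user=ghi012 method=dob
"""
AUDIT_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+)(?: method=(?P<method>\S+))?$")


def in_window(ts, start, end):
    return start <= ts < end


def login_hits_in_window(log_text, start=WINDOW_START, end=WINDOW_END):
    """Successful login POSTs inside the window, grouped by client IP.

    The web server logs the request line and status, not the credential the
    user typed, so this says when and from where logins happened, but not
    which account, nor whether a date of birth or a real password was used.
    """
    hits = {}
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if (in_window(ts, start, end) and m["method"] == "POST"
                and m["path"] == LOGIN_PATH and m["status"] == LOGIN_OK_STATUS):
            hits.setdefault(m["ip"], []).append(ts)
    return hits


def accounts_to_notify(audit_text, start=WINDOW_START, end=WINDOW_END, weak="dob"):
    """Usernames whose accounts were logged into during the window.

    If the application recorded which credential was presented, only logins by
    the weak method count. If it did not, every account that logged in is
    returned: a date-of-birth login looks exactly like a legitimate one.
    """
    users = set()
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        if in_window(ts, start, end) and m["method"] in (None, weak):
            users.add(m["user"])
    return users


if __name__ == "__main__":
    for ip, times in login_hits_in_window(ACCESS_LOG).items():
        print(ip, [t.isoformat() for t in times])
    print("notify:", sorted(accounts_to_notify(AUDIT_LOG)))
```

On the constructed data the access log yields two successful logins from two addresses but no identities; the audit log narrows the notification list to the two accounts logged into by date of birth, and once the method= field is absent the same function falls back to everyone who logged in during the window, which is the position Richard describes.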

#4 Richard Mitchell
Tue, 11th Mar 2008 11:15pm

Nothing that could stand as admissible evidence though Chris. I agree, the students (especially the graduates) should have been informed. It was public knowledge for some considerable period that the graduate accounts could be accessed with date of birth. Hopefully the undergrad issue was not discovered by anyone else prior to us notifying Computing Services.

#5 Richard Mitchell
Tue, 11th Mar 2008 11:16pm

Can't help but notice that this article doesn't appear in the archive, the RSS feed or the comments list on the main page. Is it still subject to review?

#6 Chris Northwood
Wed, 12th Mar 2008 6:17am
  • Wed, 12th Mar 2008 6:19am - Edited by the author

I wondered where it disappeared to! The date has also changed from being last Wednesday (I remember thinking how I could have missed this) to today, and it's just popped back up on my RSS feed!

I guess that it was still up for review and got published early as the article's changed since the first time it appeared on the site and I read it. Therefore making some of my comments above look silly because they're now addressed in the article!

#7 James Hogan
Wed, 12th Mar 2008 2:03pm

Saying it took computing services 14 days to sort the issue out is slightly misleading since the initial contact was with the wrong person (admittedly the fault of computing services) and contact with the correct person wasn't made until 10 days later.
Was the initial contact another person in computing services (in which case they should have known to take immediate action)?
It is still pretty unacceptable that such a major breach wasn't acted upon for 3 days until somebody higher was informed.

#8 Dominic Freeston
Wed, 12th Mar 2008 2:05pm

The article had indeed been published early by accident. Thankfully the article didn't appear on the main page and so we were able to remove it before too many people noticed it.

Apologies for the confusion.

Dominic and Ruth
The Yorker Editors

#9 Anonymous
Wed, 12th Mar 2008 4:28pm

What a shambles

#10 Chris Northwood
Wed, 12th Mar 2008 8:58pm

The Yorker Exclusive banner is a little bit alarmist, don't you think?

Perhaps a link to some guide about protecting your personal information on Facebook to make your date of birth a bit harder to harvest may also be useful? Something like http://www.sophos.com/security/best-practice/facebook.html (disclaimer: I work for Sophos).
