Re: University credentials used by third parties

[Sam Hooker <samuel.hooker () UVM EDU>]

This, too, is charming:

    http://www.ultrinsic.com/grade_insurance.html


-sth

-- 
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont


On 20100817 14:19 , Bob Bayn wrote:
> No support from this quarter either.  But it does look like Ultrinsic.com does need to make arrangements for each 
> individual school to automate the process of using the student-provided credentials to get to the schedules and 
> grades.  Now, I wonder if those individual arrangements include individual approval from each school.  The list of 
> schools is currently:
>
> American University (undergraduate)
> Boston College (undergraduate)
> Boston University (undergraduate)
> Brigham Young University (undergraduate)
> Columbia University (undergraduate)
> CUNY Queens College (undergraduate)
> Duke University (undergraduate)
>
> George Washington University (undergraduate
> Georgetown University (undergraduate)
> Harvard University (undergraduate)
> Howard University (undergraduate)
> Indiana University-Bloomington (undergraduate)
> Massachussets Institute of Technology (undergraduate)
> Michigan State University (undergraduate)
> North Carolina State University (undergraduate)
> NYU (undergraduate)
>
> Pennsylvania State University (undergraduate)
> Princeton University (undergraduate)
> Rutgers University (undergraduate)
> St. Johns University (undergraduate)
> Stanford University (undergraduate)
> SUNY Binghamton (undergraduate)
> Syracuse University (undergraduate)
> Texas A&M University (undergraduate)
>
> Texas Tech University (undergraduate)
> University of California-Berkeley (undergraduate)
> University of California-Los Angeles (undergraduate)
> University of Conneticut (undergraduate)
> University of Michigan-Ann Arbor (undergraduate)
> University of North Carolina (undergraduate)
> University of Pennsylvania (undergraduate)
> University of Pittsburgh (undergraduate)
> University of Southern California (undergraduate)
>
> University of Texas-Austin (undergraduate)
> University of Wisconsin-Madison (undergraduate)
> Wake Forest University (undergraduate)
>
> Nope, I doubt those are all the results of explicit collaborations with each school's administration.  So, you may 
> have to block Ultrinsic if they can get any of your student credentials and snoop around to figure out how to extract 
> the data they need.
>
>
> Bob Bayn        (435)797-2396      Security Team coordinator
>              http://tinyurl.com/I-Need-a-Kidney
> Office of Information Technology   at  Utah State University
> ________________________________________
> From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Walter 
> Petruska [wpetruska () USFCA EDU]
> Sent: Tuesday, August 17, 2010 12:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] University credentials used by third parties
>
> I find this completely unacceptable, and fair game for complaint and for blocking.
>
> Any outrage/shock elsewhere?
>
>
> Walter E. Petruska,  CISSP, CISA, CGEIT
> USF Information Security Officer
>
> University of San Francisco
> Lone Mountain North - 226
> 2130 Fulton Street
> San Francisco, CA 94117
> ITS Help Desk Phone: 415-422-6668
> Fax: 415-422-6719
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> LISTSERV EDUCAUSE EDU>] On Behalf Of Justin Sherenco
> Sent: Tuesday, August 17, 2010 10:13 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] University credentials used by third parties
>
> Hello,
> Recently a local on-line news site 
> (http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/) wrote an article 
> about a new website that lets students bet on their own grades.  The betting aspect aside I was intrigued by this 
> line “they have to register and upload their schedules to grant the site access to school records.”  To investigate 
> further I went through the account set up process and found that the student has the option to allow the site to 
> automatically download their student records (see attached ultinsic2.jpg).  It actually asks for their academic user 
> name and password!  EMU is currently not on their list of supported schools but they mention will be rolling out 
> nationally.  We have policies and standards in place that say don’t give out you password and in my opinion giving 
> credentials to this site would violate them.  Are there any other Universities investigating the use of usernames and 
> passwords used by third party web 
a!
>  pplications not sanctioned by the University?  Any talk on actually blocking a site like this from automatically 
> logging in (system stability/privacy/security issues?) or is this more of users choice?
>
>
> Regards,
> Justin
>
> -------------------------------------
> Justin Sherenco, CISSP
> Easten Michigan University
> Security Analyst
> http://it.emich.edu/security

Attachment: signature.asc
Description: OpenPGP digital signature