Educause Security Discussion mailing list archives
Re: University credentials used by third parties
From: Brad Miller <bradmiller () MAIL UND NODAK EDU>
Date: Thu, 19 Aug 2010 15:46:33 -0500
In doing some research on this, I came across a number of universities that actually give students the ability to set up accounts for "third-party" access to their information. https://webapps.wsu.edu/ais/sharedinfo/(S(2qhuzdzmn5scctapb2kv0mup))/Help/FAQ.aspx http://www.depauw.edu/admin/registrar/thirdparty.asp http://www.uni.edu/its/is/help/parentPortalFAQ.html It seems like these types of "third-party" accounts would be tailor-made for students to provide to Ultrinsic or other such "services". ~Brad Brad Miller IT Security Officer Information Technology Systems and Services University of North Dakota (701) 777-3587 http://itsecurity.und.edu
Paul Kendall <PKendall () ACCUDATASYSTEMS COM> 8/18/2010 9:14 AM >>>
Something most students fail to realize is that the userid/password they are provided does NOT mean the resources they access are theirs to do with as they like. It is permission to access a university resource, and they should never be divulging that access without explicit written permission from the university. Your acceptable use policy or similar policy probably spells that out; if so, then a very good case can be made for blocking this site. Betting on grades? Some days I REALLY do miss 80-column punch cards... Paul ======================================== Paul L. Kendall, PhD, CGEIT, CHP, CHSS, CHS-III, DHS-CVI, CISM, CISSP, CSSLP PCI Qualified Security Assessor Senior Consultant Accudata Systems, Inc. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak Sent: Wednesday, August 18, 2010 8:50 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] University credentials used by third parties Many public institutions have a prohibition against commercial use of campus resources. That should provide sufficient justification to block any access on the part of Ultrinsic to course management systems or other repositories of educational records. Marty On 8/17/2010 1:12 PM, Justin Sherenco wrote:
Hello, Recently a local on-line news site (http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/) wrote an article about a new website that lets students bet on their own grades. The betting aspect aside I was intrigued by this line "they have to register and upload their schedules to grant the site access to school records." To investigate further I went through the account set up process and found that the student has the option to allow the site to automatically download their student records (see attached ultinsic2.jpg). It actually asks for their academic user name and password! EMU is currently not on their list of supported schools but they mention will be rolling out nationally. We have policies and standards in place that say don't give out you password and in my opinion giving credentials to this site would violate them. Are there any other Universities investigating the use of usernames and passwords used by third party web applications not sanctioned by the University? Any talk on actually blocking a site like this from automatically logging in (system stability/privacy/security issues?) or is this more of users choice? Regards, Justin ------------------------------------- Justin Sherenco, CISSP Easten Michigan University Security Analyst http://it.emich.edu/security
-- Martin Manjak Information Security Officer University at Albany CISSP, GSEC, GCWN
Current thread:
- Re: University credentials used by third parties, (continued)
- Re: University credentials used by third parties Valdis Kletnieks (Aug 18)
- Re: University credentials used by third parties David L. Wasley (Aug 18)
- Re: University credentials used by third parties Pete Hickey (Aug 18)
- Re: University credentials used by third parties Anthony Phillips (Aug 18)
- Re: University credentials used by third parties Isabelle Graham (Aug 18)
- Re: University credentials used by third parties Valdis Kletnieks (Aug 18)
- Re: University credentials used by third parties Joel Rosenblatt (Aug 18)
- Re: University credentials used by third parties Cal Frye (Aug 18)
- Re: University credentials used by third parties Ullman, Catherine (Aug 18)
- Re: University credentials used by third parties Nate johnson (Aug 18)
- Re: University credentials used by third parties Brad Miller (Aug 19)
- Re: University credentials used by third parties Jeff Kell (Aug 19)
- Re: University credentials used by third parties David Gillett (Aug 18)
- Re: University credentials used by third parties Ozzie Paez (Aug 21)
- Re: University credentials used by third parties David Gillett (Aug 18)
- Re: University credentials used by third parties Paul Kendall (Aug 18)