Security Basics mailing list archives
Re: Security for grades stored online
From: Adam Mooz <adam.mooz () gmail com>
Date: Fri, 11 Dec 2009 11:59:09 -0500
On 2009-12-11, at 3:03 AM, Eitan Adler wrote:
> From most of the responses I've seen the best idea for me would be to use some form of PKI. The reason I didn't jump immediately into PKI instead of my idea was:
> 1) Most of the teachers are probably not technologically sophisticated. I'm unaware of any easy-to-use PKI system.
> 2) I'm assuming one of two cases here: (a) the teacher left the computer alone or (b) the teacher chose an easy-to-guess password.
> 3) The teacher would probably choose the same password for the key as for the Moodle account (which I'm modifying to fit my needs).
>
> Does anyone know of an easy-to-use system that would not be compromised by the above assumptions? I'm also working within a limited budget so (as far as I'm aware atm) no new hardware could be bought.
Honestly, if you have tight access control and audit logs of who did what to the database, and of course all the standard locks on the database, the school should be worried about students manipulating grades via the TAs. If the teacher has walked away and left their computer unlocked (as highlighted in a scenario above) then the student could modify the teacher's local spreadsheet of assignment/test marks and then get the teacher to upload the falsified marks that way. The point I'm trying to make is that students are smart; if they wanted to subvert their marks they're not going to do so by attacking a database. They will use social engineering to have the prof modify their marks for them.

The two scenarios you've outlined are also... problematic. If the students have access to the prof's (or another trusted) computer with an active session there isn't much you can do without timeouts. As for weak passwords, again there is not much you can do about those. Implementing RSA tokens would defeat this but also requires a huge amount of resources.

In short, obviously defend the database as much as you can with good programming, ACLs, etc., but IMHO if you have excellent auditing of changes made (date/time, old value, new value, user making the changes) and who (IP) accessed the machine at what time, and a good alerting system, you should be able to not only prevent someone from changing marks on the database directly, or if they do, then you'll be able to track (and possibly prove) what student attempted what.

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz () gmail com
AdamMooz () me com
http://www.AdamMooz.com
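The change auditing described in the message above (date/time, old value, new value, user, IP, plus alerting) could look like the following sketch. This is an added example, not part of the original post or of Moodle; the table names, function names and sample data are hypothetical, and SQLite stands in for whatever database the grade system uses.

```python
import sqlite3

SCHEMA = """
CREATE TABLE grades (student TEXT, item TEXT, mark INTEGER,
                     PRIMARY KEY (student, item));
CREATE TABLE grade_audit (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT NOT NULL, username TEXT NOT NULL, ip TEXT NOT NULL,
    student TEXT NOT NULL, item TEXT NOT NULL,
    old_mark INTEGER, new_mark INTEGER NOT NULL);
-- Audit rows are append-only: UPDATE and DELETE abort the statement.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON grade_audit
BEGIN SELECT RAISE(ABORT, 'grade_audit is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON grade_audit
BEGIN SELECT RAISE(ABORT, 'grade_audit is append-only'); END;
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def set_mark(db, username, ip, when, student, item, mark):
    """Change a mark and record who/when/old/new in one transaction."""
    with db:  # both writes commit together or roll back together
        row = db.execute("SELECT mark FROM grades WHERE student=? AND item=?",
                         (student, item)).fetchone()
        old = row[0] if row else None
        db.execute("INSERT OR REPLACE INTO grades VALUES (?,?,?)",
                   (student, item, mark))
        db.execute("INSERT INTO grade_audit (changed_at, username, ip, student,"
                   " item, old_mark, new_mark) VALUES (?,?,?,?,?,?,?)",
                   (when, username, ip, student, item, old, mark))

def alerts(db, known_ips):
    """Audit rows that overwrite an existing mark from an IP not known for that user."""
    rows = db.execute("SELECT id, changed_at, username, ip, student, item,"
                      " old_mark, new_mark FROM grade_audit"
                      " WHERE old_mark IS NOT NULL ORDER BY id").fetchall()
    return [r for r in rows if r[3] not in known_ips.get(r[2], set())]

if __name__ == "__main__":
    db = open_db()  # constructed sample data; IPs are documentation ranges
    set_mark(db, "teacher1", "192.0.2.10", "2009-12-11T09:00", "alice", "quiz1", 70)
    set_mark(db, "teacher1", "198.51.100.7", "2009-12-11T23:40", "alice", "quiz1", 95)
    for row in alerts(db, {"teacher1": {"192.0.2.10"}}):
        print("ALERT", row)
```

The triggers only stop the application account from rewriting history; anyone who can alter the schema can drop them, so the audit table is best kept where the web application has insert-only rights.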