Educause Security Discussion mailing list archives

Re: University credentials used by third parties


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Tue, 17 Aug 2010 13:10:50 -0500

I agree.  I started looking at the site and reading through the terms
and conditions, but hadn't gotten much further than that.  Doesn't look
good at all from here.

- ken

Walter Petruska wrote:

I find this completely unacceptable, and fair game for complaint and
for blocking.

 

Any outrage/shock elsewhere?

*Walter E. Petruska,  CISSP, CISA, CGEIT*

/USF Information Security Officer/

*University of San Francisco*

*Lone Mountain North - 226*

2130 Fulton Street

San Francisco, CA 94117

ITS Help Desk Phone: 415-422-6668

Fax: 415-422-6719

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Justin Sherenco
*Sent:* Tuesday, August 17, 2010 10:13 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] University credentials used by third parties

Hello,

Recently a local on-line news site
(http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/)
wrote an article about a new website that lets students bet on their
own grades.  The betting aspect aside, I was intrigued by this line:
“they have to register and upload their schedules to grant the site
access to school records.”  To investigate further, I went through the
account setup process and found that the student has the option to
allow the site to automatically download their student records (see
attached ultinsic2.jpg).  It actually asks for their academic user
name and password!  EMU is currently not on their list of supported
schools, but they mention they will be rolling out nationally.  We have
policies and standards in place that say don’t give out your password,
and in my opinion giving credentials to this site would violate them.
Are there any other Universities investigating the use of usernames
and passwords used by third party web applications not sanctioned by
the University?  Any talk on actually blocking a site like this from
automatically logging in (system stability/privacy/security issues?),
or is this more of a user's choice?

Regards,

Justin

 

-------------------------------------

Justin Sherenco, CISSP

Eastern Michigan University

Security Analyst

http://it.emich.edu/security


-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

