Educause Security Discussion mailing list archives

Re: University credentials used by third parties

From: Bob Bayn <bob.bayn () USU EDU>
Date: Tue, 17 Aug 2010 12:19:22 -0600

No support from this quarter either.  But it does look like Ultrinsic.com does need to make arrangements for each 
individual school to automate the process of using the student-provided credentials to get to the schedules and grades. 
 Now, I wonder if those individual arrangements include individual approval from each school.  The list of schools is 
currently:

American University (undergraduate)
Boston College (undergraduate)
Boston University (undergraduate)
Brigham Young University (undergraduate)
Columbia University (undergraduate)
CUNY Queens College (undergraduate)
Duke University (undergraduate)

George Washington University (undergraduate
Georgetown University (undergraduate)
Harvard University (undergraduate)
Howard University (undergraduate)
Indiana University-Bloomington (undergraduate)
Massachussets Institute of Technology (undergraduate)
Michigan State University (undergraduate)
North Carolina State University (undergraduate)
NYU (undergraduate)

Pennsylvania State University (undergraduate)
Princeton University (undergraduate)
Rutgers University (undergraduate)
St. Johns University (undergraduate)
Stanford University (undergraduate)
SUNY Binghamton (undergraduate)
Syracuse University (undergraduate)
Texas A&M University (undergraduate)

Texas Tech University (undergraduate)
University of California-Berkeley (undergraduate)
University of California-Los Angeles (undergraduate)
University of Conneticut (undergraduate)
University of Michigan-Ann Arbor (undergraduate)
University of North Carolina (undergraduate)
University of Pennsylvania (undergraduate)
University of Pittsburgh (undergraduate)
University of Southern California (undergraduate)

University of Texas-Austin (undergraduate)
University of Wisconsin-Madison (undergraduate)
Wake Forest University (undergraduate)

Nope, I doubt those are all the results of explicit collaborations with each school's administration.  So, you may have 
to block Ultrinsic if they can get any of your student credentials and snoop around to figure out how to extract the 
data they need.


Bob Bayn        (435)797-2396      Security Team coordinator
             http://tinyurl.com/I-Need-a-Kidney
Office of Information Technology   at  Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Walter Petruska 
[wpetruska () USFCA EDU]
Sent: Tuesday, August 17, 2010 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] University credentials used by third parties

I find this completely unacceptable, and fair game for complaint and for blocking.

Any outrage/shock elsewhere?


Walter E. Petruska,  CISSP, CISA, CGEIT
USF Information Security Officer

University of San Francisco
Lone Mountain North - 226
2130 Fulton Street
San Francisco, CA 94117
ITS Help Desk Phone: 415-422-6668
Fax: 415-422-6719



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Justin Sherenco
Sent: Tuesday, August 17, 2010 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] University credentials used by third parties

Hello,
Recently a local on-line news site 
(http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/) wrote an article about 
a new website that lets students bet on their own grades.  The betting aspect aside I was intrigued by this line “they 
have to register and upload their schedules to grant the site access to school records.”  To investigate further I went 
through the account set up process and found that the student has the option to allow the site to automatically 
download their student records (see attached ultinsic2.jpg).  It actually asks for their academic user name and 
password!  EMU is currently not on their list of supported schools but they mention will be rolling out nationally.  We 
have policies and standards in place that say don’t give out you password and in my opinion giving credentials to this 
site would violate them.  Are there any other Universities investigating the use of usernames and passwords used by 
third party web applications not sanctioned by the University?  Any talk on actually blocking a site like this from 
automatically logging in (system stability/privacy/security issues?) or is this more of users choice?


Regards,
Justin

-------------------------------------
Justin Sherenco, CISSP
Easten Michigan University
Security Analyst
http://it.emich.edu/security

Current thread:

University credentials used by third parties Justin Sherenco (Aug 17)
- Re: University credentials used by third parties Walter Petruska (Aug 17)
  - Re: University credentials used by third parties Ken Connelly (Aug 17)
  - Re: University credentials used by third parties Bob Bayn (Aug 17)
    - Re: University credentials used by third parties Sam Hooker (Aug 17)
    - Re: University credentials used by third parties Cathy Hubbs (Aug 17)
    - Re: University credentials used by third parties Pete Hickey (Aug 17)
    - Re: University credentials used by third parties Valdis Kletnieks (Aug 17)
    - Password Expatriation notification James Farr '05 (Aug 17)
    - Re: Password Expatriation notification Ken Connelly (Aug 17)
    - Re: Password Expatriation notification Kieper, David (Aug 17)
    - Re: Password Expatriation notification Bob Bayn (Aug 17)
    - Re: Password Expatriation notification James (Aug 19)
    - Re: Password Expatriation notification Ullman, Catherine (Aug 19)

(Thread continues...)