Should I report this security issue to my school?
October 19, 2011 11:29 PM Subscribe
Is it troublesome to be able to obtain access to the names and e-mail addresses of students, faculty, employees, and alumni of a university? If so, how should I go about reporting it without being misinterpreted or punished?
My school has recently switched to a new e-mail system and it seems to be pretty easy to get access to every name and e-mail address on the system. You must be an authorized user to do so (basically anyone with an e-mail login), but otherwise there seems to be no strategy in place to hide irrelevant addresses from the user (for example, most students likely don't need employee or alumn[nus/na] names or e-mail addresses unless they are explicitly given).
If this is a significant security issue, how do I go about reporting this to whomever is in charge of the system without incriminating myself or inviting reprisal?
My school has recently switched to a new e-mail system and it seems to be pretty easy to get access to every name and e-mail address on the system. You must be an authorized user to do so (basically anyone with an e-mail login), but otherwise there seems to be no strategy in place to hide irrelevant addresses from the user (for example, most students likely don't need employee or alumn[nus/na] names or e-mail addresses unless they are explicitly given).
If this is a significant security issue, how do I go about reporting this to whomever is in charge of the system without incriminating myself or inviting reprisal?
It's a bad design, and students probably won't appreciate getting spam when their addresses are harvested. However, the best way to address this is to write to your school newspaper. That will create enough pressure on the administration to step on the IT department and get it fixed; whereas contacting the IT department directly probably will not fix the problem because they probably knew and didn't care.
posted by curiousZ at 11:43 PM on October 19, 2011 [1 favorite]
posted by curiousZ at 11:43 PM on October 19, 2011 [1 favorite]
Given that virtually every university e-mail system uses something like, (firstname-dot-lastname-at-university-dot-edu) or maybe (firstinital-middleinitial-lastname-digit-digit-at-university-dot-edu) it's not like they're really giving anything away that wasn't already pretty obvious. So if you throw the SECURITY flag here, they're pretty much going to ignore you as someone who is overreacting.
On the other hand, depending on how outward facing and free the system you describe is with information. If I have to look up addresses one at a time, that's not a big deal. If I can pull down the whole directory to a thumb drive and then sell it to a spammer for some extra beer money, that's kind of just asking for hot and cold running FREE HERBAL \/!@gR@ spam all day long and something ought to be done about that, but approach it as a "Hey, this is pretty much set up to guarantee that we get buried in spam - can you do something about that?"
posted by Kid Charlemagne at 1:18 AM on October 20, 2011 [1 favorite]
On the other hand, depending on how outward facing and free the system you describe is with information. If I have to look up addresses one at a time, that's not a big deal. If I can pull down the whole directory to a thumb drive and then sell it to a spammer for some extra beer money, that's kind of just asking for hot and cold running FREE HERBAL \/!@gR@ spam all day long and something ought to be done about that, but approach it as a "Hey, this is pretty much set up to guarantee that we get buried in spam - can you do something about that?"
posted by Kid Charlemagne at 1:18 AM on October 20, 2011 [1 favorite]
Yeah, having a student/faculty/staff directory seems normal and desirable to me. Alumni, I'm not so sure.
posted by hattifattener at 1:34 AM on October 20, 2011 [2 favorites]
posted by hattifattener at 1:34 AM on October 20, 2011 [2 favorites]
Also, if they're smart, they notice the bulk get-everything type of requests. It's even possible that you have LDAP access to that information if you know where and how to look for it. If you're curious, you can probably send email to 'abuse@your.edu'. Be worried if you find Social Security Numbers, Student IDs, or medical information. You'll probably have no luck with email, name, declared major, and the like. Alumni at my uni opt-in to keep their info in the directory.
FWIW, I'm in ITS at a large US university, we have a similar open directory.... (with LDAP access and warnings for bulk access attempts)
posted by zengargoyle at 1:41 AM on October 20, 2011
FWIW, I'm in ITS at a large US university, we have a similar open directory.... (with LDAP access and warnings for bulk access attempts)
posted by zengargoyle at 1:41 AM on October 20, 2011
What you have there is an email directory. Just like the telephone directory it lists contact details. Access being restricted to registered users is access being restricted to the people outside your institution I assume? At work I can access email addresses and phone numbers of all our global employees, that's well over a hundred thousand people, including facility management on other continents...do I need to be able to contact all these people? Probably not.
The only potential issue I can see here is the alumni being listed, too. But for all you know they gave consent to being listed. So by all means ask questions about the set up but it sounds like a generally accepted way of doing things to me.
posted by koahiatamadl at 3:10 AM on October 20, 2011 [2 favorites]
The only potential issue I can see here is the alumni being listed, too. But for all you know they gave consent to being listed. So by all means ask questions about the set up but it sounds like a generally accepted way of doing things to me.
posted by koahiatamadl at 3:10 AM on October 20, 2011 [2 favorites]
Sounds like our system. I find it's useful because you can type in what you figure someone's email will be and the address book will check the address and replace it with the person's name or title.
What the system doesn't allow you to do is to email everyone. Actually, the all students/all everybody listserv is pretty much under lock and key - all mass emails must go through one or two people now.
posted by sarae at 3:24 AM on October 20, 2011
What the system doesn't allow you to do is to email everyone. Actually, the all students/all everybody listserv is pretty much under lock and key - all mass emails must go through one or two people now.
posted by sarae at 3:24 AM on October 20, 2011
Why wouldn't a student ever need to be able to look up an administrator's email address? It happens all the time! This sounds like a standard email directory to me, and the fact that you need to be logged in to the network (that is, have credentials that can themselves be looked up, and be willing to leave a digital fingerprint when you log in) is the standard level of security.
Forget hiding from spammers by hiding email addresses. They are way past that. They can send a message to 1 million combinations of letters and numbers @yourschool.edu before you can write a message of complaint to your IT staff. If your school has anything like a modern infrastructure, it has robust spam filtering at a network level anyway.
posted by spitbull at 4:53 AM on October 20, 2011 [1 favorite]
Forget hiding from spammers by hiding email addresses. They are way past that. They can send a message to 1 million combinations of letters and numbers @yourschool.edu before you can write a message of complaint to your IT staff. If your school has anything like a modern infrastructure, it has robust spam filtering at a network level anyway.
posted by spitbull at 4:53 AM on October 20, 2011 [1 favorite]
But I should mention that in my university's system, any individual student can ask to have her/his email address hidden. Have you tried that if it bothers you?
posted by spitbull at 4:54 AM on October 20, 2011
posted by spitbull at 4:54 AM on October 20, 2011
Names and email addresses are considered directory information and are not protected by FERPA. But, I believe you can ask to have your directory information hidden. Check with the registrar.
posted by rachums at 4:57 AM on October 20, 2011
posted by rachums at 4:57 AM on October 20, 2011
Oh, I misread. A student needing to contact an alum by email would be more unusual.
posted by spitbull at 4:57 AM on October 20, 2011
posted by spitbull at 4:57 AM on October 20, 2011
Where I am, we do consider directory information protected by FERPA and students can opt out of the directory, but not all schools do this. Otherwise, that sounds completely normal except the alumni. Does your school have an IT security contact person? If so, he or she would be a good person to start with.
Why are you afraid that this would be incriminating? Is there a contact form on your school's IT website you can fill out without providing an email address? I think most organizations would be grateful to hear about this, if it really is an issue.
posted by beyond_pink at 5:23 AM on October 20, 2011
Why are you afraid that this would be incriminating? Is there a contact form on your school's IT website you can fill out without providing an email address? I think most organizations would be grateful to hear about this, if it really is an issue.
posted by beyond_pink at 5:23 AM on October 20, 2011
meh. it's a phonebook.
the alum access of info is a bit trickier. Most Universities should have some sort of Ask An Alum system setup so that the phonebook only holds current Faculty, Staff and Student info.
I wouldn't be that worried, but it certainly is odd.
posted by zombieApoc at 8:10 AM on October 20, 2011
the alum access of info is a bit trickier. Most Universities should have some sort of Ask An Alum system setup so that the phonebook only holds current Faculty, Staff and Student info.
I wouldn't be that worried, but it certainly is odd.
posted by zombieApoc at 8:10 AM on October 20, 2011
At our institution, Sensitive Personal Information (SPI) is info that is considered private and that our users have an expectation of not being revealed. Social security numbers, credit card numbers, date of birth, drivers' license, etc. is considered SPI. Email addresses and student ID numbers are not considered SPI.
posted by telophase at 8:55 AM on October 20, 2011
posted by telophase at 8:55 AM on October 20, 2011
I would only be concerned if the staff, faculty or student family home addresses and phone numbers were easily accessible. Otherwise, it's just a campus directory.
posted by misha at 9:22 AM on October 20, 2011
posted by misha at 9:22 AM on October 20, 2011
There could be perfectly good reason those addresses are public - there could be back end apps (for instance Blackberry server) that run into issues when users addresses are hidden from the GAL in exchange. Trust me, if tenured professors don't want their info public, they will have made it very very very known to the IT department.
And agreeing with the others, every place that I have ever worked has a general directory for staff/students that contains everyone's email address. They aren't sacrosanct.
posted by 8dot3 at 10:31 AM on October 20, 2011
And agreeing with the others, every place that I have ever worked has a general directory for staff/students that contains everyone's email address. They aren't sacrosanct.
posted by 8dot3 at 10:31 AM on October 20, 2011
This sounds totally normal, and actually more secure than the directory where I went to school, which is open to the public, though not widely advertised. (Though it is opt-out-able, and alumni are now in a separate, more protected system).
They used to publish hard-copy paper directories, one for opted in alumni and one for opted in students/faculty/staff. This doesn't seem much different to me.
posted by bubukaba at 10:39 AM on October 20, 2011
They used to publish hard-copy paper directories, one for opted in alumni and one for opted in students/faculty/staff. This doesn't seem much different to me.
posted by bubukaba at 10:39 AM on October 20, 2011
This thread is closed to new comments.
posted by drjimmy11 at 11:38 PM on October 19, 2011 [12 favorites]