The Collegian

12/05/03 • Vol. 127, No. 41

Web security holes fixed, techs say

Student reported unprotected pages on campus web sites

A glitch in the Fresno State computer system made it possible for anyone with some computer savvy and the right software to tap into confidential information such as student grades and financial aid records, said a Fresno State computer science student who wishes to remain anonymous.

Officials say the problem has been fixed, adding that it is very unlikely that any records were compromised. The student said he reported the breach to University President John Welty’s office more than a month ago. He added that he is not sure if unauthorized users had accessed any information during that time but that the problem was commonly known among students in his department.

A computer engineering senior, who also asked that his name not be used, backed The Collegian source.

“I realized there were security problems when the system came online,” he said. “I reported the problem to the information technology department but nothing was done.”

California Senate Bill 1386, dealing with state privacy and security laws, states that covered parties must disclose any breach of the security of personal data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

John Briar, interim director of campus information systems, said he became aware of the problem because of the student’s report to Welty. He said that the university’s staff started looking at how to fix it the very next day, and that a new, secure login page has remedied the problem.

Until the login was moved Nov. 6, students and staff were prompted to enter their username and password on a non-secure page. The student said that, using a network troubleshooting program, it was possible to access usernames and passwords from various campus and remote locations. With that information, someone could tap into a student’s financial aid information, manipulate grades and ultimately commit fraud, he said.

Briar and Campus Information Security Manager Rafael Villegas both said it would have been virtually impossible for people to access the information unless they were on the school’s network in the library, or at another shared location on campus.

Briar blamed the security hole on an update to PeopleSoft, the university’s main software system, but added that he is not sure when the breach occurred.

“I thought the information was going to be encoded,” Briar said, describing how passwords and user identifications are transmitted in code, rather than clear text, to protect user information. Briar admitted that in the wrong hands, there could have been major ramifications.

The mycsufresno.edu part of the system was launched using existing usernames and passwords to simplify the transition, and to use one common directory, Briar said. To prevent security pop-up messages, he said it was easier to start the login on a non-secure page.

Several areas of the campus system use the same directory, Briar said. Other programs that use the same identifications and passwords include: PeopleSoft, Blackboard, the wireless access program, and campus e-mail systems.

According to Briar and Villegas, security problems with those sites have been fixed.

As part of the university’s effort to keep up with online security issues, Villegas and others, including Briar, initiated a security assessment program about five months ago. He said the group is charged with identifying the school’s resources, figuring out how to protect them, and preventing unauthorized people from using the system.

“I believe we are making every attempt to keep up with security,” Villegas said. “We know that the process is integral to campus and that it’s a never-ending cycle.” Villegas and his group expect to finalize a security report for Welty, including recommendations for the future, by the beginning of next semester.

Computer users, including students and staff, can aid the university’s security effort by doing their part, Villegas said. He reminded online users to update their operating and virus protection systems regularly, abstain from opening unknown attachments, change their passwords often, and use strong passwords that contain a combination of letters and numbers. Additional concerns about online security can be directed to: security@csufresno.edu, Villegas said.

The Collegian’s anonymous source has some additional advice: “Students should avoid logging into their school accounts from anywhere but at home,” he said. “This will decrease the likelihood that their password and information could be compromised.”