The Eagle
Delivering American University's news and views since 1925
Sunday, April 28, 2024

Letters to the Editor

Security Problems

On Jan. 12, 2004, Evan Wagner, reporter for The Eagle, delivered a letter to me describing a variety of security exposures that he and a friend had discovered in the "my.american.edu" Web portal. In light of the understandably limited information available to Evan at the time, his letter presented a thoughtful and correct analysis of an important issue. The staff of e-operations and e-administration, who are responsible for developing and maintaining the Web portal, appreciate the manner in which Evan and his friend have pursued their investigation, and their cooperation has greatly assisted the University in resolving the issues identified.

Evan's letter provided significant detail and insight into the portal's security exposure. In addition to the letter, the e-operations technical staff was also discovering evidence of the problem Evan described and was researching it at the time the letter was delivered. This contributed greatly to our ability to rapidly resolve the problem, which was cured within an hour of the letter's delivery and which enabled us to ensure the security of AU's system.

Evan described vulnerabilities within the portal that were the result of multiple different design or programming flaws. Limited portions of the software failed to check for a valid security profile under certain conditions, which led to the possible security exposure. The most serious vulnerabilities were exposed only to logged-in users (authorized faculty, staff, or students). They were not exposed to the general public or casual Internet user; the vulnerability in the portal's keyword search function would not have been exposed to the general Internet user.

The portal offers access to more than 230 applications or procedures; the vulnerabilities identified by The Eagle included 18 of these. It is important to note that it was not possible to add, modify or delete academic or administrative information, including those related to sensitive academic status data of matriculated students or sensitive payroll information. These functions were not vulnerable.

Generally speaking, the only applications that were vulnerable were those that permitted searching of information by name or other generic means (typically, online report listings). Applications that required entry of a specific user ID were not vulnerable; however, a logged-in user might gain access to their own information using screens normally intended only for administrative staff use.

Although the investigation continues, it appears that no unauthorized access to confidential information took place, except for the known cases involving the students reporting the problem. These vulnerabilities have been addressed, and the system is secure. The design of the portal made it possible to solve the problem with no interruption in service to the community.

A review of all details associated with the incident will be conducted by Protiviti, the University's internal auditing firm, as well as by our technical staff. The results of this review will be used to improve the internal procedures of both e-operations and e-administration with respect to the development and implementation of new portal applications.

We regret that this situation occurred. Everyone who works to develop information technology solutions for the University takes seriously our responsibility to protect the integrity of the data in our systems, and we invest a great deal of effort into making that a commitment that can be relied upon. In this instance, our operating procedures did not change as fast as our technology, and our own performance standards were not met. I want to assure you that the conditions that precipitated this situation have been addressed, and that your information is properly safeguarded against this type of failure in the future.

In closing, I again want to thank Evan Wagner and The Eagle for the responsible way in which they discovered a problem in the University business systems, contacted those who might be able to fix it and limit any potential damage, and then reported what they found to the community.

Carl Whitman
Executive Director, e-operations

Arson at AU

I just wanted to make a possible correction to one of the facts stated in The Eagle. The current acts of arson at AU are not without precedent. When I was a junior in the spring of 1999, we were sitting in the lounge of good old fourth floor of Hughes when some of our more inebriated floormates came running in and shouting, "AU is on fire!" We thought they were kidding, but sure enough we looked over and saw plumes of smoke billowing from Roper Hall. [EDITOR'S NOTE: The fire, on Feb. 28, 1999, was designated an arson, which caused approximately $3,000 in damages.]

Now, to be fair, I never actually heard if it was an arson or not, but when my little clique walked over to Roper to see what was going on, the Bureau of Alcohol, Tobacco and Firearms was already on the scene, and, though I never witnessed anything to this effect, I was told the Secret Service was there as well. Also, weeks after this incident happened, my friends were randomly getting called in and having the good cop/bad cop routine done on them to try and get a confession. So to sum up, I never definitively heard if it was an arson or not, but judging by the administration's actions, I would have to assume it was.

Chris Van Zandt
CAS Class of 2000





All Content © 2024 The Eagle, American University Student Media