Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Dataloss] Security lapse makes GPAs visible

From: security curmudgeon (jerichoattrition.org)
Date: Tue Aug 04 2009 - 01:19:15 CDT

---------- Forwarded message ----------
From: InfoSec News <alertsinfosecnews.org>


By Alex Tomchak Scott
News Editor
Oregon Daily Emerald
August 3, 2009

The University has fixed a security breach in its DuckWeb system after a
student used it to look at three other students' degree audits.

The hole in DuckWeb's security allowed Web users to view certain other
students' degree audits by changing digits in the URL for a
printer-friendly version of their own audits, which contain information
about a student's grades and his or her progress toward a degree.

The student who discovered the breach was Daniel Bachhuber, a former
Emerald employee, who then called the University to alert officials of
the glitch July 22.

University registrar Sue Eveland estimated that the breach, which has
since been repaired, would have made at most 20 different students'
degree audits visible to those who manipulated the URL.

The glitch originated in the system the University uses to upload degree
audits. All degree audits for which information has changed on a given
day are uploaded simultaneously that night and assigned what Eveland
said is a randomly-generated nine-digit number called a batch number.
That number is at the end of the URL for the printer-friendly version of
the audit and it is the one Bachhuber used to access the degree audits.


Dataloss Mailing List (datalossdatalossdb.org)

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.