Application Security // Database Security
8/5/2013
03:43 PM
Connect Directly
Facebook
Google+
RSS
E-Mail
50%
50%

University E-Mail Security Practices Criticized

One example: 25% of colleges surveyed by Halock Security Labs request applicants send personal data, including W2s, over unencrypted email to admissions and financial aid offices.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
Are colleges and universities, those bastions of open discussion and debate, paradoxically putting sensitive information at risk because their email systems transport messages unencrypted over the public Internet?

Yes, concludes a survey released last week by cybersecurity firm Halock Security Labs.

After surveying 162 institutions, Halock found that half of them allow the transmission of sensitive information over unencrypted email. Moreover, a quarter of the institutions actually request that applicants send personal information, including W2s, over unencrypted email to admissions and financial aid offices.

"I was surprised at the 25%," Terry Kurzynski, a partner at Schaumburg, Ill.-based Halock, told InformationWeek/Education in a phone interview. The problem was across the board, at schools big and small, Kurzynski added.

[ Run a website? Make sure you know about this security risk: HTTPS Hackable In 30 Seconds: DHS Alert. ]

Although Halock elected not to publish the names of the institutions that encouraged the use of email for sensitive documents, it did note the states in which the schools -- a mixture of Big 10, Big 8, Ivy League, community colleges and technical institutes -- are based.

Beyond parent and student financial records and social security numbers sent during the financial-aid process, proprietary university research could be compromised via insecure email connections.

Data theft is a growing problem for academia and business alike. A recent article in The New York Times reports that research universities experience "millions of hacking attempts weekly."

In its release about the survey, Halock listed a number of characteristics that make academic institutions especially susceptible to email incursions and computer hacking in general. Among them: transient and inexperienced student workers; limited security and compliance budgets; complicated and bureaucratic procurement processes; and student hackers with lots of time.

But the leading vulnerability, Kurzynski said, was immature risk management. "Unfortunately, our findings and other research shows it often takes an incident for them to have a wakeup call," he said.

Halock recommends a number of inexpensive solutions to the email-security problem, starting with a school setting up a secure Web portal for the delivery of private documents. In this configuration, email becomes a notification mechanism, not a delivery channel. The company also recommends that institutions clearly state their contact email addresses should not be used to send private information.

Since publication of the survey, some security experts have said the Halock findings are overblown. For example, according to PrivacyRights.org, computer breaches of all types at academic institutions have been on the decline, from 13% in 2005 to around 8% so far this year. Other critics note there are larger issues around data management, once sensitive documents reach a school.

"I totally agree with that," Kurzynski said. "But it begs the question, if you have such insecure methods externally, how secure are you internally?"

Halock has embarked on two new surveys of unencrypted email that are focused on financial institutions and cloud service providers. Those surveys will be published this quarter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.