Wednesday, September 21, 2005

Security Issue

From: administrator@email.vccs.edu [mailto:administrator@email.vccs.edu]
Sent: Wed 9/21/2005 5:12 PM
To: administrator@email.vccs.edu
Subject: All students and faculty

The following two messages were received 9/22 and 9/21 (reverse order). Please encourage your students to change their password from their birthdate to a secure password. If they have trouble doing this, refer them to TNCC Client Services - helpdesk@tncc.edu (825-2709). Faculty should also change their password if they are still using their birthday.

Thank you,
Ruth




Students and Faculty,

The Virginia Community College System is currently engaged in a process of strengthening the security of its enterprise applications (Blackboard, email, SIS, etc.). An integral part of this process is ensuring that users of these systems do not continue to use the default passwords that are initially provided.

Over the next several days a series of steps will be taken to remind users of the need to change default passwords. Soon, default passwords will no longer be allowed beyond the initial login. If you have not already done so, please change your password. Links to the password change function are provided at the login pages of enterprise applications.

Virginia Community College System
Information Technology Services




Posted on Wednesday, September 21, 2005 - 4:52 pm:

The following message was sent out today at 3:42 p.m.
-----
From: Neil Matkin [mailto:nmatkin@vccs.edu]
Sent: Wednesday, September 21, 2005 3:42 PM
To: Glenn DuBois; dlist_vccs_presidents; dlist_vccs_technology_council; dlist_system_office_cabinet
Cc: dlist_vccs_presidents_secretaries; Susan Hayden; Ralph Lucia; James Davis; John Brilliant
Subject: Security Issue

Friends,

I have been on the telephone with a reporter from the Roanoke Times this afternoon and an issue has arisen that is about to appear in print in that paper. I request your immediate attention to this security related issue.

Background:

In the last few months the ITS office and College IT offices have upgraded PeopleSoft SIS, Blackboard, and student e-mail systems. In conjunction with these upgrades, a new directory services application was initiated. Directory Services version 2 enabled all VCCS students to access student systems through a single sign on. The default password that has been used is the student's birthday. Students have the option of changing the password; however, today 74% of all students HAVE NOT CHANGED THE PASSWORD. Members of the Technology Council and John Brilliant, Internal Auditor, will recall past discussions dating back to March 2005 relating to default passwords for students and the need to move away from student birth dates. Plans to move away from birth dates have been underway for some time. Directory Services 2 has code in place that allows the VCCS to plug this hole and remove the threat.

Issue:

During the last year, a particular web site has become increasingly popular among students. Known as the FACE BOOK, this website gives students the opportunity to link to friends and meet people at our colleges and other colleges and universities throughout the state, nation, and world. Participants in the FACE BOOK record various biographic information INCLUDING THEIR BIRTH DATES to share with other members. The end result is that subscribers to the FACE BOOK could easily use the birth date data and access student accounts not belonging to them. Although we are not aware of a single instance where this has happened, the newspaper reporter that called today has been in conversation with at least one VCCS student relating to this issue. The minute this article hits the newsstands, we have a major problem in that students who subscribe to FACE BOOK may have easy access to our student systems.

Steps Taken Earlier Today by the ITS Office:

PHASE 1: ITS has already made the following changes to encourage users to create secure passwords. Login screens of enterprise applications will include instructions and a link to the change password feature of my.vccs.
This will include:

Email (Mirapoint)
Email (AtMail)
SIS
Blackboard 6
Blackboard 5

Below is the message students will see:

Default passwords are not secure. If you are still using the default password initially provided to you, please go to the Change Password page.

Users using a default password in my.vccs will see the following:
Warning: Default passwords are not secure. Please Change Your Password.

NOTE: In addition, a broadcast email to ALL STUDENTS will go out before 5 p.m. this afternoon advising students to change their passwords and provide a link to do so.

Steps Colleges Should Take Immediately:

PHASE 1 Recommended for Colleges

It is recommended that colleges immediately begin to review the instructions they provide to students regarding default passwords. In a quick survey of what various colleges are doing, we've noticed that Blue Ridge and John Tyler are doing an excellent job in this regard (there may be others as well).

http://www.brcc.edu/computing/student/accounts/Default.htm

http://www.jtcc.edu/jtpassport/StudentMyVCCS

Colleges may wish to begin to explore the help desk staffing changes that will be required to support the next phases of this process. Every change to enterprise applications has the potential to generate increased call volume and support requests. The move away from default passwords will also generate more requests for password resets.

Next Steps:

Attached please find a Word document which details additional implementation phases to ensure that our systems are operating in the most secure manner possible. I have asked my assistant, Sally Love, to schedule a conference call at 1 p.m. Friday, September 23, 2005 for Technology Council members or other college staff to discuss these next steps and would appreciate it if a representative from each college can be available. Sally will send out dial in instructions. Please have appropriate staff review the attached document in order to provide feedback as we move forward quickly to address this issue.

Please e-mail or call with questions or concerns
(nmatkin@vccs.edu)
Many thanks,
Neil


David Carter-Tod
ITS - Client Services Virginia Community College System
dcartertod@vccs.edu

Attachment
