My university’s servers are seriously outdated, store passwords in plaintext, and are running very old and insecure versions of Apache.
I do not personally feel safe having my information stored on their network; however, to access my courses, I must.
Since I know nobody at the university will take me seriously, is there anything I can do to ensure that they make the network secure? Something like a ‘better business bureau’ for network security?
I’m not going to share the university or the security issues I have found since my information is available on that network.
Answer
I would also advise you not to assume you will not be taken seriously, and to try to bring up the issue as the severe vulnerability that it is. The way that you say they store passwords in plain text makes me think that you saw them laid out. If that is the case, using the credentials will get you into very murky waters very quickly. But if the credentials are that horribly protected, and you can do a dump of them to a file or otherwise, that could be used to help your case be taken more seriously. One could argue that if the passwords are that badly protected, and are readable without much effort, they could be posted somewhere as a wake-up call to other students that they need to stand up for their security. I do not mean this as a suggestion of what to do, because the lines of how far you can go before things get unethical or illegal are blurry at best.
Even if you don’t take it that far, you could tell the facility staff that the security needs to be increased, or it will be made public that their security leaves passwords readable. I am in the IT profession, but I like to think that the general population understands the need for security to be taken seriously in this world that is full of data breaches on a regular basis.
Attribution
Source: Link, Question Author: Brydon Gibson, Answer Author: Cory Knutson