Canterbury University IT staff are still hunting the cause of a security breach that saw students able to view other students’ confidential information.
The thinking late last week was that the security flaw may have been the result of a confusion in XML messages passing between various transaction screens, but the staff are having difficulty reproducing the conditions that led to the original fault.
“We’ve had robots going for 48 hours putting simulated student accesses into the system and we haven’t recreated the problem yet,” says IT director Mike Dewe.
The robot load simulators have now been complemented by “a raft of computer science students” logging into the system continually and attempting to trigger the fault, with the offer of a prize to spur their efforts. Students entering their username and password were initially given access to their own account, but when they tried to transfer to another screen to perform a different transaction, a screen relating to another student popped up.
Some of the visible records reportedly contained highly confidential material such as financial and health details.
It was a random process, says Dewe. “It wasn’t as simple, or as serious, as everyone being able to access anyone else’s record.”
“I suspect the design of the system was not as robust as it should have been,” he says.
“There were a vast number of transactions going through [at the time the error showed up] and it’s not easy to simulate that. We’re trawling through the transaction logs too, but it’s a long process.”
As Computerworld went to press, university staff and a consultant had still not definitively identified the problem.
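The fault pattern the article describes, a student landing on another student's screen only when many transactions overlap, is what happens when identity set on one screen is carried to the next through state shared by all requests rather than through the requester's own session. The following is an added illustration, not the university's code and not a confirmed account of its fault: a deliberately simplified server that parks "the current student" in a server-wide slot, the session-scoped version that fixes it, and a scheduler that replays requests one student at a time, fully interleaved, and in random interleavings (standing in for the load robots). Record contents and user names are constructed.

```python
"""Deterministic model of a cross-session data leak under interleaved load.

Constructed example: a web tier that keeps "the current student" in
server-wide state between the login screen and the next transaction screen
hands one student's record to another whenever two requests interleave.
The fixed handler looks identity up by the session id each request carries.
"""
import random

# Constructed sample records, not real student data.
RECORDS = {
    "alice": {"fees_owed": 1200, "health_note": "none"},
    "bob": {"fees_owed": 0, "health_note": "asthma"},
    "carol": {"fees_owed": 450, "health_note": "none"},
}


class SharedStateServer:
    """Buggy: the student chosen on screen 1 lives in one slot shared by all."""

    def __init__(self):
        self.current_student = None

    def screen_login(self, session_id, username):
        # Screen 1: remember who logged in, ignoring which session asked.
        self.current_student = username

    def screen_transaction(self, session_id):
        # Screen 2: render "the" current student, whoever that is right now.
        return self.current_student, RECORDS[self.current_student]


class SessionScopedServer:
    """Fixed: identity is bound to the session id that every request carries."""

    def __init__(self):
        self.sessions = {}

    def screen_login(self, session_id, username):
        self.sessions[session_id] = username

    def screen_transaction(self, session_id):
        username = self.sessions[session_id]
        return username, RECORDS[username]


def run_schedule(server, schedule):
    """Replay (session_id, username, step) triples and return every leak.

    A leak is a screen-2 response whose record belongs to a different
    student than the one who logged in on that session.
    """
    leaks = []
    for session_id, username, step in schedule:
        if step == 1:
            server.screen_login(session_id, username)
        else:
            shown_user, _record = server.screen_transaction(session_id)
            if shown_user != username:
                leaks.append((session_id, username, shown_user))
    return leaks


def sequential_schedule(users):
    """One student at a time: the ordering a tester reproduces by hand."""
    return [(f"s{i}", u, step) for i, u in enumerate(users) for step in (1, 2)]


def interleaved_schedule(users):
    """Every login lands before any follow-up screen: the worst case."""
    sessions = [(f"s{i}", u) for i, u in enumerate(users)]
    return [(s, u, 1) for s, u in sessions] + [(s, u, 2) for s, u in sessions]


def random_schedule(users, rng):
    """A random interleaving that keeps each session's own two steps in order."""
    pending = {f"s{i}": [(f"s{i}", u, 1), (f"s{i}", u, 2)] for i, u in enumerate(users)}
    schedule = []
    while pending:
        sid = rng.choice(sorted(pending))
        schedule.append(pending[sid].pop(0))
        if not pending[sid]:
            del pending[sid]
    return schedule


def leaky_runs(server_cls, trials=200, seed=7):
    """Count random-load trials in which any record went to the wrong student."""
    rng = random.Random(seed)
    users = sorted(RECORDS)
    return sum(1 for _ in range(trials) if run_schedule(server_cls(), random_schedule(users, rng)))


if __name__ == "__main__":
    users = sorted(RECORDS)
    print("buggy, one at a time:", run_schedule(SharedStateServer(), sequential_schedule(users)))
    print("buggy, interleaved  :", run_schedule(SharedStateServer(), interleaved_schedule(users)))
    print("buggy, random load  :", leaky_runs(SharedStateServer), "of 200 runs leaked")
    print("fixed, random load  :", leaky_runs(SessionScopedServer), "of 200 runs leaked")
```

The sequential replay never leaks even on the buggy server, which is why a single tester stepping through the screens cannot reproduce the problem; only overlapping sessions expose it, and the session-scoped server shows no leak under any interleaving. The same driver, pointed at real request logs, is the check worth running after a fix: replay the recorded interleaving and assert that every response's subject matches the session that requested it.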