July 8, 2010, 02:00 PM ET

Flash on College Web Sites May Pose Security Risk for Students

College Web sites using Adobe Flash risk exposing students’ personal data, a new study finds.

Three computer-science lecturers at the University of Worcester—Joanne Kuzma, Colin Price, and Richard Henson—ran a scan on 250 college Web sites, testing for security vulnerabilities. Approximately 20 percent of the sites ran applications containing personal information within a Flash plug-in, which the researchers say may not be as secure as the universities' own systems. Six displayed what the researchers deemed “high-critical problems,” containing scripts that could be manipulated by hackers.

According to the report, which is unavailable online, security problems can arise due to professors, departments, and student organizations maintaining separate pages through the main university Web site. Academic departments often have their own individual servers, which are not set up through the school’s IT department and, therefore, may unknowingly pose security risks.

Mustaque Ahamad, a computer-science professor at the Georgia Institute of Technology, said Flash software contains bugs that may leave the machine vulnerable to hackers.

“From what I understand, hackers have exploited Web-security holes to taint and upload Flash files to university Web sites,” he said.

The tainted files allow hackers to track users who visit the sites. Such security holes also allow attackers to access other information stored in databases behind a server.

“Universities need to implement better Web security to ensure that hackers cannot upload tainted content that is hosted by their Web sites,” Mr. Ahamad said. “We are nowhere near achieving perfect security, but the risk can be reduced by being diligent about Web security.”

Adobe could not be reached for comment.

Comments

1. bajabob - July 08, 2010 at 07:02 pm

... Oh Chronicle. What terrible reporting. So let me get this straight, you have no available sources, your computer science professor doesn't even work at a university, and a flash file somehow has security holes that can allow hackers to upload *new* flash files that can be used to "taint" the web page.

The truth of the matter is, there are twenty or so Apple fans out there that don't get flash on their iPads, and they have been calling around to every university trying to get everyone to switch their sites to a different standard. In seeing that a *prestigious* university has dropped flash altogether the common grounds of all websites elsewhere on the net will follow.

These flash rumors are getting more and more far-fetched. There are thousands of e-commerce and larger-than-university sites out there that have way more sensitive information, like credit card numbers that hackers would love to take. We don't see the industry complaining.

2. txbd75a - July 09, 2010 at 07:54 am

The timing of this along with the Apple/Adobe war does seem very suspicious....

Flash is no more secure/insecure than other technologies. The real problem that we see all over the country is that departmental servers often pull confidential and FERPA data out of campus admin. systems and data warehouse and then host this data for departmental/college users. Central IT has its problems remaining secure, but these departmental systems are often written by staff/students who don't know how to write and test software for security. Virtually no universities do regular scans on department servers to spot insecurities, so these sites are all over the place.

That should have been the story, not this lame teaser.

Flash doesn't kill security.... poorly trained developers kill security....

3. draymusa - July 09, 2010 at 08:01 am

Bajabob,

What terrible analysis. You say there are "no available sources," but "not available online" does not mean not available. The report is published in the International Journal of Electronic Security and Digital Forensics, Volume 3, Issue 2, 2010. You also say "your computer science professor doesn't even work at a university," but the Georgia Institute of Technology is, in fact, a tier one national university, ranked 35 in US News and World Reports 2010 ranking. That ranking is available online (http://colleges.usnews.rankingsandreviews.com/best-colleges/atlanta-ga/georgia-tech-1569.

4. techrunner - July 09, 2010 at 08:15 am

The real story here is not about Adobe Flash. Oh, that grabs headlines but the meat of the matter is found in the sentence, "Academic departments often have their own individual servers, which are not set up through the school's IT department and, therefore, may unknowingly pose security risks." I have personally seen this happen. My institution had a rather serious incident several years ago where the opening that allowed the problem to infiltrate our campus network was a poorly maintained departmental server. Departmental servers are less likely to be properly managed and secured. It doesn't matter whether it's Flash or any other particular technology. If not properly managed, any technology can become a risk for exposure of sensitive information. Diligence is key when dealing with sensitive information. That diligence is often missing on departmental servers because those responsible for them usually have a myriad of other things to do.

5. ej_leblanc - July 09, 2010 at 08:42 am

I'm getting sick of this propaganda machine called the Chronicle. I tuned into the Chronicle because it said "online learning might slightly hurt student performance." I thought it was a fluke - but I was irate enough to comment.

As I am now. This is obvious propaganda. If it happens again, I'm tuning the Chronicle, and all affiliated with it, out for good.

6. msmith64 - July 09, 2010 at 08:50 am

@txbd75a sadly it's not true that "Flash is no more secure/insecure than other technologies."

While it's very hard to argue that Flash is less secure than the "other technologies" generality, I can say with some confidence that Flash Player, along with another Adobe Product, Acrobat Reader, pop up on US-CERT for high security vulnerabilities more often than most other major vendor products.

You said, "Flash doesn't kill security.... poorly trained developers kill security....", but who do you think wrote Flash?

7. jeanniec - July 09, 2010 at 09:18 am

@ej_leblanc Agreed.
@draymusa She should have posted the article information even if it is not available online.

8. sinutkomorgan - July 09, 2010 at 08:37 pm

Wow, the 2nd article I've read in years from The Chronicle and the 2nd that is woefully misinformed and resembling an undergraduate journalism assignment. Agree w/ @techrunner's comments.

9. adobeedu - July 13, 2010 at 02:21 pm

http://chronicle.com/blogPost/Flash-on-College-Web-Sites-May/25384/#comments

10. adobeedu - July 13, 2010 at 05:05 pm

We apologize for the delay in response, and want to clarify why Adobe wasn't available for comment last week. As has been our practice for several years, Adobe's US offices were closed for a summer shutdown period concurrent with the Fourth of July holiday between July 5-9, 2010. We do want to provide comment, however, on this post.

As you know, Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of many of our products, in particular our clients, Adobe has attracted -- and will likely continue to attract -- increasing attention from attackers. However, Adobe employs industry-leading security software engineering practices and processes in building our products and responding to security issues, and the security of our customers will always be a critical priority for Adobe. The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates. Adobe strongly recommends that users follow security best practices by installing the latest security updates as the best possible defense against those with malicious intent.

We will also reach out to Kelly Truong, the reporter, and offer to clarify any questions she may have.

Thanks to all of you for your comments and support.
