In a recent post we discussed the potential security breaches that can result from publishing alumni lists online. Today, we examine the ‘safety’ of alumni data that resides behind the firewall.
Phillips Exeter is one of the country’s preeminent boarding schools. Mark Zuckerberg is even an alumnus. With an endowment of $1 billion, Exeter has, by all accounts, sufficient funding to afford the best alumni networking practices in the universe. Unfortunately, Exeter chooses to manage all its technology in-house, including its alumni systems. The following is representative of the paradox of many wealthy schools that think they are being ‘safer’ by not outsourcing tech. In most cases, they are wrong.
The Question: How easy would it be to impersonate an Exeter alum by accessing the network (likely the school’s biggest asset)?
Answer: It’s so simple we did so in about 5 minutes. [Please note, we have deleted all accounts and are alerting the network administrator to fix this security faux pas].
First we went to the alumni portion of the website. Exeter actually lists “missing” alumni, or those persons who have not been heard from in years. So we arbitrarily selected a person from the class of 1998: Pajo Sanjin.
Next, we created a fake Gmail email address: pajo.sanjin.com
Finally, we ran a search in the alumni directory for Pajo Sanjin, found the name and claimed our identity.
Access granted. Scary, isn’t it?
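As an added illustration (not part of the original post, and not Exeter’s code), here is the claim flow described above beside a hardened version: a directory name match only selects a verification route, the one-time token goes to the address already on file rather than the one just submitted, and a “missing” alum with no trusted contact is routed to manual review. The directory entries and addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass

@dataclass
class AlumRecord:
    name: str
    class_year: int
    emails_on_file: tuple = ()   # verified contact addresses; empty for a "missing" alum

# Constructed sample directory (placeholder names, not real alumni).
DIRECTORY = {
    ("missing alum", 1998): AlumRecord("Missing Alum", 1998),                     # listed as missing
    ("known alum", 2005): AlumRecord("Known Alum", 2005, ("known.alum@example.edu",)),
}

def weak_claim(name, class_year, submitted_email):
    """Flow the post describes: a matching directory name grants access immediately."""
    return (name.lower(), class_year) in DIRECTORY

class ClaimService:
    """Hardened flow: a claim never grants access by itself; it only picks a verification route."""
    def __init__(self):
        self.pending = {}        # token -> directory key, awaiting proof of mailbox control
        self.review_queue = []   # claims a human must check against proof of identity
        self.outbox = []         # (address, token) pairs; stands in for sending mail

    def claim(self, name, class_year, submitted_email):
        key = (name.lower(), class_year)
        rec = DIRECTORY.get(key)
        if rec is None:
            return "denied"
        if not rec.emails_on_file:
            # No trusted contact exists, so the submitted address proves nothing about identity.
            self.review_queue.append((key, submitted_email))
            return "manual-review"
        # Prove control of the address already on file; the submitted address is ignored here.
        token = secrets.token_urlsafe(32)
        self.pending[token] = key
        self.outbox.append((rec.emails_on_file[0], token))
        return "token-sent-to-file-address"

    def verify(self, token):
        """Access is granted only when the single-use token comes back."""
        key = self.pending.pop(token, None)
        return "granted" if key else "invalid-token"
```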
Update: To clarify, PrepNY did not ever actually access the PEA database. While we easily could have, the point of this exercise was simply to inform schools of the dangers certain security flaws represent and what ‘could happen’ if the problems are not addressed.