Thoughout 2008 I and some colleagues have become increasingly concerned about security vulnerabilities in Virtual Learning Environments (VLE), also known as Course Management Systems (CMS). Yesterday (10th September) I and Andrew Booth gave a presentation on the subject at the ALT-C 2008 Conference.
Here are some resources related to that presentation.
This is the principle threat to VLEs and CMSs that is causing me great concern. The standard approach to combating Cookie Theft in interactive web sites involves filtering user input and prevent user from publishing scripted content within the web site. However, in a VLE users demand the right to upload scripted content because many learning objects use scripting for their functionality.
So in the case of Trojan Horse learning objects the standard tactic for defeating cookie theft attacks is ineffective. System designers need to assume that cookies can and will be stolen and must render them useless to the hacker.
I am at an advanced stage of developing a software product that will improve the security of web applications. Cookie cutter is implemented as an Apache module and is intalled on the web server that runs the web application. Page requests enter the networking part of Apache pass through Cookie Cutter onto the VLE software. Responses follow the same path in reverse. Cookie Cutter digitally signs outgoing cookies and checks the validity of all incoming cookies.
Updated news about Cookie Cutter will appear here or you can register your interest with me and I'll keep you up to date via Email. I intend to make the software available to unversities, colleges and schools who wish to secure their VLEs and also available under license to vendors of VLEs if they wish to bundle it with their products.
If your organisation wishes to review the security of its web based services I may be able to help. Please get in touch and we can discuss options.
The main thing is to keep on at your VLE supplier to provide an update to their software or a solid assurance that the software isn't affected. The ideal would be some kind of guarantee to pay compensation if a damaging incident occurs.
Second - review the functionality provided by your VLE. If the VLE log-in provides access to personal data, e.g. via a portal to the student registry then I advise you disable that functionality. Personal data can be posted up in all sorts of places in a VLE and I'd advise a strict acceptable use policy which bans the sharing of any personal data such as date of birth, home address etc. in the VLE.
Third - if your VLE software allows it consider switching to the use of X509.3 digitial certificates for authentication. Simply using HTTPS encrypted links may not be useful. If you have many students this could lead to very significant user support implications since few are familiar with using personal certificates. A compromise would be to make use of digital certificates compulsory for staff - even if it were made compulsory only for system administrators and help desk staff that would be beneficial. Technology is available for providing students and staff with USB dongles which store certificates and make their use very much easier to understand.
Email address: firstname.lastname@example.org