WINCHESTER — A hack into Umpqua Community College’s online learning management system in January could have been much worse.
The college shut down the system, called Moodle, because student information was at risk.
What the hacker didn’t discover was that the information on Moodle wasn’t properly secured, and that he or she could have done real damage.
Professors post assignments, syllabi, handouts and more on Moodle; students use the system to turn in work, check their grades, and communicate with instructors and other students.
“Any person in the world that uses Moodle and knows the way to administer the system via the Web could log in with no passwords,” Victoria DeVore, the college’s director of information technology, wrote Feb. 21 in an e-mail message to biology professor Ken Carloni, who was inquiring about the system. “This gave them access to all users’ accounts, names, passwords and other demographic information along with changing anything they wanted!”
The demographic information included data about student race, gender and addresses, according to Javier Ayala, director of curriculum and instruction. He does not believe any highly sensitive information such as Social Security numbers or credit information was exposed.
So far no students or professors have reported problems, DeVore said Monday, adding that the students’ passwords were encrypted.
The college became aware of the security breach when the system began slowing down. An investigation uncovered a message from the hacker in the system that said he or she had hacked into it, Ayala said.
DeVore said she discovered how vulnerable the system was after the hack, and she also learned that students’ personal information had been put on Moodle, a move she said she would not have authorized.
She learned about the hack sometime in the middle of January, though a Feb. 14 UCC press release said “Umpqua Community College became aware early Tuesday (February 12) that a ‘Learning Management System’ called Moodle used by a small number of our students had been compromised. ... As one of the steps the College is taking, Moodle has been shut down.”
DeVore said the school’s press release was referring to “the day we officially said it was shut down.”
She said she’d actually shut it down a week before that.
“It was stopped way before you got the press release,” she said, speaking to a reporter. “It took us a while to get things together.”
About 300 students were using the system, according to Ayala.
<b>NO SAFEGUARDS</b>
UCC had been using Moodle for many years, but it was paying another company to manage it. Moodle is free, open source software, which means the code is available and programmers can tailor it to their needs. But it also takes a lot of support.
In 2005, DeVore said, the college decided to switch from Moodle to another system called Angel.
Last spring, the college began running Moodle itself. DeVore said that was to give the nursing instructors time to make the change, since the nursing department used Moodle to supplement their classes.
“It’s a lot of work for them to move over” to Angel, she said. “It’s a lot of work for them to learn another piece of software.”
But at the college, Moodle was run without safeguards, she said.
DeVore said the security measures could have been taken when Moodle was first set up, but they weren’t.
She said the system was supposed to be temporary and used only by the nursing program. But other instructors continued to use Moodle, too.
Carloni said he and others were told they could use it to supplement any regular classes.
<b>INFORMATION EXPOSED</b>
DeVore said she didn’t know the system was being used outside the nursing department. She also didn’t know a database of students’ personal and demographic information was put on Moodle. She said she doesn’t know who put the database on the system, but it had to do with nursing certification and accreditation.
The hacker had exploited a security hole in Moodle, she said. Moodle issued a security patch — DeVore isn’t sure when — but the hacker got into the system before the college installed it at the end of January.
In early February, the system was still having problems.
“It kept on crashing,” DeVore said. “We didn’t know why.”
As DeVore spent more time trying to find the problem, she discovered Moodle had students’ personal information on it.
That led her to recommend shutting down the system, she said.
“Our primary concern was for the students that were accessing the system,” she said. “We took all the precautionary measures that we possibly could. This was an unforeseen situation.”
Those measures included shutting down the system and resetting passwords on all the campus software systems.
“We regret the inconvenience, but we would never sacrifice security,” said Beverly Brandt, the college’s vice president for administrative services.
<b>MOODLE NOW</b>
After Moodle was shut down, instructors and students were left trying to figure out what to do.
Carloni said he couldn’t get to five weeks’ worth of student work, and he didn’t know how he was going to evaluate his students.
Carloni and other professors asked the college to let them move Moodle to a private company that could host it securely. They were willing to pay for it themselves, he said.
The college decided to pay for a similar service, and Moodle should be running securely this week. New courses won’t be added, but students and staff who were already using Moodle will be able to keep using it.
“We’re basically pretty happy about this,” Carloni said.
Staff and students who use Angel are also mentoring their counterparts who’ve been using Moodle, said Ayala.
He said a task force will decide whether Moodle will be used after this school year.
• You can reach reporter Teresa Williams at 957-4230 or via e-mail at twilliams@newsreview.info.