Information Assurance

Heath Walden



Media Analysis - Georgetown University Online Directory

Flaw in the implementation of the Georgetown University Online Directory

Problem:

Georgetown University provides an online directory of all members of the Georgetown community through the website http://contact.georgetown.edu. The site is open for anyone to search. You can enter either a name or part of a phone number; phone-number searches return only employee and department numbers, not students' numbers. Search results tell you only that a student is a student, not even which school (medical, law, or undergraduate). The site has a preformed page for sending an email to a user. The university has reasons for hiding email addresses, which it states as follows:

About the Georgetown University Directory
The University Directory contains a unified view of student, faculty, and staff information. Web Access to the University Directory server is maintained by University Information Services. After searching for a name, NetID, phone number, group or department, click on any name to display more detailed information about that entry. When your search results in a single listing, all the known details about that listing are provided.
A. The University Directory is provided for the Georgetown community and those who have a specific interest in reaching individual students, faculty, or staff. Information obtained from this Directory may not be used to provide addresses for mailings to students, faculty, or staff. Any solicitation of business, information, contributions or other response from individuals listed in this directory by mail, telephone or other means is expressly forbidden.

B. How Email Addresses are Displayed in This Directory
To protect Georgetown University students, faculty, and staff from email spam, email addresses in the University Directory are only displayed when accessed from the Georgetown University network. External users can still email individuals in the directory by using the link to "Send email to this user" and filling out a web form. Georgetown University users may use the "Georgetown University users" link and log in using their NetID to view complete directory records. The email message that is sent will include a header to let the recipient know that the message originated from this directory web site. Recipients should be aware that the authenticity of senders' email addresses cannot be verified in this process.

C. How to Update Directory Information
Students may update information by submitting changes in Student Access+ or visiting the office of the Registrar for your campus. Faculty and Staff listings are generated from information provided to the appropriate campus Human Resource offices, and from data provided by departmental Directory Coordinators for inclusion in the University Directory. To update your information, contact your home department's Directory Coordinator (usually your department's administrative officer). UIS is unable to accept individual requests for directory updates from faculty or staff. To determine the name of your Directory Coordinator, go to Access+, log in to Faculty & Staff Services, select Directory Services, and view your directory entry.
Faculty directory entries may link to a faculty profile for additional information. These profiles may be updated by individual faculty by going to the Explore site and using the Faculty Login option.

So the school goes through all the trouble of setting up an outside path for reaching people at Georgetown when you are not a member of the Georgetown community, yet there is a flaw in the design. All the effort to hide NetIDs is wasted: once you have chosen a user, the web address ends with netid= followed by that user's NetID, and that address is visible to anyone who searches the directory at all.

So we have an elaborate system to keep NetIDs, and thus email addresses, confidential to avoid spam and the like, yet we give them away in the web address. It is therefore a waste of time even to have the separate email page, since you can just send one yourself.

Possible problems are that everyone in the Georgetown system could receive email bombs, or a potential hacker could easily spread a Trojan or worm by email to the whole campus. Also, with the NetIDs they could potentially get into Access+ or other systems and find out sensitive information.

A fix would be simple: in the directory web program, instead of identifying each individual's page by their NetID, identify it by a number that the system assigns to the user. This would be much safer, since anyone who assumed that number was significant to other systems would be wrong.
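The surrogate-identifier fix described above, as an added example (not code from the Georgetown directory): each record is linked by a random opaque id, so the NetID never appears in the address and the external view never returns it. The host name, records and NetIDs are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample records; NetIDs and names are made up.
DIRECTORY = [
    {"netid": "jdoe12", "name": "Jane Doe", "affiliation": "student"},
    {"netid": "rroe3", "name": "Richard Roe", "affiliation": "staff", "phone": "202-555-0100"},
]
BASE = "https://contact.example.edu/detail"   # placeholder host, not the real site

def flawed_link(rec):
    """The design the page criticises: the NetID itself is the URL parameter."""
    return f"{BASE}?{urlencode({'netid': rec['netid']})}"

class Directory:
    """Links every record by an opaque, randomly assigned id instead of the NetID."""
    def __init__(self, records):
        self._by_token = {}    # opaque id -> record
        self._token_of = {}    # netid -> opaque id (server-side only)
        for rec in records:
            token = secrets.token_urlsafe(12)   # unguessable and unrelated to the NetID
            self._by_token[token] = rec
            self._token_of[rec["netid"]] = token

    def detail_link(self, rec):
        """Link shown in search results; only the opaque id reaches the query string."""
        return f"{BASE}?{urlencode({'id': self._token_of[rec['netid']]})}"

    def public_view(self, url):
        """Resolve a link as the detail page would, returning only externally visible fields."""
        qs = parse_qs(urlparse(url).query)
        rec = self._by_token.get(qs.get("id", [None])[0])
        if rec is None:
            return None    # unknown or missing id: nothing to show
        return {k: v for k, v in rec.items() if k != "netid"}

def links_leak_netid(directory, records):
    """Check that no generated link contains any record's NetID."""
    return any(r["netid"] in directory.detail_link(r) for r in records)

if __name__ == "__main__":
    d = Directory(DIRECTORY)
    for r in DIRECTORY:
        print(flawed_link(r), "->", d.detail_link(r), d.public_view(d.detail_link(r)))
```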

What we can see is that there are flaws in design everywhere. This one can be seen as a flaw in the idea: whoever designed the system should have made sure that the NetID would never be exposed and told the programmer not to display it. Also, the programmer should have known that the NetID is sensitive information and should not have used it as the main identifier in the program.