higher-education-fraud

Information security, especially at schools that provide training on the subject, in for-profit higher education should not be a premium. It would make a really great story to send an “undercover” technician to DeVry and Rasmussen campuses to observe their incredible service delivery.

Rasmussen’s portal has long had a SQL injection vulnerability that has been published on the internet several times. It still remains uncorrected.

Rasmussen College and DeVry Institute of Technology are both HLC accredited schools with for-profit business models. Both schools often claim, “the same accreditation as Harvard” and other quality Universities. Surprisingly, the two institutions have a lot more in common. From sharing questionable leadership to providing questionable placement practices for students and even extremely questionable security policies, these institutions are the embodiment of the flaws of American education.

The curriculum, and curriculum for partner schools as mentioned later, is created by individuals that rarely have any current knowledge in the subjects. Course material is often incorrect or misunderstood by the instructors. The policy of both institutions require instructors with Masters Degrees, but because they do not invest in qualified candidates they will allow, for example, an individual with a Masters Degree in Business to teach OpenGL Programming based on course material created by an individual with no programming experience.

Rasmussen and DeVry not only share the same accreditation, but the sponsorship was provided with the same seed money. The two institutions share employees, transferring their employees back and forth. One such employee is Todd Pombert, a newly appointed Vice President of Infrastructure and Technology for Rasmussen College. Having very little professional experience when compared to individuals at similar roles, it was insisted Todd be given this role by Gerald Gagliardi. Gerald Gagliardi is on the board of directors for businesses like NetWolves and Rasmussen College itself. A shrewd investor from Boca Raton, Mr. Gagliardi is shrewd investor that has used his resources to create successful people and businesses as he decides. There is no altruism here.

Rasmussen College, Inc. itself, along with it’s sister company Deltak Innovation which is now owned by John Wiley & Sons in an attempt to break into online courseware, is reorganizing. Rasmussen Collge will be its own entity with I.T. services provided by Collegis Managed Services. These are the same employees but now with a different title. Services provided include lead generation, hosting online courses with the Angel, Blackboard and Moodle LMS systems; retaining student data and more. Customers of Collegis include Purdue University, University of Florida, Gonzaga, Benedictine, Lubbock, Anna Maria College and more – if a school’s online URL includes learntoday.info it is a Rasmussen (now Collegis) resource. Similarly, if the URL begins with “engage” then it is most likely a Collegis resource. These schools are outsourcing to Collegis hosting some of their online courses. There are no operational controls, no security officer and no practice in providing even the smallest amount of protection for the data these schools have hosted with Collegis. In particular, many colleges are Jesuit schools that are preyed upon for their association to other Jesuit colleges.

In the case of Todd Pombert this individual was promoted to a very senior role with no practical or noticeable work experience that should be required for a leader in an industry requiring critical care in student information security. A drop-out from his Master’s Degree, this individual maintains this position only because of the multi-level-marketing that DeVry and Rasmussen consider as qualifications for employment. There is no Security Officer for Rasmussen College. There is no reputable third party providing those services. Todd Pombert does not have the qualifications to adhere to industry practices that provide protection, confidentiality and integrity to managed services exposing flaws to their customers. Worse, an educational institution cannot provide and does not insist on the training required to keep students of Rasmussen and its partners safe. The lack of knowledge is so blatant that Todd Pombert keeps an archive of every email he received at DeVry to use as reference at Rasmussen. From confidential information, business plans, document templates and even financial data, much of DeVry’s history and future decisions are recorded unsecured on a “competitor” owned laptop with no disk encryption.

The school has all of the students in the same domain as contractors, faculty, staff and the board of directors. Not only does this create conflicts, but it allows any domain user (ie: student, contractor, etc) to browse the domain for information about any other user. Students are free to attempt to brute force Executive passwords giving them access to unencrypted financial information of other students and more. The network services between campus and the datacenter is the same class A network – you can reach the Chicago based datacenter from a school in Fargo from any ethernet jack. There are no standard, practical security mechanisms in place to prevent such a thing.

Students are forced to use a password convention that they often can’t change – firstname.lastname password: fl1234. This 6 character password utilizes the last four digits of the student’s social security number. None of the websites have any protection from common brute force attacks. If you know the name of a student (Joe Smith) then you know 1/3 of his password (jsXXXX) and it is trivial to use the portal, online courses or other services to continually guess 0000-9999. This exposes the student to possible fraud from someone acquiring their personal identifying information as well as allows an intruder to view the student’s grades, financial data email to the student with the same password and any academic work the student has previously submitted.

Staff manage students through a public RDP system at class.learntoday.info. There is no password policy assigned. Staff are free to use passwords including their own names and more. If an intruder gains access to the RDP system all student financial data is stored unencrypted on a Windows file share.

The wireless network for Rasmussen is WEP. WEP is a long outdated mechanism for securing a wireless network. Modern approaches to attacking WEP networks can allow an intruder to gain access within minutes. Again, financial data for students and the school itself are not encrypted in-place or in-flight. An attacker is able to gain access to any information just by being near a campus or corporate site.

There is no NAP, no RADIUS no 802.1X. The networks are completely unprotected. Coincidentally, both schools teach courses that promote the use of tools capable of easily harvesting corporate, student and financial data like Wireshark and Snort.

Even basic controls have been neglected. The printers and copiers throughout all sites run default settings with no authentication and the web interface enabled. Anyone can request a re-print of jobs including social security numbers or financial data.

The employee portal itself did not follow practical standards and did not have SSL protecting employee information from being broadcast in plain text. That includes the passwords of financial aid employees as well as C-level visitors to local campuses.

These points above may not even be considered the most critical flaws in the service provided. The practices of Rasmussen and DeVry are a blight on Higher Education as a whole. Their practices should be considered, and some are outright, criminally negligent.

Rasmussen and DeVry continue to pay their questionable leadership large amounts of money. This is a clear misappropriation. If even a fraction of Todd Pombert’s salary was spent on security reviews, operational controls or educating Todd Pombert then these schools would not be risking disastrous consequences for their students and students of large, responsible institutions like Purdue and the University of Florida.

For Rasmussen (Collegis) hosted instances of online platforms nearly all of the content has the same ACL. There is nothing protecting content from one school from being used in another school’s offering or worse – being copied by an intruder.

Finally, to add insult to injury, while these schools are raking in student tuition to pay higher amounts of money to irresponsible leadership, they are placing students with Bachelor’s degrees as minimum wage Gamestop clerks. They claim this to be “in-field” placement for Information Technology students. The subject of ballooning student loans is covered in-depth lately and there is no need to remind you that these students will never be able to pay their debt for an education they received at profit for individuals just as qualified as graduates.

-Anonymous Email Submission-