Information Technology – Higher Education… or?


Information security, especially at schools that provide training on the subject, in for-profit higher education should not be a premium. It would make a really great story to send an “undercover” technician to DeVry and Rasmussen campuses to observe their incredible service delivery.

Rasmussen’s portal has long had a SQL injection vulnerability that has been published on the internet several times. It still remains uncorrected.

Rasmussen College and DeVry Institute of Technology are both HLC accredited schools with for-profit business models. Both schools often claim, “the same accreditation as Harvard” and other quality Universities. Surprisingly, the two institutions have a lot more in common. From sharing questionable leadership to providing questionable placement practices for students and even extremely questionable security policies, these institutions are the embodiment of the flaws of American education.

The curriculum, and curriculum for partner schools as mentioned later, is created by individuals that rarely have any current knowledge in the subjects. Course material is often incorrect or misunderstood by the instructors. The policy of both institutions requires instructors with Masters Degrees, but because they do not invest in qualified candidates they will allow, for example, an individual with a Masters Degree in Business to teach OpenGL Programming based on course material created by an individual with no programming experience.

Rasmussen and DeVry not only share the same accreditation, but the sponsorship was provided with the same seed money. The two institutions share employees, transferring their employees back and forth. One such employee is Todd Pombert, a newly appointed Vice President of Infrastructure and Technology for Rasmussen College. Having very little professional experience when compared to individuals at similar roles, it was insisted Todd be given this role by Gerald Gagliardi. Gerald Gagliardi is on the board of directors for businesses like NetWolves and Rasmussen College itself. A shrewd investor from Boca Raton, Mr. Gagliardi has used his resources to create successful people and businesses as he decides. There is no altruism here.

Rasmussen College, Inc. itself, along with its sister company Deltak Innovation which is now owned by John Wiley & Sons in an attempt to break into online courseware, is reorganizing. Rasmussen College will be its own entity with I.T. services provided by Collegis Managed Services. These are the same employees but now with a different title. Services provided include lead generation, hosting online courses with the Angel, Blackboard and Moodle LMS systems; retaining student data and more. Customers of Collegis include Purdue University, University of Florida, Gonzaga, Benedictine, Lubbock, Anna Maria College and more – if a school’s online URL includes learntoday.info it is a Rasmussen (now Collegis) resource. Similarly, if the URL begins with “engage” then it is most likely a Collegis resource. These schools are outsourcing to Collegis hosting some of their online courses. There are no operational controls, no security officer and no practice in providing even the smallest amount of protection for the data these schools have hosted with Collegis. In particular, many colleges are Jesuit schools that are preyed upon for their association to other Jesuit colleges.

In the case of Todd Pombert this individual was promoted to a very senior role with no practical or noticeable work experience that should be required for a leader in an industry requiring critical care in student information security. A drop-out from his Master’s Degree, this individual maintains this position only because of the multi-level-marketing that DeVry and Rasmussen consider as qualifications for employment. There is no Security Officer for Rasmussen College. There is no reputable third party providing those services. Todd Pombert does not have the qualifications to adhere to industry practices that provide protection, confidentiality and integrity to managed services exposing flaws to their customers. Worse, an educational institution cannot provide and does not insist on the training required to keep students of Rasmussen and its partners safe. The lack of knowledge is so blatant that Todd Pombert keeps an archive of every email he received at DeVry to use as reference at Rasmussen. From confidential information, business plans, document templates and even financial data, much of DeVry’s history and future decisions are recorded unsecured on a “competitor” owned laptop with no disk encryption.

The school has all of the students in the same domain as contractors, faculty, staff and the board of directors. Not only does this create conflicts, but it allows any domain user (i.e., student, contractor, etc.) to browse the domain for information about any other user. Students are free to attempt to brute force Executive passwords giving them access to unencrypted financial information of other students and more. The network services between campus and the datacenter are the same class A network – you can reach the Chicago based datacenter from a school in Fargo from any ethernet jack. There are no standard, practical security mechanisms in place to prevent such a thing.

Students are forced to use a password convention that they often can’t change – firstname.lastname password: fl1234. This 6 character password utilizes the last four digits of the student’s social security number. None of the websites have any protection from common brute force attacks. If you know the name of a student (Joe Smith) then you know 1/3 of his password (jsXXXX) and it is trivial to use the portal, online courses or other services to continually guess 0000-9999. This exposes the student to possible fraud from someone acquiring their personal identifying information as well as allows an intruder to view the student’s grades, financial data, email to the student with the same password and any academic work the student has previously submitted.

Staff manage students through a public RDP system at class.learntoday.info. There is no password policy assigned. Staff are free to use passwords including their own names and more. If an intruder gains access to the RDP system all student financial data is stored unencrypted on a Windows file share.

The wireless network for Rasmussen is WEP. WEP is a long outdated mechanism for securing a wireless network. Modern approaches to attacking WEP networks can allow an intruder to gain access within minutes. Again, financial data for students and the school itself are not encrypted in-place or in-flight. An attacker is able to gain access to any information just by being near a campus or corporate site.

There is no NAP, no RADIUS, no 802.1X. The networks are completely unprotected. Coincidentally, both schools teach courses that promote the use of tools capable of easily harvesting corporate, student and financial data like Wireshark and Snort.

Even basic controls have been neglected. The printers and copiers throughout all sites run default settings with no authentication and the web interface enabled. Anyone can request a re-print of jobs including social security numbers or financial data.

The employee portal itself did not follow practical standards and did not have SSL protecting employee information from being broadcast in plain text. That includes the passwords of financial aid employees as well as C-level visitors to local campuses.

These points above may not even be considered the most critical flaws in the service provided. The practices of Rasmussen and DeVry are a blight on Higher Education as a whole. Their practices should be considered, and some are outright, criminally negligent.

Rasmussen and DeVry continue to pay their questionable leadership large amounts of money. This is a clear misappropriation. If even a fraction of Todd Pombert’s salary was spent on security reviews, operational controls or educating Todd Pombert then these schools would not be risking disastrous consequences for their students and students of large, responsible institutions like Purdue and the University of Florida.

For Rasmussen (Collegis) hosted instances of online platforms nearly all of the content has the same ACL. There is nothing protecting content from one school from being used in another school’s offering or worse – being copied by an intruder.

Finally, to add insult to injury, while these schools are raking in student tuition to pay higher amounts of money to irresponsible leadership, they are placing students with Bachelor’s degrees as minimum wage Gamestop clerks. They claim this to be “in-field” placement for Information Technology students. The subject of ballooning student loans is covered in-depth lately and there is no need to remind you that these students will never be able to pay their debt for an education they received at profit for individuals just as qualified as graduates.

-Anonymous Email Submission-
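As an added example (not part of the submitted email and not code from any institution it names): a defender-side sketch for the password convention described above, rejecting initials-plus-four-digits passwords when they are set and flagging accounts that see bursts of failed logins so they can be locked or throttled. The log format, function names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) log line format: "<ISO timestamp> OK|FAIL user=<name> src=<addr>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def is_convention_password(username: str, password: str) -> bool:
    """True if password is the account's initials plus exactly four digits."""
    parts = username.lower().split(".")
    if len(parts) != 2 or not all(parts):
        return False
    initials = parts[0][0] + parts[1][0]
    return re.fullmatch(re.escape(initials) + r"[0-9]{4}", password.lower()) is not None


def accounts_to_lock(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return accounts with more than max_failures failed logins inside window.

    Failures are counted per account, not per source address, because a
    10,000-value space can be spread across many sources.
    """
    recent = defaultdict(deque)
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, result, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[user]
        if result == "OK":
            q.clear()  # a successful login resets the failure window
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_failures:
            flagged.add(user)
    return flagged


def build_sample_log() -> str:
    """Constructed sample data: one account under rapid guessing, one normal user."""
    base = datetime(2012, 8, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} FAIL user=joe.smith src=203.0.113.7"
             for i in range(8)]
    lines.append(f"{base.isoformat()} FAIL user=ann.lee src=198.51.100.4")
    lines.append(f"{(base + timedelta(minutes=10)).isoformat()} FAIL user=ann.lee src=198.51.100.4")
    lines.append(f"{(base + timedelta(minutes=11)).isoformat()} OK user=ann.lee src=198.51.100.4")
    return "\n".join(lines)


if __name__ == "__main__":
    print("reject at set time:", is_convention_password("joe.smith", "js1234"))
    print("accounts to lock:", sorted(accounts_to_lock(build_sample_log())))
```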

TRAPWIRE: Wikileaks Drops a Surveillance Bombshell – Widescale Facial Recognition & Behavior Pattern Mapping


Former senior intelligence officials have created a detailed surveillance system more accurate than modern facial recognition technology — and have installed it across the US under the radar of most Americans, according to emails hacked by Anonymous.

Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It’s part of a program called TrapWire and it’s the brainchild of Abraxas, a Northern Virginia company staffed with elite from America’s intelligence community. The employee roster at Abraxas reads like a who’s who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation’s ties are assumed to go deeper than even documented.

The details on Abraxas and, to an even greater extent TrapWire, are scarce, however, and not without reason. For a program touted as a tool to thwart terrorism and monitor activity meant to be under wraps, it’s understandable that Abraxas would want the program’s public presence to be relatively limited. But thanks to last year’s hack of the Strategic Forecasting intelligence agency, or Stratfor, all of that is quickly changing.

Hacktivists aligned with the loose-knit Anonymous collective took credit for hacking Stratfor on Christmas Eve, 2011, in turn collecting what they claimed to be more than five million emails from within the company. WikiLeaks began releasing those emails as the Global Intelligence Files (GIF) earlier this year and, of those, several discussing the implementing of TrapWire in public spaces across the country were circulated on the Web this week after security researcher Justin Ferguson brought attention to the matter. At the same time, however, WikiLeaks was relentlessly assaulted by a barrage of distributed denial-of-service (DDoS) attacks, crippling the whistleblower site and its mirrors, significantly cutting short the number of people who would otherwise have unfettered access to the emails.

On Wednesday, an administrator for the WikiLeaks Twitter account wrote that the site suspected that the motivation for the attacks could be that particularly sensitive Stratfor emails were about to be exposed. A hacker group called AntiLeaks soon after took credit for the assaults on WikiLeaks and mirrors of their content, equating the offensive as a protest against editor Julian Assange, “the head of a new breed of terrorist.” As those Stratfor files on TrapWire make their rounds online, though, talk of terrorism is only just beginning.

Mr. Ferguson and others have mirrored what are believed to be the most recently released Global Intelligence Files on external sites, but the original documents uploaded to WikiLeaks have been at times unavailable this week due to the continuing DDoS attacks. Late Thursday and early Friday this week, the GIF mirrors continued to go offline due to what are presumably more DDoS assaults. Australian activist Asher Wolf wrote on Twitter that the DDoS attacks flooding the WikiLeaks server were reported to be dropping upwards of 40 gigabytes of traffic per second on the site.

According to a press release (pdf) dated June 6, 2012, TrapWire is “designed to provide a simple yet powerful means of collecting and recording suspicious activity reports.” A system of interconnected nodes spot anything considered suspect and then input it into the system to be “analyzed and compared with data entered from other areas within a network for the purpose of identifying patterns of behavior that are indicative of pre-attack planning.”

In a 2009 email included in the Anonymous leak, Stratfor Vice President for Intelligence Fred Burton is alleged to write, “TrapWire is a technology solution predicated upon behavior patterns in red zones to identify surveillance. It helps you connect the dots over time and distance.” Burton formerly served with the US Diplomatic Security Service, and Abraxas’ staff includes other security experts with experience in and out of the Armed Forces.

What is believed to be a partnering agreement included in the Stratfor files from August 13, 2009 indicates that they signed a contract with Abraxas to provide them with analysis and reports of their TrapWire system (pdf).

“Suspicious activity reports from all facilities on the TrapWire network are aggregated in a central database and run through a rules engine that searches for patterns indicative of terrorist surveillance operations and other attack preparations,” Crime and Justice International magazine explains in a 2006 article on the program, one of the few publicly circulated on the Abraxas product (pdf). “Any patterns detected – links among individuals, vehicles or activities – will be reported back to each affected facility. This information can also be shared with law enforcement organizations, enabling them to begin investigations into the suspected surveillance cell.”

In a 2005 interview with The Entrepreneur Center, Abraxas founder Richard “Hollis” Helms said his signature product:

“can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessments of areas that may be under observation from terrorists.” He calls it “a proprietary technology designed to protect critical national infrastructure from a terrorist attack by detecting the pre-attack activities of the terrorist and enabling law enforcement to investigate and engage the terrorist long before an attack is executed,” and that, “The beauty of it is that we can protect an infinite number of facilities just as efficiently as we can one and we push information out to local law authorities automatically.”

An internal email from early 2011 included in the Global Intelligence Files has Stratfor’s Burton allegedly saying the program can be used to “[walk] back and track the suspects from the get go w/facial recognition software.”

Since its inception, TrapWire has been implemented in most major American cities at selected high value targets (HVTs) and has appeared abroad as well. The iWatch monitoring system adopted by the Los Angeles Police Department (pdf) works in conjunction with TrapWire, as does the District of Columbia and the “See Something, Say Something” program conducted by law enforcement in New York City, which had 500 surveillance cameras linked to the system in 2010. Private properties including Las Vegas, Nevada casinos have subscribed to the system. The State of Texas reportedly spent half a million dollars with an additional annual licensing fee of $150,000 to employ TrapWire, and the Pentagon and other military facilities have allegedly signed on as well.

In one email from 2010 leaked by Anonymous, Stratfor’s Fred Burton allegedly writes, “God Bless America. Now they have EVERY major HVT in CONUS, the UK, Canada, Vegas, Los Angeles, NYC as clients.” Files on USASpending.gov reveal that the US Department of Homeland Security and Department of Defense together awarded Abraxas and TrapWire more than one million dollars in only the past eleven months.

News of the widespread and largely secretive installation of TrapWire comes amidst a federal witch-hunt to crack down on leaks escaping Washington and an attempt to prosecute whistleblowers. Thomas Drake, a former agent with the NSA, has recently spoken openly about the government’s Trailblazer Project that was used to monitor private communication, and was charged under the Espionage Act for coming forth. Separately, former NSA tech director William Binney and others once with the agency have made claims in recent weeks that the feds have dossiers on every American, an allegation NSA Chief Keith Alexander dismissed during a speech at Def-Con last month in Vegas.

SOURCE: RT.com

 

NOW FOR THE RAW LEAKS:

http://privatepaste.com/c56f6848d2/trapwireCentralizedDatabaseMGMGrandLinkedSystemEtc – centralized database, vegas hotels, linked sites, etc

http://privatepaste.com/e5b7f4a21d/trapwireNYC – NYC circa 2010

http://privatepaste.com/a9bc9274ea/trapwireAustin – Austin

http://privatepaste.com/04eaef4343/trapwireEveryHVTUSCANUK – note the last paragraph

http://privatepaste.com/90198aa545/trapwireTexasBorder – Texas border circa 2009

http://privatepaste.com/568f0a512a/trapwireWalkTheCatBack – Talking about images to analyze and walking the cat back

http://privatepaste.com/318e0e652b/trapwireHVTCitizens – Trapwire for certain citizens that are important, but not USSS important

http://privatepaste.com/670091f5b0/trapwireLondonStockExchange – London Stock Exchange

http://privatepaste.com/b62ceaf254/trapwireNYCDCVegasLondonOttawaLA – NYC, DC, Vegas, London, Ottawa, LA

http://privatepaste.com/fba46e24ca/trapwireAustinDPSAllocated1Point8M – 1.8M for trapwire & equipment from Austin DPS

http://privatepaste.com/caf299c230/trapwireOnDesksOfUSSSMI5LAPDRCMPNYPD – trapwire on the desks of USSS CP, MI5, RCMP, LAPD CT, NYPD CT

http://privatepaste.com/5a71bac416/trapwireDCMetroNationalParkPoliceEtc – trapwire DC metro, National Park Police, etc

http://privatepaste.com/e6031c14f6/trapwireLAPD – trapwire LAPD as a prototype

http://privatepaste.com/febefa287f/trapwirePentagonArmyUSMCNavy – trapwire Army, Pentagon, USMC, Navy

http://privatepaste.com/58a60bff35/trapwireNSIFBIFtMeadeSevenYears – Trapwire 7 years circa 2011, National SAR Initiative (NSI), FBIs eGuardian, Ft. Meade, etc

http://privatepaste.com/f7b7ac02ab/trapwireAmtrackDHSFusionCenters – Amtrack, DHS fusion centers, DC Metro

http://privatepaste.com/7add918e4c/trapwireBehaviorPatternsToIdentifySurveillance – “TrapWire is a technology solution predicated upon behavior patterns in red zones to identify surveillance. It helps you connect the dots over time and distance.”

http://privatepaste.com/d503851f0c/trapwireSalesforceGoogleDHSInstitute – salesforce, google, DHS institute

http://privatepaste.com/626712c0fa/trapwireNigerianPresidentialPalace – Nigerian Presidential Palace

http://privatepaste.com/bf0a0abf67/trapwireScotlandYardDowningWhiteHouseWalMartDell – Scotland Yard, 10 Downing St, White House, Wal-Mart, Dell