[unisog] Your security analysis of Blackboard Sync for iPhone -using sync building block

Hall, Rand rand at merrimack.edu
Fri Mar 20 12:28:27 GMT 2009


Kim,

I haven't kept up with BBSync since I was asked to do an initial
evaluation last May when there was the original opportunity to opt-out.
My evaluation follows. It may or may not be current or helpful. Just
FYI.

My advice would be to Opt Out, at least for the short term, and not for
security reasons. The product is buggy and does not yet work with our
site. I have verified this. Opting Out will save students who try to use
it needless aggravation.

In the long term, the college will need to balance the anticipated
benefit of this service with the following considerations:

Security:

- Not as bad as it could be. All content is encrypted in transit and not
  stored centrally (i.e., faculty IP not at stake).

  o "Except for Announcements, none of the actual course content is
    pulled out of the Blackboard system. Facebook users just receive
    notifications about each new or updated piece of information,
    complete with a direct link to the item in their Blackboard course."

- Reportedly but unconfirmed, some complex passwords are not supported
  (i.e., users with complex passwords need to make them insecure to use
  BB Sync).

- This application encourages users to volunteer their username and
  password and control of their use... not a good habit.

- "We heard you loud and clear that security was your number one
  concern." Their answer? Make the least secure option the default.

- Default mode is Open Access. The default mode stores "encrypted"
  credentials on Blackboard servers. Nothing ever touches a Facebook
  server. From Blackboard's own mouth, "Building Block mode is more
  secure."

- Default Opt-Out is always a sign of bad faith/hidden intent.

- We have talked of LDAP-enabling Blackboard. If we do this, a more
  valuable set of credentials (Active Directory) will be exposed.

- If for some reason the Scholar feature is undesirable, users can
  end-run our prohibition with BB Sync.

- Product futures roadmap includes "syncing more information"; this
  could include faculty IP.

- Product futures roadmap includes syncing with other sources such as
  iPhones, SMS text, Vista Gadgets, and Google Open Social.

- Blackboard has a questionable security history here.

- Facebook has a very poor record of dealing with privacy issues.

Other:

- Open access mode does not always deliver accurate info (design
  limitation).

- There is a performance penalty associated with any automated poll
  (similar to POP/IMAP), more so in the default Open Access mode than in
  the building block mode.

- Facebook is very chatty. In its default configuration it emails the
  user on the most insignificant of events. "So and so wrote on your
  wall." This will exacerbate that problem.

- While "free", the BB Sync building block must be installed,
  maintained, and managed.

- Support may be more difficult as users will have two ways to navigate
  to content.

- Facebook/BB Sync use a content tree. It is possible that a user never
  logs into Blackboard. There may be essential content presentation/layout
  designs that they never see, undermining the intent of the instructor.

Facebook terms of service/policy:

The college may want to have their legal counsel review the various
Facebook and Blackboard ("Developer") terms of services and policies
prior to endorsing Blackboard Sync. Some of them look to have troubling
potential (read just the bold words for the gist).

"By posting User Content to any part of the Site, you automatically
grant, and you represent and warrant that you have the right to grant,
to the Company an irrevocable, perpetual, non-exclusive, transferable,
fully paid, worldwide license (with the right to sublicense) to use,
copy, publicly perform, publicly display, reformat, translate, excerpt
(in whole or in part) and distribute such User Content for any purpose,
commercial, advertising, or otherwise, on or in connection with the Site
or the promotion thereof, to prepare derivative works of, or incorporate
into other works, such User Content, and to grant and authorize
sublicenses of the foregoing."

"We may use information about you that we collect from other sources,
including but not limited to newspapers and Internet sources such as
blogs, instant messaging services, Facebook Platform developers and
other users of Facebook, to supplement your profile."

"(d) You acknowledge that Developers or Facebook or its licensors own
all right, title and interest in and to any and all Platform
Applications, portions thereof, and/or content or software provided
through or in conjunction with any Platform Applications, including
without limitation any and all patent, copyright, trademark, trade
secret and other proprietary rights, and any and all applications,
renewals, extensions and restorations thereof, now or hereafter in force
and effect worldwide."

"(a) Information That May Be Provided to Developers. In order to allow
you to use and participate in Platform Applications created by
Developers ("Developer Applications"), Facebook may from time to time
provide Developers access to the following information (collectively,
the "Facebook Site Information"):

(i) any information provided by you and visible to you on the Facebook
Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

(b) Examples of Facebook Site Information. The Facebook Site
Information may include, without limitation, the following information,
to the extent visible on the Facebook Site: your name, your profile
picture, your gender, your birthday, your hometown location
(city/state/country), your current location (city/state/country), your
political view, your activities, your interests, your musical
preferences, television shows in which you are interested, movies in
which you are interested, books in which you are interested, your
favorite quotes, the text of your "About Me" section, your relationship
status, your dating interests, your relationship interests, your summer
plans, your Facebook user network affiliations, your education history,
your work history, your course information, copies of photos in your
Facebook Site photo albums, metadata associated with your Facebook Site
photo albums (e.g., time of upload, album name, comments on your photos,
etc.), the total number of messages sent and/or received by you, the
total number of unread messages in your Facebook in-box, the total
number of "pokes" you have sent and/or received, the total number of
wall posts on your Wall(tm), a list of user IDs mapped to your Facebook
friends, your social timeline, and events associated with your Facebook
profile."

Cheers,

Rand

--

Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * rand.hall at merrimack.edu * www.sungardhe.com

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Kim Cary
Sent: Wednesday, March 18, 2009 12:20 PM
To: unisog at lists.dshield.org
Subject: [unisog] Your security analysis of Blackboard Sync for iPhone
-using sync building block

Our concern with the above product is that 1) credentials be passed
within REAL encryption, 2) that credentials not be cached and 3) that
credentials not be available to the third party.

Has anyone done any analysis of this beyond the FAQ?

http://wiki.blackboardsync.com/display/SYNC/Home

We'd love to hear your considered analysis of this product.

Dr. Kim Cary, CISSP
Pepperdine University
Information Security Officer
