Easy reporting of website security problems

Two major educational institutions in India have a serious security issue with their websites (which contain student information); that data has now been exposed to any roaming cyber-shark. The information was released rather irresponsibly on Twitter today.

This post is about the difficulty that I faced while trying to contact these organisations. None of the phone numbers listed on their site's contact page worked, and the only listed email was a Gmail-based address.

Since these sites have exposed almost all of their student contact information and other details, I thought of contacting them so that they could quickly block access. But sadly, all efforts to connect via phone have failed. The last recourse was to email their listed Gmail address, which I am sure is inundated with spam and so is not monitored regularly, or is even ignored.

Any organisation with a website that hosts student, patient, customer or other private information behind an authentication framework should expect to get compromised, or, as in this case, to be affected by bad software design that allowed an admin login with access to all student records. When such a compromise is detected by white-hats, pen testers and other cyber-security outfits, they generally post it on their own site and social networks. A security report section should be made part of a standard website framework, alongside the existing home, about, contact and blog sections. This makes it very easy for the organisation to be informed about any security problem, and resolution can be that much faster.

The Security Vulnerability Reporting section should contain the following:

A dedicated email address e.g. security.problem@domain.tld

A Security Vulnerability Reporting policy that defines the cyber warriors' code of conduct:

  1. Don’t steal, corrupt or delete data
  2. Don’t disrupt or degrade service
  3. Disclose the vulnerability with technical details and proof-of-concept if necessary.
  4. Provide a reasonable amount of time before public disclosure.
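The dedicated address and the policy described above are exactly what a machine-readable `security.txt` file (RFC 9116, served at `/.well-known/security.txt`) carries, so a reporter can find them without guessing. As an added example, not code from the original post, here is a small Python checker for such a file; the sample file, its `example.edu` address and its policy URL are constructed placeholders.

```python
"""Check a minimal security.txt (RFC 9116) for a security-reporting section."""
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")            # RFC 9116 mandatory fields
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed sample; the address and policy URL are placeholders, not real.
SAMPLE = """\
# Security reporting contact for example.edu (constructed sample)
Contact: mailto:security.problem@example.edu
Expires: 2099-01-01T00:00:00Z
Policy: https://example.edu/security-policy
Preferred-Languages: en
"""

def parse_security_txt(text):
    """Return (fields, problems); fields maps each name to its list of values."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, problems

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for contact in fields.get("Contact", []):     # reporters need a usable channel
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be mailto:/https:/tel:, got {contact!r}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if when.tzinfo is None or when <= now:     # stale file = contact not trusted
            problems.append(f"Expires is missing an offset or in the past: {value}")
    return problems

if __name__ == "__main__":
    for line in check_security_txt(SAMPLE) or ["OK: security.txt is usable"]:
        print(line)
```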

Of course, once this problem has been reported and fixed, it is the organisation's responsibility to inform all the people whose data has been compromised. A general rule of thumb is that if the exposed data is likely to affect the person, they must be informed about the data breach. Email id, password and phone number are all valid candidates to trigger the "likely to be affected" alert. Passwords are especially sensitive, as it is common practice to reuse the same password across services such as email, Facebook, Twitter, Instagram etc.

Please don’t contact me for the school names.


Custom setup for email accounts

Outlook Settings

File > Add Account > Manual setup … > POP or IMAP

Fill in the details (username = email id) > Click [More Settings]

Click Outgoing Server Tab > Tick/Check “My Outgoing Server …” and “Use same settings …”

Click Advanced Tab > In Server Port Numbers, change the encrypted connection type as follows:

  1. Incoming: SSL (Port 993 for IMAP and 995 for POP)
  2. Outgoing: SSL (Port 465) or TLS (Port 587)

Click Ok to go back to the Account Settings screen > Click Next

Outlook will now send a test mail.

Android Settings

  1. Settings > Accounts > Add Account > Email > other (POP3/IMAP)
  2. Fill-in details and click [Manual Setup]
  3. Select POP3 or IMAP
  4. Fill in the details and change security to SSL/TLS; the port will change to 993 for IMAP and 995 for POP3
  5. Credentials will be verified, in case of error re-check the email/username and password
  6. Fill-in details for the SMTP server, change security to STARTTLS, Port will change to 587
  7. Credentials will be verified, in case of error re-check the email/username and password
  8. Change account settings and account name as required

Screenshots

iOS Settings

… coming soon, waiting for screens.