University Privacy: How to Doxx 60,000 Students

Lightweight Directory Access Protocol (LDAP) is at the heart of most large universities. A student may use it to login into campus computers, access campus email, and use it as a single sign on provider for university services. LDAP servers also store a student's personal information. This data can have poorly-chosen security settings that reveal sensitive data. We will discuss the privacy and implementation details at two Illinois public universities with a combined population of above 60,000. The directories contain many individuals affiliated with the schools, including graduates and faculty. We found almost every student's major, year in school, email address, phone number, and home address, using just a single student's credentials. University officials didn't find this information to be terribly problematic, citing a law passed in the 70s called FERPA. FERPA protects student educational information such as grades, but gives the university the ability to release student directory information without individual user permission. We will discuss how FERPA outlines the process of opting out of directory information as a student, and its shortcomings, such as limiting employer ability to check university records. The risks aren't limited to just personal directory information though: we will discuss what information can be mined from a user's password changed timestamp and last login timestamp. We show that attacks against user privacy are being carried out using university directories: businesses on campus harvesting emails using LDAP for marketing, and an individual who was scammed using personal information probably gathered from the system (http://bit.ly/uiucredditscam). We will discuss how these attacks can be prevented by changing technical policy and educating users.

Presented by