you're reading...
Academe, Security, Software Development

On UIS (CRS) Security

Last Wednesday, the new eCRS team released the University Information System (a new version(?) of what used to be the Computerized Registration System). It reminded me a lot of my security predictions for 2007. (Heck! They just made some my predictions come true.) This is a good example of a release that is not even alpha test quality. Over at their blogs, Sir Rom discussed the issues with the new system and nightfox focused on the app’s usability.

On porting the system to PHP
What I find really disturbing is that the new UIS is written in PHP. CRS was developed in Java. While Java security is not perfect, PHP security is worse. I mean, what’s the point of taking down a stable system if you can’t provide a better one?

I just want to ask. Shouldn’t be the application be approved by a steering committee? If I am not mistaken, the old CRS had one that directed its development and release.

Also, did anybody QA’d the system? Or atleast, studied the ‘old’ to determine the its features and algorithms (conflict-identification, overload-unit-checking etc.) used. Apparently, the new system seems a record-keeping system (add, edit and delete functionality).

I agree. It even looks like something from sourceforge(no offense meant. I mean, we are aware that not every code there are of the highest quality…). It reminded me of the my cs12 Machine Problem (it’s a record-keeping system). Just shows how much time and fund they wasted for a system that is not even at par with the previous one. The development for this is just, more or less, a semester (Depending on how fast they were able to come up with a new team and when they actually started.), if I am not mistaken. Pre-mature, indeed.

On encryption

Whatever gets out there first is not likely to be good – just first. More to the point it is almost certainly going to have security left out.

It still amazes me that somehow, they forgot(?) to encrypt the page. In a previous press-release, one of the team members said:

We follow the rules on keeping [the students’ records] confidential.

I wonder, does that not include encrytion? The UIS contains the pre-enlistment data of students, their student informations (including student numbers) and their “unofficial” transcript of grades.

Is the system encrypted? Seeing how it is prematurely released. I strongly doubt it. A system full of bugs, will, most surely, have security left out. (Heck, if they weren’t able to do the code right, what’s the probability that they got the security right? 😛 )

On the absence of a digital certificate

A few people thought it was a phishing site because it displayed an IP address instead of a URL. I do not blame them – with systems being hacked every few minutes, I wouldn’t be surprised if someone created a phishing site pretending to be UP’s and retrieve faculty, staff and student accounts… but then again, you can’t sell the info outside, no point in getting their data. :p

No wonder they thought it was a phishing site. There was no digital certificate to begin with. The ‘previous’ CRS (also the UP Webmail and UVLE) issues a digital certificate to identify itself. It is interesting that the UIS, however unfitting the name is, does not have a digital certificate to identify it with the University.

Also I find it weird that sessions don’t expire anymore. So, please, don’t forget to logout especially is you’re using public / university terminals.

Honestly, I won’t be surprised if we soon hear student accounts being hacked.

, isn’t it? [read: sarcasm]

update: Now, this is interesting:

CRS won’t accept me
i’m freaking out. i can’t log onto CRS. when i try to log in, it goes on saying that i don’t have permission to access my account. is it because i’m on LOA? or is it because i’ve already been kicked out of school? what? tell me!

The post is dated 23rd of March this year. Now, I wonder… (AFAIK, taking a leave of absence does not curtail one’s CRS previlages.)

Apparently, it is an SOP to first present a certificate of readmission for someone who was on LOA/AWOL before s/he can log in. 😀


About princess of antiquity

Abbi Cabanding is a member of the Security Bloggers Network and had been blogging on information security since 2006. She is also a member of the Association for Computing Machinery. She studied Computer Science and Fine Arts at the University of the Philippines - Diliman.


8 thoughts on “On UIS (CRS) Security

  1. A person on LOA/AWOL the previous semester wouldn’t be able to log in to CRS until he or she presents a certificate of readmission from his/her college. That was the old CRS, at least.

    FYI lang. 🙂


    Posted by Hunny | March 25, 8:10 am, 8:10 am
  2. Thanks for the info. Updated the post already. 😀

    Hehe. I have never been on LOA/AWOL, myself. 😉

    Posted by princess of antiquity | March 25, 10:46 am, 10:46 am
  3. Actually there is priority given still to graduating and the freshmen. It was not official yet so we pointed out to people who asked that there is no priority.

    You can try to hack the system if security is your issue.

    We don’t neglect security. The system double checks every input. We wish we could let you see the codes written before ours. And maybe you would have a turn-around.

    That’s all for the posts.

    Posted by radical_mind | March 27, 2:03 am, 2:03 am
  4. Also there are new modules in the UIS. It’s just that these softwares are currently being tested before deployment. Moreover, only those with priveleges can access them. That was a stupid comment from your tagboard friends. Are they really that pathetic? Please investigate more. You are short of information. It’s up to the developers to secure their code.

    Posted by radical_mind | March 27, 2:08 am, 2:08 am
  5. Nice site! kabababrubarta

    Posted by kabababrubarta | March 27, 8:18 am, 8:18 am
  6. I’ll stay in this channel to see if there would still be bugs coming out. Thanks for pointing out things. This will help improve the UIS a lot. 😉

    Posted by radical_mind | March 27, 8:44 am, 8:44 am
  7. Actually, I pointed out the security issues in the hope that they’ll get addressed. If the system gets better security, we all win. If it doesn’t, we all lose. That’s all that’s in it for me.

    And I do hope that the UIS will improve.

    Posted by princess of antiquity | March 29, 9:52 am, 9:52 am
  8. siguro dahil maxadong pressured yung current CRS team… pero the thing is… bakit do so much as to replace the system with something less secured than the previous? di ba it’s supposed to be upgraded, not the other way around?

    sana man lang…inisip nila na marami kami na nag-ddepend sa CRS (este, UIS na pala) para medyo maibsan ang hirap ng enlistment pag dating ng enrollment period. like sir aldwin said, they’re toying with the academic lives of over 8000 students -_-“

    Posted by shien | March 29, 10:29 am, 10:29 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Sin of Silence E-Book

single-page view
two-page view

On Wordpress

  • 96,913 readers

Subscribe via FeedBurner

Enter your email address to receive notifications by email.

Princess of Antiquity on Twitter

RSS Princess of Antiquity on Tumblr

  • An error has occurred; the feed is probably down. Try again later.

Creative Commons

Creative Commons License
Original content in this work is licensed under a Creative Commons License.
%d bloggers like this: