Virtual Learning Platforms Thread, Frogteacher security announcement in Technical
Because of recent discussions FrogTrade have been in touch with me and have asked me to post the same message that they have sent to their customers.
They have been very positive in their efforts to ensure things go smoothly and appreciate the patience of NMs and Techies, but want to make sure that people are aware of the full and correct procedures for securing the FrogTeacher environment.
----------------
Sent: Fri, 11 Aug 2006 16:31:40
Subject: FrogTeacher Announcement
Dear Frog Administrators,
We have been alerted to an incident at one of our schools where a
disgruntled ex-pupil managed to log in to the school's Learning Platform
using a staff member's password. They then proceeded to paste links to
the information found on the Internet. This problem has arisen from a
combination of two factors: insufficient password management and the
storage of sensitive data in publicly accessible areas of the Learning
Platform.
We felt the best approach was to draw attention to this incident to
ensure that other schools aren't exposed to similar problems.
We therefore recommend that:
1. You ensure that your teaching staff have passwords that are not
obvious (FrogTeacher can now authenticate against your Active Directory
Server allowing it to pick up the passwords and policies directly from
there).
2. Ensure that anything confidential is kept in a password-protected
folder within the FrogTeacher software and NOT in any publicly
accessible areas. This ensures that the resources are protected
regardless of how they are accessed.
If you have any queries about password protection or Active Directory
integration, please feel free to contact our support team at support@frogtrade.com or 01422-250800.
There is also a PDF explaining password protection attached to this email.
----------------
My mistake in previous posts due to the way others had explained how FrogTeacher works ... and from the information available. The technical problem is actually the way FrogTeacher works ... most of us are used to session tickets for authentication or for longer authentication we use cookies, or integrated authentication.
FrogTeacher allows for ACLs to be applied to pages but chunks of security are based round locking out menus ... if you have a direct URL to a page from having previously logged in with the right authentication you can then go back to that page without authentication.
FrogTrade is saying that if you have *any* information that needs to be secure you should not purely rely on locking the menu page ...
If you are a FrogTrade customer and have not heard from them yet please contact them on the above details.
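The menu-locking problem described in the post, as an added example that is not part of the original post and is not FrogTeacher code: a constructed model in which one handler relies on hiding menu links and another evaluates the page ACL on every request, plus an audit that requests each protected page with no session. The page paths, roles, session tokens and function names are all hypothetical.

```python
# Constructed model, not FrogTeacher code: pages, ACLs and sessions are hypothetical.
PAGES = {
    "/home": {"acl": None, "body": "Welcome"},
    "/staff/reports": {"acl": "staff", "body": "Pupil reports"},
    "/staff/timetable": {"acl": "staff", "body": "Staff timetable"},
}
SESSIONS = {"tok-staff": "staff", "tok-pupil": "pupil"}  # constructed session tokens


def menu_for(token):
    """Menu locking: list only the links the session's role is allowed to see."""
    role = SESSIONS.get(token)
    return [path for path, meta in PAGES.items() if meta["acl"] in (None, role)]


def serve_menu_only(path, token=None):
    """Weak: the menu hides the link, but the page itself is never checked."""
    page = PAGES.get(path)
    return (200, page["body"]) if page else (404, "")


def serve_checked(path, token=None):
    """Hardened: the ACL is evaluated on every request, whatever link led here."""
    page = PAGES.get(path)
    if page is None:
        return (404, "")
    if page["acl"] is not None and SESSIONS.get(token) != page["acl"]:
        return (401, "")
    return (200, page["body"])


def audit(serve):
    """Request every ACL-protected page with no session; return those that still load."""
    return sorted(
        path for path, meta in PAGES.items()
        if meta["acl"] is not None and serve(path, None)[0] == 200
    )


if __name__ == "__main__":
    print("menu shown to pupil:", menu_for("tok-pupil"))
    print("exposed with menu locking only:", audit(serve_menu_only))
    print("exposed with per-request check:", audit(serve_checked))
```

The same audit idea applies to a real platform: from a logged-out browser, request the direct URL of each page that should be restricted and confirm none of them load.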