Updated Webmail failures shown up
The security of Oxford’s online information was called into question after changes to Oxford Webmail left users confused and at risk of leaving their email open to unauthorised users. In order to log out of out the updated Webmail students are prompted to close down their web browser. Early users of the new system, however, were unaware that this means all internet windows must be closed, with Mac users quitting their internet program entirely.
Should any windows be left open on a public computer, the next user would automatically be able to access the previously-accessed Webmail. These alterations were intended as a positive move by the University Computing Service. Under the new single-sign-on system, once a student logs in, they will be able to re-access their webmail without having to enter their username and password each time.
The new ‘webauth’ also provides users with a search facility, and a ‘news’ section has been introduced, which currently lists the additional features provided, including improved address book management. The possible security risks of the new system are highlighted on the OUCS website.
A statement reads, ‘If you don’t completely close down your web browser, anyone using the computer after you will have immediate access to all the facilities linked to your single-sign-on username, not just the ones you have been using.
The website says students will be held entirely responsible for any lapses in security resulting from incorrect log-offs, claiming, ‘It is your responsibility to protect your accounts by closing down your web-browser to terminate your single sign-on session.’ Students have also been deemed responsible for the security of others’ email accounts.
A statement issued by OUCS says, ‘If you ever start using a computer which has been accidentally left logged-in by someone else, you should immediately close down and restart the webbrowser. Unauthorised access to someone else’s account is an extremely serious violation of the university’s IT rules.
Dr Stuart D Lee, Acting Director of OUCS, said, “The system does not pose an increased security risk if you follow the advice we have been giving out for some time now: always try and quit your web browser, especially if you are using a public terminal and never share usernames and passwords.” A second option is also available for users if they cannot close their browser forcibly to log out of their account.
Lee said that the changes were introduced to allow users to access a variety of systems, such as Webmail and Weblearn, with a single username and password. He said using a single sign-on “is becoming fairly ubiquitous in other universities”. The implementation of the new system on Tuesday caused a series of problems for webmail users, who were unable to access their emails.
Some students were informed that they had taken too long to sign in, despite their delay being entirely due to the erratic new system. Jakub Figurski, a member of the Facebook group ‘I Hate Forcibly Logging Out of the Old Session On My Webmail’, said “I don’t see how the security of the network has improved. Students checking mail in public areas will inevitably forget to logout fully, and members of the public could get access to university web areas.
That potentially causes very real security dangers, especially in today’s climate.” New facebook groups are already springing up in response to the developments, with ‘What the hell have they done to Webmail’ and ‘What’s happened to Webmail?’ alive with students complaining about the changes. While allowances were made for the service to be unavailable for a maximum of two hours, problems persisted throughout the day.
An email sent to IT administrators by the Manager of the OUCS Help Centre Peter Higginbotham on Tuesday morning said, “It became very clear earlier today that the new version is more memory-hungry than the old, and the servers are struggling to handle peak load. “We have placed an order for additional RAM but due to a peculiarity of the server motherboards, it is proving difficult to source the correct type of RAM. We are expecting delivery next Monday at the earliest.”
9th Feb 2006