WebLearn currently has no known security issues, and all connections and data transfers to and from the new WebLearn are encrypted in transit using HTTPS.
The WebLearn team is kept up to date by the Sakai Security Team and will act swiftly to close any vulnerability that comes to light; the old WebLearn will also be patched if any issues arise.
Note, however, that a naïve or careless site owner or maintainer can manually grant access to the general public, or to an individual who should not have it. Care needs to be taken when granting access to materials; maintainers are strongly recommended to attend the WebLearn training delivered by OUCS.
Some groups like to use WebLearn to store moderately sensitive material, for example drafts of yet-to-be-published papers or project proposals, and we are often asked whether such data is secure. The answer is yes: WebLearn always uses SSL (Secure Sockets Layer, the encryption underlying HTTPS), and a site can easily be configured so that only named individuals gain access, and only on presentation of valid Oxford SSO credentials.
The biggest danger (as always) is a compromised Oxford SSO username and password. There have been a number of ‘phishing’ and ‘spyware’ attempts over the last few years, and a number of accounts have been compromised. Anecdotal evidence suggests that these details have been offered for sale on ‘Far East’ cyber-criminal websites, so this is a real danger. User education and reinforcement of good practice are the best approach to take.
There are a small number of other things that can be done to make a site as secure as possible. These mainly address the situation where a user has walked away without logging out or closing the browser, leaving an active session behind:
- Give your site a nondescript name; do not call it ‘Super-Sensitive Project X Proposal (Restricted Access)’.
- Enable the Site Stats tool. This allows access to all documents to be monitored: you can see which users accessed which documents and when. This is useful as an audit trail; indeed, if questions were raised about a possible leak, you could show each user their own access log and ask whether it looks suspicious.
- Remove your site from the hierarchy: within the site, click on ‘Arrange Site’ and then ‘Remove Site’. The site will still exist but will no longer be located under your tree.
- Make sure the site does NOT have any additional access granted, is NOT joinable and is NOT listed in the PUBLIC INDEX OF SITES. All these options can be controlled via “Site Info > Manage Access”.
- Make sure your site is UNMANAGED. “Site Info > Change admin site” shows which administration site is managing your site; it should say “Unmanaged site”. Site owners cannot make their sites unmanaged themselves, but the central team is happy to do this for anyone who requests it, so long as the stated reason is sensible.
To reiterate: WebLearn is quite secure even if the above guidelines are not followed. If an account is compromised, the tips above are unlikely to deter a determined attacker; they may, however, distract a casual user who has found an active WebLearn session by chance and is merely snooping around to see whether there is anything interesting to be found.
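The Site Stats audit trail mentioned above can be reviewed more systematically than by eye. The Python below is an added example and is not part of the WebLearn documentation or of the Sakai code base. It assumes a hypothetical CSV export with the columns timestamp, user, tool, resource and action (that column layout is an assumption, not the real Site Stats export format), builds the per-user access log you would show a user, and flags two things worth asking about: access by a username that is not on the site's named-access list (a sign that access was widened by mistake, as warned against above) and access outside working hours (one indicator that a compromised SSO account may be in use). The sample records are constructed, not real data.

```python
"""Triage of a Site Stats style access export.

Added example, not WebLearn's own code. The export layout
(timestamp,user,tool,resource,action) is an assumption.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export: fictitious users, paths and times.
SAMPLE_EXPORT = """timestamp,user,tool,resource,action
2012-03-05T09:14:22,abcd1234,Resources,drafts/paper-v2.pdf,read
2012-03-05T09:20:01,abcd1234,Resources,drafts/proposal.docx,read
2012-03-05T16:45:10,efgh5678,Resources,drafts/paper-v2.pdf,read
2012-03-06T02:31:55,abcd1234,Resources,drafts/proposal.docx,read
2012-03-06T02:33:07,abcd1234,Resources,drafts/paper-v2.pdf,read
2012-03-06T11:02:44,zzzz0001,Resources,drafts/proposal.docx,read
"""

# The individuals who are supposed to have access to the site (assumed).
NAMED_USERS = {"abcd1234", "efgh5678"}


def parse_export(text):
    """Parse the CSV export into dicts, adding a datetime under 'when'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S")
        records.append(row)
    return records


def access_log_for(records, user):
    """The per-user log you would show to a user and ask 'does this look like you?'."""
    return [
        (r["when"].isoformat(), r["resource"], r["action"])
        for r in records
        if r["user"] == user
    ]


def resource_summary(records):
    """Count how many times each resource was touched, for a quick overview."""
    return Counter(r["resource"] for r in records)


def find_anomalies(records, named_users, work_hours=(7, 20)):
    """Return (kind, user, resource, time) tuples for records that warrant a question.

    kind is 'not_in_named_list' when the user is not on the access list
    (access was probably widened by mistake), or 'out_of_hours' when the
    access falls outside work_hours (start inclusive, end exclusive).
    """
    start, end = work_hours
    findings = []
    for r in records:
        when = r["when"].isoformat()
        if r["user"] not in named_users:
            findings.append(("not_in_named_list", r["user"], r["resource"], when))
        if not (start <= r["when"].hour < end):
            findings.append(("out_of_hours", r["user"], r["resource"], when))
    return findings


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("Resource summary:", dict(resource_summary(recs)))
    for user in sorted({r["user"] for r in recs}):
        print(f"Access log for {user}:")
        for entry in access_log_for(recs, user):
            print("   ", entry)
    print("Findings to follow up:")
    for finding in find_anomalies(recs, NAMED_USERS):
        print("   ", finding)
```

The out-of-hours rule is only a prompt for a conversation with the account holder, not proof of compromise; the not-in-named-list rule, by contrast, points directly at a Manage Access setting that should be corrected.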
Links
- OxCERT – OUCS Security Team
- Sakai Security Policy