Thursday, September 20, 2007

CSRF handling and SunGard Banner

Paul Asadoorian from OSHEAN published a whitepaper on CSRF vulnerabilities in SunGard Banner, an ERP system commonly used in higher education. The whitepaper is a useful read for developers who work with Banner, but it is also good background material for any programmer who works with authenticated web sessions: a CSRF attack rides on the victim's existing session cookie, so authentication alone does nothing to stop it. Very few applications that I've seen account for CSRF, and getting the techniques described in the paper implemented as part of your standard framework could save you a lot of pain in the future.

Tuesday, September 4, 2007

Emergency notification systems - SMS for emergencies

The College of Notre Dame (note, that's not the University of Notre Dame) recently used its e2Campus SMS-based emergency alert system. e2Campus provides bulk SMS messaging (and other features) for emergencies; a similar system is the NTI Group's Connect-ED messaging service. These services deliver emergency contact via SMS, email, and phone messages, and may offer additional options. This goes well beyond the campus tornado siren with a special tone for other emergencies that many of us were used to: these services can push actual news briefs to large groups in a timely manner.

Many colleges are starting to adopt these services as a useful way of contacting their cell-phone-carrying student base. It is interesting to note that a percentage of students did not receive the message. While the article says that this percentage is low, it does point out that SMS messaging is not a total-coverage solution and should be only one part of a comprehensive emergency communication system. With that said, being able to notify your constituents with enough detail to do something useful is an amazing tool to have in an emergency.

Would a system like this be useful to you? Quite possibly, depending on your user demographics and what your communication needs are.

A few caveats and comments up front:

  1. A test should be done to ensure that contact information is entered correctly and is still current; in the case of a university, this would probably need to be repeated each semester as students arrive, leave, and change phone numbers.
  2. Rules need to be in place to control the use of the system. Like any communication channel, if the SMS capability is co-opted for non-emergency use it will be more easily ignored, and the backlash from spam sent through the emergency system would likely be massive.
  3. Users must be made aware that the system will not be a 100% solution; cell phones may not always receive SMS messages, or may receive them late. Use your alternate information sources as well.
  4. Spoofing may be possible via a VoIP or other system. The sender ID on an SMS message is not authenticated by the network, so a message arriving from the known sender number is still useful, but it is not a guarantee of validity.
  5. Control expectations, and let your users know how and why you will contact them, so that an unexpected message from an unfamiliar channel is treated with appropriate suspicion.