Security vulnerabilities in VLEs: protection against identity theft versus innovative education

Andrew Booth ², Jon Maber^1
1Leeds Metropolitan University, United Kingdom, ²The University of Leeds, United Kingdom

The wealth of information about students held in Virtual Learning Environments (VLEs) is increasing. When operating as a gateway to student registration databases the breadth of information protected by the VLE authentication mechanism is alarming. What effect on student attitude to on-line learning would result from some high profile cases of identity theft arising from poor VLE security in universities and colleges? Will the individual's concern for protection of identity stand in opposition to institution's desire to develop innovative education? Does the open attitude to security of open source VLE developers stand in opposition to the closed attitude of commercial vendors?

The authors have independently reviewed the security of several VLE systems. They will explore the possible impact on attitudes among an intake of students that might result from a series of highly publicized cases in which students are victims of identity theft arising from VLE security vulnerabilities.

Examples would include the theft by one student of the identity of his instructor, followed by the changing of the grades of himself or others; or the theft of the identify of another student for the purposes of fraudulently obtaining a student loan. The authors will invite participants to contribute to this discussion.

The presenters will give a practical demonstration. This will be followed by a presentation of the possible divide between learners and teachers that could be opened up in the event of high profile security blunders resulting in learners becoming targets of criminal activities related to identity theft. This will then be opened up to comments and discussion among the participants.

Participants will gain insight into the need for strength of security to be high in the list of criteria for VLE procurement exercises. They will be more aware of the need for continual reviews of VLE security and will be better equipped to ask VLE suppliers penetrating questions about their procedures for rapid response to newly identified vulnerabilities.