NETSCAPE: Penn InTouch pulled off line

Threats to World Wide Web security have forced the University to pull Penn InTouch off line, just two weeks after the program was introduced. The Internet utility, which is designed to give students on-line access to their transcripts, financial information and course schedules, will be down for at least a week. Officials will reactivate the program when they are convinced that student security will not be compromised. According to yesterday's New York Times, two University of California -Berkeley students discovered the leak in the Netscape program Sunday night. Netscape is the World Wide Web browser supported by the University. The students said the leak would make it possible for a knowledgeable person to break into the Netscape system within a minute and collect confidential information from unknowing users. Penn InTouch is the only University application protected by the Netscape security system, officials said. Internet users access Penn InTouch by entering their student identification number and personal access code. "We did not want to put student records at risk," said University Registrar Ron Sanders. "We shut down to find out the complete story and evaluate whether the student records are in jeopardy." According to a statement released by Netscape, the program has worked successfully for almost a year. To correct the problem, though, the company will provide updated versions of Netscape Navigator via the Internet by next week. In addition, newer versions of Navigator 2.0, unveiled earlier this week, include this improvement as well as several additional security features. Netscape is also consulting with security experts who will review Netscape's solution and determine if it is effective in solving this vulnerability. Dan Updegrove, associate vice provost for Information Systems and Computing, said all students need to obtain the updated version of Netscape in order for the information they provide to remain private. "As soon as the software is available, we will make it available for students to download," he added. Despite the scare, Updegrove said most transactions will proceed as usual. "In most cases, people are browsing public information and don't mind if people know who they are," he said. "There is no need for confidentiality." In general, anything a user enters on the Internet is not encrypted. Information, such as the particular page the user accesses, is available and recorded. However, transactions involving sensitive data, including credit card numbers and student records, are encrypted. It is unknown whether anyone illegally observed any transactions involving student records when Penn InTouch was accessed. More information on Netscape security can be found at "http://home. netscape.com/newsref/std/random_ seed_security.html". Updates to Penn InTouch can be accessed at "http://www.upenn.edu/ computing". David Millar, the University's information security officer, said if anyone on campus has other secured information on Penn Web, they should alert officials immediately.