Cloud-based LMS challenges Blackboard to major security review


Blackboard said its security holes were 'common issues.'

A relatively new kid on the learning management system (LMS) block has jabbed Blackboard Inc. in the chest for three months, daring the commercial LMS behemoth to conduct a publicly available security audit of its popular platform. Blackboard, so far, has ignored the challenge.

Josh Coates, CEO of Instructure, a cloud-based LMS that counts several large campuses among its customers, used a Jan. 24 blog post to challenge the heads of Blackboard, Blackboard Learn, and Desire2Learn to hire a third party to conduct a comprehensive security audit, fix the security shortcomings found in that audit, and publish the results for everyone to see.

Ninety days later, Coates has yet to receive a reply to his audit proposal, and eCampus News interview requests sent to Blackboard and Desire2Learn went unanswered.

“This is something we should all agree on. We don’t have to be competitive about this,” Coates, founder of online backup service Mozy, said of Instructure’s audit challenge. “This is good for the industry, to be safe and secure. But when we asked, all we heard were crickets chirping. I got complete silence.”

Instructure’s own security audit, conducted by Australia-based Securus Global, turned up a few security holes in the cloud-based LMS service.

Those security lapses—which could leave the platform open to hackers or botnets trolling the web for student and faculty information—were quickly fixed, Coates said.

“I want to work together [with other LMS companies] to make students and teachers and administrators feel more secure about how their data is being protected,” Coates said, adding that an LMS security audit would cost about $40,000. “Of course they’ll find some security holes, but they need to put it out in the sunlight.”

Blackboard officials countered reports of security shortcomings published in a September 2011 SC Magazine article, which charged that Blackboard’s LMS vulnerabilities made it possible for students to change their grades and for hackers to steal personal information.

An unnamed Australian university hired Securus Global to hack into its Blackboard LMS platform. Securus was successful, accessing databases that served as home to student grades and personal data.

“Many of these issues are common issues associated with any type of web application or software, and all of the issues will be addressed through existing patches and planned releases,” Stephanie Tan, Blackboard Learn’s security director, said in an interview with SC Magazine.

Anne Jenkins, a Blackboard spokeswoman, said Securus “was able to gain access to their database due to an improper configuration of a security control, which we advised them about immediately.”

Tan told SC Magazine that the vulnerabilities wouldn’t be patched until an update was ready at the end of 2011.

The flexibility of a cloud-computing-based LMS, Coates said, helps to streamline the patching of security holes found during audits.

Whereas colleges and universities that use traditional LMS platforms have to wait weeks, sometimes months, for a system update that includes a new batch of security patches, a cloud-based solution like Instructure can fix the problem quickly, because the company updates its system every two weeks, Coates said.

The 127 Instructure staffers also have only a single version of their LMS platform to focus on. Larger LMS platforms based on the client-server model often have a dozen or more versions running at institutions across the world.

“We only have one thing to worry about, so that gives us a major architectural advantage,” Coates said. “For others, it’s really hard to keep all those [versions] secure all the time. … That’s why we think they might have a big problem on their hands.”

In the SC Magazine article published last fall, Australian higher-education officials said they couldn’t wait for Blackboard’s security updates, which, at the time, were still months from being made available to education customers.

Anonymous sources told the magazine that they considered shutting down their schools’ Blackboard LMS before the security holes were discovered by hackers. This, of course, would eliminate the platform for a college’s online courses.

“We issued a support bulletin to Blackboard Learn clients today after completing our review of the issues,” Blackboard said in a statement published in SC Magazine. “The bulletin includes information about how the issues are being addressed through existing patches and planned releases, as well as recommendations for general security management and best practices.”

Jenkins, the Blackboard spokeswoman, said the security issues detailed in the SC Magazine report have since been addressed, adding that future Blackboard LMS updates will include “complex password management and anti-virus.”