Presented by

  • Peter Burnett

    Peter is a PHP developer working primarily on Moodle, an open source learning management system. Over the last 6 months, Peter, in conjunction with the team at Catalyst IT, has been working to increase Moodle's security through third party plugins as well as changes to Moodle core code, and to pull Moodle into the new decade with a suite of more powerful tools at its disposal.

Abstract

Moodle is an open source learning management system, popular with universities. As Moodle has aged, some aspects of its security have fallen well behind industry standards. This talk will discuss the measures that have been taken to bring it up to scratch, and the ways that this can be applied to any application.

The first priority in improving the security of the platform was targeting its password policy, which suffers from the older model of 'You must have at least 2 uppercase characters'. To address this, a new plugin was developed for the platform, which acts much more in line with current NIST guidelines, including checks for compromised passwords using the HaveIBeenPwned API, and checks against a user's personal information. This talk will show the guidelines we worked against, and how they can be applied to any application's password flow.

The next challenge to tackle was the lack of ways to augment an authentication flow. There are a huge number of ways to authenticate to a Moodle site, with support for all major SSO services; however, there was no way to augment this process with additional tools such as MFA. To this end, work was done with Moodle HQ to implement a platform for this functionality on all pages that require higher security, such as changing and resetting a user's password. This talk will discuss what we learned along the way, and how to avoid common problems when implementing an MFA system, such as security questions.

Finally, this talk will discuss the work that we are doing to implement MFA in a way that works alongside other authentication methods, such as SSO, with discussion on alternative factors, such as trusted IP networks.

Linux Australia: http://mirror.linux.org.au/pub/linux.conf.au/2020/room_6/Tuesday/You_Shall_Not_Pass.webm

YouTube: https://www.youtube.com/watch?v=cPoxNkJ9g3E
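The password-policy approach the abstract describes (NIST-style rules instead of composition rules, a breached-password check via HaveIBeenPwned, and a check against the user's own personal information) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the Moodle plugin or from Catalyst IT. It follows the widely known NIST SP 800-63B recommendations (minimum length with no composition requirements, rejection of breached and context-specific passwords) and uses the k-anonymity model of the Pwned Passwords range API, in which only the first five hex characters of the SHA-1 hash leave the client. The breach corpus, the `UserContext` type, the 3-character floor on personal-info words and the `validate_password` function are all constructed assumptions for the example; the only real external detail is the `api.pwnedpasswords.com/range/` endpoint, which the offline stand-in imitates.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List

# Constructed stand-in for a breach corpus (the real service holds hundreds of
# millions of hashes). Plaintexts are kept only so the fake server can hash them.
_FAKE_BREACH_CORPUS = {"password": 3861493, "letmein": 231543, "qwerty123": 90817}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_hibp_range(prefix: str) -> str:
    """Offline imitation of GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns 'SUFFIX:COUNT' lines for every corpus hash sharing the 5-char prefix,
    which is exactly the shape of the real response body.
    """
    lines = []
    for pw, count in _FAKE_BREACH_CORPUS.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range_http(prefix: str) -> str:
    """Real network fetch against the Pwned Passwords range API (not used offline)."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


def pwned_count(password: str, range_fetch: Callable[[str], str] = fake_hibp_range) -> int:
    """k-anonymity lookup: send the 5-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


@dataclass
class UserContext:
    """Hypothetical view of the user record the policy is allowed to inspect."""
    username: str
    firstname: str = ""
    lastname: str = ""
    email: str = ""

    def context_words(self) -> List[str]:
        words = [self.username, self.firstname, self.lastname]
        if self.email:
            words.append(self.email.split("@", 1)[0])  # local part only
        # Assumption: ignore very short words so a 1-letter name does not block everything.
        return [w.lower() for w in words if len(w) >= 3]


def validate_password(password: str, user: UserContext, min_length: int = 8,
                      range_fetch: Callable[[str], str] = fake_hibp_range) -> List[str]:
    """Return a list of policy failures; an empty list means the password is acceptable.

    Deliberately no uppercase/digit/symbol composition rules: length, personal
    information and breach exposure are the checks that matter.
    """
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in user.context_words():
        if word in lowered:
            errors.append(f"contains personal information ({word})")
            break
    count = pwned_count(password, range_fetch)
    if count > 0:
        errors.append(f"found in {count} known breaches")
    return errors


if __name__ == "__main__":
    alice = UserContext("alice", "Alice", "Smith", "alice@example.org")
    for candidate in ["password", "alice-likes-tea-2020", "correct horse battery staple"]:
        print(candidate, "->", validate_password(candidate, alice) or "ok")
```

To use the live service instead of the offline stand-in, pass `range_fetch=hibp_range_http`; the rest of the flow is unchanged, and the server still never sees more than a five-character hash prefix.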