Every day, students send dozens of electronic messages or store personal files in their accounts thinking that their messages will remain private and their files secure. This, however, might not be the case.
According to one computing assistant (CA) who asked to remain unidentified, break-ins into personal accounts are not uncommon. "People [on the Internet] have a false sense of security." Many users leave their accounts open in a public cluster and take a break, give out their passwords, or assign predictable passwords which hackers can figure out. Such unwise judgments are what lead to breaches of privacy, he said.
Stanley Eisenstat, professor of computer science, said that the "safety of your account is determined by your own control." Giving out passwords to friends, he said, is one of the main ways intruders gain access and control over a victim's account. Even so, Eisenstat said, another important component of a user's account depends on the security the system uses.
At Yale, the issue of network security is presently being addressed. According to Andy Newman, systems programmer for technology and programming, there are several levels of security available for students' accounts. For electronic mail accounts, Newman said there is a basic level of security that protects students from other students who might try to view their files. Because of the access privileges given to users' accounts when they are first set up, people that might try to break in - even at this basic level of security - will "run into substantial walls that will ultimately impede their access," Newman said.
Aside from the basic level of security accounts are given, employees of ACS "maintain a substantial number of tools that check the Minerva cluster for anomalies that might be indicative of illegal use of accounts," Newman said. Although the Minerva/Mercury/Morpheus pantheon is monitored continuously, not all accounts can be monitored simultaneously, allowing for some anomalous activity to go undetected.
The growth of security concerns at Yale and perhaps elsewhere, Newman said, is due to the fact that in recent months, software that helps network criminals break into users' accounts has become easily available. Eisenstat said that the recent media attention on Internet security is "not all just media hype. There is substantial concern and it is not limited to the Internet."
To counteract the recent developments in software technology that aid intruders, ACS will soon provide users with a modified version of NCSA Telnet, the application which allows users to connect to the Pantheon, as well as other sites, remotely. The new version of Telnet will provide users with more protection. ACS will also soon start to record all network transit to prevent people from tapping into the open network lines, Newman said.
Recently, Yale has moved to make students' grades available on the network, which has raised security issues for some. To ensure the protection of the information, the student's password is not sent through the network so that anyone who taps into the system will not be able to obtain it, Newman said. Even though the password cannot be "stolen" off the open network transit, the grades can be viewed by someone who taps into the wire. This, Newman said, is not a big concern. Even if someone does tap into the network transit, "the way the data is passed is not associated with a name. All someone who taps in will see is a bunch of courses and grades," he said.
But, according to Newman, even though the grades are not associated with any names when they are sent through the network wires, they will soon be encoded to add extra protection.
"Yale is not alone in the security issue. ... [We] are trying to stay ahead of the median with regards to others," Newman said.
Among the future projects for Internet protection, Newman said, ACS is planning to make available to students one of the best encrypting programs the private sector has to offer - Pretty Good Protection (PGP).
According to Newman, PGP will give the best protection currently available to anyone who desires it. The only concern about PGP, Newman says, is that it must be used correctly in order to work properly. This means that incorrect usage of PGP would render what is thought to be very well protected information totally vulnerable. The vulnerability of some systems that are thought to be totally secure is one of Newman's biggest concerns. "The illusion of security is far worse than the fear of insecurity," he said.
Although Newman says he is confident that the system Yale uses is very secure, he does recognize the usefulness of keeping very sensitive information away from where the public might have access to it. "It is like leaving a very expensive Rolex in the gym's locker - although the locker has a lock, it might be wiser to keep valuables away from such public areas," Newman said.
This article may be freely distributed electronically, provided it is distributed in its entirety and includes this notice, but may not be reprinted without the express written permission of The Yale Herald, Inc. Write to herald@yale.edu for additional details.