The H.M. Long files
By Vincent Law
With your login name and password, a hacker could learn enough about you to write your biography. Your whole life--your financial aid information, your grades, your personal correspondence--can be found on the Yale network.
One man protects your vital information from online delinquents: Information Security Officer H. Morrow Long. With his trusty alphanumeric pager, Long is ready to respond to security emergencies 24 hours a day, seven days a week.
Recent break-in
Long received a page on October 14 from Academic Computing Services staff members, alerting him that off-campus hackers had infiltrated the network at Yale and were grabbing passwords as unsuspecting users logged into the Pantheon, Yale's e-mail server.
To the consternation of many undergraduates, everyone was forced to change his or her password before October 30.
Long is currently investigating the break-in with the cooperation of local law enforcement and CERT, the federally funded Computer Emergency Response Team. He refuses to reveal too many details about the break-in for fear of compromising the Yale network and the ongoing investigation, but explained to the YH Online how the hackers harvested passwords.
According to Long, they placed a "sniffer" program on a computer at what Long cryptically terms "a location close to a central collection point of passwords." A packet sniffer is a program that grabs all information flowing past a computer on the network, whether or not the information was intended to be seen by that particular computer. The Yale infiltrator used such a program to collect passwords and login names to access student accounts. These accounts were then used to launch attacks on other Internet Service Providers and Internet Relay Chat servers, attacks that would be traced back to Yale instead of the actual location of the hacker.
This case spurred Long and ITS to redouble their efforts to increase security on the Yale network. ITS is currently reconfiguring the Yale network, adding eavesdrop protection and other security enhancements to buildings not already equipped with them. On your end of the network, Long believes that he and other members of ITS will soon require students to change their passwords regularly. Long will also soon publicise email programs that encrypt your password as soon as it leaves your computer, leaving it less vulnerable to being intercepted by a packet sniffer before it reaches the Pantheon.
Fending off enemies within and without
Long has been thwarting would-be hackers since the late eighties, when he started working for Yale as a System and Network administrator for the Computer Science department. Now Yale's lone Information Security Officer, he has significantly more computers to protect--and significantly more attacks to stave off. "I receive an emergency call about once every two weeks," he said.
Many attacks originate from off campus. Recently, for example, spammers (producers of "junk" e-mail) tapped into Yale mail servers to make it appear as if their junk e-mail was originating from a Yale account. This sort of mail laundering is often used by people who are sending out messages about illegal get-rich-quick schemes.
But Yale students can be just as nefarious. "In many ways," Long said, "the campus network is as hostile as the Internet...we have some people who are as dangerous or more dangerous than those on the Internet." Students have done everything from hacking into Pantheon accounts to knowingly sending virus-infested Word documents as e-mail attachments.
Don't believe everything you read
"Forgery of email is a difficult problem," Long said. Because electronic mail is so easily forged--anyone can simply change their Eudora settings to alter their identity--Long believes that e-mail is intrinsically insecure. "If you get an important message over email, I would call up the sender to verify that he really sent it," Long emphasized. Furthermore, anyone sniffing packets on the network can easily read email. In this regard, Long believes, "E-mail messages are more like postcards than letters in envelopes."
Time for paranoia?
Given the recent attacks on the Pantheon, how safe are you? A few precautions on your part can go a long way. Long recommends that you choose a good password, and change it frequently. Above all, when it comes to the Yale network, "try to be alert to anything unusual," Long suggests.
And if you do find anything unusual, you know who to call.
Photos by Julia Tiernan.