Volume 63 Issue 5
Significant Computer Security Failings Put Student Information at Risk
Commentator Probe Reveals Danger to Credit Card Info and Ymail Passwords
by Jesse Mendelson

A Commentator probe of basic computer security issues at Yeshiva has revealed that the University lags far behind other schools in important areas and thus jeopardizes student cyber safety. Credit card information, social security numbers, and email accounts are at unnecessary risk for users of the Yeshiva network. In fact, Yeshiva lags far behind in system security. Two local universities - Rutgers University-Camden and New York University - were contacted for The Commentator study and were used for baseline comparisons.

The Problem

Yeshiva's system affords all its users free rein at its computers. All students are able to tamper with programs and files stored on the computers they use. A user can access the World Wide Web, download a software program and install it on the computer at which he/she is working. Although most software programs installed onto the University computers are innocuous, some students install software of a more malicious character. For example, free software programs, called "keystroke recorders," are available on legitimate web sites. These programs record in a file everything that a user at a given computer has typed. Once installed, this software functions unnoticed on the computer. The student who installed the program needs only to return to the computer after a number of hours and collect his/her day's spoils on a floppy disk. The information he/she has collected by the end of the day may include hundreds of ymail user names and passwords, credit card and social security numbers typed into the computer, emails, and private messages sent from that computer. A student who has ordered a book from Amazon.com while sitting at a library computer has contributed his credit card number to the pool of information that can be collected.
Another student might be using telnet to access his email account. His/her user name and password now belong to the student malevolently collecting data. A student's email account may be, indeed has been, used to send threatening messages to professors without the knowledge of the account bearer. A user's password can be changed, removing his/her ability to access his account again. A student who uses a University computer to manage a stock portfolio over the web may have contributed his access privileges to a hacker. The next day, when he/she checks on his/her portfolio, he/she may find that his forty stocks in Microsoft have been sold and stocks in a loser company purchased in their stead. Other than keystroke recorders, several instances of people installing programs on YU computers that will later allow them to take over control of that computer have been reported. These programs let the installer control the machine remotely, even from the privacy of his/her own dorm room. They also run unnoticed, and are both disturbing to computer users and an invasion of privacy. There are many other problems with YU's system that arise from students' free access to install software on the individual computers. Students can install massive programs which paralyze the computer on which they have been installed. Many times this is done without harmful intent, but without knowledge of the possible consequences -- namely disabled, out-of-order computers. Also, MIS has no control over the number of computers in the library that offer America Online (AOL). If MIS wished to leave a few computers exclusively for web research, they would not be able to, because any student could simply install AOL on his own and chat away for hours. Often, students change printer and screen settings and render them unusable for subsequent users.
In addition, an angry student who decides to delete Microsoft Word, or any other vital software program, from a computer may do so easily. Additionally, all information stored by students is left open for all to access. If a student has been working on a resume, he/she has no personal space to store his file other than a floppy disk. If he/she saves it on the computer's hard drive, it may be opened and read by anybody.

The Cause

The cause of this problem is Yeshiva's use of a system that allows users to anonymously sit down at any YU computer and have full ability to change anything on that computer, including downloading and installing their own programs. Since a valid ID is not required to use the computers, anyone can do anything to a YU computer with impunity. And since users have no personal storage space in which to save their work and install new programs, they have no choice but to do everything on the computers used by the entire student body. Of course, with no personal responsibility for what a user does to a computer, the potential for wrongdoing is obvious.

The Solution

A login/password screen at every computer is standard procedure at both schools with which The Commentator spoke. This means that any student who wants to use a school-owned computer must first enter his/her name and password, similar to the way one logs in to the ymail email system to check his mail. While this practice is standard at NYU and Rutgers, it is not used at all at Yeshiva. As mentioned earlier, some of the problems associated with the computers come from programs downloaded without authorization. These problems can be difficult to address. Both George Sullivan, Assistant Director of Yeshiva MIS, and the NYU official agreed that, "it is very hard to strike a balance between functionality and security." Due to the fact that some computer rooms in YU double as classrooms, a PC lockdown might impede the efforts of some professors for certain classes.
In order to make some effort to ensure that computers have only the software approved for use by MIS, YU has purchased software, called LabExpert, that on a nightly basis refreshes the computer to its original configuration. Since this program is only run at night, it is entirely possible to download a keystroke recorder, use it for one day, and have it removed by LabExpert that night. One way to fight this is to require a login and password to log on to the computer. Although such a measure would not eliminate all security concerns, it would greatly reduce them. The way the login system would work is as follows: When a user sits down at a computer, he/she would enter his/her personal user name and password. After doing this, the user could change his desktop settings, program options, printer settings, etc. without affecting the computer usage of others. All these settings would be stored on something called a "home directory," which is personal storage space, accessible only to its owner, but from any computer on the network. Thus, users would be able to save their work permanently in their home directories, rather than relying on the current temporary storage solution. This would also solve the problem of the keystroke recorder, since, even if a malicious user downloaded and installed a keystroke recorder, it would only affect his own usage of that computer. When the next user sits down at the same computer, he/she would log in with his/her own user name, and thus not be affected by the program installed by the previous user.

The Response

The RFC (Request For Comment) system, referred to as the "Talmud of the Internet" by one computer guru, is one in which laws are set based on the issues of the time. There are RFCs on everything from how to run a server to how to build a network to what configurations certain emails must have.
RFC #1173 forbids unauthorized access to the Internet without a login and password - exactly the situation at YU - so that if something harmful is done, the owners of the server can find out who did it. Regardless of the RFC, a login/password screen, according to MIS officials at NYU and Rutgers, simply makes sense for all those concerned due to the heightened level of security it affords the users of the network. Asked why YU does not have login and password screens at all terminals, Sullivan said, "It is something we have discussed in the past, and are sure to discuss again, but there are manageability issues involved. It is certainly doable but it is a lot of work to create logins and passwords for every user and then maintain them." In response to this statement, the NYU official agreed, to an extent. "Manageability is certainly an issue, and it is a lot of work to create and maintain logins and passwords. The system can be onerous at times but even with all these issues, it is absolutely worth it because of security." Ronald Thornton, a computer technician at Rutgers, agreed. "Every user is issued a login and password to make sure they are a current student or employee. We would not do it any other way." In addition to the discrepancies in security between Yeshiva and other universities, YU also lags far behind the other universities The Commentator contacted in the number of technicians and help staff it employs. The official from NYU compared a university computer lab to a garden. Much as in a garden one cannot just put seeds in the ground and expect them to grow, one cannot just put computers in a room and expect them to work properly. "It is not enough to just buy hardware and software and plug the machines in. They need constant care and looking-after," he said. Apparently, MIS at YU has yet to grasp this principle. The NYU official simply laughed when told that YU has one roving technician per shift assigned to monitor several hundred student computers.
Although the main technician is in the library much of the day, that does not do much for the students in the computer rooms in Belfer Hall, where there are frequently as many as ten to fifteen computers down at one time. The Commentator's sources agreed that YU simply does not provide the most basic measures that most other universities provide in order to ensure system security and stability. Many possible solutions exist, including login/password screens, overall network security, and staff upgrades. The YU MIS department simply has not implemented them.
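The nightly LabExpert refresh described above leaves a full day in which an unapproved program can run. A check like the following, run on each lab machine at every session start or on an hourly schedule, narrows that window by comparing the machine's installed-program inventory against the list MIS approved and flagging anything extra, or anything with an approved name that lives outside the directories MIS installs into. This is an added example, not the article's or YU MIS's code; the approved list, trusted directories and inventory lines are constructed.

```python
"""Audit a lab PC's installed-program inventory against the MIS-approved list.

Added example, not from the article or YU MIS. Assumes the inventory is exported
as "name | install path" lines; every name and path below is constructed.
"""
from __future__ import annotations

# Programs MIS has approved, keyed by lower-case name (constructed list).
APPROVED = {"microsoft word", "netscape navigator", "telnet client", "labexpert"}

# Directories MIS installs software into. Anything elsewhere (a temp folder,
# a copy staged from a floppy) is suspect even when the name matches.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

# Constructed sample inventory for one library machine.
SAMPLE_INVENTORY = """\
Microsoft Word | C:\\Program Files\\Microsoft Office\\winword.exe
Netscape Navigator | C:\\Program Files\\Netscape\\netscape.exe
LabExpert | C:\\Program Files\\LabExpert\\labexpert.exe
QuietRecorder | C:\\Temp\\qr\\qr.exe
Microsoft Word | C:\\Temp\\winword.exe
"""


def parse_inventory(text: str) -> list[tuple[str, str]]:
    """Turn 'name | path' lines into (name, path) pairs; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        name, path = (part.strip() for part in line.split("|", 1))
        entries.append((name, path))
    return entries


def find_unapproved(entries, approved=APPROVED, trusted_dirs=TRUSTED_DIRS):
    """Return (name, path, reason) for every entry MIS did not sanction.

    Two checks: the name is not on the approved list, or an approved name
    is installed outside the directories MIS uses (a renamed program hiding
    behind a legitimate name).
    """
    findings = []
    for name, path in entries:
        if name.lower() not in approved:
            findings.append((name, path, "not on approved list"))
        elif not path.lower().startswith(trusted_dirs):
            findings.append((name, path, "approved name in untrusted location"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_unapproved(parse_inventory(SAMPLE_INVENTORY)):
        print(f"FLAG: {name} at {path} ({reason})")
```

On the constructed inventory the audit flags QuietRecorder (unknown name) and the second Microsoft Word entry (approved name, but installed under C:\Temp); the three entries under C:\Program Files pass.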
All content is copyright © Yeshiva University Commentator.