FRI 30 JAN 2004
ITS says security breach likely will not lead to identity theft
By Nate PoppinoArgonaut Staff
A security breach in the university e-mail system should not pose a significant threat to students, according to Information Technology Services.
The breach involves the transmission of usernames and passwords from students’ machines to the main e-mail server. The transmission is “in the clear,” which means it is not encoded and a person who intercepts it can read the username and password it contains. This information could help an intruder take over students’ accounts, an activity known as identity theft.
The risk of an intruder successfully stealing a student’s account is small, said Tony Opheim, associate director of network systems for ITS. The university networks are switched, which means that only the sending and receiving device can access the transmitted data.
“ITS is in charge of the network from end to end,” Opheim said. “The only areas at risk are the off-campus students who aren’t part of the network and the wireless network.”
Opheim said ITS realizes the problem exists and needs to be solved.
“If you ask my system and security guys, they would say it is something to address,” Opheim said.
Graduate student Bryce Poole thinks the problem should have been fixed by now.
“I contacted them at the beginning of the fall semester. They said they knew about the problem and were looking for ways to fix it,” Poole said. “When a respectable amount of time has passed and they have chosen not to fix the problem, they are putting the entire student body at risk.”
Opheim said the reason the problem has not been fixed is the lack of consistency in e-mail clients. In order to make the transmissions secure, all e-mail clients used by students, faculty and staff would have to support the same encryption.
“The real problem is not all clients support encryption,” Opheim said. “The ones that do don’t do it well.”
Opheim also said ITS’ ability to address problems depends on the public’s perception of the problem. If people do not know about the problem or do not worry about it, it is not likely that problem will be addressed.
“Our security in the academic world is based on people’s perception of need for it,” Opheim said.
Poole said one solution is to use a secure telnet program and access e-mail directly.
“The best thing to do is use ssh, a secure telnet program, and login to unix.uidaho.edu and use pine to check your e-mail,” Poole said.
If an account violation did occur, ITS would easily be able to stop it, Opheim said.
All e-mail transactions are logged,” Opheim said. “We see whether the person who was logged in was located anywhere near the device.”
Opheim said the person who owns the account is never considered guilty unless it can be proved he or she caused the problem. If the account owner is not nearby, then ITS assumes identity theft has been committed and starts trying to figure out how it happened.
“If it gets more serious — if there are threats of violence — then we bring in law enforcement to help with our analysis,” Opheim said.
If an account is compromised and keeps jumping between computers or logging in from off-campus, ITS can turn off the account to stop the problem. This course of action is slowly becoming more prevalent.
“Two years ago I’d have said we would never have to disable an account, but now that is different,” Opheim said.
TODAY
College of Law open houseUI Menard Law Building
4 p.m.
Architecture lecture series
Idaho Commons, Crest Room
5 p.m.
ASUI senate meeting
UITV-8 programming
8 p.m.
Piano recital: Peter Henderson
School of Music Recital Hall
8 p.m.
SATURDAY
High school band festivalSUB
Noon
Wyoming certification wildlife biologist exam
College of Natural Resources, Room 10
10 a.m.
SUNDAY
Sigma Alpha Iota MusicalSchool of Music Recital Hall
3 p.m.
MONDAY
Lecture: “Paraphrases and Reminiscences”Steven Spooner
School of Music Recital Hall
8 p.m.
UI Argonaut, 301 Student Union, Moscow, ID 83844
Argonaut: 208.885.7845 Advertising: 208.885.5780