Hacking attempts on campus network prompt recommendations of password protection

With 30,000 systems on campus, ITS constantly tracks the network for intruders.

The recent celebrity iCloud breaches demonstrate the need for students to take greater measures to ensure their own online security. 

The hacking involved in the iCloud breach, which made nude photos of celebrities publicly available online in early October, is not unrelated to SU. Information and Technology Services deals with cyber attacks every week, said Chris Croad, SU’s information security officer. But students can protect themselves, particularly through password protection.

Croad, who develops security policies for ITS staff, said he manages threats to the campus network through mitigation and risk assessments every day. ITS constantly tracks the network for intruders on the 30,000 systems on campus. “We get attacked all the time,” Croad said. “We have occasionally had successful attackers.”

Hackers have made a business of stealing personal information, Croad said. “It’s organized crime or nation states trying to get identities and sell social security numbers or proprietary information.”

“Phishing” is the most common type of threat on campus, Croad said. A hacker will send an email to 3,000 members of the university pretending to be ITS. The message informs the faculty or student that their mailbox is full and sends them to a fake ITS webpage that looks authentic, where they are prompted to enter their NetID and password, he said.

“It seems to be more pervasive,” said iSchool Professor Dave Dischiave, “but there are a lot of dead giveaways.” Although hackers copy university logos and websites, there will always be a mistake within the email address of the phisher. “Usually something like ‘syri.edu,’” Dischiave said. “There will be an ‘I’ or some other letter that nobody picks up on.”

Joon Park, a professor at the iSchool, said he believes that malware and attacks have become more sophisticated than ever.

ITS tries to educate people about phishing, Croad said, but it’s not always easy. “The bad guys are getting really good at creating these emails to look legitimate,” Croad said. He warns against using the same password on multiple sites. “You absolutely should not use your SU password anywhere else. Most people do, but we tell them not to.”

“People say, ‘You (ITS) didn't do a good job.’ But how good are our locks if you’re going to hand the keys over to the bad guys?” Croad said.

Users trust cloud providers to do their job well, Croad said. “If it’s a big company, they’re probably doing it right. But if you read the terms of service, they’re not responsible if they lose your data. It is literally out of your control once you hand it over to these services.”

Passwords aren’t very effective in general, Dischiave said. “Why don’t we use passwords to get into our houses and cars? Because they’re terrible,” he said.

Easy passwords can be hacked, and strong passwords are difficult for humans to remember. “We’ve carried this system forward into modern computing,” Dischiave said. “Passwords are just dumb and the apps we use to remember passwords are even worse because now you’ve given the data to someone else. Just look at iCloud.” Dischiave added that once the pixels leave individuals’ phones, they have no control over them.

Recent breaches involving Home Depot, Target, and Apple all share a common denominator, Dischiave said. “Somebody left the window open.” Whether the window is a phone or a weak password, it acts as the portal for a hacker.

Dischiave said he predicts that the number of breaches will increase and that they will become more severe.

“We’re so dependent on computing and running everything with automation. Haphazardly we’re just moving everything to these clouds, unaware of the consequences,” he said. “It’s not a matter of if you’re hacked, but when.” 
