A former Boston College student was arraigned in federal court Tuesday for allegedly installing illegal software on more than 100 computers and using these programs to obtain personal information on students, faculty and staff.
The technology utilized by the BC student is known as “key logging,” or keystroke recording, something that, until recently, could be easily done at NU. A program is installed on a computer and runs in the background, recording everything that is typed into that machine. The key logging program saves the information to a text file that can be opened and read using Microsoft Word or simpler programs, such as TextEdit or Notepad. More complex key logging programs are even capable of automatically saving this text file, or log, and sending it anywhere in the world as an attachment to an e-mail.
The most advanced versions of this technology may be used in the corporate environment to monitor workers and ensure that they are being productive and not using company resources to “chat” with people, conduct personal e-mail correspondence, or perhaps spend their days playing online games. Such software packages may cost thousands of dollars.
However, greatly simplified key logging programs are easily available on the Internet for free. They are small files and download quickly. Most even come with instructions on how to set them up. According to the source that conducted an experiment for The News, key logging software can be installed, configured and actively recording in as little as four minutes.
Sensitive information, such as e-mail and instant messenger passwords, school registration records and bank account information, may be accessed by users of the InfoCommons – the key logging software can capture it all.
Upon hearing about the incident at BC, a student source came to The News and expressed the concern that the personal information of Northeastern University’s faculty, staff and student body may be vulnerable to a similar computer assault. The source conducted an experiment to see how vulnerable NU really is.
On average, as many as 1,600 people swipe into the InfoCommons on a given day, according to Pam Erksine, director of Information Services Customer Service.
To provide evidence that there is a real, significant threat to the security of the users of the InfoCommons, our source installed key loggers on four different machines – two Windows-based PCs and two Apple iMacs. After a two-week period of lying quietly in the background of these machines collecting data, a combined total of more than 200 pages of logged text was compiled, according to the source. This information was collected to prove that with very little effort, the false sense of security, presumably enjoyed by the patrons of the InfoCommons, could be exploited. This “evidence” was then destroyed.
Melissa Yurasits, a freshman communications major, is uneasy about the potential breach of her security.
“I feel that the school should be advanced enough to prevent something like that from happening. The InfoCommons should be safe. My information should be protected,” Yurasits said.
The Office of Information Technology at NU maintains hundreds of computers around campus. The source says that after further experiments, it was found that the computers designated as “computer services kiosks” located in such places as the Curry Student Center, Ryder and Shillman Halls are impervious to these types of invasions. The machines are securely set up and can only access Northeastern Web pages. A user cannot download files (key loggers), and there is no available access to disk drives so loggers cannot be uploaded from a disk.
Vice President of Information Services Robert Weir acknowledges that the possibility of using key logging software exists. Because The News has presented this issue and speculated on its effects on the university community, there has been a great deal of effort concentrated on addressing the problem.
“One of the challenges we have in an academic environment is having to balance security and openness. Once you say that, we end up welcoming the good with the bad,” Weir said.
According to Weir, in the past, there have been searches conducted for key logger software, but the program used has become outdated and ineffective. Also, all programs and system files are reinstalled on a weekly basis.
As of Tuesday night, new measures were being employed to help maintain a safe, constructive computing experience. For example, there will be an increase in the frequency of the reinstallation of the programs and system files.
“We are not going to ‘lock down’ the computers; however, we will limit exposure in a couple of different ways,” Weir said. “We have acquired much more sophisticated software that will scan for key loggers as well as other ‘hostile code.’”
If a student, faculty, or staff member at Northeastern uses key loggers in the InfoCommons or other locations on campus, they will be in direct violation of the Appropriate Use Policy as well as several federal laws.
The Appropriate Use Policy prohibits the use of Northeastern University’s computer systems to “capture, decipher or record user IDs and/or passwords,” as well as “intercept electronic communications not intended for the recipient.”
Malicious use of key logging software is also a potential violation of state and federal laws. Massachusetts General Laws Chapter 266, Subsections 33(a) and 120(f), imposes sanctions for gaining unauthorized access to a database or computer system, as well as several other actions. The United States Code, Title 18, Computer Fraud and Abuse Act, involves knowingly accessing a computer without authorization or in excess of authorized access, knowingly causing damage to protected computers, or trafficking in password information.
“Everyone using computers should be aware of the assets that they’re transacting,” said Glenn C. Hill, IT security manager. “Have awareness of the information that you’re managing. Also, changing your passwords frequently is one of the most effective things you can do to protect the safety of your data assets.”
Sophomore business major Kyle McCrann says of IT’s efforts, “It’s good to know that they are looking out for our best interests.”
In the past, a key logger may have been able to actively record for as long as one week, but renewed efforts by the Office of Information Services have cut that window down to, at most, two days. This, combined with users regularly changing their passwords, should help keep our university community secure on the information superhighway.