Log off computers, protect passwords
February 5, 2012
A functionality of Google Chrome allows users to extract passwords from my.pitt.edu webmail when students leave their accounts signed in to campus computers.
But a Pitt Computer Services and System officer said that the issue isn’t unique to the browser and students just need to take one step to keep their passwords safe when using those computers — log out.
As long as students log out and close browser sessions when they finish using campus computers, their passwords are safe from extraction or being stolen by the computer’s next user. John Hudson, an information security officer with CSSD, said that the email session as well as the password that is transmitted across a network is encrypted — not saved into a computer’s memory.
“We are aware, but this isn’t a Google Chrome issue — all browsers behave in a similar fashion. It’s like leaving your card in front of an ATM or if someone left their bank account open. It’s only an issue if the session is left open,” Hudson said. “Any time you log into a web-based program, a portal or a bank account, for example, log out.”
If students do not log out from their webmail, a simple right-click option on Google Chrome allows the user to view the logged-in username and password.
Katie Hoetzer, a junior majoring in sociology and urban studies, has worked as a computer lab consultant since last semester.
She said that from her experience covering the tech labs at the Hillman Library, Alumni Hall and the Cathedral of Learning, most students remember to log out when they finish their sessions.
“Once or twice a month, when closing [a lab], there’s a person who forgot to log off, but it doesn’t happen too frequently,” Hoetzer said.
John Hudson found that, most frequently, security breaches occur not because of log-off oversight, but because of dangerous online activity.
“Never click on a link if you are not sure what it is. Some [links] can download malware with keyloggers,” he said.
Hudson said that keyloggers are system monitors that track a user’s keystrokes and send the data back to a malicious user. These monitors can give access to virtually all of a victim’s online information.
Also, malicious third parties often “phish,” or send students emails requesting personal information by posing as an official University email or a local bank. Hudson said that there is the potential for hundreds of thousands of these attacks on PittNet, Pitt’s Internet network, each month.
“No reputable organization will ever ask for a password by email,” he said. “We will never ask for it, nor should anyone else. We spend a lot of time telling students that you will never get an email, Facebook or Twitter message asking for these details.”
Still, a number of Pitt students fall prey to online assaults each week. Hudson said that Pitt’s online security team can catch an attack on a student’s profile in some circumstances: when there is a password failure, 24-hour surveillance security can detect it. But there are limits to the feature. It usually latches on when the network receives a large number of requests, far more than someone mistyping their password.
“We aren’t looking for fat fingers, but if a computer is failing attempts at password login many times a minute — for example, with a dictionary tool — we’ll contact the student. If we can’t contact the student, we may disable the account until they can change their password or fix the malware,” Hudson said.
Nevertheless, surveillance is an imprecise science. Network security cannot see students’ data or content, just their traffic patterns. It is these traffic patterns that alert CSSD to suspicious activity and help determine whether or not a student’s Internet security has been compromised by malware.
“This isn’t like CSI where you click a few buttons and see what’s going on. There’s a privacy issue,” he said. “Our job is to protect you, not to see what you’re doing.”
Of course, with this assurance of privacy comes a compromise of security. Not all malware uses a large amount of data, so it will not necessarily be picked up by security. Oftentimes, malicious programs can go undetected while invading a student’s academic and financial information.
Hudson said that students should follow these procedures to ensure safety online: installing up-to-date anti-virus software and patching systems, both of which are available free to students from CSSD, and routinely changing their passwords.
He said that this is the reason Pitt students must change their my.pitt password before Thursday as part of the Computing Service’s Internet safety campaign.
“There’s no good way to tell [if a password has been stolen] unless they do something unusual, so you should always change it regularly. My suggestion is to change it every month — you don’t have to wait until we tell you to,” Hudson said.
As of now, Hudson estimates that only half of the students have changed their passwords, even though the deadline is three days away and those who haven’t changed it by then will be barred from access to PittNet until they do so.
Freshman Grace Kim has yet to change her password, and doesn’t understand why anyone would want to access her information.
“I’m waiting until the last minute to change my Pitt user password,” she said. “Like, who’s going to hack into my account? And why would they make the password so hard?” she added, citing her frustration at the symbols and numbers that Pitt requires to be blended into the password.
But Hudson said that everyone needs to make an effort for safety, and password diversity is an important part of online defense.
“Unless you’re a millionaire, online criminals are looking for easy targets,” he said, challenging students to take full advantage of the free protection software that the University provides. “It takes a minimal effort. You’re helping us help you.”
Students can access CSSD’s resources by going to their website at www.technology.pitt.edu/security/safe-students.html.