Thursday, September 11


Yale inquiry prompts OIT security increase

Since learning that University admission officers had exploited a Yale University admission website's reliance on social security numbers as passwords, University technology officials have been working to fix a similar vulnerability in the campus system.

Use of the network has skyrocketed in recent years, with students sending thousands of e-mails per day, checking their academic records online and storing files on the UNIX server.


Before the University began acting this month, more than 90 percent of accounts were vulnerable.

The problem centers on the default password for most new accounts: the last eight digits of the social security number.

Data suggest few users change their passwords from the default. Officials said that by early September, 4,292 of about 4,600 undergraduates had not changed at least one of the three main passwords from the default — for e-mail, academic records and UNIX.

OIT set up a website this month for users to change all their passwords simultaneously. The office sent an e-mail instructing students to change their passwords from the default.

By Wednesday, 1,600 students had changed their passwords in response to the OIT e-mail.

At month's end, OIT will lock users out of accounts for which passwords remain unchanged.


An attacker needs only a user's social security number to get into any of that user's accounts that still uses the default, and the number is far from secret: social security numbers are written on campus documents, can be used instead of an ID card at Frist Campus Center and can be found through online sources.

Officials originally chose the social security number because it was easy to remember. But they said this summer's admission scandal gave them a chance to remove a vulnerability in campus systems.

"There is a heightened awareness because Yale used it, and it is in the news," said Dan Oberst, director of enterprise services at OIT.

"This is a teachable moment," an OIT official said.


OIT plans to assign University-generated passwords to new students, starting with the Class of 2007, he said.

After current students change their passwords, OIT will begin to secure employee accounts, he said.

Despite these efforts, OIT officials said they could not know if accounts have been compromised unless someone told them about a problem.

"[We] want to get to the point where we are proactive. Much of what we do is reactive," Oberst said. "Nobody is sweeping the whole system."
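As an added example, not code from the article or from Princeton's OIT: the kind of proactive sweep Oberst describes, applied to the default-password problem above. It assumes a password store that keeps a salted hash per account per system (the hashing scheme, PBKDF2 here, and every name, social security number and password are constructed for this illustration), and checks each account against the single password the default rule yields from that user's social security number. One hash per account is all it takes, so the sweep costs no more than one login attempt per account and scales to a whole user base; it also produces the per-user lockout list the article describes.

```python
import hashlib
import hmac
import os

# Constructed sample data: every SSN and password below is made up for this example.
SAMPLE_SSNS = {"alice": "123-45-6789", "bob": "987-65-4321", "carol": "111-22-3333"}


def default_password(ssn: str) -> str:
    """The default the article describes: the last eight digits of the SSN."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return digits[-8:]


def hash_password(password: str, salt: bytes) -> bytes:
    """Illustrative salted password hash (assumption: PBKDF2-SHA256, not OIT's real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def store(user: str, system: str, password: str) -> dict:
    """Build one credential record the way a password database might hold it."""
    salt = os.urandom(16)
    return {"user": user, "system": system, "salt": salt, "hash": hash_password(password, salt)}


# Three systems per user, as in the article: e-mail, academic records and UNIX.
SAMPLE_RECORDS = [
    store("alice", "email", default_password(SAMPLE_SSNS["alice"])),
    store("alice", "academic", default_password(SAMPLE_SSNS["alice"])),
    store("alice", "unix", "correct horse battery staple"),
    store("bob", "email", "Tr0ub4dor&3"),
    store("bob", "academic", "Tr0ub4dor&3"),
    store("bob", "unix", "Tr0ub4dor&3"),
    store("carol", "email", default_password(SAMPLE_SSNS["carol"])),
    store("carol", "academic", "s3cret-pw"),
    store("carol", "unix", default_password(SAMPLE_SSNS["carol"])),
]


def sweep(records, ssns):
    """Return {user: [systems whose password is still the SSN-derived default]}.

    The sweep tests only the one password an attacker who knows the SSN would
    try, so it performs a single hash per record and needs no cracking at all.
    """
    hits = {}
    for rec in records:
        guess = default_password(ssns[rec["user"]])
        if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
            hits.setdefault(rec["user"], []).append(rec["system"])
    return hits


def users_to_lock(records, ssns):
    """Users with at least one account still on the default: the article's lockout criterion."""
    return sorted(sweep(records, ssns))


if __name__ == "__main__":
    for user, systems in sweep(SAMPLE_RECORDS, SAMPLE_SSNS).items():
        print(f"{user}: default password still set on {', '.join(systems)}")
```

The sweep needs read access to both the password hashes and the social security numbers, so its output is itself sensitive and should go only to the people running the lockout; the same loop, fed a short list of common passwords instead of the default rule, is the audit that would catch the weak replacements the officials worry about later in the article.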

Tighter security often makes the systems more inconvenient for users, and the new security measures would have enraged many users before, OIT security expert Rita Saltz said.

"[It's] always been the desire of this office that passwords be changed as soon as possible," she said, noting that the goal is to balance convenience and security.

But some students say they are used to their social security number passwords and do not want to change them. Some have asked why there is not one overall password.

Oberst said passwords for different accounts will remain separate, though OIT is trying to facilitate the process.

Officials pointed out that they are fighting other methods of obtaining passwords, too. Even passwords changed from the default remain susceptible to password-guessing and cracking programs if they are short or easily guessed.

One move among many

The drive to fix this problem comes amid a push to enhance all University security and privacy.

Discussing the results of the internal investigation of the admission breach in August, President Tilghman pledged "to undertake a thorough assessment of Princeton's policies regarding issues of privacy and its practices regarding the security of data."

OIT has wanted someone to oversee security for some time. Last fall, it requested $110,000 from the Priorities Committee, the University's budgeting arm, to hire a security officer.

The position was approved. The search has narrowed to one person, officials said, and an announcement should come soon.

In addition to emphasizing network security, Tilghman stressed the importance of keeping records private.

In January, the University of Pennsylvania became the first Ivy League university to hire a privacy officer.

University counsel Peter McDonough said, however, that his office has not yet found one necessary.

Instead of appointing one specific person for privacy issues, the University has created a team of senior level administrators, he said.

The counsel's office has hired Clayton Marsh '85, a lawyer with expertise in privacy issues, McDonough said.

Marsh's main focus will be OIT and privacy issues spanning many offices.

In general, top administrators have increased their support for technology resources, said Lauren Robinson-Brown '85, director of communications.

"[President Tilghman's] cabinet members are much more aware and forthcoming with resources," she said.

Chief Information Officer Betty Leydon reorganized OIT this July after concluding that it had to be "more logical" and "more efficient," she said.

She cut the number of departments from nine to five — academics, administration, servers, support and finance.

The consolidation has not increased how centralized University data are, but Leydon said last year's adoption of the PeopleSoft database software will help integrate data across the University.

PeopleSoft is a program that helps large organizations store information across many departments.