But the story should not end there, for LeMenager's actions -- and other cases involving the surreptitious use of computers in academia -- point to a need for educational institutions of all stripes to start educating students about computer ethics. At the same time, it points to a rather incredible security lapse on the part of whoever maintains the Yale admissions site. Indeed, there are plenty of lessons to be learned here.
To recap the Princeton case, it involved a Web site that Yale uses to inform applicants whether they were accepted to the school. To find out his status, an applicant entered his name, date of birth and social security number. That's it. No password, no user name, no form of identifying information that would be known only to the applicant. Some tough security.
LeMenager, being the admissions director, had access to names, dates of birth and social security numbers for a number of students who applied to both Yale and Princeton. He and others in the admissions office apparently used this information to visit the Yale site 18 times, accessing accounts for 11 applicants.
According to reports published in the Boston Globe, he says he did so to test the security of the Web site, because Princeton was considering a similar site. Let's assume he's telling the truth. Then why visit the site 18 times? Wouldn't once, or maybe twice, be enough to prove the point?
To make matters worse, when students who were accepted logged on to the Yale site, they were greeted with a congratulatory fireworks display. Those who did not make the cut were likewise informed at that time. In both cases, this information appeared only the first time a student logged in. On subsequent log-ins, it was assumed the student already knew his or her status. In at least two cases, the Princeton admissions personnel beat the student to the Yale Web site; no fireworks for those kids, no matter what their status.
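As an added illustration, not code from the column or from either university's site, the block below models the three-field lookup described above, a hardened variant that assumes a random PIN issued to each applicant out of band (an assumed design, not Yale's), and a log check that would surface the pattern in this case: one source reading many different applicants' records. All names, addresses and record ids are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# --- The scheme the column describes: the "credential" is data third parties hold ---
# applicants maps (name, dob, ssn) -> admission status.  Anyone who knows those three
# values (an employer, a school, another admissions office) can read the status.
def weak_lookup(applicants, name, dob, ssn):
    return applicants.get((name, dob, ssn))

# --- Hardened variant (assumed design, not Yale's): a random per-applicant PIN sent
# out of band, stored only as a salted hash, checked in constant time ---
def enroll(records, applicant_id, status):
    pin = secrets.token_hex(4)                      # 8 hex chars, delivered by post/e-mail
    salt = secrets.token_bytes(16)
    records[applicant_id] = {
        "status": status,
        "salt": salt,
        "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
        "viewed": False,                            # first-view state, set only after auth
    }
    return pin

def hardened_lookup(records, applicant_id, pin):
    rec = records.get(applicant_id)
    if rec is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(candidate, rec["pin_hash"]):
        return None
    first_view = not rec["viewed"]                  # the "fireworks" fire only once,
    rec["viewed"] = True                            # and only for an authenticated viewer
    return rec["status"], first_view

# --- Detection: one source reading many distinct applicants' records ---
# ACCESS_LOG is constructed sample data: one (source, applicant_id) pair per lookup.
ACCESS_LOG = [
    ("203.0.113.7", "A-001"), ("203.0.113.7", "A-002"), ("203.0.113.7", "A-003"),
    ("203.0.113.7", "A-001"), ("198.51.100.4", "A-010"), ("198.51.100.4", "A-010"),
]

def suspicious_sources(log, max_distinct=1):
    """Return sources that opened more than max_distinct different applicants' records."""
    seen = defaultdict(set)
    for source, applicant_id in log:
        seen[source].add(applicant_id)
    return {src: len(ids) for src, ids in seen.items() if len(ids) > max_distinct}
```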
Princeton's president, Shirley Tilghman, said LeMenager was motivated by simple curiosity and was not seeking a competitive advantage by his actions, according to a Globe report. She goes on to say that LeMenager was "widely respected" for his "integrity and professionalism."
That's what makes this case doubly disturbing. Probably LeMenager is indeed widely respected and full of integrity. He has, after all, been working in the admissions office at Princeton since 1983, according to the Globe. Princeton, being an Ivy League institution and all, presumably has high standards for its employees.
And yet LeMenager considered it acceptable behavior to pose as someone he was not and access private information on the Internet.
LeMenager, of course, is far from alone in his use of the Internet for academic mischief. Last month, I came across a story about a University of Delaware student who was smart enough to be able to fool the human resources department into setting new passwords that enabled her to get into her instructor's online accounts. She was also stupid enough to use that access to change her grades in a math and science class from Fs to As. She got caught and was charged with identity theft, among other things.
Like the Yale/Princeton case, the Delaware episode exposes faults on both sides. Assuming the allegations prove true, the student is obviously at fault, but so are the HR professionals who fell victim to her form of social engineering. By extension, so are the University of Delaware security professionals and management team that failed to educate those HR professionals about how to recognize such scams.
But the point here is not to assess blame. Rather, it is to highlight the need for education on matters of Internet security. Clearly that starts with education for the security professionals who are charged with implementing security measures, whether they be technical or process-oriented. But it also means educating the user population, such that they understand that using the Internet to gain unauthorized access to information is no different than, say, breaking into an office and rifling through file cabinets. Hopefully these episodes will prompt educators at every level to take a hard look at what they can do to further that cause.
Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at firstname.lastname@example.org.