These vulnerabilities stem from Harvard’s use of a non-confidential number to verify identity and access secure systems. ID numbers, which Bradner says are considered “non-public but not secret,” are often widely distributed—to course heads and staff, on printed ID cards and even to students planning a barbecue.
Though most Harvard websites with secure information require a confidential PIN or other password in addition to the ID, The Crimson has identified a number of online applications—ranging from PharmaCare to network access to mail forwarding—that require nothing more than an ID number and birthday, or ID and last name.
Computer security experts say such use of a non-secure identifier as a password is a serious and common problem.
“The ID number, much like the Social Security Number, has always had this problem of operating both as a record identifier and as a password,” Rotenberg said. “It’s the interchangeable nature of the identifier that creates a security risk.”
Until yesterday afternoon, exploiting such vulnerabilities could have been made easier by the long-standing glitch in the polling tool. The website, which allows people to design and conduct surveys, enabled anyone—with or without Harvard affiliation—to search the entire Harvard directory by first or last name, e-mail address or Harvard ID number. Unlike other campus directories, the system did not hide users who have requested FERPA security from the University, or respect other user-set restrictions on the distribution of their directory data.
A series of steps common in conducting a poll enabled any iCommons user to directly look up the ID number of any Harvard affiliate—from secure-flagged students to University President Lawrence H. Summers. No other public system permits students to search ID numbers or to associate ID numbers with names.
Susan Rogers, project manager for iCommons, was surprised when The Crimson demonstrated the technique for looking up a FERPA protected student’s information, though she had previously planned to remove the search by ID number feature.
She added yesterday evening that preliminary analysis of the usage logs of the poll tool showed that prior to pulling the site, only The Crimson had used the method that non-Harvard affiliates could use to gain access.
BEHIND UNPINNED DOORS
But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.
For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual’s ID and last name. This would permit someone to illegally share files traceable to another person’s identity.
A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office’s jobs database. Only an ID is required to access the Office of Career Services’ MonsterTrak job listings database.
With a Harvard ID and birthday—obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com—a user can post or download resumés on someone else’s eRecruiting account or access the online UHS health insurance waiver form. Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.