Sports

Star Wide Receiver Cooper Barkate, 7 Other Harvard Football Players Enter Transfer Portal

News

Cambridge City Council Takes First Step Toward Eliminating Broker Fees

News

Beth Israel Medical Center Residents and Physicians File for Unionization

News

As Students Denied Refunds, Blame Game Begins Over Harvard-Yale Pregame Debacle

News

Man Arrested for Secret Sexual Surveillance at Harvard’s Hemenway Gym

Roberts Winters at Cambridge City Council Candidate Forum

News

Cambridge Residents Slam Reappointment of Inflammatory Blogger to City Committee

News

Social Science Dean Lawrence Bobo To Take Unexpected Leave in Spring Semester

Tracking the Digital Trail

Amidst audit to protect sensitive information, Harvard faces data security challenge

By Joshua P. Rogers, Crimson Staff Writer June 9, 2005

She adds that no complaints of fradulent charges have been filed.

But Steen said that the lax security surrounding students’ and staff’s ID numbers is not usually a serious risk.

“One of the key elements is that you need two pieces of information to do anything, including getting an e-mail account, which is something that we just changed for security reasons,” Steen says.

In response to The Crimson’s findings, University spokesman Joe Wrinn said in February that Harvard would conduct an audit of all websites that require ID numbers and other nonsecure items in order to grant access.

Gene Madden, associate director for information services at the Office of Risk Management and Audit Services, says that the audit is proceeding in priority order, addressing the most serious issues, such as noncompliance with Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act regulations first. The audit also aims to stamp out the use of nonsecure items such as birthdays, social security numbers, and last names as passwords.

“I expect that we will be wrapping up the frontline systems by the end of the summer,” Madden says.

DAILY MOVEMENTS

The potential availability of some of the most widely used personal information—e-mail and swipe access—introduces an additional privacy concern.

Students enlisted as UAs are given access to a broad range of information to aid in their work helping with computer-related problems.

Steen confirmed that UAs can change Faculty of Arts and Sciences (FAS) account passwords, thereby gaining access to any e-mail inbox, where sensitive information is often stored, though he emphasized that while students have the power to do this, he knew of no instance when this had actually happened.

“That would lead to some serious disciplinary action,” Steen says.

But one does not need UA access in order to track people using their FAS e-mail accounts. Using scripts such as “friends” or commands such as “last” or “rwho,” intrepid computer stalkers can follow movements of anyone using telnet programs—like SecureCRT and Terminal—by matching the IP address at which the target is or was logged in with the physical location of that IP address on campus.

The “friends” script has a detailed listing of what Harvard IP addresses correspond to what buildings, allowing users to pull up with a few keystrokes where any user they have listed is logged into telnet on campus. Coordinator of Residential Computing Kevin S. Davis ’98 says that HASCS would not comment on the subject.

Harvard servers also hold another form of information used daily—swipe card data.

HUDS publicly discusses the data it receives from monitoring swipe action in the 14 residential dining halls across campus in order to allocate resources and staff. Snyder says, however, that the data is only ever distributed in aggregate—with no names or IDs attached.