Passwords, IDs stolen from sites

By Laurie Mayk
and Anupama Reddy
Daily Staff Reporters

A Trojan Horse computer program has jeopardized the privacy of students and staff members since early this month by illegally obtaining uniqnames and passwords from campus computing sites.

Information Technology Division officials first discovered the program, which appears as a standard University login screen, on Sept. 11 at three computing sites - the Shapiro Undergraduate Library, the Frieze Building and Family Housing on North Campus.

After a user enters a uniqname and password on the login screen, the program captures the information and saves it to a file on the computer's hard drive. The stolen information can later be retrieved and used to access the user's e-mail, financial information, schedule and other secured items.

One hundred login IDs and passwords were found in files on computing site hard drives last week.

"Anyone capturing that password and using that uniqname can use that person's identity," said Laurie Burns, ITD associate director.

Trojan Horse programs are "designed to mimic real services almost perfectly, and it may be impossible for a user to detect any differences with them," ITD officials said in a statement Friday afternoon.

ITD officials recommend that all students or faculty members who have used these sites this semester change their passwords.

ITD sites manager Liz Salley said that although ITD is now familiar with this specific Trojan Horse program, it is difficult to safeguard against this type of program.

"We cannot guarantee this won't happen again," Salley said.

Some students at the Shapiro site Friday said they would change their passwords just in case their security had been compromised. Passwords may be changed at any University terminal by typing "passwd" at the Unix login prompt and following the subsequent instructions.

LSA sophomore Evette Adams said the incident would not deter her from using University computers.

"The whole system is built around computers," Adams said. "If you cut yourself off from computers, you can forget it."

ITD employees made a sweep of all campus computing sites last week after the program was first discovered. Although the creation dates on the program's directories made it appear to have been installed a few days earlier, the directories may have been cleared out or the machines restarted, said Dino Anastasia, an ITD computer systems consultant.

"There's the potential that in some instances the program sat on a machine for six to eight weeks," Anastasia said. The program may have been loaded this summer, he said.

ITD officials said the program was discovered on Intel-based Dell Pentium computers running the Windows 3.1 operating system in the three sites. Although this Trojan Horse program has not been discovered on Macintosh computers on campus, Macintoshes are also vulnerable to this type of program, ITD officials said.

Engineering Prof. Atul Prakash said the Windows 3.1 operating system is "fundamentally flawed from a security point of view."

Prakash said other systems, such as Windows NT, would be harder to fool with a Trojan Horse program.

"You would have to do a lot more work to change the standard login screen," Prakash said.

Restarting the machines can safeguard against security breaches. Burns said students are encouraged to restart all machines after use, except Unix machines.

Anastasia said ITD officials believe the suspect or suspects loaded the program, which appears to have been created in July, onto computer hard drives from a floppy disk. More relaxed computer regulation at the sites during the summer may have made it easier to go undetected, he said.

Anastasia said he sent a list of 100 potentially affected students' names to the accounts office last week. Those students were notified that their passwords had been captured and were assigned new passwords. The uniqnames and passwords of other students, staff and faculty may have been captured and previously removed from the hard drives, he said.

Department of Public Safety spokesperson Elizabeth Hall said she could not comment on the case until today because she was not aware of its details. On Sunday, Hall said she had not received any information about the case. However, Anastasia said DPS and ITD are both investigating the situation.

"It's illegal and against University policy," said University Assistant General Counsel Dan Sharphorn.

Although individuals whose passwords were obtained by the program may take legal action against the University, Sharphorn said he doubts the University would be found liable in such a case.

LSA sophomore Prasad Ambekar said he does not blame the University for the mishap.

"There's only so much the school can do," Ambekar said. "No matter how hard they try, there's always going to be someone who can hack the system a little better."

University Resolution Coordinator Mary Lou Antieau, who administers the Code of Student Conduct, said the suspect, if a student, could be charged under the Code.

"It could be a violation of two different violations of the Code," Antieau said.

Anastasia said the passwords and the uniqnames obtained could potentially be traded to individuals outside the University for software and other information.

Since the student information obtained from the Trojan Horse program could be used in a black market, the jurisdiction of the case could fall to the FBI, especially if the stolen passwords are transferred across state lines.

FBI Special Agent George Grotz, who works in the FBI's San Francisco headquarters, said he could not comment on the case until today. The San Francisco headquarters is one of three FBI computer squads which investigate security issues involving computers. The other two squads are located in the FBI's New York City and Washington, D.C. offices.

FBI Special Agent Dawn Moritz, who works out of the FBI's Detroit headquarters, said Friday that all inquiries about computer crimes should be directed to the national computer squads.

Don MacPherson, a computer-crime unit paralegal at the Department of Justice, said he would not comment on the case until today because he needed to find more information.

Burns said this is not the first time password security has been compromised at the University.

Two years ago, a student's password was illegally obtained and racist e-mail was sent from that student's account. Burns said the student received threatening messages and phone calls as a result of the fraudulent e-mail.

"His life was affected (by the situation)," Burns said. "He was really very much disrupted by that."

- Daily Staff Reporter Jennifer Harvey contributed to this report.

INFO BOX

Four ways to change your password:

  • At a Unix prompt, type "pwd" to execute the password program, which will prompt you for further information.

  • At a sites login screen, type in "password" instead of your uniqname and follow the subsequent instructions.

  • On a Macintosh, click on the identification icon in the upper right corner. Then, click on the icon for changing a password.

  • On a Macintosh, use the Chooser to access your IFS account. Then, click on the button for setting a new password.

    09-23-96


    ©1996 The Michigan Daily