IT asks community to change passwords after security breach
Security breaches at companies like LinkedIn and Adobe, along with over 100 compromised accounts since the beginning of the year, prompted Rice University Information Technologies to send an email on April 2 to all members of the Rice community asking them to change their passwords, according to Information Security Officer Marc Scarborough.
“In the past, you could pretty clearly see a correlation between a phishing [attempt] and compromised accounts sending lots of spam,” Scarborough said. “This year, we’ve seen some major differences. In January 2013, we saw 3 or 4 [compromises]. [This] January, we saw 40, [and] we don’t see the same correlation between phishing and the number of accounts.”
According to Scarborough, since people typically use the same username and password at multiple sites, a breach at any of those sites could be used to compromise the Rice account.
“Take the example of LinkedIn,” Scarborough said. “Their password database was compromised and they had notified their community in June 2012. We know a lot of people registered there with their Rice address and password. So when LinkedIn said, ‘Hey, these passwords are compromised and need to change,’ what we see is that the people at Rice did not change their password here, and those passwords aren’t just compromised in secret. They [were] compromised and published to the wild.”
Scarborough said Rice IT had correlational evidence that pointed towards a breach at LinkedIn as a large cause for the recent uptick in compromised accounts.
“Attackers are using the user ID of a Rice email address and the corresponding password to log into our systems,” Scarborough said. “For example, 28 out of 30 accounts [might be] created before June 2012. It’s [also] not one department. It’s faculty, staff, students, departments all over the map. The only piece that was consistent was that all of the accounts were created in our system before LinkedIn announced their breach. It might mean something, it might not. But the fact that it’s almost exclusively accounts two years or older is interesting.”
Scarborough said a breach at Adobe late last year may have also contributed to the compromised accounts.
“Adobe is actually a big player in higher education,” Scarborough said. “A lot of people have Adobe accounts. We know that, again, people use the same password, and, again, people probably were forced to change their password at Adobe, but we [didn’t] see a mass change of passwords at Rice when Adobe announced their breach.”
According to Scarborough, the breach was exacerbated because Rice does not require routine password changes.
“If we had an annual password change and [the compromised accounts] really were because of LinkedIn, we probably wouldn’t be having this [conversation],” Scarborough said. “People don’t want to move forward and make the entire university go through a system where we have to change passwords with some frequency. If there’s a big enough breach, and I can show that so many Rice addresses, if it’s 500 or 300, [were compromised], I can probably make an argument to push a campus-wide password change, but we haven’t been able to say that.”
Scarborough said password managers like KeePass and OnePass are useful tools for preventing account compromises.
“I know it’s a challenge for people to choose different passwords, and we don’t want to go back to writing them behind keyboards like the old joke,” Scarborough said. “Password managers work. Most have integrated browser support and work well on mobile devices.”
Scarborough said he encourages anyone with questions to email him at marc.scarborough@rice.edu or call at 713-348-5735.