Rice University’s Student Newspaper — Since 1916

Friday, April 19, 2024 — Houston, TX

IT asks community to change passwords after security breach

By Andrew Ta     4/9/14 12:48pm

Security breaches at companies like LinkedIn and Adobe, along with over 100 compromised accounts since the beginning of the year, prompted Rice University Information Technologies to send an email on April 2 to all members of the Rice community asking them to change their passwords, according to Information Security Officer Marc Scarborough.

“In the past, you could pretty clearly see a correlation between a phishing [attempt] and compromised accounts sending lots of spam,” Scarborough said. “This year, we’ve seen some major differences. In January 2013, we saw 3 or 4 [compromises]. [This] January, we saw 40, [and] we don’t see the same correlation between phishing and the number of accounts.”



According to Scarborough, since people typically use the same username and password at multiple sites, a breach at any of those sites could be used to compromise the Rice account.

“Take the example of LinkedIn,” Scarborough said. “Their password database was compromised and they had notified their community in June 2012. We know a lot of people registered there with their Rice address and password. So when LinkedIn said, ‘Hey, these passwords are compromised and need to change,’ what we see is that the people at Rice did not change their password here, and those passwords aren’t just compromised in secret. They [were] compromised and published to the wild.”

Scarborough said Rice IT had correlational evidence that pointed towards a breach at LinkedIn as a large cause for the recent uptick in compromised accounts.

“Attackers are using the user ID of a Rice email address and the corresponding password to log into our systems,” Scarborough said. “For example, 28 out of 30 accounts [might be] created before June 2012. It’s [also] not one department. It’s faculty, staff, students, departments all over the map. The only piece that was consistent was that all of the accounts were created in our system before LinkedIn announced their breach. It might mean something, it might not. But the fact that it’s almost exclusively accounts two years or older is interesting.”

Scarborough said a breach at Adobe late last year may have also contributed to the compromised accounts.

“Adobe is actually a big player in higher education,” Scarborough said. “A lot of people have Adobe accounts. We know that, again, people use the same password, and, again, people probably were forced to change their password at Adobe, but we [didn’t] see a mass change of passwords at Rice when Adobe announced their breach.”

According to Scarborough, the breach was exacerbated because Rice does not require routine password changes.

“If we had an annual password change and [the compromised accounts] really were because of LinkedIn, we probably wouldn’t be having this [conversation],” Scarborough said. “People don’t want to move forward and make the entire university go through a system where we have to change passwords with some frequency. If there’s a big enough breach, and I can show that so many Rice addresses, if it’s 500 or 300, [were compromised], I can probably make an argument to push a campus-wide password change, but we haven’t been able to say that.”

Scarborough said password managers like KeePass and OnePass are useful tools for preventing account compromises.

“I know it’s a challenge for people to choose different passwords, and we don’t want to go back to writing them behind keyboards like the old joke,” Scarborough said. “Password managers work. Most have integrated browser support and work well on mobile devices.”

Scarborough said he encourages anyone with questions to email him at marc.scarborough@rice.edu or call at 713-348-5735.


