In response to the onslaught of cyber attacks targeted at the Boston University community, President Robert Brown announced Friday that BU will increase its cybersecurity within the school.
“Because of the increased risk, we are now taking a more active, rigorous approach to securing the personal information of community members,” Brown said in an email to faculty and staff Friday morning. “Social engineering techniques such as ‘phishing’ take advantage of people’s trusting natures and are increasingly sophisticated and deceptive.”
After an incident in January in which the usernames and passwords of 10 BU employees were stolen and the information was used to reroute their paychecks, BU Information Services & Technology will implement additional security measures, said Executive Director of Information Security Quinn Shamblin.
“We are working on ways to protect people when some event occurs, and if their information is somehow stolen, we want to try to protect them in that event just as much as we would want to protect anyone else,” Shamblin said. “What we are trying to do is to help provide that additional level of technical protection on top of good security decisions.”
BU’s former security policy, which aimed to facilitate open communication and academic freedom among staff and faculty users, rendered the school vulnerable to phishing attacks, Shamblin said.
“While we have a lot of protections in place and we have been working toward helping individuals understand the security risks so that they can make better security decisions when faced with those decisions, the fact of the matter is that people will often not understand the full implications of the decision that they might make,” he said.
One of the new measures, which was implemented Sunday, added a green indicator to the browser's address bar on the BU Web Login page to assure users that they are submitting their credentials to the genuine, secure BU site.
“You will see now that there is a big, green icon or, if you are using Internet Explorer, the entire background of the URL turns green, or if you are using Safari there are some green letters that are printed on the side of the URL that say ‘Trustee of Boston University,’” Shamblin said. “This is a special security certificate designed explicitly to make it more visible that you are in the correct place.”
Shamblin said BU also plans to require more than a password at login, which would ideally eliminate the threat of unsuspecting users surrendering their personal information to online criminals.
“The problem is that passwords are simply a piece of knowledge,” Shamblin said. “It is extremely easy to pass knowledge from person to person.”
The new measure, known as two-factor authentication, will require users to confirm their intent to log into their accounts through an external, physical medium, such as a cellphone.
“There is a solution we are evaluating right now that once you have it set up, you go to log into something for the first time and it will send a message to your cellphone that is just a push button,” Shamblin said. “… If you are the one that is trying to log in and you receive this message, you just push ‘yes.’”
College of Arts and Sciences professor of computer science Ran Canetti said this is an effective way to prevent unaware users from compromising their accounts.
“The attacker might extract information from the user, but it will hopefully not be able to extract physical devices such as cellphones,” he said. “This is called two-factor authentication, and this is going to become a measure to protect users against themselves.”
However, Canetti cautioned users to educate themselves and be aware of the risks they face on the web.
“You should look right and left before you cross the street,” he said. “In the same way, browsing is dangerous. You should always be aware of the danger. It is simple stuff but people need to be aware of it.”