NEWS

  /  

May 15, 2004

Security concerns impact e-mail choices

Between rushing to classes, writing papers, and studying for midterms, many students have a ritual of checking their e-mail several times a day. The University servers process nearly 600,000 e-mails—including messages from friends, news of campus events, and mailings from clubs—everyday. In fact, the University sends official administrative information via e-mail and requires that all students routinely access their e-mail for such information.

Students can check their accounts at countless computers across campus using a variety of methods that include Webmail, POP, IMAP, and Harper. Students have also developed unique e-mailing rituals and often swear by one method or the other.

Beginning in the summer of 2002, NSIT launched the Secure Authentication initiative to eventually eliminate insecure services on campus. This initiative, in an attempt to improve campus security, includes the termination of plain-text authentication. Soon, NSIT will only support methods that encrypt text.

Max Trefonides, the Manager of Enterprise Network Systems Administration, explained that when students access e-mail using insecure means, their usernames and passwords are sent over the Internet in regular text, making it "fairly simple" for a novice hacker to secure this sensitive information. He noted that students are increasingly taking advantage of the username (CNetID) to access their e-mail as a personal identifier for an expanding list of University services that include the Travel Office and the Registrar. Trefonides warned that students who use insecure e-mail are susceptible to identity theft.

Trefonides explained that before the elimination of plain-text authentication, there were seven methods by which e-mail could be checked, including Webmail, insecure and secure POP, insecure and secure IMAP, Harper via SSH or via Telnet.

Of the nearly 17,000 accounts that have pointed to NSIT servers this year, approximately 2,700 accounts were being accessed using insecure POP or IMAP services, he said. He noted that insecure access to Harper via telnet has yet to be abolished and will be terminated on May19.

Zulfiqar Mahar, a first-year in the College who said that e-mail is "extremely" important to him, checks his account three or four times a day. Mahar accesses his account using Eudora, which he referred to as "the shit."

Others, like Ivan Beschastnikh, a second-year in the College, and Nicole Voelkel, a fourth-year in the College, check their e-mail even more frequently. Beschastnikh said that he checks his "every 30 minutes, sometimes every 10 minutes." He also checks his mail every two hours at night. Beschastnikh added that he uses the mail client "Mutt" on SSH, which he has specially configured to be color-coded.

Unbeknownst to many, there are both secure and insecure services on campus—and many students have been perusing their email with the latter.

NSIT's Secure Authentication initiative is one step in a continuous battle to secure University computing. Trefonides said that the University is literally under constant attack in the form of "probes" that search for vulnerabilities in the University's systems and network. He pointed out that at any given time a number of campus machines have been successfully broken into or compromised and said that every year a few thousand University computers are compromised. A compromised machine can be used to pry into the activity of other machines on the network or can possibly be used to launch more attacks.

Compromised machines are a sizable expense to the University. Additionally, individuals can lose valuable, sometimes irreplaceable, work that is lost or destroyed.

While there are server settings that vary from client to client, the server names for accessing secure e-mail are:

For IMAP connections: imap.uchicago.edu

For POP connections: pop.uchicago.edu

SMTP server (for outgoing mail): smtp.uchicago.edu

Secure access to e-mail can also be assured by using the software in the NSIT Connectivity Package. The package is free and can be picked up at the Campus Computer Store or the Account Administration Office.