Residence Hall Association's listserv violated by fake message

By Geoff Smith
Arizona Daily Wildcat
September 12, 1996

Members of the UA Residence Hall Association may think twice about believing the next message they receive on their electronic mail accounts, after a bogus message they received Tuesday afternoon declared that Dorm Daze, the group's biggest event of the year, had been canceled.

Chris Christensen, RHA president, said that just after noon Tuesday, someone gained access to the group's listserv account. Listservs are systems that keep mailing lists so that mass mailing can be distributed to subscribers.

The individual who broke into the account distributed a message to the account's 300 subscribers claiming that Dorm Daze, a mini-Olympics for the residence halls, was to be canceled because one chairman had the chicken pox and the other had quit.

Linda Drew, computing manager at the Center for Computing and Information Technology, said the listserv, a "closed and moderated" system, is only directly accessible by the listserv's owner or individuals who have received cleared access by the owner.

Benjamin Steers, owner of the listserv, said the only two people who had access to the account at the time were himself and Scott Cole, RHA's vice president for public relations.

Steers said the perpetrator, whom he said CCIT had apparently successfully traced but not named, used an Internet application like Netscape to either send a letter and make it appear as if it had originated from Cole's account, or to get into the account itself.

Once inside the account, the perpetrator was able to write what ever he wanted to the listserv's recipients. In this case, he or she canceled Dorm Daze.

"I didn't know what was going on at first," Cole said. "When I checked my e-mail Tuesday, I had received 10 responses from administrators and hall directors who were disappointed to hear about the event's cancellation. I immediately got back on the listserv and sent another message to the subscribers notifying them that Dorm Daze was still on."

"Someone knew that I had access to the server," Cole said. "I am really disappointed; not that my personal privacy was violated, but because of the breach that occurred for the organization. This is a real tragedy."

Drew said CCIT did not know who had sent the messages or how someone was able to get into the account. She said they are currently looking into three possible ways the message could have been sent.

"Cole last accessed his account from a public site," Drew said. "If he did not completely log out before leaving the computer, someone could have sat down at the computer and access the account without any kind of login."

Drew said the account could also have been accessed by someone who knew Cole's account password.

The third option being investigated is whether or not someone used an ethernet connection, like Netscape, to manipulate the appearance of the letter and whom it was coming from.

"You can tell a message has been altered if you look carefully," Drew said. She also added that CCIT's main investigation was leaning toward the theory of impersonation.

Drew said that while CCIT knew impersonation was possible, she did not know of any other circumstances when it had happened at the university. While not a violation of any law, she said, such an impersonation is a violation of UA code of conduct.

"If the person who did this is caught and they are a student, they will be referred to the Dean of Students Office. If it is a university faculty or staff member, they will be referred to the Human Resource Office."

Drew said there are ways that individuals with e-mail accounts can protect their accounts.

"Make sure that the last login date is correct when you log into your account, she said. "If you logged out at 5 p.m. yesterday and the message says someone was on at 8 p.m., then you need to check your files."

Drew also said e-mail users should change their passwords periodically.

"If someone looks over your shoulder while you log in, they have full access to your account," she said. "Also, always make sure you are completely logged out so no one can get on your account after you have left the computer."

Cole and Steers said in separate interviews that they plan on continuing use of the listserv as it remains the best way to get messages to all of their members. Cole has changed the password to his account.


(NEXT_STORY)

(NEXT_STORY)