Is your e-mail safe?

Portland State’s computer network is vast and complex – except to those who manage it. From campus-wide networks to the wireless shadow to student-created web pages, PSU’s Office of Information Technology (OIT) ensures that information is secure.

To understand the scope of their task, consider this: PSU offers three types of e-mail, dial-up Internet access, campus-wide and department-specific computer labs, Unix servers for creating programs, and additional space for personal files and web pages to each and every student, faculty and staff member. Approximately 70 staff and 160 part-time students in the OIT maintain this web of information for over 17,000 full-time students, 15,000 part-timers and 3,000 faculty and staff.

Each facet of the university’s electronic network is slightly different, especially in terms of security. In some instances, such as e-mail, security is largely left up to the users. In other cases, such as the systems that run the Banner administrative program, only the highest industry-standard encryption methods will do.

Dan Ashcom manages the campus-wide computer labs, and says that any e-mail account is only as secure as the user’s computer. “It’s basically just plain text, and we don’t send it encrypted or anything,” he says. As for virus attacks, the university strongly encourages all students to make use of the college’s site license for Norton Antivirus and download a free copy to protect their own computers.

Cory Bell, PSU’s information security officer, explains that the university has different layers of security depending on what kind of information they’re trying to protect. The way most people send e-mail over the Internet is not protected, but when those people log on to check e-mail, that’s where the protection kicks in.

“Say when you send mail, it goes to Purdue,” Bell says. “It’s not protected between here and there, but when you log in here, that connection is protected. We want to protect your credentials, what gets you access to the system, rather than the content of your mail.” If someone were to acquire the logon and password information for an account, they could send out malicious e-mails and viruses without the user’s permission.

PSU uses Secure Sockets Layer (SSL) and 128-bit encryption to secure any sort of private information, such as social security numbers, Banner student records and Odin accounts. SSL is a format for sending data that uses secret numbers to encode confidential information, and “128-bit encryption” means those secret numbers are 128 bits long. There are 2^128 possible combinations of numbers in a 128-bit system – literally trillions of trillions of secret numbers, so the chances that code will be broken are slim to none.

Personal web pages posted via Odin are not typically secured using SSL once they’re posted, but Bell explains this is the very nature of individual web pages – they’re designed to be public and don’t contain terribly essential information. However, when users log in to post files on the server, that logon is authenticated and secure.

“We do have web pages that are considered secure, such as the account creation web site. They are SSL-protected,” Bell says. “The Banweb page, how you check the balance on your account – that’s all protected.”

Although attacks on the network are common, Bell explains that most of those hits aren’t a big deal. “We’re constantly scanned, but nine-tenths of that is automatic” via self-propagating “worm” viruses, he says. “In a matter of speaking we’re attacked all the time [by the worms], but a specific person looking for a specific thing is much more rare.” Viruses are just looking for vulnerabilities in the network that would allow them to enter and spread, whereas an individual targeting the university would have a specific route they were following. Bell says the constant scanning done by the worms is “like a drive-by – there’s essentially no intelligence behind it.”

“The largest hole in security is human beings,” Bell says. He gave as an example the last worm virus that hit the university at the end of January. Rather than being self-spreading, users had to open the e-mail message, unzip a file and then run a program for the virus to spread. Though only about 30 machines were infected, in three days PSU had received just under 100,000 copies of the virus, and the overall message volume on the network went from an average of 80,000 messages per day to 426,000 messages per day. “When infected users send out additional messages, it puts an additional load on the servers,” he said.

Campus computer labs don’t typically get infected with viruses because of security restrictions. “We decide what software goes on them, and people that use the lab machines don’t have the privileges to install software, so it [the worm virus] wouldn’t have actually run,” Bell says. “The virus definitions are also kept completely up-to-date, and there’s more central control. The desktops have looser restrictions.”

Bell says that security in general is a tradeoff between protecting against outside risks and imposing additional restrictions on users. The OIT looks at the plusses and minuses of additional security measures, particularly whether or not people would use them, and considers whether or not to increase security. “The general consensus is that people don’t want to do more work than they’re already doing,” he says.

For more information on setting up PSU e-mail and web accounts, check out the OIT web site at www.account.pdx.edu or contact the Help Desk at www.uss.pdx.edu, (503) 725-HELP. Students and staff can also download a free copy of the Norton Antivirus software on the Help Desk web site.

Breakdown of electronic resources for PSU studentsHere’s what’s in your PSU digital grab bag:? Personal Web page space: up to 50 MB? Network space for file storage: up to 50 MB? Modem Dial-up Internet access: 5 hours per day? High-speed Internet access: unlimited at on-campus labs