Carleton University is increasing its digital security after finding six USB keystroke loggers in Carleton classroom computers.

Changes include daily and more frequent checks of school computers for keystroke loggers in the future.

According to Geoff Leboldus, the information security manager with Information Technology Services at Carleton, USB keyloggers can capture anything typed on a computer.

“Everything you type on a machine with a keyboard logger is no longer private,” Leboldus said.

Leboldus said a key logger contains a transcription of everything typed, including usernames and passwords for Carleton’s website and other accounts.

In an email, Allan Burns, the director of the Department of University Safety, said they passed the issue on to the Ottawa Police, who are currently investigating who’s responsible for putting the key loggers on school computers.

A release on the university website states that there is “no evidence” that personal information was taken or that any university data was compromised by the devices.

The university sent an email to all students telling them to change their My Carleton Portal passwords after the devices were found.

“We’ve required all of our staff and faculty to change their user ID and passwords so any credential information for Carleton that these [hackers] may have gathered is no longer useful to them,” Leboldus said.

Leboldus said Carleton is unsure if USB key loggers have been put in before, which is why the school is requiring its staff to change their passwords.

Carleton also recommended students change their school and other account passwords, especially if they’ve signed in using classroom machines.

“What we’ve found is because those classrooms are often open and they’re open all night, there’s a significant number of students who are using them,” he said.

However, the hackers are potentially targeting faculty and staff, Leboldus said.

“By targeting podium machines and [based on] the time of year, we could guess that they were after faculty and contract instructor credentials,” he said. Targeted information could include exams and marks.

“It’s unexpected because it’s an old-school kind of attack,” Leboldus said. The attack is done physically with a USB stick, rather than online through phishing and spam emails.

The key logger method usually costs more for the hacker because of the USB sticks, according to Leboldus.

“Someone’s invested time and money into this,” he said. “If it was a phishing campaign, it wouldn’t cost as much.”

This isn’t the first time this has happened at Carleton. In 2008, software key loggers were put on various print release stations, and the hackers managed to get student information, Leboldus said.

He added that people should change passwords yearly, use complex passwords and not reuse them, to increase security in situations like this.

“Let’s say one account gets compromised,” he said. “Then you don’t want that one account to be seven.”

He said students could be more cautious with account security and sharing passwords.

“I think people don’t understand the ramifications and consequences of letting that information out, especially if you re-use passwords,” he said.

“This is your identity,” Leboldus said about account information. “This is you, so treat it as secret information.”

– Photo illustration by Angela Tilley