On March 21, Concordia University issued a statement warning students and faculty that keylogger devices had been found on university computers.
“These keylogger devices can capture personal data such as login information and passwords (for example, passwords associated with your Concordia netname) by tracking the keystrokes used at a workstation,” a press release from Concordia explained.
Students were advised to change their passwords for their Concordia accounts as well as the passwords for any other accounts accessed through the affected units. On March 22, McGill sent an email to students following Concordia’s statement to confirm that no McGill infrastructure had been similarly tampered with.
“The majority of public computers managed by IT Services have already been inspected to verify that no keyloggers are attached, and the inspection will be completed by tomorrow,” the email read. “While we do regularly review and inspect the computers and IT infrastructure managed by McGill, we strongly encourage all McGillians to be vigilant when using any public computer, be it on, or off campus.”
Keyloggers work by recording keystrokes—the keys that a user presses—on a computer. They can take the form of a physical device that intercepts communication between the keyboard and computer, or a software that works at a low level to record keyboard input to send to a third party.
Although McGill students were largely unaffected by the incident at Concordia, security lapses have happened at McGill in the past. One notable example is the Heartbleed Bug. Many websites use a security protocol called SSL to get information from users privately. One implementation of Secure Sockets Layer (SSL)—used to establish an encrypted link between a web server and a browser—had a major bug accidentally introduced in 2011. This bug allowed people access information from servers that they should have been blocked, letting eavesdroppers acquire passwords, private keys, and other personal information. In 2014, McGill issued a statement advising students to change their account passwords to reduce the risk of their account being compromised.
It’s easy to forget about the role that security plays in people’s day-to-day lives, but its importance cannot be over-emphasized, especially for university students. Most computer users have terrible habits when it comes to keeping their information secure.
For a case of what happens when bad habits are exploited, look no further than Mat Honan, a staff writer for Wired. Honan, like many people, used the same email prefix for several accounts, and hadn’t taken the time to set up two-factor authentication on any of his devices. Because of this, after gaining access to his Amazon account, hackers were able to take over his Apple, Gmail, and Twitter accounts within minutes, wiping his iPhone and Macbook and issuing racist tweets from his Twitter account.
“In the space of one hour, my entire digital life was destroyed,” Honan wrote in a Wired article. “First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.”
To protect themselves, students are encouraged to adhere to some simple practices. For starters, students should avoid repeating username and password combinations across accounts and set up two-factor authentication. It’s best to avoid communicating private information over public networks, to help minimize the risk that one security lapse could affect multiple accounts on different services.
In general, although it’s impossible to guarantee that an account will never be compromised, following a few common-sense rules can drastically improve security and mitigate that risk.