By Justin Chandler and Jacob Dubé
In the span of six days, automated password-guessing bots make about 3.6 million attempts to access students’ my.ryerson accounts.
Brian Lesser, Ryerson’s chief information officer, said those guesses come from around 3,000 machines in about 103 countries. Bots try to log into accounts using passwords generated from a list of the area’s most common. That list is filtered so the passwords fit Ryerson’s complexity rules.
Thanks to rate limiting—restricting devices from logging in after multiple failed attempts to do so— 75 per cent of the attempts don’t go through. But student and faculty accounts are still constantly at risk.
Here’s what you need to know to keep your Ryerson account safe.
Lesser said that 1,100 Ryerson accounts were hijacked in 2014, but in 2015 that number fell to about 250.
The decline was partly thanks to Ryerson Computing and Communications Services (CCS) pushing account-holders to change their passwords regularly and make them more complex.
Many people use simple, easy-to-guess passwords.
After nearly 33 million Twitter accounts were hacked in June, it was reported that the most common passwords used on hacked accounts were “123456,” “123456789,” “qwerty” and “password.”
“There are various ways to make a good password, but the problem with passwords is contradictory,” Lesser said. “On one hand, it’s gotta be something that’s easy to remember, on the other hand, it has to be so complex so that it’s not in the list of top 10 million popular passwords that hackers are trying on your account all the time.”
Experts recommend using a combination of characters and symbols, or switching out letters in a long, memorable phrase with numbers.
Soon, Ryerson students will be more secure when using their my.ryerson accounts. Lesser said the CCS will be implementing two-step verification for all my.ryerson accounts. Some staff already use it.
If enabled, the new feature will require people to confirm, using a secondary device, that they are trying to log into my.ryerson before they are given access. This is usually done with people’s phones using a text message, push notification or special code from an authenticator app.
Ryerson is also planning to let students make longer passwords (more than 100 characters long) for their Ryerson accounts. Long passwords are more secure than short ones.
Since most attempts to guess Ryerson accounts’ passwords are made outside of Canada, Lesser says the CCS might use geolocation to more severely rate limit foreign attempts to access Ryerson accounts.
He said the CCS will likely enable two-factor authentication and longer passwords in October.
One of the biggest threats to students’ online accounts comes from malware and account hijacking, Lesser said. When people use peer-to-peer file sharing, such as Megaupload, to access music and movies, they often subject their devices to attacks. Students downloading files from untrustworthy sources can unwittingly download malware which can gain access to their accounts.
Often, compromised Ryerson email accounts will be made to send people spam. When the CCS detects an email sending out large volumes of what it believes to be spam, it will notify the account’s owner to warn them.
Who’s monitoring you?
System administrators at Ryerson have the ability to access my.ryerson accounts, but are directed to only do so in exceptional circumstances. Access may be granted if law enforcement provides the university’s general council with a warrant to access a student or faculty member’s account.
Lesser said administrators’ access to accounts is logged, meaning there should be a record if one of them snoops on a person’s Ryerson account.
Ryerson monitors its networks for performance and threats, but they don’t usually identify an individual’s online traffic unless a person is flooding the network with unmanageable traffic or if Ryerson tech support is helping someone troubleshoot a problem.
A device will be blocked from accessing Ryerson’s network, if administrators detect a threat coming from it. On Sept. 17, the CCS blocked network access from a laptop that appeared to be contacting a known malware command and control server, Lesser said.
No online system perfectly protects users’ privacy. On Sept. 21, the CCS emailed students and faculty to warn them of a privacy breach involving Ryerson Google accounts managed with the Windows 10 calendar app.
The CCS warned that if that any events created on Ryerson Google Calendars using the Windows 10 app were automatically set to be public. This means that if a student or faculty member shared their Ryerson calendar with other people, events they had intended to keep private, such as appointments or meetings, would be visible.
The CCS was notified about the breach by a faculty member who noticed they had public events on their calendar that they wanted private. The CCS does not know how many people’s calendar events were shared, but it does know that the Windows 10 calendar updated something in the accounts of 193 students and 131 Ryerson employees, all of whom had a public event on their Ryerson calendar.
“Anything that makes things less private without you explicitly making them less private is a problem. So you should have the choice, not the software,” Lesser said.
The CCS emailed the people affected to explain how they could make their Google Calendar events private.
Lesser said the CCS is unaware of any similar privacy breaches.
He said the CCS is constantly working to protect students and faculty against increasingly dangerous online threats.
“It’s not getting better. It’s getting worse.”