During the week of March 1, approximately 35 Whitman faculty and staff received a USB drive accompanied by a letter advertising the drive as a new version of Facebook and promising a $25 Amazon gift card for those who downloaded the drive’s contents. According to Chief Technology Officer Keiko Pitter, the test was not designed to record the names of faculty or staff members who downloaded the contents, but rather to determine the number of people who chose to do so.
The USB drives were issued as part of the Whitman Office of Technology’s annual security audit of the college’s technology systems, conducted through Secure Network, a New York-based firm that provides security consulting for banks, government agencies and large universities. According to Pitter, Whitman is one of the few small colleges that use this firm.
“All the current literature of the last couple of years indicates that it’s no longer the technology that allows intrusion but personal error,” said Pitter. She commented that people make themselves vulnerable to intrusion by being deceived by phishing scams and giving out personal information over the internet.
According to Pitter, phishing poses a real threat to the college’s technology systems. Within the last 18 months, approximately 70 Whitman e-mail users were tricked into giving out their usernames and passwords by phishing scams.
“Over 100,000 e-mails were launched from our site [as a result of these scams] and our domain name was blacklisted by other schools and organizations who did not want to receive spam from our site,” said Pitter. The Office of Technology Services is still dealing with the effects of this particular phishing scam.
Phishing scams are increasingly being conducted through popular social networking sites such as Facebook. Not surprisingly, phishing scams through social networking sites were the focus of this year’s audit.
If the phishing attempt were real, Whitman’s technology system could have faced a breach of security, threatening data stored on college computers.
The content of the letter accompanying the USB drives raised eyebrows among faculty and staff who received the drives, and professors notified each other of the scam over the faculty listserv.
“That’s exactly what we wanted as a result because it shows that we’re doing a good job of telling people not to trust these scams. But the flip side is that [the test] raised many concerns and frustrations,” said Pitter.
Associate Professor of Anthropology Jason Pribilsky was one faculty member who received a USB drive. According to him and Pitter, none of the Whitman staff and faculty members who received a USB drive downloaded its contents onto their computers.
“I think the issue for many faculty was that this experiment employed deception to test the college’s security. As researchers who do research on ‘human subjects,’ the idea that information would be procured by deceiving those you are researching must meet a high standard,” Pribilsky said in an e-mail.
“Another problem was that WCTS contracted with an outside security firm to do this experiment. There was little concern given to the particulars of a college community, our own ethics or the reception of such an experiment in light of the standards we ourselves keep in terms of the boundaries of ‘human subjects’ research,” he said.
Pitter views this test as a learning experience.
“We know that we have to continue security tests in the future, but I think we need to scrutinize what our security firm does much more carefully. [The tests] need to be custom-made for this environment because although they may work in a banking environment they don’t work here,” she said.