A former computer-system administrator at the University of Massachusetts at Dartmouth was arraigned in late February on charges that he hacked into student e-mail and Facebook accounts and downloaded a number of nude and partially nude photographs of 16 female students.
According to a local newspaper, The Standard-Times, Robert T. DeCampos, 30, would go to the Facebook home page and request that the site reset the passwords for the women’s accounts. (To do this, he had to supply the women’s e-mail addresses, which he had access to because of his position at the university.) Mr. DeCampos would then use his administrative privileges on the university computer system to access the women’s e-mail accounts. Once in, he could open their e-mails from Facebook and retrieve the new passwords, then use them to access their Facebook pages, which contained images.
The university fired Mr. DeCampos last fall after police searched his home and found a portable flash drive containing the photos. Mr. DeCampos, who was released on his own recognizance after the arraignment, is being charged with 13 misdemeanor counts of unauthorized access, which carries a maximum penalty of 30 days in jail and $13,000 in fines. He is also being charged with one count of felony larceny, which could mean up to a five-year jail term and a $25,000 fine.
This story flew largely under the radar; only a few local news-media outlets picked it up. But while it is common these days to read about security breaches perpetrated by interlopers from outside the campus, this episode highlights a different sort of threat—one coming from inside the campus—that might be worth paying closer attention to.
Researchers for Carnegie Mellon University’s Computer Emergency Response Team, or CERT, have studied Internet security for the last two decades. “Insiders, by virtue of legitimate access to their organizations’ information, systems, and networks, pose a significant risk to employers,” they wrote in a recent report on internal threats to technology infrastructures.
Dawn Cappelli, the technical manager for threat and incident management at CERT, discussed strategies for protecting against inside threats to information-technology security on a recent podcast on the group’s Web site. Ms. Cappelli will also be speaking at The Chronicle’s Technology Forum in April. -Steve Kolowich