I Having Nothing Worth Stealing

"What would anyone want with my account -- I have no confidential data"

You may have data that you do not want distributed (even, for example, posted freely on the Internet in your name, or in the name of the institution). Even if you have NO DATA AT ALL in your account, there are other issues that can lead to potential problems.


Your system access can provide someone else with a foot in the door. There are attacks that can be used to attempt to gain further access to a system. These attacks leave traces in logs and other security systems, which will then be identified as coming from your account. A classic example is to use one compromised account or personal computer to attack the information systems of another institution (such as a bank). University systems are often initial targets for such attacks because the typical system will be fairly new (and powerful), be connected to a fast Internet connection, be available 24 hours but not be in use in the evenings or late at night and may not be updated with the latest security patches. As well, the collegical process of a University lends itself to data sharing and freedom of information access, which makes the attack easier.


Residual Data such as credit card info, your name, address, phone number and other information may be stored on your system. These items may be there even if you did not "save" them; for example the cache file in an internet browser may hold personal information that could be abused or used to start another type of attack. The cache file will certainly hold information such as what sites have been visited, and may hold information such as passwords and identification information for other internet accounts.

Creating a 'fake' id is an old trick to avoid problems with systems administrators and law enforcement. For example, an attacker could use your account to apply for an account on another system, join clubs or organizations in your name or even sign in to an on-line bank or apply for a credit card "on-line". This is one example of "identity theft', one of the fastest growing crimes in North America.

You may not be the only user of a system, or your system may use resources from a shared facility such as a department server. Just as it is easier to gain access to valuables in a house once you are invited in as a guest, it is easier to bypass security controls when you are already partially trusted as a shared system user. Others may have confidential data that is being placed at risk.

Harrassing and cyber-stalking others, by sending inappropriate, obscene or otherwise unsolicited email messages, sending messages to chat groups, posting pornography in your name, or generally insulting others are all possible once your electronic ID is known. Several 'hacker' sites regularly post the account names and passwords of compromised accounts, and many news groups regularly distribute such information. Remote access to a shared account is only one type of access. Physical systems can also be abused. In some situations, for example, Windows and Macintosh systems in 'private' offices that are connected to the net can be used without a password by anyone who gains access to the office.


Your account (and/or your computer) have storage capability. An attacker could store inappropriate images, stolen or copyrighted software, or hacking software on your machine without your knowledge. If your machine is also connected to the net, it can then be used as a distribution point where others can access this material anonymously. In the worst cases, your machine could be used to store and distribute child pornography.

Your account (and/or your computer) have processing and communications capability. Processing could be used to as part of an attack on a password protected machine somewhere else, or as part of a distributed attack on a web site or to spread virus materials.