Hec-gate Incident Raises Broader Issues Regarding UA Emails and Cybersecurity


Unexpected Email Mishap Makes UA Student a Viral Sensation

In an incident that has captivated both the campus and the broader public, University of Arizona student Hector Gutierrez inadvertently sent a recommendation letter to a campus Listserv on Wednesday evening, propelling him into the spotlight as both a local and national celebrity.

This incident spurred inquiries into how such a mass email, reaching more than 24,000 students, was even possible.

According to Teneshia Arnold, the director of the Office of Student Involvement, which oversees the Honor Society Eligibility Listserv, the system was configured with “appropriate permissions.”

Arnold noted, “Hector must have had the magical touch. I observed in his reply that he copied and pasted this email address, which likely facilitated his success.”

Barrett Elder, the director of customer relations for the Office of Information Technology, confirmed that the Listserv’s configuration would be altered moving forward. He elucidated, “There are numerous configurations available when establishing a Listserv. This particular one was set as a ‘discussion forum’ type, permitting replies to the entire list. Once we recognized the complications, we transitioned it into an ‘information broadcast’ list, restricting mailings to the list creators and designated individuals.”

Eventually, the Listserv hit its daily cap of 50 messages and ceased receiving further replies. However, the earlier exchanges resulted in students disclosing their phone numbers and Campus Wide IDs, potentially leading to significant security vulnerabilities.

Matthew Hudnall, an associate professor specializing in management information systems at the university, equated the disclosure of CWIDs to the exposure of social security numbers due to the inherent “security concerns” of including such sensitive information in email signatures.

He remarked, “Identifiers like CWIDs should be safeguarded whenever feasible, as access can be gained to various accounts with just a last name and CWID, or even a date of birth in conjunction with a CWID. After all, one wouldn’t typically include their social security number in an email signature.”

Arnold mentioned that discussions are ongoing between the Office of Student Involvement and the Office of Information Technology to ascertain whether anyone who included their phone number or CWID in a response that night was affected.

While including phone numbers in email signatures is fairly routine, Elder cautioned against adding personal data such as CWIDs, asserting that if students share that information “willingly,” it is not classified as a data breach.

Though this peculiar email incident was merely an error made by a fellow student, apprehensions have arisen regarding the potential for phishing attacks or hacks stemming from the event.

Hudnall stated, “Just as you can spoof a spam phone call, spoofing an email address to make it appear as though it’s coming from a trusted source is feasible. If the email content appears authentic, it opens the door to various phishing assaults if recipients engage with attachments or links.”

The correspondence from Gutierrez contained a PDF attachment featuring a letter of recommendation from an instructor.

Hudnall added that while there are no known vulnerabilities associated with PDF attachments at present, the risk of a “zero-day attack,” where hackers exploit unrecognized vulnerabilities, remains a possibility.

“The prevailing advice is to refrain from opening attachments unless you are expecting them and can verify the sender’s identity,” Hudnall admonished.

For further guidance, the Office of Information Technology maintains a webpage with email safety tips for both students and staff, which includes recommendations on avoiding personal information in signatures, employing encryption when necessary, deliberating before selecting “reply all,” and being vigilant against phishing attempts.

“Personal security is a focal point for the OIT cybersecurity team, as collective effort is essential in safeguarding our campus,” Elder concluded. “It is crucial to prevent the disclosure of personal information that could be weaponized against you.”

Source link: Thecrimsonwhite.com.

Reported By

RS Web Solutions
