By Oscar Ho
As part of an 18-month plan to upgrade the university’s network beginning this month, University of Tulsa officials will be increasing the security of the school’s wireless network by adding an option for encrypted connections.
This decision will alleviate concerns, voiced by some of the university’s computer security experts, that an attacker could steal students’ information and pretend to be someone else on the network.
TU had an encrypted wireless network until the beginning of the fall 2012 semester, when the option to encrypt was removed.
“We just simply aren’t staffed—I’m not suggesting we should be staffed—to help people configure (their devices to the network),” said then-Chief Information Officer Dale Schoenefeld, explaining the decision to remove the encrypted network.
Current Chief Information Officer Richard Kearns expressed more optimism about Information Technology’s ability to help users configure their devices to the network. He cited the improvement in wireless technology, better network documentation and an increased IT staff as reasons that students could more easily learn the network.
Kearns also said that the encrypted network will run on brand-new infrastructure separate from the unencrypted network. It “will not interact with old Cisco switches that were problematic,” a move that should result in a much better network than the secure one from 2012.
The encrypted network will become available to students gradually. As each building’s infrastructure is upgraded, students will be able to access the encrypted network from that building.
The regular unencrypted network is receiving an upgrade too. This will include “the replacement of all out-of-date data switches; the upgrade of the core network routers, switches and firewalls; … and expansion of the wireless network to accommodate expanded use.” Users should expect more security, reliability, and speed from this upgrade.
The decision to bring back an encrypted wireless network means that students can again connect to the network without exposing themselves to a number of attacks.
In a world where spying and malware are perpetually evolving threats, maintaining network security is a complex task for the Information Technology office. No network is 100% secure, said Michael Haney, a graduate student in computer science.
That is certainly true for TU’s wireless network. Several computer science students, including Mr. Haney, shared two major concerns they had about the network. Both revolved around the fact that TUwireless is unencrypted.
An unencrypted wireless network is susceptible to eavesdropping. A smart eavesdropper could, in TU’s case, learn enough to commit identity theft just by listening to traffic on TUwireless.
Listening in on the network is quite easy. Information can be picked up with any computer or a special antenna.
Perhaps the most important information on the network is metadata. Metadata is “information about information,” said Mr. Haney. These tidbits provide clues about other people on the network.
For example, a computer sometimes makes its name visible to anyone on the network. This piece of metadata, a computer name, could reveal who owns the computer or what it is used for. A computer named “Bob’s laptop” could indicate who owns that computer. A computer named “Fluid Dynamics Lab 1” could indicate the purpose and physical location of that computer.
Users’ devices are not the only things broadcasting metadata about themselves. Servers, routers, and other hardware on the network infrastructure can similarly be sniffed.
This freely available, unencrypted metadata is a cause for concern. Metadata is important for someone trying to take advantage of the network. A snoop could drive into a TU parking lot, fire up a computer inside the car and listen for metadata that can paint a picture of TUwireless’s users and infrastructure. Using this metadata, our snoop could decide on a target for a hacking operation.
TU controls its network by requiring its users to register their devices’ Media Access Control (MAC) addresses with the IT office. However, this registration is only necessary if a user wants to use TUwireless to explore the internet. As a result, an attacker can listen for metadata without registering his computer with the University, said Haney. If he has a Wi-Fi antenna, he can listen.
The problem arises when someone steals a MAC address and uses it to pretend to be someone else, said Haney. The thief may start to carry out illegal activity under this disguise. The suspicious web traffic will be linked with the MAC address, which is registered to a law-abiding person, not the thief. It is a form of identity theft where a villain frames an unsuspecting person. This has happened before.
Unfortunately, MAC addresses are currently visible as plain text metadata to anyone listening to TU’s network, said Haney. Stealing a MAC address to cover illegal activity can be easily done here.
Everyone we consulted said the most effective way to prevent the sniffing of MAC addresses is to employ network encryption.
The man-in-the-middle attack is the most significant threat to TUwireless’s security. To perform a man-in-the-middle attack, an attacker fools a user into connecting to a wireless access point that he controls.
Performing a man-in-the-middle operation can be very rewarding, and at TU, it is nearly undetectable. By listening to someone’s internet activity, the attacker could learn usernames and passwords to email accounts, social media, Amazon.com accounts, and more.
Utulsa login credentials may be stolen, giving the attacker access to a victim’s university Gmail, WebAdvisor, Filer and Harvey.
The attack is difficult to detect because the attacker disguises his connection as a legitimate access point to TUwireless. Haney believes there is nothing TU can do to discover a man-in-the-middle.
Given the enormous volume of data that flows around TU, “it’s easy to be a needle in a haystack” and avoid detection, he believes.
Encryption makes a user’s activity unintelligible and can be employed in at least two ways. One is the use of an encrypted network. This is an option that is not currently available to students, but will become available as the network is upgraded.
The second method is the use of an encrypted connection to a website (via Secure Sockets Layer, or SSL). It is easy to tell whether you have such a connection. An “https” prefix instead of “http” will appear in the URL. Some browsers even have a little lock or “secure” icon that will pop up.
In the digital domain, security and convenience rarely come in the same package. Security requires maintenance. Much like the TSA makes benign people’s lives miserable at the airport in an effort to keep lives safe, security mechanisms in the digital world can cause problems for a legitimate user.
The effort necessary to maintain encryption algorithms, keys and firewalls, protect servers, and assist users is significant, said Haney.
In contrast, a convenient network would mean easy access for anyone. The price is that such an accessible network would mean few protections from eavesdroppers or anyone seeking to plant malware.
The balance between accessibility and security is tough to find, and no amount of security will eliminate every threat. “There are risks with wireless regardless,” said Haney.
Until the encrypted network is available, users seeking maximum safety will need to look for other options. The use of “https”-style encrypted websites whenever possible will defeat a man-in-the-middle attack.
More privacy will require more elaborate methods, such as a VPN (virtual private network, which relies on an encrypted connection to a special server) or TOR (The Onion Router, which scrambles your identity and your activity).
Commenting on the general safety of TU’s wireless network, Haney said, “I don’t think they have any glaring holes.” All the traditional rules apply, he said, including using strong passwords and avoiding suspicious websites and downloads. TU has to compromise between convenience and security. The user’s situation is not any different. “If you want to be 100% secure, unplug your computer and don’t use it,” he observed.