Wireless network is not completely safe
BY DANIEL HOLEVOET
Contributing Reporter
Grace Hsieh '07 said she uses Yale's wireless network
all the time. So do many of her friends and "almost everybody"
she sees in the Berkeley College library. Hsieh said she
is aware of the security risks of a wireless network,
but the fact that she is using a Yale network makes her
feel "subconsciously" safer.
"I know that Yale does care a lot about the security of
its students," she said.
But close study reveals that Yale's wireless network is
not entirely safe -- third parties could gain access to
users' data.
Yale's wireless
network transfers data through the air just like a cell
phone. A wireless access point is analogous to a cell
phone tower. An access point connects the wireless user
-- generally someone using a laptop or a personal digital
assistant -- to a much larger network. A normal cell phone
will only hear calls intended for it, and will not ring
when someone standing nearby receives a call. But on Yale's
wireless network -- or any other system based on the same
wireless standard -- a wireless laptop or device can "hear"
all of the communication happening in the general area.
This practice is called "sniffing" and it can be done
with ordinary computers using free, downloadable software.
When sniffing a wireless network, it is possible to read
any unencrypted data. When a student uses a browser to
buy books on Amazon, his credit card information is safe
because the web server encrypts the data. But normal Web
sites are unencrypted, and sniffers can see what sites
users access. In the worst-case scenario, they can even
read e-mails or passwords.
"In the normal wireless network, there is no security,"
University Information Security Officer Morrow Long said.
But he said the University has implemented security features
for those who wish to use them.
Director of Information Technology Services Philip Long
said ITS has provided fully encrypted password service
to the whole University for several years.
"We're always worried about security," Long said.
ITS distributes Eudora, which, when configured correctly
per the instructions on the ITS Web site, will protect
the user's e-mail passwords. Sites shielded by Yale's
Central Authentication Service protect passwords as well. This does
not necessarily protect data being sent, Long said, so
ITS offers a Virtual Private Network service, which creates
a "tunnel" between the user and Yale's high-security server
network. VPN instructions are offered on the ITS Web site.
Despite these potential risks, students do not seem concerned
with security on the network.
"I don't really use the secure ITS services. It's very
nice to know that they exist, however, and I would consider
using it if I did have important data to send over the
Internet," Hsieh said.
Whether or not a user feels safe depends on his definition
of importance. If a student considers his NetID and password
important, the default wireless security is not enough.
An outsider could read both if the student checked his
e-mail over the wireless network.
But Berkeley College computing assistant Casey Street
'06 said he feels confident in the security of Yale's
wireless technology.
"The computer assistants are aware of many of the dangers
of the wireless network, but this is a risk that is necessary
to provide wireless access to the Yale community," Street
said in an e-mail. "The IT staff has taken every precaution
to secure the wireless network."
Yale's Ethernet and wireless networks both use a computer's
MAC address (a hardware identification system) to determine
who is allowed to use the network. Yale keeps track of
a user's MAC address once the user registers with a NetID
and from then on allows full network access.
But a MAC address can also be captured by a sniffer. Someone
could capture a MAC address by sniffing the wireless network,
change his computer to use the stolen address -- a relatively
simple task -- and then masquerade as someone else. If
this illegitimate user were to commit a crime while posing
as someone else, it would appear that the person whose
address was stolen was the perpetrator.
"Years ago I saw hackers change their MAC addresses to
sidestep certain access control in a campus network,"
Sheng Zhong GRD '04, whose research interests as a computer
science student include information security and network
security, said in an e-mail. "In theory, this should always
be doable, unless there is a dramatic change in architecture."
As long as MAC addresses remain visible to the outside
world, using them as a form of authentication will not
suffice. And while there is no default protection on the
wireless network, Yale's wireless community will remain
vulnerable.
"We are looking at automatic VPN solutions," Philip Long
said. "The primary problem with such solutions is that
it requires a client application and thus presents additional
cost and setup on the user desktop."
Long said the University has not yet found a solution,
but the problem is under "active investigation." Until
the University finds these solutions, students and faculty
members may want to think twice about ways they use the
wireless network.
Copyright © 1995-2003 Yale
Daily News Publishing Company, Inc. All rights reserved.