Grace Hsieh ’07 said she uses Yale’s wireless network all the time. So do many of her friends and “almost everybody” she sees in the Berkeley College library. Hsieh said she is aware of the security risks of a wireless network, but the fact that she is using a Yale network makes her feel “subconsciously” safer.
“I know that Yale does care a lot about the security of its students,” she said.
But close study reveals that Yale’s wireless network is not entirely safe — third parties could gain access to users’ data.
Yale’s wireless network transfers data through the air just like a cell phone. A wireless access point is analogous to a cell phone tower. An access point connects the wireless user — generally someone using a laptop or a personal digital assistant — to a much larger network. A normal cell phone will only hear calls intended for it, and will not ring when someone standing nearby receives a call. But on Yale’s wireless network — or any other system based on the same wireless standard — a wireless laptop or device can “hear” all of the communication happening in the general area. This practice is called “sniffing” and it can be done with ordinary computers using free, downloadable software.
When sniffing a wireless network, it is possible to read any unencrypted data. When a student uses a browser to buy books on Amazon, his credit card information is safe because the web server encrypts the data. But normal Web sites are unencrypted, and sniffers can see what sites users access. In the worst-case scenario, they can even read e-mails or passwords.
“In the normal wireless network, there is no security,” University Information Security Officer Morrow Long said. But he said the University has implemented security features for those who wish to use them.
Director of Information Technology Services Philip Long said ITS has provided fully-encrypted password service to the whole University for several years.
“We’re always worried about security,” Long said.
ITS distributes Eudora, which, when configured correctly per the instructions on the ITS Web site, will protect the user’s e-mail passwords. Sites shielded by Yale’s Central Authentication Service do so as well. This does not necessarily protect data being sent, Long said, so ITS offers a Virtual Private Network service, which creates a “tunnel” between the user and Yale’s high security server network. VPN instructions are offered on the ITS Web site.
Despite these potential risks, students do not seem concerned with security on the network.
“I don’t really use the secure ITS services. It’s very nice to know that they exist, however, and I would consider using it if I did have important data to send over the Internet,” Hsieh said.
Whether or not a user feels safe depends on his definition of importance. If a student considers his NetID and password important, the default wireless security is not enough. An outsider could read both if the student checked his e-mail over the wireless network.
But Berkeley College computing assistant Casey Street ’06 said he feels confident in the security of Yale’s wireless technology.
“The computer assistants are aware of many of the dangers of the wireless network, but this is a risk that is necessary to provide wireless access to the Yale community,” Street said in an e-mail. “The IT staff has taken every precaution to secure the wireless network.”
Yale’s Ethernet and wireless networks both use a computer’s MAC address (a hardware identification system) to determine who is allowed to use the network. Yale keeps track of a user’s MAC address once the user registers with a NetID and from then on allows full network access.
But a MAC address can also be captured by a sniffer. Someone could capture a MAC address by sniffing the wireless network, change his computer to use the stolen address — a relatively simple task — and then masquerade as someone else. If this illegitimate user were to commit a crime while posing as someone else, it would appear that the person whose address was stolen was the perpetrator.
“Years ago I saw hackers change their MAC addresses to sidestep certain access control in a campus network,” Sheng Zhong GRD ’04, whose research interests as a computer science student include information security and network security, said in an e-mail. “In theory, this should always be doable, unless there is a dramatic change in architecture.”
As long as MAC addresses remain visible to the outside world, using them as a form of authentication will not suffice. And while there is no default protection on the wireless network, Yale’s wireless community will remain vulnerable.
“We are looking at automatic VPN solutions,” Philip Long said. “The primary problem with such solutions is that it requires a client application and thus presents additional cost and setup on the user desktop.”
Long said the University has not yet found a solution, but the problem is under “active investigation.” Until the University finds these solutions, students and faculty members may want to think twice about ways they use the wireless network.