a student newspaper of the university of tulsa
september 10, 2012 issue 2 ~ volume 98
New wireless network lacks security

Shortly before fall classes began, TU’s two wireless networks were replaced with a single network—TU Wireless. Since the change, students raised specific security concerns.

Conor Fellin
Student Writer
The University of Tulsa’s new wireless network, “TU Wireless,” is not a secure network, according to many of TU’s aspiring computer security professionals. Their worries, many of which have been corroborated by the TU Information Technology (IT) department, include the lack of protection for passwords sent to unsecure websites and the ease of impersonating another student on the network.

TU Wireless replaced the TU Secure and TU Web Only wireless networks of previous years just before the first week of classes.

Dr. Dale Schoenefeld, Chief Information Officer and Vice President of Information Services at the University of Tulsa, said that the decision to change networks came out of the difficulties new users regularly encountered configuring their devices to connect to TU Secure, difficulties that put pressure on the IT department.

“With the broad, wide assortment of…BYOD (Bring Your Own Devices), we just simply aren’t staffed to help people configure all of it,” Schoenefeld said.

Students who did not discover the new wireless network on their own were informed by a mass email explaining the new log-in requirements and encouraging wired connections.

“They didn’t tell the students that the encryption was removed,” pointed out Electrical Engineering major Alison Maskus. “I heard from other students.”

The new network’s lack of encryption is a chief concern of the students opposed to the network. TU Wireless does not encode a user’s credentials (that is, usernames and passwords) and interactions with unsecure websites in a way that prevents others on the network from seeing them.

Computer science major and computer security researcher Christian Mann described one implication of not having encryption: “If I’m sitting across from you in ACAC (Allen Chapman Activities Center), I can read all your Facebook messages or post to your Twitter or delete your on-line persona without you ever knowing who I am.”

Mann qualifies that this would require that the user connect to an unsecure website, i.e. any website whose address begins with “http” and not “https.” Most major sites, including Google and Facebook, contain an option for connecting using “https.”

John Lobsinger, TU’s Senior Network Engineer, admitted that credentials sent over http are now visible to nearby computers in a way that they were not when TU Secure was in place.

He added, however, that “http is never deemed secure. (Data sent over the network is) always going to be unwrapped somewhere in the network between here and there.” If no one in ACAC can see your password, there is still a chance that someone somewhere can.

“If you’re accessing an http site, you should check to see if the vendor has a secure connection,” Lobsinger said.

Another fear of TU’s computer security base involves the Media Access Control (MAC) addresses that students can register in order to avoid the need to enter their credentials whenever they connect to the network.

According to computer science major and member of TU’s Collegiate Cyber Defense Team Jonathan Teel, “Registering MAC addresses means someone else can spoof my address and pretend to be me on the network.”

When asked how a system administrator could prevent a user from learning another’s MAC address over the unsecure network and using that person’s identity for illicit actions like illegal downloading, Lobsinger replied, “You can’t. There are no actions to prevent it.”

Lobsinger adds that the perpetrator could be caught if he or she attempts to use the network at the same time as the address’s real owner. Analysis of network statistics could also give circumstantial evidence that a user is not who he or she claims to be.