On Wednesday, the University’s Information Security Office (ISO) blocked Internet access for people who had not watched the required 15-minute video about computer security.
While it is important to raise awareness about information security issues, requiring everyone on campus to watch a video about computer security is ironic when Stanford has not taken an important measure that would substantially increase information security on campus: securing the Stanford wireless network.
When you connect your computer to the Internet through Stanford’s unsecured wireless network, all of the communication between your computer and the websites you visit is broadcast unencrypted through the air. What this means is that everybody else in your vicinity can also see which websites you are visiting and much of the information you send them.
(Stanford’s wireless network isn’t “open,” in that the Stanford routers won’t let just anybody connect to the Internet, which is why you had to register your computer the first time you connected to the Internet. But it is unencrypted, allowing people to read the traffic.)
Unfortunately, there is no way to detect whether somebody is listening in, the same way that you can’t tell who’s listening to a radio broadcast. And the ability to eavesdrop on your web-surfing is not limited to elite hackers; anybody can download free software like Wireshark to make listening in easy.
Stanford’s unsecured wireless network is problematic for two reasons: It compromises our security and allows our privacy to be violated.
Transmitting our unencrypted information through the air makes it easier for identity thieves to steal our information. It also makes us more vulnerable to “man in the middle” attacks, in which a malicious machine pretends to be the router we wish to communicate with.
And even if we could trust every single member of the Stanford community to behave honestly, we would still be vulnerable to these attacks from Stanford machines that have been compromised by crackers and from malicious users outside the Stanford community.
An unsecured wireless network also allows our privacy to be violated. Many people assume that nobody else can find out which websites they visit, a common misconception that the ISO video made no attempt to clear up.
Especially for those of us who live on campus, it is reasonable to expect that webpages we visit in the privacy of our campus homes are as private as the conversations we have or the books we read there. Using Stanford’s wireless network, however, allows strangers to see most of our Internet activity.
Fortunately, some sites, like Facebook, Gmail and the websites of major banks, encrypt our communication with them through the HTTPS protocol.
But exploits continue to be found because of flawed implementations of security measures, even at major websites. Two years ago, for example, software developer Eric Butler released an add-on to Firefox called Firesheep that took advantage of the fact that many websites, including Facebook, Amazon and Twitter, sent the cookies stored on our computers unencrypted over the network. Firesheep, which is still freely available, allowed a malicious user to crack into our accounts on these websites, effectively stealing our identity.
The Stanford Daily was quick to report on Firesheep and the havoc it allowed.
But despite this clear warning sign, Stanford did not implement wireless encryption, which would have prevented this session hijacking attack.
The fact is that we do not know where the next major security breach will come from or how bad it will be. What we do know, however, is that adding an extra layer of security can prevent security breaches in other layers from harming us. As the ISO video itself says, “It’s good to use multiple defenses because there is no secret recipe for staying 100% safe.”
Wireless encryption has been standardized since the 1990s, an eternity ago in Internet time, and security researchers, including those at Stanford, have continued to strengthen these standards since then.
Many of our peer universities, including Harvard, Yale, and the University of Chicago, have recognized the importance of secure and private network access and have implemented wireless encryption.
It is embarrassing that a university renowned for being at the cutting edge of information technology still uses unsecured wireless.
Before the ISO puts out another video about what we can do to improve computer security, Stanford should secure the campus wireless network.
Naftali Harris, doctoral candidate, statistics