KEVIN MENZ / ISHMAEL N. DARO
Given a simple browser plug-in, the Sheaf was able to gain access to email and social network logins for numerous students working on campus.
Don’t worry, we didn’t do anything creepy — but others might. According to Campus Safety, there were 44 different instances of identity theft recorded on campus in 2010.
An informal survey of students using laptops on campus revealed that most were connected to the university’s unsecured Wi-Fi network, either unaware of the secured option or unable to access it.
How session hijacking works
When you log into an email account or social network, the website usually leaves behind a cookie. These browser cookies store information like your settings, the contents of a shopping cart or a record of your login.
Using simple and free software like Firesheep, a plug-in for the Firefox browser, someone nearby using the same wireless network can copy that cookie and gain access to your accounts.
As a test, we set up a computer in the main library running Firesheep. Within minutes of logging onto the unencrypted uofs network, we had access to other users’ email accounts, Facebook profiles and more. We had strict rules about not actually looking through strangers’ personal information, but it was clear that we — and anyone else running similar software — could have done considerable damage.
Some sites were better than others. All Google accounts returned an error, meaning that your Gmail, YouTube and other Google services are likely safe even on an open network. Hotmail and other Windows Live services, on the other hand, cracked open every time.
Facebook accounts were sporadic. Sometimes we gained access and other times we didn’t. This could be because Facebook is currently improving their security settings — likely an initiative taken after Mark Zuckerberg’s own page was hacked last week. They will soon allow fully encrypted access.
Twitter was wide open, but users can secure their accounts by adding https to the start of the address in their address bars.
Other sites vulnerable to session hijacking include Amazon.com, Tumblr and Flickr.
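Whether a login cookie can be copied this way depends on how the site issues it: a cookie set over plain HTTP, or set over HTTPS without the Secure attribute, still travels unencrypted on an open network. The check below is an added example, not part of the original article; the site names, cookie values and function names are constructed for illustration.

```python
# Added example: flags login cookies that would cross an open Wi-Fi network
# in the clear. All sites and cookie values below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_response(url, set_cookie_headers):
    """Return {cookie name: finding} for cookies a nearby listener could capture."""
    findings = {}
    over_tls = url.lower().startswith("https://")
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not over_tls:
            findings[name] = "set over plain HTTP: readable on an unencrypted network"
        elif "secure" not in attrs:
            findings[name] = "no Secure attribute: browser also sends it on http:// requests"
    return findings


# Constructed login responses; example.test is a placeholder domain.
SAMPLES = [
    ("http://mail.example.test/login", ["session=abc123; Path=/"]),
    ("https://social.example.test/login", ["sid=def456; Path=/; HttpOnly"]),
    ("https://shop.example.test/login", ["auth=ghi789; Path=/; SECURE; HttpOnly"]),
]


def audit_all(samples=SAMPLES):
    """Audit every sample response and key the findings by URL."""
    return {url: audit_response(url, headers) for url, headers in samples}


if __name__ == "__main__":
    for url, result in audit_all().items():
        print(url, "->", result or "no findings")
```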
How the university networks operate
With about 800 hot spots or access points around the university, there are four different ways to get online, but the two main networks are “uofs” and “uofs-secure.”
The uofs network is “a general use network for wireless devices, easy to connect to [and] does not provide any particular privacy or security measures,” said Glenn Hollinger, acting associate director of Information Technology Services. “Users are expected to provide their own privacy and security to fit their needs.”
On the unencrypted network, wireless devices can easily be eavesdropped on, allowing people nearby to log into the same accounts through a process known as “session hijacking.”
The newer network is uofs-secure but many students we spoke with were either unaware of it or unable to gain access to it. Older computers running Windows XP, in particular, appear to have the greatest difficulty using the secured network.
The university is trying to move all traffic over to uofs-secure and eventually phase out the unencrypted network entirely. However, Wi-Fi on campus is not always under the university’s direct control. Access in St. Thomas More College, for example, is provided through a partnership between the two institutions.
Other universities are also facing the challenge of upgrading security on their wireless networks without shutting some users out. The University of Waterloo is scheduled to have just one secure network by March of this year but the date may have to change.
“We’re getting some push-back on that. Some older laptops running Windows XP don’t work on [the secure network],” said Bruce Campbell, director of network services at Waterloo.
Campbell said that about 80 per cent of Waterloo students have already transitioned to the secure network but the last 20 per cent who still use computers running programs such as XP were probably going to prolong the existence of the unsecured open network.
U of S students, by comparison, are using unsecured wireless connections in much greater numbers, leaving them more vulnerable to tampering.
How your PAWS account is secured
According to Hollinger, the PAWS login is secure on both the “uofs” and “uofs-secure” networks.
He said, however, that once logged in, security is dependent on which channels are being used by a student, faculty member or campus employee.
Channels do not refer to the tabs at the top of PAWS, but to each individual frame on the page, such as announcements, registration or your email inbox.
He was unable to specify which channels were encrypted and which were not, but claimed it is not a current security issue.
images: Pete Yee, Matthew Stefanson