On Binghamton University’s unencrypted network, one can readily access Facebook and other accounts of nearby network users, even without any knowledge of computer languages, a Pipe Dream investigation found.
An extension for the Mozilla Foundation’s Firefox Internet browser enables its user to monitor nearby Wi-Fi traffic and usurp the login sessions of other users.
The extension is a third-party application, which users of the browser can download to add functionality to the browser. Users of Windows Live Hotmail are also vulnerable to prying by the extension.
This and other vulnerabilities can be at least partially avoided if users of BU’s wireless network set their network preferences to use the ‘busecure’ rather than the ‘buwireless’ service set identifiers.
Service set identifiers, or SSIDs, are subsets of the campus Wi-Fi network. All wireless devices on a wireless local area network must employ the same SSID in order to communicate with each other.
The Firefox extension that pirates Facebook sessions only works on the unencrypted ‘buwireless’ SSID and cannot access information on the secure ‘busecure’ SSID.
Students can connect to the ‘buwireless’ SSID without logging in every time; to use ‘busecure,’ they enter their PODS name and password into a login window.
Some students, however, are unaware of the differences between the two SSIDs.
Ankit Tamakuwala, a junior majoring in computer science, thought that the administration should promote the more secure ‘busecure’ network.
‘I always thought that ‘busecure’ was for the professors; I usually just connect to ‘buwireless’ because there’s less hassle,’ Tamakuwala said. ‘A lot of times you can see which computers are connected to the ‘buwireless’ network and how many people are using the network.’
Jamie Arnold, a senior programming analyst at BU’s Information Technology Services, explained that both the ‘buwireless’ and ‘busecure’ SSIDs are available to students.
Arnold said that one method of encryption is website-based. Websites that use ‘https’ rather than ‘http’ in the URL are encrypted; the ‘S’ stands for ‘secure.’
‘Any time you are submitting personal information, you should be sure the website is using HTTPS/SSL encryption,’ Arnold said. But the ‘busecure’ SSID can provide an extra layer of protection for information sent through sites that merely use ‘http.’
He did caution, however, that ‘using encrypted wireless should not be considered a replacement for SSL encrypted websites or good security habits when using the Internet.’
Amisha Shastri, a computer science graduate student, has never felt the need to use the secure wireless network, choosing ‘buwireless’ instead for general schoolwork.
‘It doesn’t matter so much for me what network I use unless I had something important to do,’ Shastri said. ‘If I really had to make sensitive transactions, then I would just prefer to use my home network.’
But for the many students who live on campus, ‘buwireless’ is their home network.
Arnold said that there has been no report of fraudulent online activity on the unencrypted ‘buwireless’ network, but said it likely happened on a daily basis, especially at universities.
‘Hackers looking to obtain information tend to target universities,’ he said. ‘Anything that would be reported would involve the police department.’ He said ITS occasionally gets calls about fraudulent activity, but that they do not come in often.
Arnold did not recommend using one wireless network over the other, saying the choice depends on the situation in which the network is being used.
‘The encrypted network has been experimenting on and off for a year,’ Arnold said. ‘It is not something announced for general use yet, but anyone may try it at this point.’
How to connect to ‘busecure’ instead of ‘buwireless’
On a Mac:
Using Windows 7: