InQuire 8.6


InQuire visit our website at - www.inquirelive.co.uk

Free


Issue 8.6


2nd November 2012


InQuire exposes wi-fi security risk

Matthew Gilley, Newspaper News Editor

InQuire has alerted the University’s IT department to a weakness in their wi-fi security that could leave students open to attack. An IT security consultant living in Kent, who wishes to remain anonymous, contacted us with concerns about the protocol the University uses to accept students’ and staff’s passwords: MS-CHAPv2. In July 2012 a study was published online showing that MS-CHAPv2 can be cracked with a 100% success rate. This means your password can be exposed by a rogue hacker.

Our source demonstrated a ‘man-in-the-middle’ attack whereby the attacker turns their laptop into a fake wi-fi access point, analyses information sent by users who connect to it and then runs that information through cracking programs that give the attacker users’ encrypted passwords. This can be used to impersonate them or to spy on their internet traffic. The encryption can then be decoded to retrieve the user’s password.

This is a potential threat to student security. With this password, a hacker would be able to access anything a student uses that password for. The Student Data System containing addresses and phone numbers, the email accounts with personal information, and any files accessed from a computer with university network access are at risk. To carry out this kind of attack, all that is needed is a high-end laptop, time to run the programs and $20 to use a service called Cloudcracker that reveals the final encrypted password. We have been deliberately vague with our description of how this happens so as not to exacerbate the potential security risk to students on and off campus.

More secure protocols are used by some other universities. Secure W2 EAP-TTLS, for example, is used by the Universities of Cardiff and Newcastle.

The risks of this weakness being successfully exploited are reduced by Kent’s additional security measures. If staff and students’ devices are correctly configured using the University’s configuration tool then they will only be able to connect to the correct Kent server with the correct security certificate.

No such configuration tool exists for students with Macs. Mac users are provided with manual instructions on internet configuration that tell them to check that the server’s security certificate is correct before connecting. The instructions do not warn of the risks of accepting the wrong certificate or explain how to automatically reject incorrect certificates, leaving Mac users more vulnerable. Dr Alan Buxey, a key figure in the eduroam University IT community, has said that MS-CHAPv2 is “hidden from prying eyes”, but also that it is only secure “as long as users configure their devices correctly”. Jim Higham, IT Services Desk Manager, said that creating a tool for Mac users is “an area we will be looking at this year”.

The University also has the ability to scan for rogue access points that might attempt an attack and disable their internet access. This is something they do on a regular basis.

David Hayling, the University’s Head of IT Infrastructure, accepted that MS-CHAPv2 is “absolutely” broken, but said: “[we have] a secure mechanism which is only going to fail if, one, there are proactive steps taken by somebody to attack it, and they come across the minority of people who have misconfigured their devices.”

If the password encryption system were to be changed, users would have the minor irritation of having to reconfigure their devices but would not necessarily have to reset their passwords. More secure protocols than MS-CHAPv2 do not rely on the strength of the password for the strength of the encryption. Our source said that there is “no good reason in this day and age to be using cryptography this weak”.

Hayling said: “There are other areas that we would prefer to concentrate on in terms of improving our service, expanding our service, helping people make better use of our services.” He added that he would be “more than happy” to change to a more secure system when time and resources become available, but that the “low risk” means that this is a low priority.

When we contacted the IT department about this issue, they were cooperative and thanked InQuire for assisting.
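An added example, not part of the InQuire article or of any University of Kent tooling: on Macs, the certificate checks the article describes can be delivered in a configuration profile, and the code below audits such a profile's Wi-Fi payload for the settings that make a device reject an unexpected server automatically. The key names are those of Apple's Wi-Fi payload; the two sample profiles, the server name `radius.example.ac.uk` and the all-zero UUID are constructed placeholders.

```python
import plistlib

def audit_profile(profile_bytes):
    """Return {ssid: [findings]} for every 802.1X Wi-Fi payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration")
        if payload.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue  # not an enterprise (802.1X) Wi-Fi payload
        findings = []
        # Without a pinned CA, any server certificate chain may be offered.
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append("no CA certificate pinned")
        # Without a server name, any certificate from that CA is accepted.
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no trusted server name set")
        # True means the user is prompted and can accept a wrong certificate.
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append("user may accept an untrusted certificate")
        report[payload.get("SSID_STR", "?")] = findings
    return report

def make_profile(eap):
    """Build a constructed sample profile holding one Wi-Fi payload."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "eduroam",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [wifi]})

# Constructed samples: 25 is the EAP type number for PEAP.
WEAK = make_profile({"AcceptEAPTypes": [25], "TLSAllowTrustExceptions": True})
HARDENED = make_profile({
    "AcceptEAPTypes": [25],
    "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000000"],
    "TLSTrustedServerNames": ["radius.example.ac.uk"],  # placeholder name
    "TLSAllowTrustExceptions": False,
})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(blob))
```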

