“Phishing” scam poses as IT in email, targets university community
The start of the academic year has seen The New School’s information technology system affected by a number of technical problems, including flaws in the controversial SafeConnect program.
The program, which all New School students must download before being able to access the school’s Wi-Fi network, suffered problems after a system update. The technical issues left many student devices without Internet access intermittently for the week of September 5. Additionally, two fraudulent emails were sent to students’ New School accounts as part of an identity theft scam known as “phishing,” meant to steal personal information.
SafeConnect is made by Florida-based technology company Impulse Point. The software keeps computers that are connected to campus Wi-Fi networks running on up-to-date antivirus software. It also prevents the use of peer-to-peer file-sharing programs, the use of which, while common, is against the law.
The program has been controversial for what some see as privacy and secuirty issues. Yet bugs in SafeConnect are now creating accessibility problems in The New School’s network as well.
“A technical malfunction occurred during an upgrade to part of the SafeConnect infrastructure,” said David Curry, New School director of information security, in regards to the log-in issues students suffered during the first week of September.
“In the process of [changing] the way in which newly-connecting systems are redirected to the New School wireless network login page, one step was accidentally skipped,” Curry added. “This caused [some devices] to get ‘stuck’ — they couldn’t reach the login page, but at the same time, they weren’t displaying the correct error message to help diagnose the problem.”
SafeConnect is used by other institutions, including Oberlin College and UCLA. But many universities, including NYU and Columbia, operate their networks without such a safeguard.
Curry said that the software is an important part of the school’s IT network.
“[SafeConnect] is necessary to protect not only our network and the systems connected to it, but also other users of the network,” Curry said.
The program has its critics at The New School. Ted Byfield, a professor of arts, media and technology at Parsons, wrote a 20-page report about the software in June of 2010, questioning its implementation at The New School.
“It’s reasonable to ask whether the potential ethical, legal, and reputational risks of this system outweigh the limited benefits that New School IT has offered as justification for adopting it,” Byfield wrote in his 2010 report. “I believe that [SafeConnect] is incompatible with The New School’s history, values and mission.”
Inspired by Byfield’s work, the Electronic Frontier Foundation and researchers at the University of Michigan investigated SafeConnect. They obtained a copy of the SafeConnect Policy Key — the application that users are required to download before gaining access to their university network — and found that earlier versions of SafeConnect posed a substantial security risk, accepting updates from local servers with no authentication necessary.
“This goes to show that asking people to install software just to be allowed onto a network can come with its own set of security risks, since bugs in that software constitute new ways onto users’ machines,” wrote Cindy Cohn and Seth Schoen in an EFF blog post from October 6.
The phishing email that was sent appeared to be a legitimate notice from The New School’s “Information Technology Service Help Desk.” It alerted students and faculty that the school was experiencing a server overload and needed their account user name, password and date of birth.
A university-certified email was sent later that day, warning students not to reply with their information or forward the email to anyone else. But students were not the only ones to receive the email.
“The New School accounts that received the message were just a small fraction of the total number of accounts to which it was sent,” according to Curry.
It is not known exactly how many students, faculty and staff received the phishing email, but IT did receive feedback about the message.
“We received around 100 calls and emails to the Help Desk about it,” Curry said. “No solution is perfect, and the occasional [fraudulent email] will still get through.”