Just not learning what they teach
Wi-fi networks of city’s elite educational institutes are unsecured and vulnerable to hacking by terror groups, find out AM reporters
By Yogesh Avasthi and Deepti Singh
Posted On Monday, December 22, 2008 (Ahmedabad Mirror : http://www.ahmedabadmirror.com/index.aspx?Page=article§name=News%20-%20City§id=3&contentid=20081222200812220232535646949dd22 )
At LD, AM reporter Yogesh Avasthi & Neelam Doctor sit outside one of the faculties and browse through its dial-up box (Bottom)These are city’s premier institutes. They churn out top class IT professionals. They have the brightest in the business, people who know the ins and outs of information technology, working for them. They know how to make networks impregnable and that is what students here learn. But these same organisations display exemplary laxity in securing their own wi-fi networks, making them open to abuse.Startling lapses in internet security were discovered at three elite institutes, LD Engineering College, Centre for Environmental Planning and Technology (CEPT) and Gujarat University by two AM reporters and IT expert Neelam Doctor carrying LAN installed laptops. The attempt to gain access at these institutes was quite like a walk-in.It’s no secret now that terrorists tap into unsecured connections to send threatening mails. The mail sent minutes before the July 26 serial blasts was also sent after terrorists tapped an unsecured connection in Mumbai. However, LD Engineering College, CEPT, and Gujarat University have not learnt their lessons.One institution that had taken care to secure its wi-fi connection was the Indian Institute of Management-Ahmedabad. It’s not for nothing that IIM-A is counted among the world’s best management schools. All the other three campuses where AM conducted this exercise have a lot to learn from IIM-A. The wi-fi box at all three of these institutions easily opened, revealed all information about the user, the IP address, its security status etc. Without any difficulty, the team could get into the network and send emails to whoever they wished to. And they did.They fired emails to Gujarat University vice-chancellor Parimal Trivedi, senior railway official Udayshankar Jha, Gujarat Technological University (GTU) registrar L L Bhuptani and senior FSL official J M Vyas. All the mails were successfully delivered.At LD, AM reporters got free access to networks of various faculties, including civil, mechanical and textile. So much for being the state’s premier institute for technology. To top it, access was also possible into the network of adjacent PRL, the country’s premier scientific research institute. A sheepish M N Patel, principal of LD Engg College, later said, “We have wi-fi facility since about one-and-a-half years, but we have not been able to do much to secure it. However, we plan to soon install ‘cyber ROM’, a device that will not allow accessibility to out network.”
The duo send out mails from the entrance of the GU premises by using its wi-fi. At least five connections were accessibleThe University area teems with many criss-crossing wi-fi connections since it houses many educational institutes in close proximity. Hence, our reporters could access the IP addresses of a number of institutes. For example, wi-fi connections of CEPT and LD could be accessed freely from GU campus. Mails were sent from all three closely located campuses. Our reporters asked GU V-C Parimal Trivedi why things were so lax at GU. At this, he said there was no question of any laxity since the wi-fi at the university, though installed, was still not functional. When told that it was not just functioning, it was also freely accessible for all and sundry, he said, “If that’s so, it is bad. We will inquire into the matter and ensure that it is secured.”The reporters found that the networks were not just not secured, the security staff also did not enquire with them what they were doing on campus with laptops in hand.HOW WE DID ITAhmedabad Mirror reporters Yogesh Avasthi and Deepti Singh acquired some handy knowledge on internet security from IT expert Neelam Doctor and set out to test how impregnable the networks at educational institutes were. With episodes of IT geeks like Peerbhoy of Mumbai being used as tools by terrorists at the back of their minds, the three just hoped they found the institutes’ networks safe and secure. But that was not to be.They walked into campuses, entered their wi-fi networks and sent out emails to eminent citizens of the city. The three could have walked away with misuse undetected if they had not chosen to tell their story to all with the hope that the authorities concerned plug the chinks in security set-ups. A common citizen’s internet connection may for once remain unsecured, but not institutes specialising in scientific study. They are supposed to know that a wireless access signal can extend beyond the four walls and out to the street. Routers and broadband modems have pre-installed user names and passwords that make it easy to get online wireless. Jumping from one IP address to another just takes five seconds.For example, a BSNL IP usually starts with 59.95.xxx.xxx. Searching this through a browser, the system will ask for a user name and a password. Once that is encountered, one can enter the system and use the internet freely to send emails or threats to authorities.HOW TO SECURE A WI-FI CONNECTION• Step 1: Set a password to protect Wi-Fi router set-up wizardAll routers come with an in-built set-up wizard. All you have to do is type the router IP in your browser. The IP used by most routers is: http://192.168.8.1/. The very first step is to make sure a router’s set-up wizard, or interface, is password-protected.• Step 2: Disable SSID broadcasting Every time a device scans for available wi-fi networks, Service Set Identifier (SSID) displays the name of your connection. Disable this feature once you establish a connection with all your wi-fi devices. • Step 3: Enable WPA, or WEP, encryption To enable WPA, log into your router’s set-up wizard. You can find this option under ‘Security’ or ‘WAN Set-up’. Both play the same basic role: to authenticate every device that tries to connect to the Wi-Fi router. • Step 4: WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): It will generate a single password, which can be configured to expire after some time. This is a good option for people who use the internet only for short periods.• Step 5: Define maximum number of devices This options comes into play when you know how many devices normally connect to your router. You can set the maximum limit, so that once all the devices are connected and operational, no one else can connect to your wi-fi network. • Step 6: Turn off your router when not in use Turning of your router will make it virtually impossible for a hacker to use your connection.
By Yogesh Avasthi and Deepti Singh
Posted On Monday, December 22, 2008 (Ahmedabad Mirror : http://www.ahmedabadmirror.com/index.aspx?Page=article§name=News%20-%20City§id=3&contentid=20081222200812220232535646949dd22 )
At LD, AM reporter Yogesh Avasthi & Neelam Doctor sit outside one of the faculties and browse through its dial-up box (Bottom)These are city’s premier institutes. They churn out top class IT professionals. They have the brightest in the business, people who know the ins and outs of information technology, working for them. They know how to make networks impregnable and that is what students here learn. But these same organisations display exemplary laxity in securing their own wi-fi networks, making them open to abuse.Startling lapses in internet security were discovered at three elite institutes, LD Engineering College, Centre for Environmental Planning and Technology (CEPT) and Gujarat University by two AM reporters and IT expert Neelam Doctor carrying LAN installed laptops. The attempt to gain access at these institutes was quite like a walk-in.It’s no secret now that terrorists tap into unsecured connections to send threatening mails. The mail sent minutes before the July 26 serial blasts was also sent after terrorists tapped an unsecured connection in Mumbai. However, LD Engineering College, CEPT, and Gujarat University have not learnt their lessons.One institution that had taken care to secure its wi-fi connection was the Indian Institute of Management-Ahmedabad. It’s not for nothing that IIM-A is counted among the world’s best management schools. All the other three campuses where AM conducted this exercise have a lot to learn from IIM-A. The wi-fi box at all three of these institutions easily opened, revealed all information about the user, the IP address, its security status etc. Without any difficulty, the team could get into the network and send emails to whoever they wished to. And they did.They fired emails to Gujarat University vice-chancellor Parimal Trivedi, senior railway official Udayshankar Jha, Gujarat Technological University (GTU) registrar L L Bhuptani and senior FSL official J M Vyas. All the mails were successfully delivered.At LD, AM reporters got free access to networks of various faculties, including civil, mechanical and textile. So much for being the state’s premier institute for technology. To top it, access was also possible into the network of adjacent PRL, the country’s premier scientific research institute. A sheepish M N Patel, principal of LD Engg College, later said, “We have wi-fi facility since about one-and-a-half years, but we have not been able to do much to secure it. However, we plan to soon install ‘cyber ROM’, a device that will not allow accessibility to out network.”
The duo send out mails from the entrance of the GU premises by using its wi-fi. At least five connections were accessibleThe University area teems with many criss-crossing wi-fi connections since it houses many educational institutes in close proximity. Hence, our reporters could access the IP addresses of a number of institutes. For example, wi-fi connections of CEPT and LD could be accessed freely from GU campus. Mails were sent from all three closely located campuses. Our reporters asked GU V-C Parimal Trivedi why things were so lax at GU. At this, he said there was no question of any laxity since the wi-fi at the university, though installed, was still not functional. When told that it was not just functioning, it was also freely accessible for all and sundry, he said, “If that’s so, it is bad. We will inquire into the matter and ensure that it is secured.”The reporters found that the networks were not just not secured, the security staff also did not enquire with them what they were doing on campus with laptops in hand.HOW WE DID ITAhmedabad Mirror reporters Yogesh Avasthi and Deepti Singh acquired some handy knowledge on internet security from IT expert Neelam Doctor and set out to test how impregnable the networks at educational institutes were. With episodes of IT geeks like Peerbhoy of Mumbai being used as tools by terrorists at the back of their minds, the three just hoped they found the institutes’ networks safe and secure. But that was not to be.They walked into campuses, entered their wi-fi networks and sent out emails to eminent citizens of the city. The three could have walked away with misuse undetected if they had not chosen to tell their story to all with the hope that the authorities concerned plug the chinks in security set-ups. A common citizen’s internet connection may for once remain unsecured, but not institutes specialising in scientific study. They are supposed to know that a wireless access signal can extend beyond the four walls and out to the street. Routers and broadband modems have pre-installed user names and passwords that make it easy to get online wireless. Jumping from one IP address to another just takes five seconds.For example, a BSNL IP usually starts with 59.95.xxx.xxx. Searching this through a browser, the system will ask for a user name and a password. Once that is encountered, one can enter the system and use the internet freely to send emails or threats to authorities.HOW TO SECURE A WI-FI CONNECTION• Step 1: Set a password to protect Wi-Fi router set-up wizardAll routers come with an in-built set-up wizard. All you have to do is type the router IP in your browser. The IP used by most routers is: http://192.168.8.1/. The very first step is to make sure a router’s set-up wizard, or interface, is password-protected.• Step 2: Disable SSID broadcasting Every time a device scans for available wi-fi networks, Service Set Identifier (SSID) displays the name of your connection. Disable this feature once you establish a connection with all your wi-fi devices. • Step 3: Enable WPA, or WEP, encryption To enable WPA, log into your router’s set-up wizard. You can find this option under ‘Security’ or ‘WAN Set-up’. Both play the same basic role: to authenticate every device that tries to connect to the Wi-Fi router. • Step 4: WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): It will generate a single password, which can be configured to expire after some time. This is a good option for people who use the internet only for short periods.• Step 5: Define maximum number of devices This options comes into play when you know how many devices normally connect to your router. You can set the maximum limit, so that once all the devices are connected and operational, no one else can connect to your wi-fi network. • Step 6: Turn off your router when not in use Turning of your router will make it virtually impossible for a hacker to use your connection.
