This Date in UCSF History: Online Registrar Info Unencrypted
Originally published on Synapse - The UCSF student newspaper Jan. 28, 1999.
Many UCSF students have appreciated the convenience of registering and filing online during the past year.
However, the registrar's Web server has not been using encrypted protocols to transfer personal information such as social security numbers, home phone numbers, and grades over the internet.
In fact, with the unencrypted system, it has been technically possible for a hacker with a small amount of knowledge and skill to intercept that information as it passes over local networks.
Last week I brought this situation to the attention of Synapse, after using a “packet sniffer” program to intercept my social security number as it passed over the office network while attempting to file my winter quarter study list.
“If I can do it, so can anyone,” I figured.
The program I used is freely available over the internet, and the entire process took less than five minutes.
In response to impending publication in Synapse of information about this vulnerability, Michael Strizich of Student Information Services on Tuesday, Jan. 26 suspended online access to the registrar's Web site until the system can be updated with encrypted protocols.
“We do not want the perception of a security threat to cause students to be particularly wary about accessing their data on our web site,” said Strizich.
What is the nature of the vulnerability? Most local area networks work in a manner analogous to a room in which a number of conversations are going on and each computer has the potential to overhear any conversation on the network.
Normally, each computer only listens to conversations that directly involve it.
However, when running a program known as a “packet sniffer,” a computer can then record every conversation on the network and save that information to disk.
In the absence of encryption, a data thief can then sift through the conversation record and literally read out information such as social security numbers and home phone numbers.
Not all networks are vulnerable to packet sniffing. Modern and more expensive “switched” local area networks are safer, but it is not a trivial matter for the average user to determine what kind of network he or she is using.
Accessing the registrar's Web site over the internet means that your personal information is being sent through at least three networks: the one your computer is hooked up to, the one that connects your network to the registrar's network, and the one the registrar's Web server is on.
Information can potentially be intercepted as it passes through any one of these networks.
To reduce problems with eavesdropping on the internet, commercial web sites like Amazon.com, eTrade, and Wells Fargo use encrypted protocols to transmit sensitive information such as credit card numbers and account statements.
Encryption means that all information is translated into a sequence of characters that would look like gibberish if intercepted.
Forty-eight-bit encryption is the standard level of encryption for most sites, and it is fairly difficult to break without considerable effort and sophistication on the part of the data thief.
One hundred-twenty-eight-bit encryption is so hard to break that the U.S. government forbids export of products capable of applying it.
According to Michael Strizich, encrypted access to the registrar's Web site with either form of encryption should be available by spring quarter registration.
All data that is transferred over the internet is at some risk, but such risks can be minimized by using encrypted protocols and by sending out only the smallest amount of sensitive information that is necessary for a given transaction.
For instance, in the future it may not be necessary for the UCSF registrar to send social security numbers over the internet if some other less sensitive identification code is used instead.