Updated: Feb. 9, 2015 at 4:17 p.m.
A wireless leak last semester resulted in 30 Net IDs and passwords downloading onto a research lab computer from GW1X, which could have compromised academic and personal information.
A breach in the University’s old wireless network, which it officially moved away from last month, enabled a computer in a computer science research lab to download the information, which could be used to log in to faculty and students’ GWMail and Blackboard accounts.
A researcher who spoke on the condition of anonymity said the information was downloaded to a lab computer that was left turned on in the computer science department because of a hole within the GW1X network. The researcher said someone with the information could have changed grades on a professor’s Blackboard account or accessed users’ email accounts.
Officials notified the students and faculty whose information was downloaded, and the project was suspended, University spokesman Kurtis Hiatt said in an email.
David Steinour, GW’s chief information officer, declined to sit for an interview to discuss the leak or the process behind how the leak was reported.
His office is now offering more information to IT workers, faculty and student researchers about University research protocols to make sure there’s communication about future research projects that could affect GW’s wireless networks, Hiatt said. He declined to comment on how those efforts would be presented.
“DIT also provides information about university protocols and options to safely support cyber research, including an existing program that matches student researchers with Division of IT staff to safely conduct experiments and gain practical experience,” he said.
The University stopped using GW1X at the beginning of January, shifting to a new wireless network, GWireless. The new network “prevents the occurrence of the same or similar incidents in the future,” Hiatt said.
Krishna Venkatasubramanian, an assistant professor of computer science at Worcester Polytechnic Institute, said an IT department should educate a university community about general cybersecurity safety, but that researchers should pay special attention to that information.
Universities should acknowledge that computer science teaching and research can require mock hacking a network, he added.
“We have to teach students how to secure networks. Many times they have to learn the skills to actually be able to use the networks to do simulated bad things in a controlled manner,” he said.
Still, departments should be able to come to an understanding about policies that balance network safety with educational practices, he said.
“The most important thing is for computer science faculty to engage the IT department and the IT department to engage computer science faculty and faculty in general,” he said. “They need to inform them what is expected behavior and how do you deal with it.”
Communication among technology administrators is becoming more important as computer science becomes a more prominent field and more research is based on institutions’ networks, said Tracy Mitrano, the former director of IT policy at Cornell University’s Institute for Computer Policy and Law.
During her tenure, she said there were times when research affected the university’s networks, but her office could typically work with those researchers to make sure there were not additional implications for the network.
While Cornell didn’t establish any formal programming for researchers, she said she focused on opening communication between her office and faculty.
“Once we had created those communication channels and relationships there was no formal education or no formal processes,” she said. “Once all that was established, it all happened naturally.”
Though communication can sometimes fall through, it’s important that universities make an effort to prevent miscommunication, Mitrano added.
“This area is very challenging, and the idea that an institution is going to be perfect every time on all of these challenges is not reasonable,” she said. “But if they’re ignoring something, if they’ve been made aware of something and they ignore it, that’s where there’s a real problem.”
This post was updated to reflect the following correction:
The Hatchet incorrectly reported that the wireless leak resulted in 30 GWIDs downloading onto a research lab computer. It was actually 30 Net IDs. We regret this error.