Two members of UNM’s Computer science department wrote a letter to the Daily Lobo claiming to have found a security glitch in UNM’s network, but UNM IT said the problem has been fixed.
Research assistant Jeffrey Knockel and assistant professor Jed Crandall said the problem lies in SafeConnect, a software UNM requires to be installed on both Windows and Macintosh operating systems before they can connect to University networks, including the LoboWifi network.
“If you have SafeConnect installed on your computer, then wherever you use your computer, SafeConnect attempts to connect to one of UNM’s IT servers by sending information through Internet routers,” they wrote in an Aug. 29 letter to the Daily Lobo.
“We have notified UNM IT of a vulnerability in SafeConnect that allows any router between the user and UNM’s IT server to take complete control of a user’s computer that has installed SafeConnect,” they wrote.
The problem is so widespread, they said, that it can be equated to a University-wide policy that requires for any computer used at the University, the user is not the only person with access to it.
“Although this policy is not written, it is the de facto policy created by the vulnerability that we recently discovered in SafeConnect,” they said. “Furthermore, anybody that you share an Internet connection with, such as the other people in your department, the coffee shop or the hotel can trick your computer into using theirs as a router.”
IT Spokeswoman Vanessa Baca said Knockel and Crandall have not effectively demonstrated their concerns.
“Despite IT’s requests for confirmation, Computer sciences had not demonstrated to IT that they were successfully able to insert malicious code into the current version of SafeConnect at the time the op-ed piece was published,” she said.
Baca said the vulnerability was present in older versions of SafeConnect that have since been updated.
“The most current version of SafeConnect is updated to ensure it addresses the potential vulnerability, and is available today,” she said. “Users will automatically get updated when they connect to Lobo WiFi.”
When Knockel and Crandall wrote the Aug. 29 letter, they adderted that the glitch still exists.
They suggested uninstalling the software, but Baca said SafeConnect’s purpose is to keep computers secure.
Get content from The Daily Lobo delivered to your inbox
“IT strongly recommends that users do not uninstall SafeConnect,” she said. “The purpose of having SafeConnect is to ensure that only authorized users have access to UNM information and computing resources. Since the updated code is available today, Lobo WiFi users should simply connect to the UNM wireless network, and SafeConnect will automatically update on their systems.”
IT purchased SafeConnect five years ago using its general operations fund for networks, and there will be no cost to fix the problem, Baca said.
