3

I recently visited a university for an event where I was expected to bring a computer and do work using the campus wifi. On first connection, I was asked to download a "SafeConnect Policy Key" (.exe) which, according to its description, was designed to verify the degree to which I engage in what the University viewed as proper information security practices, such as applying all patches and updates to the operating system and running an acceptable antivirus.

So in order to prove that I have good information security practices, I'm supposed to download and run an .exe file from an unknown author? It seems like that should be an automatic failing mark, not a mandatory requirement.

Further, as far as I can tell this is executable software which would continue running on my computer forever, with no clear way to remove it, reducing performance and causing who knows what other issues, even though I'm only planning to be performing duties for this nonprofit at this location for a day or so.

This is a common requirement at many universities. UCSC has a description of its operation here. UNC doesn't explain well how it works but provides an installation guide including instructions to provide administrator credentials and/or override security warnings from the operating system.

Requiring these steps seems like a poor way to secure or teach about cybersecurity, but this seems to be a common policy at lots of institutions, and I can't change that requirement at any of them. (Nor was there a good way of knowing about these requirements in advance of arrival).

What is the most appropriate response to such a situation?

WBT

2 Answers

1

Run it in a virtual machine. Either they are too dumb to be serious about it, or they're just setting you up, but this way you'll definitely pass the test.

If you don't get access from your host machine that way, try to set up bridging (see: VirtualBox; VMware) for that virtual machine and then route the traffic of the host machine through NAT in the VM. This will help in case the executable is checking and reporting the MAC address of the machine it's being run on. Again, either this is your actual assignment or they have dealt with sane people before. Don't give up, you'll learn something anyway.

Also, in the (unlikely) case the university is really good and the event in question has anything to do with Meltdown/Spectre, it might be a good idea to carefully migrate the said virtual machine away from your personal computer towards some cheap cloud out there soon after you've run that executable (and well before you've opened a university-owned Web page, just in case).

ximaera
  • If you bridge the traffic, the VM will still have its own MAC address, which will be seen as different. – multithr3at3d Feb 02 '18 at 02:26
  • 1
    @multithr3at3d I think you misunderstood what ximaera was saying. Running the .exe on your VM allows you to get access through the VM. If this does not allow you to get access through your host machine, then route the traffic from your host machine through the VM in order to get access. – Myles Hollowed Feb 02 '18 at 03:22
0

That is a classical question of trust. You commonly execute programs on your computer from various sources; you simply choose to trust them. Among them (but not limited to): the kernel OS, a browser, a mail reader, various document editors, an anti-virus system. On a corporate system, it is common that it comes with various internal programs pre-installed and you are supposed to trust them too.

It is not that different here. Either you trust the University security team, and you can safely execute their code, or you do not trust them and shall not use their network. But from the security team's side, the problem is more or less the same. Either they can trust you and your computer, and they should allow you on their private Wifi network with no other formality, or they cannot and their requirement is normal. So just wonder what reason they have to trust you more than the other participants in the event.

Please do not misunderstand. I do not mean that from your point of view it is safe to execute their code. I just say that, as the team responsible for Wifi network security, their requirement is not that excessive.

Their only alternative would be either to provide no Wifi access at all and let the participants use 3G-4G networks, or to set up a public Wifi hotspot with no security at all and warn all participants of it. They chose what is common in corporate networks accepting BYOD access: they provide Wifi access on which only machines having an up-to-date protection system are allowed, at the price of using their code to prove that your own system will not disturb other ones. But you also know that other systems connected to the Wifi network should not host plenty of malware ready to attack your machine...

And my personal opinions are: I can understand the security team's choice, and I would not use their Wifi network under those conditions. Anyway, on my professional computer, it would be strictly forbidden by my corporate security rules.

AndrolGenhald
Serge Ballesta