A year after University email hacking, “Wildfire” email sparks further internet security concerns
A year after hackers sent racist and anti-Semitic emails to engineering and computer science students, the University is still dealing with concerns regarding internet security — especially in the context of accurate security alerts reaching students on campus.
Just last month, many students received an email encouraging them to download Wildfire, a new safety alert system application. The email, designed to appear as though it came from the University of Michigan’s administration, was not sent by or affiliated with the University — a note only made available to students in the fine print at the bottom of the email.
In fact, the administration never approved of the app at all, citing conflict and confusion that could arise from students receiving emergency alerts from two different sources.
This incident raises concerns over the security of University email accounts. Wildfire’s email utilized an old University logo and welcomed students back to the University after winter break, using language such as ‘We’re thrilled to have you back Wolverines!’ The subject of the email was ‘Wildfire App U-M’ and the email address was seemingly chosen to mimic those of the University.
School of Information assistant professor Florian Schaub explained companies can find email addresses to send marketing materials to through various means, including targeting institutions and paying third party websites to release data.
“They try to find ways to figure out email addresses,” Schaub said. “For example we have MCommunity, which is a public portal and you can search for people and see their email addresses and their contact information.”
This brings up another salient concern on campus of internet privacy. As the University is increasingly reliant on the internet, more and more personal information is being uploaded for anyone to find. To highlight these emerging issues, the School of Information and the Office of Information Assurance held the first annual Privacy@Michigan symposium at the end of January to call attention to internet data privacy. Schaub spoke at the event and gave audience members strategies to help them make good internet privacy decisions.
As for situations like the Wildfire one, where information — like an email address — has already been gathered, Schaub suggests email users be careful when coming across an unexpected email. Overall, Schaub emphasized that users should be suspicious whenever they are accessing a link, website or application, and urged them to read the company’s data policy.
“When I’m signing up for a service or a mobile app, (I ask) what are they allowed to do with my data,” Schaub said. “Whenever you use an email address you need to be really cautious and think about who they are sharing this data with.”
Dana Fair, the University Information and Technology Services senior marketing communications specialist, confirmed Wildfire was not affiliated with the University. However, Fair explained in an email interview Wildfire was just a marketing email and not malicious software.
“Receiving emails from entities outside the institution does not suggest that U-M email addresses or the privacy of individuals have been compromised,” he wrote.
In an email, Interim U-M Chief Information Security Officer Sol Bermann echoed Fair’s statements and maintained while marketing emails may be ‘junk’ and seen as annoying, there is little that can be done to prevent unsolicited emails from entering any inbox.
“The University community, myself included, often receives unsolicited marketing emails,” Bermann said. “This is not much different than unsolicited email you get in other email accounts you may have, and it can certainly be a nuisance.”
Many email accounts, whether through the University or personal, are subjected to marketing emails. However, Wildfire concerns some because the application claims to provide students with safety alerts, similar to the emergency alerts which the University Division of Public Safety and Security sends. Having an application that is not affiliated with the University advertise to students they can provide emergency notifications about matters concerning campus safety and security may potentially conflict with reliable information coming to and from DPSS.
DPSS currently sends safety and crime alerts through multiple channels, such as the Michigan App and the newly released DPSS App. In addition, students and faculty can sign up to receive text message alerts in the event of an emergency.
DPSS Associate Director Melissa Overton said while DPSS has not evaluated Wildfire, the Michigan and DPSS apps are the only alert systems they approve of because of their reliability.
“We continue to promote the Michigan and DPSS apps for accurate alert information,” she said.
As of Tuesday representatives for Wildfire have not responded to requests for comment. A link to the developer’s website on the Apple App Store leads to an error message.
LSA sophomore Sean Yoon shared his concern that Wildfire, an application not approved by the University, might provide students and faculty with unreliable information and sources.
“I definitely think reliability comes really important when it comes to this issue,” Yoon said. “We know DPSS (alerts) are credible and they are related to the University and they are giving us credible information, whereas this one we don’t know if they are credible or not.”
LSA junior Evelyn Kim shared Yoon’s concerns about the reliability of Wildfire but saw some potential benefit in having a student-reported communication app, as Wildfire depends on students to report incidents in a social-media type platform.
“I think that if there are people who are saying they witnessed something, that can actually help the investigation of the case — I think that’s actually a helpful side of Wildfire,” Kim said. “(But) that application should require people to at least provide their phone numbers so that they can provide some critical information there.”
However, Yoon and Kim both agreed the marketing of the application in the email sent to students was deceitful and problematic because Wildfire misrepresented themselves to the community as a University-sanctioned application for campus safety information.
“The fact that they even used the logo for the University of Michigan is a problem in the first place,” Yoon said.