“Oh, thank God! It was about time.” I let loose a sigh of relief as I read Stanford’s July 25 announcement stating that there had been “an apparent breach of its technology infrastructure” – aka, “WE GOT HAXXED!”
It was a rather odd reaction: I, like any normal person, should have been horrified. The announcement meant that the huge collection of personal information Stanford had amassed on me – everything from my Social Security number (SSN) to my health care information to my freshman roommate essay – was potentially in the hands of hackers hell-bent on unknown evils.
What wasn’t comforting in the least was the administration’s claim they were “not aware … of any protected health information, personal financial information or Social Security numbers being compromised.” They admitted that Stanford administrators “do not yet know the scope of the intrusion,” so why would they be aware? Indeed, chances are good that they will never definitively know.
So, why the rush of sweet endorphins as I read Stanford’s announcement? Frankly, I found it validating. Before Stanford got hacked, every time I learned about someone else getting attacked, that little monster Jealousy would stir in my heart.
What’s so good about Berkeley that nefarious foes would go to the effort of penetrating their systems a full four years before ours and steal the medical histories and SSNs of 160,000 patients? Were the 760,000 records compromised at Ohio State University in 2010 worth more than anything Stanford had to offer? My SSN is as good as any of the more than 7,000 that Purdue acknowledged were exposed in 2011. I tried to console myself with the argument that Stanford IT might be the one force in the world that could stop the mighty onslaught of state-sponsored cybersoldiers, greedy tech-savvy thieves and power-tripping script kiddies. But that was harder to believe every time Axess crashed during course enrollment.
At last, on July 25 the hackers took notice to soothe my ego. When, four days later, the University of Delaware admitted to having their systems breached and losing 72,000 personally identifying records, I felt a hint of smugness. We were first.
Here, let me clarify. My reactions above were facetious, but the facts hold. I certainly did not revel in Stanford’s security breach. I can hardly claim to have been surprised either. Putting your data on the Web nowadays is like entering a lottery, where winning means never having your data stolen or a password compromised. It seems that despite the best efforts of computer scientists, mathematicians and engineers, truly securing our data online is a losing battle. The time has come to focus on discovering and recovering from the inevitable.
Much of the aging technology protecting our Web interactions is being quickly outpaced by techniques to beat it. When a whole “pantheon” of demonstrated exploits has poked holes in HTTPS – that renowned guardian of sensitive Web traffic – the Internet can hardly be considered truly secure.
While real-world attacks that use HTTPS-beating exploits are still rather bleeding-edge, most attacks target vulnerabilities that have been known, and fixable, for years. SQL injections, where an attacker crafts input that a service pastes straight into a database query, tricking the database into running commands or returning data it shouldn’t, contributed to some 60 percent of all attacks studied by 7Safe, a global IT security company. The danger of SQL injections and the methods to mitigate them have been known since at least early 2000.
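To make the mechanism concrete, here is an added example (my own illustration, not code from the column or from 7Safe) using Python’s built-in sqlite3 module. The table, the rows and the attack strings are all constructed for the demonstration. The vulnerable lookup builds its query with string formatting, so a quote character in the input changes the shape of the query; the hardened lookup binds the same input as a parameter, so the database only ever sees it as a value.

```python
import sqlite3

# Constructed sample data (not from any real system): an in-memory users table
# holding exactly the kind of record a breach would expose.
SAMPLE_USERS = [
    ("alice", "alice@example.edu", "111-11-1111"),
    ("bob", "bob@example.edu", "222-22-2222"),
    ("carol", "carol@example.edu", "333-33-3333"),
]

# Constructed attack strings.
TAUTOLOGY_ATTACK = "' OR '1'='1"
# Closes the quoted literal, appends a UNION that reads the schema table,
# and comments out the dangling quote that follows.
UNION_ATTACK = "x' UNION SELECT name, sql, '' FROM sqlite_master --"


def make_db():
    """Create a fresh in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The classic mistake: user input is pasted into the SQL text itself.

    With TAUTOLOGY_ATTACK the query becomes
        ... WHERE username = '' OR '1'='1'
    which is true for every row, so every SSN comes back.
    """
    sql = "SELECT username, email, ssn FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query text is fixed and the input is bound as a value.

    The driver never parses the bound value as SQL, so the attack strings are
    simply looked up as (non-existent) usernames.
    """
    sql = "SELECT username, email, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the honest and the hostile inputs through both lookups."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_ATTACK),
        "union_vulnerable": lookup_vulnerable(conn, UNION_ATTACK),
        "honest_param": lookup_parameterized(conn, "alice"),
        "tautology_param": lookup_parameterized(conn, TAUTOLOGY_ATTACK),
        "union_param": lookup_parameterized(conn, UNION_ATTACK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The tautology input returns all three users’ SSNs from the vulnerable lookup and nothing from the parameterized one; the UNION input goes further and pulls the table definition out of sqlite_master, which is how an attacker maps a database before dumping it. Parameter binding is the fix that has been available for as long as the problem has been known.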
The diversity of technologies that have propelled the Web to ubiquity has simultaneously opened it up to hackers. The more technologies used, the more potential vectors of attack that exist. Hackers take advantage of flawed technology, outdated software and often-ignorant or negligent humans.
Given this, as we trust more and more of our identity and data to various online services, we inevitably create more ways for our data to be stolen. Our online identities are more fragmented than ever. As an example, services like Facebook Connect make it easy to spread our information around at the click of a button. In a situation I’m sure reflects that of many others, before I cleaned up my permissions, I had signed in to more than 100 apps with my Facebook account. Almost half of them were random, often unmaintained apps that I hadn’t used in ages. Each of these was a service authorized to take and store my personal data outside of Facebook’s fortress.
Given the impossibility of securing all our online data and the seeming inevitability of having it exposed one day – by thieves or, in light of recent allegations, our government – the time has come for a new priority in the struggle against cybercrime. For too long, we have expended our best efforts on preventing criminals from even accessing our data. The continuing prevalence of attacks like SQL injections shows that the fragmented nature of the Web makes better data protection an insufficient solution.
Today we rely on our own unreliable memories to track where our data lives. We trust its security and integrity to the prowess of those who run the services we use, whether they are naïve startups or hardened financial institutions, nearly all of which have been proven vulnerable at some point or another.
Instead, we need to emphasize awareness and resilience. We will be able to respond better to possible breaches if we can get a complete picture of where our data resides and when and why it is accessed. Let’s put awareness and understanding back in the hands of those to whom it really matters.