Cyber security has its limits
If hackers can invade computers at Carnegie Mellon University, an internationally renowned leader in the field of cybersecurity, they can penetrate them anywhere.
That was the reaction of computer experts and privacy rights advocates Thursday to news that hackers raided computers at CMU’s Tepper School of Business earlier this month and gained access to sensitive personal information belonging to about 20,000 applicants, graduate students and support staff.
“It can happen to the best and brightest,” said Beth Givens, founder and director of the Privacy Rights Clearinghouse, a nonprofit consumer rights group based in San Diego. “Data breaches like this point out there’s really nothing an individual can ultimately do to prevent identity theft.”
The CMU cyber-theft wasn’t an isolated incident.
In March, a laptop was stolen from University of California at Berkeley — another computer security powerhouse — with the names and Social Security numbers of 98,400 individuals, predominantly graduate students.
Since mid-February, the personal information of more than 4 million people has been compromised by similar electronic security breaches at organizations as diverse as ChoicePoint, Bank of America and LexisNexis, Givens said.
“This problem at CMU was certainly unlucky,” said UC Berkeley computer science professor Doug Tygar, a cybersecurity expert and former Carnegie Mellon faculty member. “But I wouldn’t conclude that CMU has poor computer security on its administrative computers. There are lots of universities vulnerable to attack.”
No evidence suggests that the Social Security numbers, addresses, telephone numbers and credit card information stolen during the CMU breach on April 10 have been used for illegal or malicious activity, Tepper School spokesman Michael Laffin said yesterday.
But the threat is real — and escalating.
Almost 13 percent of the more than 4,000 people surveyed in September 2003 by the Federal Trade Commission responded that they had been victims of identity theft in the previous five years. This implies that about 27 million Americans had their identities stolen in this time period, the FTC reports.
“Identity theft is a big problem, and anecdotal evidence suggests it’s also a growing problem,” Tygar said. “The sad thing is that there’s relatively little people can do to protect themselves.”
Everyone should check their credit reports regularly to make sure there’s no unusual activity and try to minimize the amount of personal information they disclose, privacy advocate Givens said. To reduce the risk of identity theft, she also recommends locking your mailbox; shredding all receipts, bank statements and bills; and emptying your wallet of extra credit cards, Social Security card, birth certificate and passport.
While consumers can take basic steps like these to safeguard themselves, at some point security becomes a leap of faith.
Tepper School graduate students, staff and applicants, for example, entrusted CMU with their personal information, never foreseeing a computer break-in. Now many of them feel as if that trust has been broken.
“I’m upset about it, but there’s not much you can do,” said Alan Roth, 26, of Shadyside, a master of business administration student at CMU who was notified by e-mail on Wednesday that his information might have been stolen during the hacking incident.
Right now, California is the only state that requires companies and nonprofit agencies to inform its residents if someone gained unauthorized access to their personal data. The U.S. Senate is considering a bill that would require notification in the event of a computer security breach.
Roth plans to ask credit bureaus to flag his file with a fraud alert so creditors must get his permission before opening any new accounts in his name. Otherwise, he isn’t too worried.
“My apartment was burglarized in October so I’ve already been totally violated,” Roth said. “This information, as far as I’m concerned, is already out there.”
To protect their computer systems, organizations should take steps such as encrypting personal data and keeping all computers that store sensitive information on access-restricted machines without connections to the Internet, Tygar said.
Since last month’s laptop theft, Berkeley has launched an internal audit of its computer networks to determine which information is being stored, who has access to that information and whether policies designed to protect that information are being implemented, he said.
CMU has notified federal authorities about the hacking incident and the school’s computing services staff plans to review computer storage procedures and processes, Laffin said. U.S. Attorney Mary Beth Buchanan declined through a spokeswoman to comment yesterday.
“This underscores the importance of making sure you have the most up-to-date ways of protecting your networks,” Laffin said.
Universities present a unique cybersecurity challenge because of their decentralized, open nature, said James Joshi, an assistant professor of information science and telecommunications at the University of Pittsburgh.
“These are big communities where coordinating across multiple departments and multiple systems becomes really challenging,” Joshi said. “It becomes even more difficult because as universities, we try to provide open access to information.”
Organizations can continue to install the latest security Band-Aids on their networks or raise cyber firewalls. Ultimately, though, it is going to take a major shift in how computers are designed to make them secure, said Kenneth Birman, a computer science professor at Cornell University in Ithaca, N.Y.
Birman and his colleagues have joined with researchers at CMU, Berkeley, and other schools to lead a new $19 million center paid for by the National Science Foundation and called TRUST, or the Team for Research in Ubiquitous Secure Technology. The idea for the center is to look at ways to build more secure systems from the outset, before a disaster happens.
“We’re running into the phenomenon of computers not being trustworthy,” Birman said. “We can try to tackle problems when they happen and apply the latest patch, or we can design trustworthy computers from the get-go.”
Birman said this radical shift will take time, but will be vital to maintaining personal and national security.
“We hear stories like the one from CMU every couple of hours,” Birman said. “To me, that’s a symptom of pervasive lack of attention to these systems, and the only real answer is to spend two decades paying pervasive attention to them.”