
Cyber security has its limits

If hackers can invade computers at Carnegie Mellon University, an internationally renowned leader in the field of cybersecurity, they can penetrate them anywhere.

That was the reaction of computer experts and privacy rights advocates Thursday to news that hackers raided computers at CMU’s Tepper School of Business earlier this month and gained access to sensitive personal information belonging to about 20,000 applicants, graduate students and support staff.

“It can happen to the best and brightest,” said Beth Givens, founder and director of the Privacy Rights Clearinghouse, a nonprofit consumer rights group based in San Diego. “Data breaches like this point out there’s really nothing an individual can ultimately do to prevent identity theft.”

The CMU cyber-theft wasn’t an isolated incident.

In March, a laptop was stolen from University of California at Berkeley — another computer security powerhouse — with the names and Social Security numbers of 98,400 individuals, predominantly graduate students.

Since mid-February, the personal information of more than 4 million people has been compromised by similar electronic security breaches at organizations as diverse as ChoicePoint, Bank of America and LexisNexis, Givens said.

“This problem at CMU was certainly unlucky,” said UC Berkeley computer science professor Doug Tygar, a cybersecurity expert and former Carnegie Mellon faculty member. “But I wouldn’t conclude that CMU has poor computer security on its administrative computers. There are lots of universities vulnerable to attack.”

No evidence suggests that the Social Security numbers, addresses, telephone numbers and credit card information stolen during the CMU breach on April 10 have been used for illegal or malicious activity, Tepper School spokesman Michael Laffin said yesterday.

But the threat is real — and escalating.

Almost 13 percent of the more than 4,000 people surveyed in September 2003 by the Federal Trade Commission responded they were victims of identity theft in the previous five years. This implies that about 27 million Americans had their identities stolen in this time period, the FTC reports.

“Identity theft is a big problem, and anecdotal evidence suggests it’s also a growing problem,” Tygar said. “The sad thing is that there’s relatively little people can do to protect themselves.”

Everyone should check their credit reports regularly to make sure there’s no unusual activity and try to minimize the amount of personal information they disclose, privacy advocate Givens said. To reduce the risk of identity theft, she also recommends locking your mailbox; shredding all receipts, bank statements and bills; and emptying your wallet of extra credit cards, Social Security card, birth certificate and passport.

While consumers can take basic steps like this to safeguard themselves, at some point, security becomes a leap of faith.

Tepper School graduate students, staff and applicants, for example, entrusted CMU with their personal information, never foreseeing a computer break-in. Now many of them feel as if that trust has been broken.

“I’m upset about it, but there’s not much you can do,” said Alan Roth, 26, of Shadyside, a master’s of business administration student at CMU who was notified by e-mail on Wednesday that his information might have been stolen during the hacking incident.

Right now, California is the only state that requires companies and nonprofit agencies to inform its residents if someone gained unauthorized access to their personal data. The U.S. Senate is considering a bill that would require notification in the event of a computer security breach.

Roth plans to ask credit bureaus to flag his file with a fraud alert so creditors must get his permission before opening any new accounts in his name. Otherwise, he isn’t too worried.

“My apartment was burglarized in October so I’ve already been totally violated,” Roth said. “This information, as far as I’m concerned, is already out there.”

To protect their computer systems, organizations should take steps such as encrypting personal data and putting all computers that bank sensitive information on access-restricted machines without connections to the Internet, Tygar said.

Since last month’s laptop theft, Berkeley has launched an internal audit of its computer networks to determine which information is being stored, who has access to that information and whether policies designed to protect that information are being implemented, he said.

CMU has notified federal authorities about the hacking incident and the school’s computing services staff plans to review computer storage procedures and processes, Laffin said. U.S. Attorney Mary Beth Buchanan declined through a spokeswoman to comment yesterday.

“This underscores the importance of making sure you have the most up-to-date ways of protecting your networks,” Laffin said.

Universities present a unique cybersecurity challenge because of their decentralized, open nature, said James Joshi, an assistant professor of information science and telecommunications at the University of Pittsburgh.

“These are big communities where coordinating across multiple departments and multiple systems becomes really challenging,” Joshi said. “It becomes even more difficult because as universities, we try to provide open access to information.”

Organizations can continue to install the latest security Band-Aids on their networks or raise cyber firewalls. Ultimately though, it is going to take a major shift in how computers are designed to make them secure, said Kenneth Birman, a computer science professor at Cornell University in Ithaca, N.Y.

Birman and his colleagues have joined with researchers at CMU, Berkeley, and other schools to lead a new $19 million center paid for by the National Science Foundation and called TRUST, or the Team for Research in Ubiquitous Secure Technology. The idea for the center is to look at ways to build more secure systems from the outset, before a disaster happens.

“We’re running into the phenomenon of computers not being trustworthy,” Birman said. “We can try to tackle problems when they happen and apply the latest patch, or we can design trustworthy computers from the get-go.”

Birman said this radical shift will take time, but will be vital to maintaining personal and national security.

“We hear stories like the one from CMU every couple of hours,” Birman said. “To me, that’s a symptom of pervasive lack of attention to these systems, and the only real answer is to spend two decades paying pervasive attention to them.”

Latest security breaches

  • Carnegie Mellon University said Wednesday someone hacked into its computers and accessed Social Security numbers and other personal information of about 5,000 applicants, graduate students and support staff at the Tepper School of Business. Addresses and telephone numbers for about 14,000 recent grads also were accessed. CMU is directing those potentially affected by the April 10 hacking to the Web site for tips on protecting themselves. More information is available at (800) 226-8258.

  • Online discount broker Ameritrade Holding Corp. said Tuesday it has informed about 200,000 current and former customers that a backup computer tape containing their personal information has been lost.

  • Thieves who accessed a DSW database took 1.4 million credit card numbers and the names on those accounts, including information from shoppers in the Pittsburgh area, between November 2004 and February, the company said this week. This number is 10 times more than investigators estimated last month.

  • Lexis-Nexis said Monday it has begun to notify about 280,000 people whose personal information might have been accessed by unauthorized individuals using stolen passwords and IDs.

What to do

If you suspect you’re a victim of identity theft:

  • File a police report; call the fraud unit of the credit companies or banks and place a victim statement on your credit report.

  • Contact the Federal Trade Commission identification theft consumer response center at (877) ID-THEFT.

  • Opt out of pre-approved credit card offers by calling (888) 5OPTOUT, or (888) 567-8688. Your request covers all three major credit bureaus.

  • Get your credit report: Equifax — report fraud at (800) 525-6285 and order a credit report at (800) 685-1111; Experian — report fraud at (800) 397-3742 and order a credit report at (888) 397-3742; TransUnion — report fraud at (800) 680-7289 and order a credit report at (800) 888-4213.

  • Most insurance companies now offer identity theft protection policies. Privacy Rights Clearinghouse Director Beth Givens recommends investing in this extra protection only if it comes as a low-cost rider to another policy or at an inexpensive annual rate. “No one should have to pay $10 or $15 a month to one of the industries at fault for this epidemic crime,” Givens said. Those self-employed or paid hourly might also want to consider identity theft insurance to cover lost time and wages in trying to recover from identity theft, which is a lengthy process.
