Stanford University And Stanford Medical Servers Have Been Hacked Hundreds Of Times


"Tele-Medicine" and "Doctor-Via-Zoom" may be a DOA concept. Your video chat with your psychologist about your fear of men, your gynecologist about your herpes or your proctologist about your anal warts could be on the entire internet 48 hours later.

Famous people went to Stanford, work at Stanford, and attend Stanford. Middle East elites, political operatives and rich families draw hackers, like flies, to the Stanford medical and scholastic servers. A bounty of hundreds of thousands of dollars is offered by dark webbers for a Clinton confessing to sex crimes, or a Khashoggi murder tip on an Arab shah. Every day, the tele-medicine videos at Stanford Medical are rife with elites and tabloid news targets revealing their darkest secrets. SolarWinds hackers and Julian Assange wannabes are constantly sifting the video streams and server files at Stanford for juicy meat.

Stanford bosses claim to have bought "very high-end software" that is "hard to hack", but fail to comprehend that such a claim is juvenile. The entire U.S. Government was hacked in the SolarWinds hack, using ten times better software than Stanford has. It is ludicrous for Stanford bosses to deny the fact that hackers can romp through their servers with impunity.

Live, in-person meetings with doctors in secured rooms are the only solution. Trying to make the Sandhill Road venture capitalists richer by forcing the public to use the internet is a crime against society.

Stanford University is always being hit by embarrassing data breaches that expose the personal information of students, including home addresses, Social Security numbers and even test scores and essays.

The Stanford Daily is reporting that Stanford students could view applications and high-school transcripts of other students “if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).” Documents that were compromised by the hackers included extremely sensitive personal information like Social Security numbers for some students, as well as “students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible,” the paper reported, which explained that while students’ documents could not be searched by name, they were “accessible by changing a numeric ID in a URL.”

“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” the school said in a statement released on Friday. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data. Finding and fixing vulnerabilities before adversaries discover and exploit them is an ongoing and essential activity in systems management.”

The breach comes 14 months after Stanford announced that a previously revealed hack of confidential information on a computer server at its Graduate School of Business was wider than had been reported earlier, according to Poets & Quants, a prominent online news site that covers the graduate-business school community. In that hack, the site reported, “campus privacy investigators found that a shared platform at the GSB potentially exposed the personal information of” thousands of people at the university. Like the recent hack, the 2017 breach compromised the personal data of students, including the “names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees – a snapshot taken in August 2008,” said the report. “The file apparently was made accessible to human resources staff at the business school for annual salary setting. The file was exposed to the GSB community for six months before it was locked and secured” in the spring of 2017.

The 2017 attack ended up costing Stanford’s chief digital officer his job. Ranga Jayaraman announced that he was leaving “after a student revealed that the school had not been forthcoming with its fellowship grants,” this newspaper reported at the time. In a statement, Jayaraman said “I take full responsibility for the failure to recognize the scope and nature of the … data exposure and report it in a timely manner to the dean and the University Information Security and Privacy Office. I would like to express my most sincere apologies … to anyone whose personal information might potentially have been compromised.”

According to the Stanford Daily, a student who had submitted a FERPA request in order to review the student’s own admissions documents discovered “the vulnerability in a third-party content management system called NolijWeb that the University has used since 2009 to host scanned files.” Anyone willing to submit such a request, going back to 2015, would have been able to examine the files through NolijWeb. The Daily reported that this student, between Jan. 28 and 29, was able to access the records of 81 students.

Who else saw the files
Other students who were told about the easy-to-access records were able to review personal information in 12 students’ records “during that time period while seeking to learn more about the kinds of files exposed.”
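
The flaw the Daily describes, records reachable by changing a numeric ID in a URL, is a missing per-object authorization check. The sketch below is an added example, not NolijWeb or Stanford code; every name and all sample data are constructed for illustration. It contrasts the missing check with an ownership check and flags accounts that request several records they do not own.

```python
from collections import defaultdict

# Constructed sample data: document id -> owning student (not real records).
DOC_OWNER = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "dave"}


def fetch_vulnerable(session_user, doc_id):
    """Behaviour reported in the article: being logged in is the only test,
    so any existing id is served to any authenticated user."""
    return doc_id in DOC_OWNER


def fetch_hardened(session_user, doc_id):
    """Object-level check: serve the record only to its owner.
    Unknown ids and other people's ids get the same refusal, so the
    response does not reveal which ids exist."""
    return DOC_OWNER.get(doc_id) == session_user


def flag_enumeration(access_log, threshold=3):
    """Return users who requested at least `threshold` distinct documents
    they do not own. `access_log` is an iterable of (user, doc_id) pairs;
    the threshold is an assumed tuning value."""
    foreign = defaultdict(set)
    for user, doc_id in access_log:
        if DOC_OWNER.get(doc_id) != user:
            foreign[user].add(doc_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: one account walks the id space, one reads its own file.
SAMPLE_LOG = [
    ("alice", 1001), ("alice", 1002), ("alice", 1003), ("alice", 1004),
    ("bob", 1002), ("bob", 1002),
]

if __name__ == "__main__":
    print("vulnerable serves bob's file to alice:", fetch_vulnerable("alice", 1002))
    print("hardened serves bob's file to alice:", fetch_hardened("alice", 1002))
    print("accounts to review:", flag_enumeration(SAMPLE_LOG))
```

The same ownership test belongs on every route that takes a record identifier, and it should be exercised from a low-privilege account as well as from outside the network.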

The Daily holds back
The newspaper also reported that it had held back on reporting about the exposed data until school officials “could secure the breach so that students’ records could be protected. The student who disclosed the breach to The Daily was granted anonymity to protect them from potential legal repercussions for accessing private information while investigating the security flaw,” said the paper.

The third-party content-management company is put on notice

The report says that Stanford notified Nolij’s parent company Hyland Software of the breach. Hyland, which bought Nolij in 2017, had announced in late December that it was discontinuing the NolijWeb product.

Stanford’s IT experts try to clean up the mess (but can't)
The Stanford University Information Technology (UIT) said it intended to implement “a new platform to replace the NolijWeb system by this summer,” said the Daily, adding that “a number of schools still use NolijWeb to store admissions records. It is unclear how many schools using NolijWeb give students access to the online documents, or how many might be subject to the vulnerability.”

The company’s response? 
The Daily said its reporters had “reached out to eight different executives at Hyland Software for comment and expressed concern that other schools’ data may be similarly compromised by NolijWeb. Alexa Marinos, Hyland’s Senior Manager of Corporate Communications, confirmed receiving The Daily’s phone and email requests for comment, made over the course of a week. However, the company provided no statement on the matter.

Stanford students weigh in
Jonathan Lipman, sophomore, told this newspaper: “I’m glad the student who first discovered the breach acted morally and worked to have the breach closed before malicious actors scraped all undergraduate students’ admissions data. It’s a bit embarrassing that Stanford is using software that is no longer supported (NolijWeb was discontinued on December 31, 2018 according to its website). I think this demonstrates the importance of programs like the Bug Bounty. While I understand that UIT is concerned mostly with external security threats, I was both shocked and concerned that Stanford does not conduct security audits from multiple trust levels (student, staff, alumni, etc…). Some of the best hackers in the country have Stanford logins and it would seem prudent to conduct penetration tests accordingly.

“I can’t say I’m particularly shocked — Stanford has a sprawling IT infrastructure with many external vendors and legacy internal systems. It’s a difficult task to constantly maintain high levels of defense on all of these systems.”

Sophomore Ben Esposito said: “Stanford keeps running into trouble over data breaches precisely because it holds an unnecessarily large amount of data on its students. If it held only the most essential data, they would be better able to prioritize which data to keep especially secure.”

David Jaffe, also a sophomore, said: “Stanford should look into investing in the incredible abilities of its students by offering more opportunities for students to support the university’s IT infrastructure. I know many great students with underutilized technical skills that, from what I’ve noticed, have been more than happy to assist others for free just for the experience.”

LinkedIn insider Anna Sofia Lesiv contributed reporting to this story.

The NolijWeb hack was one of hundreds of hacks of the Stanford scholastic and medical servers. Your video chats with your doctor, shrink or teacher are NOT safe on Stanford servers. Stanford created the people who run Washington, DC and Silicon Valley. The families, children and connections to those people are of the highest possible interest to teen hackers, Chinese, Russian and Iranian state actors and others. Over 30 Chinese state spies are suspected to be undercover, acting as "students" at Stanford. The digital realm around Stanford University and Stanford Medical is anything but "safe".

The liability, for Stanford, is off-the-charts. Stanford needs to get back to in-person classes and in-person doctor meetings or it could lose big with one huge negligence lawsuit.