Stanford University And Stanford Medical Servers Have Been Hacked
Hundreds Of Times
"Tele-Medicine" and "Doctor-Via-Zoom" may be a DOA concept. Your video chat
with your psychologist about your fear of men, your gynecologist about your
herpes or your proctologist about your anal warts could be on the
entire internet 48 hours later.
Famous people went to Stanford, work at Stanford, and attend Stanford.
Middle East elites, political operatives and rich families draw hackers,
like flies, to the Stanford medical and scholastic servers. A bounty of
hundreds of thousands of dollars is offered by dark webbers for a Clinton
confessing to sex crimes, or a Khashoggi murder tip on an Arab shah. Every
day, the tele-medicine videos at Stanford Medical are rife with elites and
tabloid news targets revealing their darkest secrets. SolarWinds hackers
and Julian Assange wannabes are constantly sifting the video streams and
server files at Stanford for juicy meat.
Stanford bosses claim to have bought "very high-end software" that is
"hard to hack", but fail to comprehend that such a claim is juvenile. The
entire U.S. Government was hacked in the SolarWinds hack, using ten times
better software than Stanford has. It is ludicrous for Stanford bosses to
deny the fact that hackers can romp through their servers with impunity.
Live, in-person meetings with doctors in secured rooms are the only
solution. Trying to make the Sandhill Road venture capitalists richer by
forcing the public to use the internet is a crime against society.
Stanford University is always being hit by embarrassing data breaches that
expose the personal information of students, including home addresses,
Social Security numbers and even test scores and essays.
The Stanford Daily is reporting that Stanford students could view
applications and high-school transcripts of other students “if they first
requested to view their own admission documents under the Family Educational
Rights and Privacy Act (FERPA).” Documents that were compromised by the
hackers included extremely sensitive personal information like Social
Security numbers for some students, as well as “students’ ethnicity, legacy
status, home address, citizenship status, criminal status, standardized test
scores, personal essays and whether they applied for financial aid. Official
standardized test score reports were also accessible,” the paper reported,
which explained that while students’ documents could not be searched by name,
they were “accessible by changing a numeric ID in a URL.”
“We regret this vulnerability in our system and apologize to those whose
records were inappropriately viewed,” the school said in a statement
released on Friday. “We have worked to remedy the situation as quickly as
possible and will continue working to better protect our systems and data.
Finding and fixing vulnerabilities before adversaries discover and exploit
them is an ongoing and essential activity in systems management.”
The breach comes 14 months after Stanford announced that a previously
revealed hack of confidential information on a computer server at its
Graduate School of Business was wider than had been reported earlier,
according to Poets & Quants, a prominent online news site that covers
the graduate-business school community. In that hack, the site reported,
“campus privacy investigators found that a shared platform at the GSB
potentially exposed the personal information of” thousands of people at the
university. Like the recent hack, the 2017 breach compromised the personal
data of students, including the “names, birthdates, Social Security numbers
and salary information for nearly 10,000 non-teaching university employees –
a snapshot taken in August 2008,” said the report. “The file apparently was
made accessible to human resources staff at the business school for annual
salary setting. The file was exposed to the GSB community for six months
before it was locked and secured” in the spring of 2017.
The 2017 attack ended up costing Stanford’s chief digital officer his
job. Ranga Jayaraman announced that he was leaving “after a student
revealed that the school had not been forthcoming with its fellowship
grants,” this newspaper reported at the time. In a statement, Jayaraman
said “I take full
responsibility for the failure to recognize the scope and nature of the …
data exposure and report it in a timely manner to the dean and the
University Information Security and Privacy Office. I would like to express
my most sincere apologies … to anyone whose personal information might
potentially have been compromised.”
According to the Stanford Daily, a student who had submitted a FERPA request
in order to review the student’s own admissions documents discovered “the
vulnerability in a third-party content management system
called NolijWeb that the University has used since 2009 to host
scanned files.” “Anyone willing to submit such a request, going back to 2015,
would have been able to examine the files through NolijWeb.” The Daily
reported that this student, between Jan. 28 and 29, was able to access the
records of 81 students.
Who else saw the files
Other students who were told about the easy-to-access records were able to
review personal information in 12 students’ records “during that time period
while seeking to learn more about the kinds of files exposed.”
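The flaw the Daily describes, records "accessible by changing a numeric ID in a URL", is a missing per-record ownership check. The sketch below is an added example, not code from NolijWeb, Stanford or the article; the store, account names and function names are hypothetical and the data is constructed. It puts the flawed lookup beside a hardened one and adds a student-level regression test that requests every ID from every account.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential numeric ID, as in the URL the article describes
    owner: str    # student account the scanned file belongs to

# Constructed sample store and accounts (hypothetical, for illustration only).
STORE = {
    1001: Document(1001, "student_a"),
    1002: Document(1002, "student_b"),
    1003: Document(1003, "student_c"),
    1004: Document(1004, "student_a"),
}
USERS = ["student_a", "student_b", "student_c"]

class NotFound(Exception):
    """Raised for missing AND unauthorized IDs, so replies do not reveal which IDs exist."""

def fetch_vulnerable(session_user: str, doc_id: int) -> Document:
    # Flawed pattern: the session is authenticated, but the ID taken from the
    # URL is trusted as-is, so any logged-in student can read any record.
    if doc_id not in STORE:
        raise NotFound(doc_id)
    return STORE[doc_id]

def fetch_hardened(session_user: str, doc_id: int) -> Document:
    # Object-level check: the record must belong to the requesting session.
    doc = STORE.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc

def cross_access_findings(fetch, users):
    """Student-trust-level regression test: every account requests every ID;
    returns (user, doc_id) pairs where another student's file came back."""
    findings = []
    for user in users:
        for doc_id in sorted(STORE):
            try:
                doc = fetch(user, doc_id)
            except NotFound:
                continue
            if doc.owner != user:
                findings.append((user, doc_id))
    return findings

if __name__ == "__main__":
    print("vulnerable:", cross_access_findings(fetch_vulnerable, USERS))
    print("hardened:  ", cross_access_findings(fetch_hardened, USERS))
```

Run as part of a release test suite, a non-empty findings list fails the build before the viewer is exposed to student logins.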
The Daily holds back
The newspaper also reported that it had held back on reporting about the
exposed data until school officials “could secure the breach so that
students’ records could be protected. The student who disclosed the breach
to The Daily was granted anonymity to protect them from potential legal
repercussions for accessing private information while investigating the
security flaw,” said the paper.
The third-party content-management company is put on notice
The report says that Stanford notified Nolij’s parent company Hyland
Software of the breach. Hyland, which bought Nolij in 2017, had
announced in late December that it was discontinuing the NolijWeb product.
Stanford’s IT experts try to clean up the mess (but can't)
The Stanford University Information Technology (UIT) said it intended to
implement “a new platform to replace the NolijWeb system by this summer,”
said the Daily, adding that “a number of schools still use NolijWeb to
store admissions records. It is unclear how many schools using NolijWeb give
students access to the online documents, or how many might be subject to the
vulnerability.”
The company’s response?
The Daily said its reporters had “reached out to eight different executives
at Hyland Software for comment and expressed concern that other schools’
data may be similarly compromised by NolijWeb. Alexa Marinos, Hyland’s
Senior Manager of Corporate Communications, confirmed receiving The Daily’s
phone and email requests for comment, made over the course of a week.
However, the company provided no statement on the matter.”
Stanford students weigh in
Jonathan Lipman, sophomore, told this newspaper: “I’m glad the student
who first discovered the breach acted morally and worked to have the breach
closed before malicious actors scraped all undergraduate students’
admissions data. It’s a bit embarrassing that Stanford is using
software that is no longer supported (NolijWeb was discontinued on
December 31, 2018 according to its website). I think this demonstrates
the importance of programs like the Bug Bounty. While I understand that UIT
is concerned mostly with external security threats, I was both shocked
and concerned that Stanford does not conduct security audits from
multiple trust levels (student, staff, alumni, etc…). Some of the best
hackers in the country have Stanford logins and it would seem prudent
to conduct penetration tests accordingly.
“I can’t say I’m particularly shocked — Stanford has a sprawling IT
infrastructure with many external vendors and legacy internal
systems. It’s a difficult task to constantly maintain high levels of
defense on all of these systems.”
Sophomore Ben Esposito said: “Stanford keeps running into trouble
over data breaches precisely because it holds an unnecessarily large
amount of data on its students. If it held only the most essential
data, they would be better able to prioritize which data to keep
especially secure.”
David Jaffe, also a sophomore, said: “Stanford should look
into investing in the incredible abilities of its students by
offering more opportunities for students to support the university’s
IT infrastructure. I know many great students with underutilized
technical skills that, from what I’ve noticed, have been more
than happy to assist others for free just for the experience.”
LinkedIn insider Anna Sofia Lesiv contributed reporting to this story.
The NolijWeb hack was one of hundreds of hacks of the Stanford scholastic
and medical servers. Your video chats with your doctor, shrink or teacher
are NOT safe on Stanford servers. Stanford created the people who run
Washington, DC and Silicon Valley. The families, children and connections
to those people are of the highest possible interest to teen hackers,
Chinese, Russian and Iranian state actors and others. Over 30 Chinese
state spies are suspected to be undercover, acting as "students" at
Stanford. The digital realm around Stanford University and Stanford
Medical is anything but "safe".
The liability, for Stanford, is off the charts. Stanford needs to get
back to in-person classes and in-person doctor meetings or it could lose
big with one huge negligence lawsuit.