In a letter to the Stanford community, Vice President for Business Affairs and Chief Financial Officer Randy Livingston provides an update on the recent breach of Stanford's information technology systems and offers recommendations for maximizing one's own computer security.
Members of the Stanford Community:
I’m writing to you today to outline steps that the University is considering to make our network more secure in light of the attack on Stanford’s information systems infrastructure that occurred last month.
Background
In late July, Stanford discovered that an unauthorized party or parties gained access to a portion of its information systems infrastructure. The attack appears to have been launched from an overseas location and was similar to foreign state-sponsored attacks reported in recent months by many large organizations in the United States. The purpose of the attack remains unclear, although data security experts suggest that these kinds of attacks are aimed at capturing intellectual property that could have commercial and economic value to the intruders' country. The intruders may also be interested in tracking activities of their overseas citizens. Universities are increasingly the focus of these intrusions, as reported by The New York Times in its July 16 article, “Universities Face a Rising Barrage of Cyberattacks.”
Upon discovery of the attack, as a security measure we sent a notification to all employees and students directing them to immediately change their passwords. While our investigation is continuing, we believe the attackers gained access to all Stanford SUNet ID account usernames and a “hashed” version of the passwords. The hashing algorithm converts a password into a different string of characters. While this hashing of passwords disguises the original password, hackers have the capacity to decipher simpler and shorter passwords. Though Stanford has no evidence that the hashed versions of the passwords were deciphered, Stanford is notifying all SUNet ID account holders of that possibility.
At the present time, we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, but this is an ongoing process and we are continuing to investigate. Stanford has retained experts to assist us in this investigation, and we continue to work with law enforcement as well. As the Times and others have pointed out, cyber-intruders are persistent in their attempts to gain access to information systems and are very good at covering their tracks. We will continue to update the community and take action as information develops.
New security measures underway
To better protect Stanford assets and our information — including University data as well as personal information — additional security protections are being adopted to meet the ever-increasing threats of attacks. These safeguards will result in some inconvenience to users, but please be assured they are being implemented to improve our overall security.
One of the first measures will be to implement two-step authentication. When logging into certain Stanford applications like Axess or Oracle, in addition to their user names and passwords, users will need to input a second factor or means of identification. Users can learn more about two-step authentication and voluntarily begin using it by going to the Accounts page on the Stanford website. Click “Manage,” then click “Two-Step Auth” and follow the instructions. To date, more than 3,000 SUNet account holders have begun using this security feature. In the coming weeks, two-step authentication will become mandatory for accessing certain critical applications.
In addition to two-step authentication, Stanford is also taking steps to improve and enhance the security of its core infrastructure systems.
It is important to recognize that the hackers of today are very sophisticated. We cannot assume that new procedures, passwords, and security enhancements fully eliminate their continued presence. It may take several iterations of security improvements over some period of time to regain confidence in the security of the network.
Cooperation from users is essential
While we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, the University is encouraging all users of Stanford’s computer network to be increasingly vigilant regarding their online activities. Cooperation from the University community will be essential, and everyone — staff, students, and faculty — will need to take more personal responsibility for the security of user devices and confidential information.
Users should, at a minimum, take the following steps to protect themselves and the University:
- Change passwords regularly, both for University connectivity and for personal use — financial, health, etc. For any personal accounts, use passwords that are different from your SUNet password.
- Follow protocols to make passwords more difficult for an unauthorized user to determine, including using capital and lower case letters as well as numbers and symbols. The longer and more complex the password, the safer it is.
- Be aware of efforts by outside parties to gain access to passwords and personal identification information. This begins with understanding and recognizing “phishing” attempts. A phishing attack is the practice of attempting to obtain your user name and password or other confidential information, typically by sending an email that looks as if it is from a legitimate organization but contains a link to a fake website that replicates the real one. Phishing attacks have been increasing and are more sophisticated than ever.
- Turn on the native encryption capability provided by recent versions of Mac OS X (versions 10.7 and newer) and Windows 7 (Ultimate or Enterprise edition) or Windows 8 (Professional or Enterprise edition) and through Mobile Device Manager (MDM) for iOS devices (versions 5.1 and newer) and compatible Android devices (Android OS version 4.0 and newer). Talk to your department’s IT contact for guidance as to the procedure for turning on that capability.
- View the information security awareness video on the Accounts site referenced earlier.
As many employees have multiple devices that are linked into the Stanford system, use best practices for securing not only your University-issued devices but also your home computer and personal mobile devices.
Moving forward
Further investigatory work — systems diagnostics, intensive activity monitoring, and working with law enforcement — is helping us understand more specific details of the attack on our system. Much of this work must remain confidential as it is helping to identify further steps that the University can take to protect and ensure the security of its systems and data.
As has been the case with other organizations that have experienced similar intrusions, efforts to ensure that Stanford’s infrastructure is free from compromise will be measured not in days or weeks but in months. The sophistication and persistence of these kinds of intrusions, combined with the complexity of the University’s data and information systems, create challenges that make the securing of those systems a painstaking process.
Thank you for your support and understanding. We will keep you updated on our progress.
Sincerely,
Randy Livingston
Vice President for Business Affairs
Chief Financial Officer