The privacy myth
It is no secret that the Internet plays an influential role in our lives today; at no point in history have our lives been so interconnected. Being able to talk face-to-face with someone on the other side of the world via the Internet is something that was unimaginable only a few years ago.
With these opportunities, however, come new dangers. Facebook and Twitter, for instance, have allowed us to enjoy an unprecedented level of interconnectivity at the expense of exposing many details about our personal lives.
Similarly, Aisis (Ateneo Integrated Student Information System) allows us to enroll and view grades with much ease. At the same time, however, it also stores a lot of student information—personal e-mails, addresses and parent information, among others. Inbuilt privacy measures can only do so much; only through keeping a wary eye can we have any measure of security.
Unfortunately, many still remain unaware of cybersecurity and it is on this ignorance that hackers thrive.
Not all hackers are out to steal your information or wreak havoc on the Internet, however. Those nefarious activities are the domain of so-called black hat hackers. White hat hackers, on the other hand, work to protect systems within legal means. Gray hat hackers, meanwhile, are just that: Neither fully black hat nor white hat, they work to secure systems but use the same illegal techniques as black hat hackers.
Over the past year, incidents of hacking have become staple news items. The word cybersecurity—which refers to any kind of crime committed online—is now primarily perceived as the hacking of websites.
One instance of hacking involves an infamous “hacktivist” group—an activist group with a technological bent—gaining a foothold in the Philippines in 2012. Anonymous Philippines went on a hacking spree against government websites in protest of the controversial Republic Act 10175, more popularly known as the Anti-Cybercrime Law.
The attention to website hacking also gives the impression that hacking websites is a relatively new thing. It isn’t.
The act of hacking websites has been around since the first days of the Internet in 1994. In the Philippines, the first conviction for hacking charges occurred in 2005 when JJ Maria Gener was sentenced to two years in prison and fined P100,000 after hacking into gov.ph—the main portal of the government—and several other government websites, although he was later granted probation.
Terms and conditions
Most of the news coverage concerning hacking usually revolves around hackers defacing government websites. This could tempt Filipinos to dismiss the whole issue of cybersecurity as something that doesn’t really affect them; the truth is that cybersecurity is a worldwide concern. On the Internet, the notion of national borders, for the most part, does not exist.
For example, at the peak of both the Chinese-Philippine and Taiwanese-Philippine diplomatic crises, hackers from both sides engaged in a massive cyber war, disabling as many opponent government websites as possible.
In 2011, four Filipino hackers were arrested after hacking into the systems and making expensive calls to premium-rate services of AT&T, a telecommunications company based more than ten thousand kilometers away in Dallas, Texas. AT&T lost $2 million in the attack.
Cyberattacks also cost businesses billions of dollars in losses every year. In 2000, the ILOVEYOU virus flooded email servers and overwrote files on computers across the globe in a matter of hours. In 2004, the Sasser worm managed to disable everything from satellite uplinks to x-ray machines and radar stations by constantly crashing the computers that ran them. Banks and post offices across the world were forced to work without computers and lost hours of productivity as a result.
Most importantly, cyberattacks can cost us our personal information. Our names, addresses, contact numbers, even our online identities are up for grabs for anyone skilled enough to look.
On Facebook, for example, seemingly innocuous apps that promise features or exclusive content hijack accounts from users and use them to trick others into also running the app. Keyloggers–software that captures the keystrokes made on a keyboard–steal login information and enable hackers to assume people’s identities and use their credit card information.
Back on the hill
The destructive potential of hacking leaves us with one pertinent question: Is the Ateneo as vulnerable as Harvard University and the other hundred or so prestigious schools that were broken into last October by hacktivist group GhostShell?
Jose Alfredo de Vera III, director of the Management of Information Systems Program, thinks that the mere presence of an Atenean website already makes it a target for attack.
However, Rafael Alampay, an assistant instructor at the Department of Information Systems and Computer Science (Discs), suggests otherwise. Alampay says that the Ateneo will become a target only after it takes some sort of controversial stand. “The only reason why that happens is [because] there’s a conflict or big issue between two parties,” he says, referencing the hacking of the Philippine government’s websites.
Andrei Coronel, also a Discs instructor, remarks that hackers would definitely prefer hacking into websites of famous institutions. “It's a bit more fun for the evil mind,” he adds.
The Office of Management Information Systems (OMIS) and the Information Technology Resource Management Office (ITRMO), both responsible for the Ateneo’s various information systems, likewise consider the university a legitimate target for hackers.
As a countermeasure, the two offices enforce security policies on both the physical and network components of the university’s information systems. In addition, they ensure the integrity of the applications that run on top of them, an approach known as “defense in depth.” White hat hackers are also hired by the offices to occasionally test for loopholes in the system.
Both offices also keep an eye out for attempted Distributed Denial of Service (DDOS) attacks, which involve flooding a website’s host server with data requests until it crashes. They also regularly maintain backups to ensure rapid recovery in cases of system failure.
De Vera, Alampay and Coronel also expressed their confidence in the competence of the Ateneo’s information technology offices. De Vera cites the proactive security precautions taken by the Campus Network Group in securing the Loyola Schools-wide wireless Internet.
The same cannot be said of the students, however. Many of the aforementioned interviewees brought up the same example of students failing to log out of their social media accounts on public computers. “It shows the lack of understanding of how the whole online system works,” says Alampay. “People don’t understand that if you log in, you stay logged in.”
De Vera thinks that students are aware of good security policies but are often lax when it comes to enforcing them.
“I can give you more than five names of friends and students who don’t [change their passwords], for the mere fact that they think that no one’s going to hack them,” says Coronel. “But the thing is, nowadays, you don’t need an enemy to be hacked.”
In a state of flux
Technology never stays the same. Inevitably, something new will come by—whether it is some fantastical new software or some ingenious theory—that will force the rewriting of many of the rules of cybersecurity. Even now, hackers are finding more creative ways to get past security systems, while premade programs make it relatively easy for anyone to become an amateur hacker.
Even as some rules are rewritten, however, many will definitely stay. One is that, no matter how truly secure one is online, one should always be aware of the dangers and, more importantly, take concrete steps to secure oneself. We Ateneans should remember that, beyond remembering to log off Facebook every time we use it in the Rizal Library, we are ultimately responsible for our own security and our own identities.