3 Cornell Tech Innovations to Prevent a Future Equifax-like Breach

By Arnaud Sahuguet, Director of The Foundry @Cornell Tech

I joined Cornell Tech just over two years ago. The selling point to convince me to go back to academia was a simple analogy with the early days of aviation. Back then, there was no science of flying. Aviation pioneers rarely knew what they were doing; they hadn’t discovered the “principles” behind flying; and yet they were trying, inventing, innovating, sometimes at the cost of their lives. The point of the analogy was that “being digital” today is not that different from flying back then. And the mission of Cornell Tech is to provide these foundations: “integrating technology, business, law and design in service of economic impact and societal good.”

The Equifax Debacle

This current state of affairs was brought back to the forefront very violently in the last few weeks with the Equifax “affair”, where the digital lives of more than 143 million Americans have been put at risk.

« Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. » — as reported by the New York Times.

This is not the first one: Yahoo! is another example. And this is certainly not the last one.

The saddest part of the story is that (1) Equifax could have prevented this tragedy and (2) Equifax managed to make things even worse by exposing further personal information in their attempt to let people figure out if their identity had been compromised.

According to various reports, the root cause of the breach was a failure to apply a security patch on a piece of software (the Apache Struts web framework ) used to run one of the company’s websites.

When the breach was made public, Equifax launched a dedicated website on a separate domain to let potential victims find out if they are at risk. It was hard for users to figure out if this new domain was legit. The company itself misled users by pointing them to a fake domain launched by a “concerned programmer”. Also, sending the last 5 digits of your SS is not the most reassuring thing to do. This is not that different from what concerned Ashley Madison’s users had to go through.

The congressional hearing revealed even more “horrors”, including the fact that Equifax was storing sensitive information in plain text. For even more details, John Oliver dedicated his most recent “Last Week Tonight” episode to Equifax.

Cornell Tech to the rescue?

Here are a few examples of ongoing efforts by the Cornell Tech community to address these types of issues.

Regarding the first issue, one of Cornell Tech’s spinout companies tackles this exact problem. GitLinks — founded in 2016 — “lists all open source components and track vulnerabilities [and] [f]or each component we monitor security risks, legal risks, and version updates.”

So, in the case of Equifax, GitLinks software would have identified Apache Struts as being used by the company and sent an alarm regarding the discovered vulnerability.

Regarding the second issue, the company was asking users to share their personal information in order to find out if their personal information had been comprised. This is the essence of phishing. Fortunately, there are secure ways to check whether Personally Identifiable Information (PII) is part of a leaked dataset. Some on-going research at Cornell Tech is exploring this issue. With more and more data leaks uncovered every week, having a solid toolset to make it easy, fast and secure for people to check their PII against a given dataset without disclosing their PII is critical.

Finally, regarding the storage of password and sensitive data — which was unveiled during the congressional hearings — some published research by Cornell Tech offers various ways to make the storage of passwords more secure with the Pythia project, led by Professor Ari Juels and Professor Thomas Ristenpart; or handle typos gracefully while preserving security using the TypTop System, co-designed by PhD student Rahul Chatterjee and Professor Thomas Ristenpart. A reference implementation for each project is available on github.

Conclusion

Of course things are not that simple. Flight safety was not achieved right away and this is still an ongoing battle. Our digital lives will always face challenges but this is not an excuse for not trying to build solid foundations, to spend some time researching better solution and educate younger generations about problems and solutions.

Cornell Tech offers a unique combination of academic research and graduate education, mixing students and faculties from diverse backgrounds and bringing real problems to the core of the conversation.

If you are a student (computer science, electrical engineering, operation research), check our Masters and PhD programs. If you are more business oriented, check our MBA Tech. If you are a lawyer, check our LLM.

If you are a company, work with our students by submitting a product challenge and hire our new grads.

If you are a philanthropist, fund some of our initiatives.

“If you are planning for a year, sow rice; if you are planning for a decade, plant trees; if you are planning for a lifetime, educate people.” — Chinese proverb.

Resources

• https://www.gitlinks.com
• The Pythia PRF Service (github repo)
• The TypTop System: Personalized Typo-tolerant Password Checking (github repo)
• Professor Thomas Ristenpart
• Professor Ari Juels
• PhD candidate Rahul Chatterjee

Update

Last week, Github announced that it will soon provide a way to see vulnerabilities in packages used in a given repository. And a consortium led by Google and IBM announced the launch of the Grafeas open source project to keep track of “authorship and code provenance”. So, GitLinks is getting some competition. On a sadder note, the Equifax website seems to be serving malicious ads to its visitors.