The Washington Post

Despite cyberattacks at JPMorgan, Home Depot and Target, many millennials aren’t worried about being hacked

JPMorgan Chase: 83 million accounts. Home Depot: 56 million payment cards. Target: 110 million shoppers.

Those numbers reflect three large cyberattacks that have taken place in the United States since last December, when Target, America’s third-largest retailer, said hackers had stolen information on 40 million debit and credit card accounts. Target later said hackers had accessed personal information for 70 million accounts.

Home Depot recently admitted that malicious software, or “malware,” had been on its system for the past six months. JPMorgan Chase & Co., America’s largest bank, reassured its customers by saying that there was no evidence that account information, such as passwords and Social Security numbers, was compromised. Names, addresses, phone numbers and e-mail addresses of account holders were accessed.

The companies have indicated that their clients won’t be liable for fraudulent charges as a result of these data breaches. (JPMorgan indicated that customers must “promptly alert” the firm about any unauthorized transactions.)

Cyberattacks aren’t limited to giant retailers and financial institutions. Hackers also go after celebrities and, in recent weeks, have posted for public view photos that actresses like Jennifer Lawrence had intended for their own private clouds.

With all of these high-profile data breaches, you’d think that even though people can’t do anything about how Target and JPMorgan protect their data, everyone would at least be paying attention to how they protect their own computers from being hacked. They’d know to follow the basic practices of installing antivirus software, creating strong passwords, and being careful about what they share online, especially since the experts say that protecting the Internet from hackers is a collective responsibility.

But you would be wrong, as Jen Havermann, a cybersecurity engineering manager at Raytheon, explained to me over the phone.

“Many in the millennial generation appear to have a ‘so what’ attitude when it comes to Internet security,” Havermann said. “They, of course, don’t want their bank accounts drained, so they’re careful with passwords on those accounts, but they may not be quite as diligent in terms of keeping their system secure as a way of protecting the entire Internet from malicious hackers.”

“They’ve grown up in a connected world where everything is connected, meaning that everything is vulnerable,” she emphasized. “To be good citizens of the network, we must make sure that we do what we need to do to protect the system.”

“We all drive cars and keep them maintained to protect others. So why don’t we think we need to maintain our personal computers to protect others?” she asked.

That same notion of both the vulnerability and collective responsibility on the Internet appeared at a session on “Hack or Crack? How Strong Do You Think Your Password Is?” held on Monday in Tompkins Hall of Engineering at the George Washington University as part of National Cyber Security Awareness Month.

A group of GWU students were demonstrating how quickly a password-cracking program called “John the Ripper” can crack a password. After warning me not to use my real password, they asked me to type in a password and see how long it would take “John the Ripper” to figure it out.

A simple password, like “bear,” took less than a minute to crack. A more complicated password like “GwU2014&,” with a combination of numbers, capital letters, and symbols, would have taken an estimated 24 years to crack. But even that password wasn’t all that strong.

A graduate student in systems engineering who was helping me choose my passwords is very aware of the importance of a strong password, especially for the vulnerable points in her online activity. To keep hackers away, her Facebook account password is really long and filled with symbols. It would take “John the Ripper” about 10,000 years to crack her code. Gayatri Mudaliar, who is studying for a master’s degree in computer science, had put her strongest password on her e-mail account because her most important personal information could be accessed through that account. She also changes it every six months.

So, these computer science and systems engineering students know the importance of having a strong password. They also know that they are vulnerable to weaknesses in the network — including people with weak passwords. (So do I. I have made my passwords much longer and added lots of symbols to them.)

They also understand the motivation of computer hackers, like the ones who broke into JPMorgan Chase’s accounts.

“’Cuz I can,” said Neel Shah, a sophomore majoring in computer science, as to why hackers do what they do. He then told me all about DefCon, the gigantic computer hackers’ conference that’s been around since 1993.

Hacking or being hacked is a part of their online world.

Many of them had been phished or hacked at some point, whether via an e-mail asking for funds to be deposited in a Nigerian bank account or via their own e-mail account being used to send spam e-mail to their contacts.

They also aren’t impressed by attempts to erase information that’s on the Internet and have little faith that efforts, such as eliminating links to certain Web sites, will actually prevent people from getting that information.

To check, I asked them about the ability to enforce the “right to be forgotten” in online searches. That right stems from a European Court of Justice ruling earlier this year that, while a newspaper could keep the offending articles on its own Web site, Google, if requested, must remove links to certain articles that come up on a search that are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” In the past three months, Google has received some 135,000 requests to remove around 470,000 such links.

The students aren’t convinced that these efforts will be successful.

“The information’s still out there. Someone else will just invent another way to find the information,” said Mike Sequino, a freshman computer science major.

Jack Shannon, a senior computer science major, agreed. “It’s unrealistic to expect that anything that’s on the Web will ever be forgotten.”

Thinking back on his own online history, Neel Shah shrugged, adding, “Everything I’ve ever put on Facebook is there. Even if I delete my Facebook account, Facebook still keeps my information.”

The cybersecurity engineer at Raytheon agrees.

“Once the information is out there, it’ll never be forgotten or go away. The best thing you can do is to not put it there in the first place,” Havermann stressed.

That’s advice that is as applicable to JPMorgan Chase, Home Depot and Target as it is to the rest of us.