UT Austin Hit By Massive Security Breach
mrpuffypants writes "Reported in the Austin-American Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."
Anyone bet the old administrative staff is cursing these new-fangled boxes?
"Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."
Phew, I feel so much better now!
I wish I had known about it, I would have asked them to change my transcripts to give me a better GPA. :P
What legal action may the students and faculty take? In Washington it is illegal to use a student's SSN to identify students. There was groaning at every campus in Washington for weeks. I bet they're as glad as me that Washington was so on top of this.
OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.
But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.
Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?
I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)
Karma: pi (Mostly due to circular reasoning in posts).
A smart cracker would already have lined up the buyer(s) for the information (probably spam companies) before doing the crack. At least one copy of the data would have been made at the time of the crack to ensure that it doesn't get captured and lost.
But nothing says that these cracker(s) are smart. Possibly just lucky.
robi
My school still uses SSNs as student IDs. I've found that as a student employee I run into thousands of IDs a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of an autogenerated key?
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
...of UT, I think it's reasonable to assume that I'm among the names taken by the bastards.
Unfortunately, I don't have a clue what to do about potential identity theft. I mean, everything uses your SSN. What steps can one take to protect one's identity?
Is it a sign that I play too many games when I read the title as a security breach in Unreal Tournament ???
Eu4ria
In schools, it's very easy to retrieve information. I went round no less than 10 junior schools in my area to get information on the new students that are about to enter the new year in the secondary school where I work as the information manager. NOT ONE of the schools asked me for ID; they showed me to a machine, logged me in and let me walk out of the door with the information on floppy...
It's very scary, but what can you do?
moo
Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.
This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Correct me if I'm wrong, but doesn't UT have one of the best CS departments? and this couldn't be prevented?
Lame Unreal Tournament jokes? You guys are off form!
Seriously though that is a nasty identity theft situation over there.
Bush and Blair ate my sig!
The UT link appears to be /.ed, but when I read it before it sounded like a simple brute-force SSN lookup. The attacker simply generated random SSNs and sent them against a page that returned information based on SSN. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.
On another note, UT is phasing out SSNs in many aspects of the student's life. My wife's UT ID does not contain her SSN; it has a student # now. Though I assume that there are still many points of interface with the UT system that expect to see an SSN.
My school uses social security numbers as their student ID number. I didn't like that idea, so I asked to change it which I was allowed to do. But I then later found out that the school still keeps your ssn on records. My ssn is no longer given out on class lists now (which is why I changed it), but the fact that they still have it makes me a little irritated.
"The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused."
I shall now write a script that emails UT random SSNs and asks "was I affected and what information do you have on me?"
muhahhahaha...
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Reading the article (as I am sure everyone already has) would tell you that the information was not tied in to any student grades. Two different systems / databases.
This does mean a spammer has a few thousand live accounts of young (read: target audience) college students (read: active email users).
That is bad in more ways than one.
robi
It's amazing how much information you can get kicked back by simply trolling SSN's. This reminds me of the scandal last year with Yale's admissions information, which a Princeton administrator obtained by simply entering SSN's and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.
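The lookup-and-harvest pattern described in the two comments above (a script feeding random SSNs to a page that answers per SSN, and the Yale/Princeton case where SSN plus birthdate was enough) is a textbook enumeration oracle. The following is an added example, not UT's code or anything from the article: a toy lookup endpoint with a per-client throttle that counts both total attempts and misses, an attacker loop walking identifiers sequentially, and a detector that flags enumerating clients in constructed access-log lines. All identifiers, IP addresses, log lines and the `/lookup?id=` path are made up for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed directory keyed by a 9-digit identifier (fake values, not real SSNs).
DIRECTORY = {
    "000010001": {"name": "A. Student", "dept": "CS"},
    "000010002": {"name": "B. Staff", "dept": "Physics"},
}
SSN_RE = re.compile(r"^\d{9}$")


class Throttle:
    """Per-client sliding-window limiter on lookup attempts and on misses.

    The miss limit is the important one: an enumerator's traffic is almost
    entirely misses, a legitimate user's almost entirely hits.
    """

    def __init__(self, max_requests=20, max_misses=5, window=60.0):
        self.max_requests, self.max_misses, self.window = max_requests, max_misses, window
        self.requests = defaultdict(deque)   # client -> timestamps of all attempts
        self.misses = defaultdict(deque)     # client -> timestamps of failed attempts

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, client, now):
        self._prune(self.requests[client], now)
        self._prune(self.misses[client], now)
        return (len(self.requests[client]) < self.max_requests
                and len(self.misses[client]) < self.max_misses)

    def record(self, client, now, hit):
        self.requests[client].append(now)
        if not hit:
            self.misses[client].append(now)


def lookup(client, ident, throttle, now):
    """Return (status, record). Malformed and unknown identifiers get the same
    answer so the endpoint does not distinguish 'valid but not ours' from junk."""
    if not throttle.allow(client, now):
        return ("throttled", None)
    hit = SSN_RE.match(ident) is not None and ident in DIRECTORY
    throttle.record(client, now, hit)
    return ("ok", DIRECTORY[ident]) if hit else ("not_found", None)


def simulate_enumeration(client, start, count, throttle, now=0.0):
    """Attacker walks identifiers sequentially at 10 req/s; returns (hits, throttled)."""
    hits = throttled = 0
    for i in range(count):
        status, _ = lookup(client, f"{start + i:09d}", throttle, now + i * 0.1)
        hits += status == "ok"
        throttled += status == "throttled"
    return hits, throttled


# Detection side: Apache-style combined log lines (constructed, not real traffic).
LOG_RE = re.compile(r'^(\S+) .* "GET /lookup\?id=(\d{9}) HTTP/1\.[01]" (\d{3})')
SAMPLE_LOG = [
    f'10.0.0.9 - - [03/Mar/2003:10:00:{i:02d} -0600] "GET /lookup?id={10003 + i:09d} HTTP/1.0" 404 12'
    for i in range(12)
] + ['10.0.0.2 - - [03/Mar/2003:10:01:00 -0600] "GET /lookup?id=000010001 HTTP/1.0" 200 180']


def flag_enumerators(log_lines, min_ids=10, max_hit_ratio=0.2):
    """Flag clients that query many distinct identifiers with a low success ratio."""
    per_client = defaultdict(lambda: {"ids": set(), "hits": 0, "total": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ident, status = m.groups()
        c = per_client[client]
        c["ids"].add(ident)
        c["total"] += 1
        c["hits"] += status == "200"
    return sorted(cl for cl, c in per_client.items()
                  if len(c["ids"]) >= min_ids and c["hits"] / c["total"] <= max_hit_ratio)


if __name__ == "__main__":
    print("enumeration (hits, throttled):", simulate_enumeration("10.0.0.1", 9990, 20, Throttle()))
    print("legit lookup:", lookup("10.0.0.2", "000010001", Throttle(), 0.0))
    print("flagged clients:", flag_enumerators(SAMPLE_LOG))
```

With the defaults the walk is cut off after five misses, before it reaches the two live identifiers, while a single correct lookup from another client goes through. The log detector catches the same behaviour after the fact; adding birthdate to the form, as in the Yale case, only changes the identifier width, not the shape of the traffic.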
ah well, guess that's why I shouldn't have hesitated in my lameness :)
Slashdot response: (taken from front page)
"I imagine they will eventually raid some domestic homes and make a scapegoat of some unfortunate teenagers."
Not a difference in my opinion. You might feel different if you were personally affected too. Hackers get what they deserve regardless of age.
My former school, UVSC, uses social security number, first name and last name combinations for user IDs. They then use birthdays for passwords. Talk about insecure. I even saw a teacher who typed his password as "password" (he was in CS). Yeah, scared me too.
void
This is NOT the first time, and I do not believe that it will be the last. I work at and attend a medium-sized college and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nation's colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serious breach or deny any knowledge of current security problems. It's quite frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
/. has an opinion as to how this happened?
It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.
Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on
This johnny-come-lately "UT" is ripping off the initials and the colors of the original UT (est. 1794 thank you very much)!!
;-)
We demand that our child State of Texas cease and desist in the molestation of our look and feel.
Sincerely,
Volunteer Graduate of 1994
PS, The UTK English Department is the Home of the Vowels
Eve Fairbanks says I drive a hybrid!LOL
I'll bet this attack was done by a student to get more information about which college freshman girls to harass. When I went to college, the online phonebook did not include gender or year by default, but you could get that information if you clicked a few checkboxes (but only one student's info at a time). A friend of a friend of mine (at the time) wrote a simple script to harvest all of the data. He was never contacted for doing anything wrong.
SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.
Apart from that, all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (i.e. issue a credit card to a you that's not you).
We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
Northwestern recently sent this out to all students:
Dear Students:
The following three bulleted topics are of student interest:
* Social Security Number is removed from WildCARD ID
With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.
The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.
"The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.
"We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.
Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
http://www.univsvcs.northwestern.edu/WildCar
* New vending machine refund bank locations
If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
http://www.univsvcs.northwestern.edu/WildCar
New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.
Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.
* Other tidbits of information:
--The Abbott Hall ATM now sells stamps
--A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
While my university doesn't use the SSN for our student ID number, it still asks students to put it on countless forms and enter it into countless databases. It's always made me uneasy, and I hadn't even thought of the potential for a computer break-in. Rather, I was unsettled that any student worker who checked out a book for me at the library could see my SSN on his screen after scanning my ID card.
But nothing wakes up a university -- especially a state school -- like the threat of litigation. If the cracker followed up and committed full-scale identity theft, the students would have grounds for a lawsuit against the school. Consider the recent New Hampshire lawsuit that dealt with SSNs and other personal information. With the potential for bloodthirsty lawyers, universities might finally get serious about protecting their students' information.
Doesn't one of Bush's daughters go to UT?
Could this possibly be related?
Seriously. In the UK the closest equivalent is a National Insurance number, which you give out to quite a few people. Banks often want this (because it's unique to you, which makes record-keeping easier). Your employer will want it, so their accountants can calculate your tax. Your doctor will probably want it, again, because it's a unique identifier.
Why are Americans so paranoid about who knows their SSN?
that MS is telling them that if they had simply upgraded from Win2K to XP, this never would have happened. BTW, the main site runs Solaris, but the in-house is done on MS per our Ex-gov.
Sorry....we'll do our best to lock the barn door now that the cow's escaped!.......
I used to admin at a university. One of the most frustrating things I encountered was the incessant desire for there to be no restrictions on any of the computing systems that the students used. This includes the servers. The firewall was just an expensive router. We were not allowed to run blocks from the internet to inside IPs, as that defeated the spirit of free access. I tried to explain why it was a 'Bad Thing(tm)' repeatedly, but always met with resistance from the shared governance committee. One cannot blame the administrators in this thing. I assure you they feel just as powerless as I did. This kind of thing will become more and more rampant as clueless faculty (or upper management in the business world) are allowed to influence major IT decision-making.
Anyone with information about this crime is encouraged to contact UT's IT director via email. VISA-1234-5678-9012-3456-EXP1207@ut.edu
X
Big deal. If anyone wants to know my ssn, it's "336721433".
SSN's are public information.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
It is more important than an SSN. With an SSN someone could use public records to find place of birth, date, etc. (heck, even the SSN itself is coded for regions of the US).
Using that info someone could generate a false passport. Get the picture. False passport, false entry into the States. False entry under a name that exists, that is legit. Airlines would see this person as a green threat (under the proposed new system) and ignore them. If the actual person was a Branch Davidian, an IRA terrorist, PLO, etc. they have transparency of movement.
Someone just got all the information they need to smuggle thousands of people around our country. Give each illegal 5-10 different identities, never use the same one for connecting flights, then travel tracking becomes really hard for the FBI.
robi
they thought it would be cool, or because they wanted me to r00t it ?
thanks,
fluffy bunny
They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.
They probably just copied over the DB containing the University's security procedures.
UT says:
Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.
`Ah, cool, we've managed to delete the copy they made of our data.'
(whispers)
`Another copy? How many copies did they steal?'
In principio creauit Linus Linucem.
I can see it now....
NEW! Overnight REAL UT Diplomas in your choice of:
A few years ago I got a new bank account and they told me that due to a federal social security law they could not use my SSN as an identification source and that anyone who used it as such was breaking the law.
I know that many institutions and businesses use it (SSN) that way, but isn't it against the law? Or did I misinterpret the statement from the bank?
All I can say is 'Oh Shit'
Nanite
God is real unless declared integer.
Hold on, why were UT's internal data reporting systems hooked up to the internet? I thought sensitive information like this was only exchanged over secure intranet and stored in systems with no access to public networks?
They just should not be used by any third party, one thing I was amazed on after moving from the UK to the US was just how many companies/people here ask for that information when really its not necessary.
StarTux
I knew him ~10 years ago when I worked at UPenn. What a dick.
I hope he becomes the sacrifical lamb for UT over this.
@ UB we have a "people number". It might sound stupid... but at least if they're hacked they don't get my SSN.
Dear UT Austin Students/Faculty/Staff,
We were dumb@sses and now you're royally fscked.
Now let's try and hide those two facts by swamping you with irrelevant details
Sincerely,
UT Austin MIS Staff
I'm not sure which is worse: do you want your orange brighter and more eye-pokin', or browner and more rustlike?
...
UTK has a nicer campus, IMO, for matters of simple geography -- Knoxville has *hills*! Architecturally, though, UTA wins by a nose. (Whether or not you're a fan of the UTA campus "Master Plan," it's really not much of a going concern any more -- sprawl has taken care of that.)
Culturally, more similar than people like to admit, but Austin is simply a bigger, hipper city. In fact, Knoxville and Austin have a lot in common -- somewhat liberal by comparison to the rest of the state, high student population, comparatively green
timothy
Bad thoughts!! Bad thoughts!! Think pure thoughts!!!!
When you apply for a credit card you do not need a SSN until it comes time for verification. You just did yourself a disservice... I hope someone that can do this will see your post and will remove your number for you.
You've got WAY more to worry about than hackers.
ANYONE who works in the offices (especially student workers) can get this information. Admissions? Financial aid? All of these people could find enough info out about you to get a credit card in your name or go down to Circuit City and buy a big screen.
Just like the people who worry about their credit card being stolen from shopping online - you've got a better chance of the guy working at the mall going through receipts, or the waitress at Hooters when she takes your card up to pay the bill.
Obviously there's no way that database should have been connected to the internet. Someone failed to put the crack pipe down on that one. But at least they bothered to take full responsibility for the breach, and admit that they did in fact f*ck up. Should I be impressed, or should I wonder why someone admitting in a public manner that they dropped the ball is refreshing?
If thou see a fair woman pay court to her, for thus thou wilt obtain love
XML causes global warming.
Thank you.
This is my digital signature. 10011011001
Some helpful person probably set up a "phone search" database where you could search via ID. Probably they just didn't know the IDs were SSNs, or didn't care, or didn't put 2 & 2 together to realise that in addition to finding people's phone numbers, you could find people's SSNs.
Then someone just wrote a script to brute-force the SSN range, it seems from the 2nd link.
"Thursday, March 06, 2003 12:34 PM RE: addl info for transcript request Your student ID # is your SS#. When requesting transcripts: Full Name Purdue Student Identification number Date of Birth Dates of Attendance at Purdue Where you would like the transcript sent The number of transcripts being requested (maximum 10 per request) Your written legal signature Our fax number is 765-494-0570, or you can mail in a request." gee
*I used to be quite irreverent and ignorant. I am probably much smarter now. I seem to realize this every 45 days or so.
..., but I too am glad that they changed in WA State. I currently am enrolled at a college there, and as bad as my finance situation is, I sure don't need to be telling creditors,
"No, I did not get a Credit Card, buy a yacht with it, and crash it into the Golden Gate Bridge with a dead body on board..."
Yito Graft
I currently am a student at the University of Texas at Austin. The spineless fuckers in administration still have yet to inform us about our possible exposure. They may have only released info to the public about this yesterday, but as a current student and employee I feel that I should have been informed first, not by my mom calling me at 8 am this morning, asking what the hell is going on at UT. Besides, you can't trust a university that claims a budget shortfall, but pays $400,000 for personal consulting for the UT President so he "looks like a more kind, and understanding person." One last thing, test forms that you hand out here have a field for you to bubble in your SSN as a unique identifier. Last I checked, isn't that a violation of the Social Security Act?
Everyone already knows that online games are full of security vulnerabilities.. this topic wouldn't be /. worthy. :-)
I don't know what the law is here, but in Virginia, you still may be screwed.
...
I work for Virginia Commonwealth University. We have unique ID numbers for the students, staff, and faculty--not our SSNs
But every time you need something, almost ANYTHING, you have to give your SSN. Over the phone, in person, on a form, whatever.
When I got my university ID, some jackass had written down my SSN and NAME on a fucking Post-It and almost THREW IT AWAY when I got my little plastic card.
I said, "Whoa, give me that, dude. Don't throw it in the trash can." He looked at me like I was crazy.
No one around here understands why that kind of stuff is bad. I, on the other hand, ripped it into pieces and put it in two different trash cans.
Perhaps a bit paranoid, sure, but after I saw what happened to a friend of mine whose SSN and name were compromised (massive fraud around the city in his name, by some still-unknown individual), I don't care.
It's the same mentality that leads people not to password-protect their computers.
-/-
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
Hmmm, Univ. of Texas' mascot is a Longhorn...
Microsoft's upcoming O/S is codenamed Longhorn...
And Microsoft has a campus agreement with the Univ. of Texas to provide faculty/staff/students with full/premium/pro versions of their software at extremely low prices!
Hmmm... now why would I really ever want to upgrade Windows?
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
Unfortunately the literal translation of this is:
I am so fired!
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
Ever dream you could fly? Get up from the Flight Sim. I Fly
And, the University of Utah does not use Social Security Numbers as identification. Utah switched to using an independent 8-digit ID number about a decade ago.
Is it really that hard for a university to assign sequential student numbers? I mean, you start at 1000000, and go up from there! That way, the only information imparted by a student's number is approximately when they enrolled.
-Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
Even if the school didn't use SSN as a student ID number, there are many reasons why the school needs to know a student's SSN. Financial aid, and "selective service", to name two.
So the fact that the university uses SSN as a student ID number is only interesting at best. I bet if they used a different ID for "university ID", they'd STILL have the student's SSN in their records.
In any case, any organization that use the knowledge of a person's SSN as a means of "security" doesn't know anything about security.
I go to Kent State University, in Ohio, and last year about the same thing happened. A student took advantage of the system to get a large amount of information about students. Instead of changing the use of social security numbers to a random student ID, they did next to nothing. It makes me think they really care.
I went to a private HS that had one computer with the database of the students' records. The hard drive of that computer was stolen, and scared everyone in the administration. That database had all the information for all students back probably a good 20 years at least.
Well, through the grapevine, I heard that the hard drive had been stolen because of its size; the thief formatted it before he even knew what was on it... and the information was destroyed. He just got lucky when he pulled open a computer randomly...
Yito Graft
Currently the State of Texas is in the middle of some staggering budget shortfalls (as are most of the other states in the US). One state-funded entity that is looking at a shrinking budget is the UT system.
:P
Here's what I'm wondering: How do the powers-that-be, whether elected officials or University administrators, or the public for that matter, expect that security breaches like this are to be avoided when there is little to no budget to prevent them?
The agency that I work for, and many others, faces increasing scrutiny by the state legislature and must undergo budget cuts, hiring freezes, and potentially the loss of staff to meet the State leadership's plans. As a result, we've already lost funding not only for basic needs already planned for, but also for what are known as "exceptional items" or those items that we see a need for outside our normal budget.
I understand the argument that "Hey, we need police and health protection before you get new computer software!" but let's get real. Those are the same folks who will be panic-stricken when their SSNs or other personal info are stolen by crackers when agencies are broken into. And woe to the poor sysadmin who couldn't work magic with a non-existent budget to prevent it...
I'm a taxpayer too, mind you, but how can we expect State and Federal agencies to protect their resources without security being made a priority and funded as such...
"Of course I'm wrong... That's how I get to 'right'." - Gil Grissom
You moron... SSNs are not public. You can't just take someone's name and go look it up in some database. Not only credit card verification, but many other financial institutions use it: bank accounts, mortgage information, student loans, etc.
You should think before you start typing.
Have you ever worked for a non-profit? It's pretty hard to get fired. People that work for non-profits tend to fall into the "touchy-feely" category. Imagine taking a corporation's HR department and staffing every single position throughout the non-profit with that type of personality. In other words, if you see ".gov", ".org", or ".edu", don't expect normal organizational behavior.
Even so, if there ever was an event that deserved a massive firing, this is it. Here's hoping my company doesn't pick up the newly unemployed.
Kind of scary that just anybody can find all this info by getting some scrap paper from the recycle bins or wherever around campus. I do that a lot but most of it's junk. But if you work on campus I'm sure you can find lots of confidential info in the recycle bins and such that should NEVER be released.
Stop the Slashdot Effect! Don't read the articles!
That's interesting wording.
Given that the official number of stolen records is "approximately 55,200", I think that I would've chosen the phrase "more than 55,000" instead.
Of course I wouldn't've used a comma to separate the thousands. Confuses the tiny parser in my brain.
// todo: implement sig
The SSN is not unique - just some of the reasons: Fraud, errors by the issuing agency, also, when they first came out, working wives were issued the SAME SSN as their husband, just with an additional suffix to indicate their status as an appendage to the Male. This gave them a 10-digit SSN. Supposedly, the SSA went back and fixed all that - I'm sure they did as perfect a job as any other govt. agency....
The site www.utexas.edu is running Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.6g on Solaris 8.
Yep.
Knoxville will always have Cas Walker. All Texas will ever have is LBJ.
Eve Fairbanks says I drive a hybrid!LOL
"Those SSNs that matched selected individuals in a UT database were captured..."
Does anyone else wonder what the attacker's selection criteria were?
It was mostly college kids, meaning that Social Security is practically guaranteed to collapse before they're even eligible.
That's my ssn!
;)
If you are going to try and prove a point with someone's personal information, at least use your own.
Guess how many web-based systems do not (a) check for SQL injection attacks and/or (b) don't validate where HTTP POSTs/GETs are originating from.
Folks, this is something those dumb "Teach Yourself SQL in 10 Minutes" books leave out.
Gig em.
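The two omissions the comment above lists, SQL built by string concatenation and requests accepted without checking that they came from the site's own form, are easy to show side by side. This is an added example, not code from UT or from the article: a constructed in-memory SQLite directory (fake identifiers), a lookup written the way the "10 minutes" books write it next to an allow-listed, parameterized one, and an HMAC-based form token as one way to tie a request to the session that rendered the form. Table, column and function names are made up for the demonstration.

```python
import hmac
import re
import sqlite3

IDENT_RE = re.compile(r"^\d{9}$")   # allow-list: a lookup key is exactly nine digits


def make_db():
    """Constructed in-memory table; identifiers are fake, not real SSNs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", [
        ("000010001", "A. Student", "a@example.edu"),
        ("000010002", "B. Staff", "b@example.edu"),
        ("000010003", "C. Faculty", "c@example.edu"),
    ])
    return conn


def lookup_vulnerable(conn, ident):
    # Attacker-controlled text is spliced straight into the statement, so the
    # quote in the input closes the literal and the rest becomes SQL.
    sql = "SELECT id, name, email FROM people WHERE id = '" + ident + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ident):
    # Reject anything that is not shaped like a key, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    if not IDENT_RE.match(ident):
        return []
    return conn.execute(
        "SELECT id, name, email FROM people WHERE id = ?", (ident,)
    ).fetchall()


# (b): a per-session form token. The server puts issue_token(...) in the form it
# renders; a request arriving without a matching token did not come from that form.
def issue_token(session_id, secret):
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def request_is_first_party(form_token, session_id, secret):
    # Constant-time compare so the check itself does not leak the token.
    return hmac.compare_digest(form_token, issue_token(session_id, secret))


PAYLOAD = "' OR '1'='1"   # classic tautology: WHERE id = '' OR '1'='1'

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # whole table
    print("safe:      ", lookup_safe(db, PAYLOAD))         # nothing
    tok = issue_token("session-42", b"server-secret")
    print("token ok:  ", request_is_first_party(tok, "session-42", b"server-secret"))
```

The tautology payload dumps the whole table through the concatenated query and returns nothing through the parameterized one; the regex in front is belt-and-braces, the binding is what actually removes the injection. Note that `sqlite3`'s `execute` refuses stacked statements, so a `; DROP TABLE` suffix fails here, but the same concatenation against a driver that allows them would not.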
It's a great idea. The minor detail being that the cost of every bank, state agency, credit reporting company and insurance agency in the US migrating off that number is going to be incredible. More work for me though.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
my university has 'chmod 644' backups of /etc/shadow for anyone to read. anyone can ftp this off the public unix box and rip the passwords out of the 30,000 staff, student and admin accounts contained within. they could then steal, delete or change every last byte of data on the network. if the admins are dumb enough to leave such critical files unsecured, how many serious attacks remain undiscovered as well?
Dumbass.
You deserve to get F'd over.
All numbers are public, by definition, but some numbers are more public than others. A SSN has value if you know that it belongs to a live human being of a certain age group, with a good credit rating and without a passport, if you have a bad credit rating, no passport and the same age. In contrast, a non-existent SSN, or one that belongs to a dead person has zero value. See for example an old guy who got arrested in South Africa recently, due to an FBI most wanted listing. A criminal stole his SSN and is probably a serial murderer, so this old guy spent a very hard time in a very tough jail for a few weeks. Not a nice holiday, but one he'll never forget.
What's your full name and your mother's maiden name?
Best Slashdot Co
don't confuse with UT Austin
Alright, it seems that the time is right to dust off those "Free Kevin" bumper stickers...
Trolling is a art,
You were born in Illinois.
I worked at UT Austin for a semester in '01, not sure if my SSN was compromised or not. I know there have been and are a lot of non-US students and faculty at UT Austin... What are the chances that one of our SSNs is going to get misused as a result of this and land us in trouble at some point with Homeland Security, INS, or the like?
The information - sans SSNs - is already publicly available via http://x500.utexas.edu/
I don't see how this is such a big deal - the employee training records detail when you took the PN1000 "New Employee Orientation" (and other useless classes offered by HR services).
The *real* information is protected by the ITS UT-EID, which was not compromised.
I'm putting $20 on the guy going to death row when he's caught.
oh. what? aggies not going to the tourney?
oh, well; we'll compare GRE scores next week.
is 60,000 lawsuits against the university for using those S.S. numbers. I can understand a student who is trying to get accepted to the school being afraid to confront them and not supply it even though they have no legitimate use for it, but they should be held responsible for their misuse of the numbers. 60,000 lawsuits would be a good start, and send a message to others who carelessly abuse these numbers at great risk to the individuals who own them.
I'm an American. I love this country and the freedoms that we used to have.
Whew, for a second there I thought the Undertaker and Steve Austin were both robbed.
D
The first, last, and only tech news site on the net
Yes, that's probably it. Saddam Hussein is trying to steal her identity as part of his plan to create a fake-daughter robot, full of explosives.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's absurd, but you only need the number to assume the identity of the person to whom the number belongs. While credit card numbers usually can't be used without the actual card, the SSN can.
The US really needs a personal ID card, to protect the citizens from identity theft, like many other countries have. Americans already are uniquely identified by the government with a combination of paper trails, so it is not a question of integrity - that was lost long ago.
Think of the SSN as a public key, with your personal physical ID card as your private key. If it gets stolen that's when you worry and contact the police, not when your SSN gets guessed or stolen. Countries far more secure and respectful of citizens integrity than the US use this model successfully.
Oh, I can't help quoting you because everything that you said rings true
I have both attended and worked at UT in IT, so I can give you my observations.
For many years, UT had a non-centralized IT infrastructure. That is, the Colleges did one thing, the Administrative Computing Group did another thing, the Academic Computing Group did yet another thing, and the Libraries something else entirely. This was recently changed with the introduction of a new Office of Information Technology headed by a new Vice Provost (Dan Updegrove, originally at Yale). One of the very first things I heard him address was the Social Security number problem in which every student, faculty, and staff member used their SSN as their ID. That practice had to change in order to meet both legal and privacy standards (see FERPA), and UT has been trying for the past couple of years to make that happen. The trouble is, it was so integrated into all of the different services and departments that it is a slow process to remove it. They started to phase it out, but now UT is seeing the effects of this particular practice. I'm likely one of the ones who will be affected, so I'm waiting for them to announce where people can find that out. (It may be at the UT site, http://www.utexas.edu/datatheft/.
The Daily Texan (student newspaper) has an article about the theft, as does the Houston Chronicle.)
By the way, your Social Security Number isn't public information. It is required for use by some agencies of the government, but you are not required to provide your SSN to private groups unless they need to interact with certain government agencies (this includes your employers, who deal with the IRS). That being said, SSNs are so commonly used a search may pull up that information, but that doesn't mean it is legally public info.
The university for which I work uses SSNs as student ID numbers as well. They are in the process (another 3 years or better) of converting over to PeopleSoft, which will use another unique ID number for staff, students, and faculty. Until then, we just have to hope all our systems are secure.
ZeTeS
2+2=5 for extremely large values of 2
But presumably, no evidence that the data hasn't been distributed.
I hate it when they word shit like that to placate/fool the casual reader.
Fess up, take it on the chin!
They use SSNs initially to keep track of how much money you are paying into the SS system, and they usually catch it when two different people are paying into the same account. Besides, there can only be one name on the account, so one person would wind up with a SS card with the name of the other person on it, though I suppose the last person assigned the number would have his name on the account. As soon as you give it to your employer they check with the SSA and would come back with the other person's name on the account.
"Gig 'em Ags!"
I feel socially insecure :(
-- www.globaltics.net
Political discussion for a new world
Gee... Don't they know not to have the database located on the outside of a firewall, and when it is on the inside you should use Kerberos or PKI.
Responsibly? Bull!! I guarantee you it is a case of "I'll throw *you* to the lions so I can save my butt." As with most big entities the foot soldiers who really know what's going on are kept underground and not allowed to contribute to the decision making equation, mainly because the higher-ups are clueless in technology (but well connected politically within the organization) and don't want to "look clueless" in front of their peers.
Just to let everybody know, this was the last semester that UT was using SSN's as id's. We are in the process of switching over to what they call the EID. The EID is just a text string (similar to a user login). This is what we have to use to access online services for several years. Within months it was going to be our official identifier in all of the university's systems.
Ok, this is just silly. I for one also thought when I first saw the header that Unreal Tournament had been breached, but that's off topic. People need to figure out that: 1. an SSN really doesn't matter. 2. that the gay martian fagoodelic freaks who are so paranoid they plug the push pin holes in their rooms with putty because *They are out to get them* would shut up if they did what MY HIGHSCHOOL does and have a nice little 4 digit Student ID!!!
$a = SQLquery) 'What we do in life
...I resent both your spelling and your implications.
A better question would be "why the hell is everyone pretending a heavily distributed 10 digit number printed on an easily duplicated piece of paper is a viable means of identity verification?"
It's just plain dumb. Your SS number is no more a secret than your driver's license number. In fact, it's less of a secret since more places request it of you. And the card is easier to fake than even the most rudimentary fake id.
If you wonder whether a national ID system will ever come into being, you need look no further than large scale data thefts like these. In the wired world, being able to prove you are who you are (and be secure in the knowledge that someone else can not prove they are you) has never been more important. As online electronic transactions replace face to face paper ones, the same efforts taken to prevent counterfeiting and theft of cash will be necessary to prevent the equivalent cybercrimes.
Personally, I wouldn't mind if I only needed one card instead of a wallet full of them, with all my accounts cleverly linked to it.
Special IDs like school cards are meant for quick visual verification of identity and enrollment. Reference cards like my insurance and calling cards are meant to be read. Gift cards like Best Buy are meant to be given as physical item. Data cards, like my subway stamp card, need to carry special information. Everything else - ATM, cash, credit, ID, store membership, and so forth could be rolled into one rigorously protected and verified universal card. If you're really fancy, maybe even one that can store and display custom data, including reference and special ID.
---If you can't trust a nerd, who can you trust?
What we need is a honey pot full of fake SSNs ... when people try to use them (obviously stolen), the Feds go round and arrest the bastards.
A lot of schools still use SSN's as student ID's out of sheer habit. Many small schools never bothered to update to Student ID's, and are now in a situation where there are tens of thousands of SSN's floating around campus being used for things as simple as resetting an E-mail password.
My employer just finished a shift from SSN's to an actual student ID less than a week ago. The conversion's been a bitch (users: "whaaaaaa, why do I have to learn a new number?") and the fact that it was done in the middle of the semester hasn't made things any easier. I'm glad it's been done, it's something that should've changed a long time ago.
On a side note. When the ID's were changed we were told that it was being done in part to comply with upcoming changes in government regulations. Any truth or links to back that up?
There are some people that if they don't know, you can't tell 'em.
Now, so is mine . . .
Make America Great Again!
Being that I work at a university, I understand your point. The thing I have found is that it is far easier to be fired from a University for misconduct than for poor performance. In this case however, someone is going to be fired. That is, if they can determine who is responsible and that person is still working there. Even then, (taking your point in consideration) it is entirely possible that the events that caused this system to be available occurred far too long ago to really hold somebody accountable now. (Although, IMHO, some heads should roll for not doing proper security audits)
The thing is that Universities hate bad press... UT will likely do something public to show that they cannot allow this to happen in the future.
It's sad, but UT already *has* unique IDs for each of its students. I'm holding my UT student ID card in my hand, and I've got a 16-digit number and a barcode printed plain as day on the front of it.
On tests at UT, it's common to have to write your full name and SSN on the front of the test when you turn it in. In all my time there, only ONE professor ever asked for the number from our ID cards. Only in small classes or discussion sections did I hand in tests without my SSN.
I'm betting that, even though someone was bright enough to know that using SSNs for IDs was a bad idea and came up with new ID#s to print on student ID cards... there's too much legacy code to manage the 50k+ students that relies on their SSNs.
It is theoretically possible to be an adult without a SSN, although it would make life very difficult.
My hovercraft is full of eels
"the more urgent task is to [...] recover the data"
Huh? Does this mean that UT no longer has the data? That the FBI will have to go around to thousands of FTP servers and gather together a few bits here, a few bits there?
This theft metaphor just doesn't work with "stolen secrets", and never has. Once someone has discovered your secret, and told someone else, you can't get it back. It's not the data that was removed, but only the secrecy.
Large Universities breed incompetence and stupidity among their IT staff. Insulting pay and reprimand for working intelligently sends anyone with half a talent packing and the useless yes-men keep climbing the ladder of stupidity. The incompetent and insecure IT managers won't hire talent for fear of their own exposure and the University will just keep throwing money at them to hype up new projects for PR that will never roll out until they throw even more money (usually taxpayers') to outsource it to an overseas development shop. I've seen this exact U. of T. situation happen with student registration and credit card info at a university where I worked. The worst part was that when the gaping security hole was pointed out, they couldn't even understand why it was a problem. You might as well accept the fact that student information is just out there for the taking.
The money you have in your account is accessible from anywhere, if your bank has any kind of Web front end for checking and savings. It does, by now. Banks also hook into one hell of a certificate system for all the electronic transactions going on out there, leaving alone the little consumer Web site thing. They take this stuff seriously; if anything they take it more seriously than Health Care has, which is why HIPAA's got everyone worked up.
I agree, negligence would be the legal principle, so we don't need to invent new punishments as a deterrent. But the analogy works.
"Fundamentalism" isn't about divine morality. It's about human authority.
This is really sickening. A lot of schools still use SSN as student IDs. In State University of New York, until very recently, your SSN was used on your grad reports, your dorm phone bills, your administrative notices, and teachers even insisted that this SSN/Student ID should be written at the top of every homework. Old phone bills with your name, date of birth, address and SSN were often found in classrooms or on the floor.
When I approached a SUNY teacher about this potential ID theft problem (back in 1999), his answer was: "I've been doing this for 20 years and I've never heard of this problem". Shocking, astonishing conclusion: The American academia is clueless! Oh no! How can that be! (But hey, it explains so much.)
It took a few ruined students and an order from the Attorney General (IIRC) for stopping NY schools from using SSNs as student IDs.
I am not really surprised that some administrative cretins are still camping on their position after all the theft ID problems of the last few years. After all, Schools Are Clueless.
I would like to entertain the hope that a few of these moronic school administrations would be sued till they bleed by ruined students, but how could ruined students afford these kinds of legal costs?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
molybedenum-at-hotmail-dot-com
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
In US territories a ssn is often assigned to a family rather than to an individual. Then the children of the family come onto the mainland for college. A bit of a mess when a large Puerto Rican family has 8 kids that all go through the same college.
"What steps can one take to protect one's identity?"
;
Don't go to UT . . . wait a minute ; ;
Actually, I also graduated from UT in the last couple of years. I majored in Economics, but that's not even a part of the Business School at UT! So, I see this as an opportunity to steal the identity of someone who DID graduate from the business school. Business school majors were usually snobs anyway.
Make America Great Again!
There are laws which compel the school to maintain your SSN--like they have to know if you are delinquent in child support, blah, blah blah, as a consequence of recent legislation to catch skip-out dads, so you cannot get a driver's license or enjoy a lot of state benefits, etc. if you are a deadbeat parent. We have lots of foreign students, and you have a lot of reports on them to make to the INS (or whatever is replacing the INS now that they got rid of it) due to post-9/11 legislation. They will by god have your SSN in their computer somewhere, and the common practice for well run schools (mine is not--hence the AC) is to use the SSN only on your transcript, which is one place it very definitely belongs!!!!
There is a federal law, since the adoption of the SSN in 1935, which prohibits use of your SSN as a general identification number, i.e., it is a federal offense for your university to use your SSN as your student number. So, the good practice is to generate some unique but random number and assign it to each student as their student ID number, and reserve the SSN for use only on transcript and required government reports and compliance checks with the myriad of government BS regulations your school is burdened with.
Incidentally, the current interpretation of recent legislation is that it is **quite illegal** to post any grades under any form of identification--apparently somebody might get their feelings hurt just knowing they didn't do as well as the majority of their class just looking at a list of grades with random student identifiers and random order.
UT is being hit with a penalty, but it's no fine or jail time. They're suffering a huge blemish on their reputation. IMHO, a hit to one's reputation is just as bad as being convicted of some crime. People think UT now, they think "insecure network, I wouldn't trust them with my info if ya paid me." No one takes this type of thing lightly, and those who know about this will probably reconsider applying for admission or a job there. They've got some serious making up to do. -D
that's funny, but I work at UT and know for a fact that there's no way updegrove is going to get fired. he's just below VP. he -might- fire somebody (questionable), but his job is safe -- unless something else happens ...
That information wasn't leaked, it was FREED!
"Ask not what your country can do for you." --John F. Kennedy
(Extra credit props points to anyone who can name the system that I am talking about... Hint, this was late 70s to early 80s)
And these are the people who want to "fix the problems" at Los Alamos? No thanks. UC will do just fine.
Cool. What's your /. password again?
Share and Enjoy!
Here's a solution: Cash only! Screw credit, that's how we got into this mess in the first place.
And these are the people who want to run Los Alamos National Lab? No thanks. UC will be just fine.
UT has about 50,000 students attending at any given time. Given this, probably what was taken were the records of currently attending students.
I suspect that we alums probably have less to worry about, though vigilance is probably still a good idea.
It was probably some over-eager credit card company who will now use the information to send 60,000 "pre-approved" credit card applications to the students. I mean, come on. Everyone knows we have to keep these students drowning in a pool of debt. Otherwise, how would the economy function?
This space for rent.
From http://www.utexas.edu/datatheft/affected.html
Is your SSN in the following ranges?
449-31-98xx - 450-91-24xx
451-12-32xx - 451-20-35xx
451-20-64xx - 452-20-40xx
If so, within these ranges, 55,200 people of the following types, including but not limited to:
Current students, faculty and staff
Former students, faculty and staff
Job applicants
Retirees
may be affected.
If you believe you are affected, please contact us.
------ This has been provided as a public service! ------
As is a friendly troll. Listen carefully; your defeat was not honourable, it was weak, it was a disgrace, a dreadful blight on your miserable life.
That you tried to initiate friendly and self-deprecating banter with your opponent makes your defeat even more embarrassing, even more sickening. In fact, your post created such an unbearable gut-twisting nausea deep in my soul that I will go for 7 days without food, to try and cleanse my body of what I just witnessed.
Words cannot describe what I am feeling here. I must leave.
You were born in Illinois.
Not necessarily. It is the state where it was issued. Kids today had theirs done up at birth by mom/dad, but older folks applied when older. I got mine when I was 13 and started working. However, that SSN is from great lakes region. Besides, I seriously doubt that it belongs to the poster. It is almost certainly made up or somebody else like an X.
I prefer the "u" in honour as it seems to be missing these days.
I highly recommend to everyone to read this page carefully
http://www.fightidentitytheft.com/flag.html
and if the drawbacks don't sound too bad (think carefully!) make the calls. It takes about a half hour. Much less than the time you'll spend untangling the mess of an identity theft. You may also consider calling your bank and creditors to ask them to put similar holds on your contact info so that some clever scammer doesn't have your statements forwarded to Timbuktu, thus gaining them extra time to run amok and causing you even more grief. This isn't paranoia talking, it's experience.
Here are the numbers.
Credit Bureau Fraud Departments
TransUnion
Fraud Victim Assistance Department
Phone: 800-680-7289
Equifax
Consumer Fraud Division
Phone: 800-525-6285 or: 404-885-8000
Experian
Experian's National Consumer Assistance
Phone: 888-397-3742
Davo -- Free speech, free software, AND free beer.
On Sunday, March 2 at 7:20 p.m., computer systems personnel at UT Austin discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun.
What happened?
The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.
Is there evidence that the stolen data have been misused or disseminated?
UT, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).
What is UT doing about this?
UT's highest priority has been to identify the source of the attack and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure - if any - and to establish a proactive communication program with affected individuals and the UT community.
How many individual records were exposed?
Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants.
How will affected individuals be notified?
The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused.
Comments or questions sent to datatheft@its.utexas.edu will reach the UT Incident Response Team. (Do not send your Social Security number in any e-mail message.)
UT regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues.
Daniel A. Updegrove Vice President for Information Technology The University of Texas at Austin
BTW, our HR department is insane.
Hmm, strangely I looked up "number" in the dictionary, but never once did it say that public was part of the definition. Must have a bad dictionary or something.
I am surprised at the number of people calling for a unique number (or code or whatever) and best argued for in the parent. However, I think this is a Very Bad Idea. Who gets to hold this information and use it? The only people I can see close to achieving this in the present/near future is Microsoft. Needless to say I don't have, and won't be signing up for a password account. The idea that one key can be used to unlock everything encrypted about you leaves cracking it as a way to screw you up bad. I'm not advocating security through obscurity, but a bit of redundancy. Maybe if there were 5 keys which could control everything, then if one was compromised, the other 4 could prove your identity. And each one should only protect 1/5th of your sensitive data, so your doctor can't check your cash situation, and your employer can't check on your health.
Nice to see that UT used the term "attacker" instead of "hacker" or "cracker". It's a fair and reasonable compromise. Too bad the media report didn't follow UT's lead.
I work in computing support for an academic institution which shall remain nameless. My observation has been that we are generally more secure than most other academic institutions. That being said, I once helped someone who was trying to transfer a rather large file from a satellite office to one of our main offices. The person had been having problems with an FTP server. I checked the server in question. Lo and behold, there was a text file with 50 screens worth of SSNs, names, and addresses, on a publicly readable server.
Academic institutions frequently fall victim to the security/convenience tradeoff. While the official policy may be to err on the side of security, an awful lot of people with access to sensitive data don't have any data security training at all, and just "do what works". With a large bureaucracy, the odds that at least one person will screw up are rather high.
WARNING: there is a trojan on your
Here at the University of Florida we have just moved to a new system called the UF-ID system. Students had to get recarded. It took almost a year to re-code all of the University's systems (housing, accounting, libraries, etc) but we had a successful launch on January 21st 2003. The system works great and ties in directly with the University's new ActiveDirectory that was established for the entire campus.
Furthermore I think the FERPA (Family Educational Rights Protection Act) makes it illegal to use even partial identification numbers to post grades. You can read more about the University of Florida's system at http://ufid.ufl.edu
Apart from the fact that the guy in question (whose last name was Bond btw) was a Brit and hence didn't have an SSN in the first place. However, I seem to recall a "not so publicly disclosed" piece of info that the criminal actually managed to find the guy's passport number and use that with the guy's name + DOB: dunno how he did it though (of course, this fact would have probably got in the way of a 'stupid fbi' story...)
There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)
Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:
Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.
Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:
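The public-SSN / private-key scheme sketched in the comment above, worked through as an added example in Go with the standard library's Ed25519 (this is not the commenter's code). The directory type, the message field layout, and the relying-party, timestamp and nonce fields bound into the signed bytes are my assumptions, added so a captured authorization cannot simply be replayed elsewhere or later; the SSN value is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Directory is the public lookup service the comment proposes: SSN -> public key.
// Everything in it is meant to be published; nothing here is secret.
type Directory map[string]ed25519.PublicKey

// Holder owns the private key. It is generated locally and never handed out.
type Holder struct {
	SSN  string
	priv ed25519.PrivateKey
}

// Enroll generates the holder's key pair and publishes only the public half.
func Enroll(dir Directory, ssn string) (*Holder, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[ssn] = pub
	return &Holder{SSN: ssn, priv: priv}, nil
}

// Authorize builds one authorization message and signs it. Binding the relying
// party, a timestamp and a nonce into the signed bytes (my addition, not in the
// comment) means a copy captured at one party is useless at another or later on.
func (h *Holder) Authorize(relyingParty, purpose, nonce string, at time.Time) (msg, sig []byte) {
	msg = []byte(fmt.Sprintf("ssn=%s;to=%s;purpose=%s;at=%s;nonce=%s",
		h.SSN, relyingParty, purpose, at.UTC().Format(time.RFC3339), nonce))
	return msg, ed25519.Sign(h.priv, msg)
}

// parseFields splits "k=v;k=v" into a map (assumed message format).
func parseFields(msg []byte) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(string(msg), ";") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// Verify is what the relying party runs: look up the public key under the
// (public) SSN, check the signature, then check the message was issued to us,
// for that SSN, recently. An impostor who knows the SSN but not the private
// key fails at the signature step, because the key they hold is not the one
// published for that number. Tracking nonces to reject exact re-submission
// within maxAge is left to the caller.
func Verify(dir Directory, ssn, relyingParty string, msg, sig []byte,
	now time.Time, maxAge time.Duration) error {
	pub, ok := dir[ssn]
	if !ok {
		return errors.New("no public key published for this SSN")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature was not made with the holder's private key")
	}
	f := parseFields(msg)
	if f["ssn"] != ssn {
		return errors.New("message names a different SSN")
	}
	if f["to"] != relyingParty {
		return errors.New("authorization was issued to a different relying party")
	}
	at, err := time.Parse(time.RFC3339, f["at"])
	if err != nil {
		return errors.New("missing or malformed timestamp")
	}
	if now.Sub(at) > maxAge || at.After(now.Add(time.Minute)) {
		return errors.New("authorization is stale or post-dated")
	}
	return nil
}

func main() {
	dir := Directory{}
	const ssn = "123-45-6789" // constructed sample, not a real number
	alice, _ := Enroll(dir, ssn)
	issued := time.Now()
	msg, sig := alice.Authorize("example-bank", "open-account", "nonce-1", issued)
	fmt.Println("genuine:", Verify(dir, ssn, "example-bank", msg, sig, issued, time.Hour))
	fmt.Println("replayed elsewhere:", Verify(dir, ssn, "other-shop", msg, sig, issued, time.Hour))

	// Someone who has only the number generates their own key and tries anyway.
	mallory, _ := Enroll(Directory{}, ssn)
	m2, s2 := mallory.Authorize("example-bank", "open-account", "nonce-2", issued)
	fmt.Println("impostor:", Verify(dir, ssn, "example-bank", m2, s2, issued, time.Hour))
}
```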
My younger brother's SSN is actually immediately prior to my own. Yet we were born 3 states away from each other (and 2 years apart, too). So the parent post is correct. The probability of being born in the associated state is high, and higher with younger people, but is not a certainty. And as the numbers are used up, they may even change the scheme to assign them. Maybe they should now.
now we need to go OSS in diesel cars
I work in the admissions department of a Community College which uses SSNs for SIDs. One of the reasons that it is almost necessary to use the ss# as the identifier is because of the transcripts that we require for admissions into certain degree programs. We have about 20,000 unidentifiable documents that have only the name as the identifier on them, and 99% of these documents use maiden names, so without some uid (even as little as a current name and a birth date), they are utterly worthless, and thus end up in a dead letter office. I personally receive the same documents over and over again, but without the sending party taking the step to identify people, the documents aren't processed and people are denied admission because they miss deadlines.
At UT, a student's SSN is used as his/her ID number by default. However, a student may request that it be changed to a random 9 digit number by simply going to the ID center. Few students know about this, but it's why UT does not get in trouble for using SSNs as ID #s.
Hook'em
Long live GUIDs! The UT attack would be nigh impossible had we been using GUIDs. The problem with serial numbers is that they are, well, serial. Thus the numbers are clustered in a relatively small bitspace. If 12345 is a valid serial number, you can bet 12346 is too. Now with GUIDs there is a much bigger space to search, making blind searches for identifier numbers practically impossible. That's because every person would have a number randomly selected from a very, very large domain. Granted GUIDs can't solve all problems, but they would make similar brute force attacks nearly impossible.
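As an added example (not UT's code or the commenter's), the arithmetic behind two things on this page: the UT statement's description of a program submitting millions of candidate Social Security numbers to a reporting system, and the argument above that identifiers drawn at random from a large space defeat that kind of blind search. It also shows the cheapest detection a lookup service can run against such a sweep. The 55,200 figure is from the page; the 3 million guesses, the addresses and the log events are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
)

// ExpectedHits is the expected number of valid records found after `queries`
// distinct blind guesses drawn uniformly from an identifier space of
// `spaceSize` values that holds `population` valid identifiers.
func ExpectedHits(spaceSize, population, queries float64) float64 {
	return queries * population / spaceSize
}

// QueriesPerHit is the average number of blind guesses per valid record.
func QueriesPerHit(spaceSize, population float64) float64 {
	return spaceSize / population
}

// SequentialHits models serial numbers: when the valid IDs form one contiguous
// block and a sweep starts inside it, every query hits until the block is used up.
func SequentialHits(population, queries float64) float64 {
	return math.Min(population, queries)
}

// NewRandomID draws a 128-bit identifier (GUID-sized) from the OS CSPRNG, so
// neighbouring people get unrelated numbers and there is no block to sweep.
func NewRandomID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

// LookupEvent is one line of a lookup service's log (constructed for this example).
type LookupEvent struct {
	Client  string // source address of the request
	Matched bool   // whether the submitted identifier matched a record
}

// FlagEnumerators returns, in first-seen order, the clients whose no-match
// lookups reach threshold. A blind enumeration is almost entirely misses,
// while a legitimate user mistypes an ID only a handful of times, so the
// per-client no-match count is the cheapest signal to alert or rate-limit on.
func FlagEnumerators(events []LookupEvent, threshold int) []string {
	misses := map[string]int{}
	var order []string
	for _, e := range events {
		if e.Matched {
			continue
		}
		if misses[e.Client] == 0 {
			order = append(order, e.Client)
		}
		misses[e.Client]++
	}
	var flagged []string
	for _, c := range order {
		if misses[c] >= threshold {
			flagged = append(flagged, c)
		}
	}
	return flagged
}

func main() {
	const population = 55200.0 // records UT reported exposed
	const ssnSpace = 1e9       // nine decimal digits; the structured area/group
	// numbering makes the space an attacker actually has to cover smaller still
	guidSpace := math.Pow(2, 128)

	fmt.Printf("9-digit space: %.0f guesses per hit; 3 million guesses -> %.0f hits\n",
		QueriesPerHit(ssnSpace, population), ExpectedHits(ssnSpace, population, 3e6))
	fmt.Printf("contiguous serial block: 3 million guesses -> %.0f hits\n",
		SequentialHits(population, 3e6))
	fmt.Printf("128-bit random IDs: %.3g guesses per hit\n",
		QueriesPerHit(guidSpace, population))
	id, _ := NewRandomID()
	fmt.Println("sample random ID:", id)

	// Constructed log: one client sweeping candidates, one ordinary user.
	log := []LookupEvent{
		{"203.0.113.7", false}, {"203.0.113.7", false}, {"203.0.113.7", false},
		{"203.0.113.7", false}, {"203.0.113.7", false}, {"203.0.113.7", true},
		{"198.51.100.4", true}, {"198.51.100.4", false}, {"198.51.100.4", true},
	}
	fmt.Println("flagged clients:", FlagEnumerators(log, 5))
}
```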
Stealing files with fingerprint information isn't as helpful as it sounds. Fingerprint scanners don't compare against graphic files, they look for similarities between distinct features of your fingerprint (where ridges are, how far apart loops, etc...) Not enough information is stored in these files to make a working duplicate of someone's fingerprint (you might could hit a few of the features, but not enough). On the other hand, you could always lift someone's print off a glass and use the ole gelatin trick...
;).
Not sure about retinal scans, maybe that's an answer
I agree though, the use of SSN is outdated; it is security through obscurity using a less than obscure number. If I want to steal your identity, all trying to hide your SSN from me does is make it take me a little longer and piss me off that much more; you'll be owned soon enough.
Why bother providing a valid ssn when enrolling in school or getting a job - It's not like you are ever going to receive any payback from "social security" if you are of college age now...
I thought they breached Unreal Tournament.
Here I sit
Cheeks a flexin
About to give birth
To another Texan!
You think if they catch the hackers they will get the death penalty? Will the lethal injection be intravenous or rectal?
26th street (now Dean Keaton, or however that's spelled) is a big hill, for instance. But compared to Knoxville, No ;)
(I remember wondering where the "Hill Country" was.)
However, that *is* another good comparison -- both Knoxville and Austin are *relatively* hilly, compared to the vast bulk of the rest of their respective states.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
Cas Walker's old location on Chapman Highway is now Disc Exchange ;)
That doesn't actually invalidate your point though. Just funning a bit.
Not to be ignorant or anything, but as a Texas A&M Aggie it's my duty to say -- Whoop!
-dewhite
I was bitching about their lack of security as early as 1997... by default, they shunt(ed) all contact information into a publicly accessible x500 server. It wasn't a commonly known thing, and you had to take proactive steps to remove yourself from it (go down to an office, fill out a form, etc.)
From ksparger@vaevictis.stf.org Fri Aug 1 10:42:46 1997
Date: Fri, 1 Aug 1997 10:42:45 -0500 (CDT)
From: Vaevictis
To: info@x500.utexas.edu
Subject: Questions regarding the x500 service.
Hi
Sorry to pester you (I know how much of a pain it can be to administrate an internet service).
I'm a freshman taking English 301 (Composition class), and we've just recently been assigned a proposal argument.
My proposal is that the university change the policy on the x500 so that instead of having the student's information accessible by default, the student would need to sign a release form. (In other words, the exact opposite of the way it's done now... as a new student, I was horrified to find that my personal information (home address and telephone number, specifically) was being given to all comers.)
I would like to know the following information, if it's not too troublesome for you to give to me.
What would need to be done to change the student's default from "distribute information" to "withhold information" in the x500 directory?
Would it require a change at the actual x500 site (ie, configuration files?), or would it require that some other group (the registrar, perhaps?) change policy?
What kind of security measures are installed to log accesses of information? For instance, I know for a fact that you don't attempt identd lookups, do you log access attempts by hostname, IP address, or do you log at all?
What are the scenarios if it is found that someone used information acquired from this database for illegal/unethical purposes? ie, could you even prove where a certain access came from if you had to in court?
Anyhow, thanks for your time, it's much appreciated
If you don't know the information for any of the above questions, I would appreciate it if you could tell me who could (if you know, anyway).
Thanks a lot,
Kyle Sparger
Date: Fri, 01 Aug 1997 11:13:04 -0500
To: Vaevictis
From: "William C. Green"
Subject: Re: Questions regarding the x500 service.
You should read our FAQ and all associated links: http://x500.utexas.edu/x500info/faq.html
Specifically, Appendix C Subchapter 9 with special attention to section 9-201 of the General Information Catalog.
I would suggest you begin your inquiry with the Registrars office, although many other offices would be involved. My understanding is that any change would need to be approved by the Regents.
This question is more complicated than it would appear.
As part of your argument, you should consider the implications of not having a directory service, or, a service that is restricted to UT Austin access only.
Host access information is kept in rolling logs.
Yeah, I work for ACC and I know this to be the truth. But in actuality it may be that he CYA'ed too. It may be one of those institutional things that just can't be fixed until the sh** hits the fan. At that point you can say "I told you this would happen"; until then the only thing you can do is holler long and loud.
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
Aside from the fact that the custodian of the information certainly has a lot to blame in this, there is another big part of the problem. That problem is what people can actually do with the information.
An SSN is identity. It is nothing more than that. The problem is people make the incorrect assumption that it is authenticity (I can recite the number, or read it off a little card in my wallet, so it must be me), and authority (this account has your SSN and is overdrawn, so you are liable for it).
If any law change is needed, it is a law change that says that it is illegal for an SSN to be accepted for any purpose other than identity. What that means is that if I walk into a bank and open an account citing some SSN, the bank needs to understand that all this does is identify someone, and not necessarily me. If the bank causes harm to the real owner of the SSN by having provided any derogatory credit information based on that SSN, then the bank shall be fully liable for not having taken reasonable measures to ensure accuracy of information. And by that, what I mean is that the bank can't simply say that the victim needs to track down the perpetrator to cover the costs. The banks need to be forced to properly authenticate the information they use, especially when and where it might be used in a negative way.
And I don't mean to pick on banks (I just happen to have an open case with Chase Manhattan bank which continues to allow someone to operate a credit card account with my SSN, reported on my credit reports, without my consent, and after I have advised them of the fraud). Such a law should apply to anyone and everyone who accepts and uses SSN data for anything. It's the negative things that can be done (like bad credit info) that needs to be stopped (in addition to other stupidities like running computers insecurely and connecting systems to the internet that have no business being there).
now we need to go OSS in diesel cars
I spent a summer studying at UT, and let me tell you, they are hardcore about forcing you to give them your SSN. They have an option on their application for using an alternate # as your student ID, but all my academic and enrollment advisors told me NOT to use an alternate number. I tried explaining the danger of using SSNs, but it was always "it won't be a problem.. don't worry." When I turned in my form, it said that I wanted an alternate ID #. What # did I get on my ID card? My SSN.
I don't even want to get into the issues I had getting an on-campus job. They demand a Social Security card, when federal law states that a passport is sufficient. I'm still pissed off about all the junk I had to go through with that.
When I was in college I was broke, in debt and had no credit. Go ahead, steal my identity, you can have it!
Microsoft aggravates my tourettes syndrome.
If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes? Easy - lobbyists and money. Credit card companies and credit bureaus see SSNs as a godsend. For them, it's cheaper and easier to have a central registry in order to troll for new credit accounts, regardless of the security problems inherent in using SSNs for everything.
Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.
At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...
Hey goofball, shouldn't you be getting drunk on Tequila & Lone Star, catching syphilis and celebrating Davy Crockett Day out there in TX?
Is your SSN in the following ranges?
* 449-31-98xx - 450-91-24xx
* 451-12-32xx - 451-20-35xx
* 451-20-64xx - 452-20-40xx
If so, within these ranges, 55,200 people of the following types, including but not limited to:
* Current students, faculty and staff
* Former students, faculty and staff
* Job applicants
* Retirees
may be affected.
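To put numbers on the GUID comment earlier in the thread and on the three ranges listed just above, here is an added example (not part of either post, and not UT's code). It reads each published range as a plain nine-digit integer interval, sums them, derives the average number of guesses an enumerating script needs per successful match from the 55,200 figure, and then runs the same sequential walk against identifiers drawn from 122 random bits (what a version-4 GUID carries). The numeric reading of the ranges, the attacker walking the space from its low end, and the uniform placement of valid identifiers are assumptions of this example; the article on this page reports roughly 3 million queries for about 59,000 matches, which is consistent with the 2.67 million candidates the ranges contain.

```python
import random

# The three ranges listed on the UT datatheft page, read as plain nine-digit
# integers (area-group-serial with the hyphens dropped). A brute-force script
# walks them that way; the SSA's historical group-issuance order is ignored
# here, which is an assumption of this example.
AFFECTED_RANGES = [
    ("449-31-98xx", "450-91-24xx"),
    ("451-12-32xx", "451-20-35xx"),
    ("451-20-64xx", "452-20-40xx"),
]
AFFECTED_PEOPLE = 55_200      # figure given on the page
UUID4_RANDOM_BITS = 122       # a version-4 GUID carries 122 random bits


def ssn_bound(pattern: str, high: bool) -> int:
    """Turn a masked SSN such as '449-31-98xx' into an integer.

    The 'xx' wildcard covers a whole serial block, so it expands to 00 at the
    low end of a range and to 99 at the high end.
    """
    digits = pattern.replace("-", "")
    if len(digits) != 9:
        raise ValueError(f"not a nine-digit SSN pattern: {pattern!r}")
    digits = digits.replace("x", "9" if high else "0")
    return int(digits)


def range_size(lo: str, hi: str) -> int:
    """Number of distinct nine-digit values between two masked bounds, inclusive."""
    return ssn_bound(hi, True) - ssn_bound(lo, False) + 1


def candidate_space(ranges=AFFECTED_RANGES) -> int:
    """How many numbers an attacker must try to cover every listed range."""
    return sum(range_size(lo, hi) for lo, hi in ranges)


def expected_queries_per_hit(space: int, valid: int) -> float:
    """Average guesses per successful match when `valid` identifiers are spread
    uniformly over a space of `space` values."""
    return space / valid


def simulate_walk(n_valid: int, space: int, n_guesses: int, seed: int = 1) -> int:
    """Scatter n_valid identifiers uniformly over [0, space) and count how many
    an attacker finds by trying the first n_guesses values in order.
    The same walk serves both identifier schemes; only `space` changes."""
    rng = random.Random(seed)
    valid = set()
    while len(valid) < n_valid:
        valid.add(rng.randrange(space))          # randrange handles 122-bit ints
    return sum(1 for guess in range(n_guesses) if guess in valid)


def compare(n_guesses: int = 100_000) -> dict:
    """Side by side: the published SSN ranges versus 122-bit random identifiers."""
    ssn_space = candidate_space()
    guid_space = 1 << UUID4_RANDOM_BITS
    return {
        "ssn_candidates": ssn_space,
        "ssn_queries_per_hit": expected_queries_per_hit(ssn_space, AFFECTED_PEOPLE),
        "ssn_hits_in_sample": simulate_walk(AFFECTED_PEOPLE, ssn_space, n_guesses),
        "guid_queries_per_hit": expected_queries_per_hit(guid_space, AFFECTED_PEOPLE),
        "guid_hits_in_sample": simulate_walk(AFFECTED_PEOPLE, guid_space, n_guesses),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the page's figures the SSN ranges hold 2,670,800 candidates, so one guess in roughly 48 lands on a real record and 100,000 sequential guesses return about 2,000 of them; the same 100,000 guesses against 122-bit random identifiers return none, and the expected number of guesses per hit there is on the order of 10^32. A randomly assigned identifier still has to be kept secret and the lookup page still needs rate limiting, but enumeration alone stops being a viable way in.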
I attend community college at night and in one class we have to telnet into a Solaris box from W2K. Our login name is the first 3 letters of our last name, followed by the last four digits of our social security number. Guess what the password is? Yeah, our full social security number. One day I came to class early with a copy of Knoppix on a CD, booted off it and ran ettercap, poisoning the switch so all traffic goes through my machine first... One by one, as students came in, I was able to sniff their login name and password (which was their social security number). I sent an email to the school using that as an example of why students' passwords, or their ID number, should be a SSN number. I have not yet gotten a response.
My school still uses SSN's as student id's. I've found that as a student employee I run into thousands of id's a day. I know it's the same way for a lot of student employees on campus.
Not just student workers, hell anyone that choses to set foot on campus. If I wanted too, I could amass hundreds of student names = addresses = SSN = birthdates very very easily from public information. (like grades posted on walls)
"Fortunately", my school just moved from SSN as student identifiers to random 7 number identifiers. But even today, on my math midterm, I was required to put down my SSN!!!
WTF?!?!
Elsewhere on campus, SSN as an ID is rampant, even though it is now ILLEGAL for professors to post grades by SSN.. but it still happens! WHEN ARE THEY GOING TO GET SERIOUS ABOUT THIS? Only after 100 student identities are stolen? 1000? 10,000?
I suppose I should ask to see the President's or Dean of Students' SSN to post in the middle of campus.... it's only fair, right?
Apparently being a subscriber does not help!
YOU FAIL IT!
Glad I wasn't accepted. City College doesn't even have an internet connection. I'm feeling sooo safe.
... but the West Disk Exchange is far inferior to the big one in what used to be C. Walker's grocery. Plus, it's next to a great used book store (Book Eddy).
This has concerned me for quite a while. UT was very slow to change its policy regarding the use of the social security #. Up until a year or two ago, you could find papers outside TAs' offices with socials on them.. Probably still can..
A witty saying proves you are wittier than the next guy.
So what happens when these would be identity thieves find out my credit is maxed out with student loans?!@#
Doh! Don't you think college student and faculty SSNs aren't really the right crop to harvest?
But, while you're there, please fix up a few of those loans!
that March 2nd is Texas Independence day?
Could this be a politically- or culturally-motivated attack?
Funny how this security breach at Princeton never got the media attention it deserved:
http://www.ispep.cx/files/tucson.princeton.edu.tx
Mod this up as Informative...
Ever need an online dictionary?
The Indiana University School of Medicine was hit recently. Not just social security numbers, but medical records, too--everything you need to know to become someone else. All these poor folks were patients of their sleep clinic. I guess they have something else to keep them awake all night now...
-Scott Hutton
Has anyone asked what crap software they used? Did they pay good money to some corporate weasels to get software that was insecure out of the box? Sure, they should keep up with security issues and whatnot, but it helps if you stop buying crap.
My bet, and I have very good reason to suspect: PeopleSoft on Windows 2000 servers. This stuff can be cracked in no time.
This isn't an isolated incident, rather it's a trend. Big state universities are a target for hack attacks, unfortunately.
Kansas University was hit hard in late January. SEVIS (Student Exchange Visitor Information System; part of the Patriot Act) was pilfered.
Info here.
My id would start with a 1998 then...
I might finish my degree this Spring... my first one
In case this site gets slashdotted, here is the article:

Hackers steal vital data about UT students, staff
Officials say they are closing in on thieves; university will begin telling those affected
By Ralph K.M. Haurwitz
AMERICAN-STATESMAN STAFF
Thursday, March 6, 2003

Computer hackers have obtained the names and Social Security numbers of about 59,000 current and former students, faculty members and staff at the University of Texas at Austin in one of the largest cases of potential identity theft ever reported.

Authorities do not know whether the information has been put to illegal uses such as obtaining credit cards or withdrawing money from financial accounts.

Law enforcement officials were expected to obtain and execute search warrants late Wednesday in Austin and Houston at homes where computers are thought to have been used in the cyberspace break-in.

UT officials suspect the attack was carried out by a student or students, or by people living with students. They said the computer breach could easily have been prevented with basic precautions, adding that the incident will prompt them to redouble security measures and to accelerate a plan to phase out most uses of Social Security numbers on campus.

"We flat out messed up on this one," said Dan Updegrove, the university's vice president for information technology. "Shame on us for leaving the door open, and shame on them for exploiting it. Our number one goal is to get those data back before they get misused."

The incident comes at a time of growing concern about identity theft on college campuses. Many universities, including UT, use Social Security numbers as student identifiers, and the numbers are therefore found in many records. UT students have complained about the practice.

The ranks of current and former UT students, faculty and staff include hundreds of thousands of people.

University officials scrambled Wednesday to figure out how to advise those whose information was stolen. Some who are no longer affiliated with the university might not be reachable at the phone numbers and addresses on file. The university has set up a Web site -- www.utexas.edu/datatheft -- where it plans to post information. A telephone hot line will also be established, possibly staffed round the clock seven days a week, said Don Hale, vice president for public affairs.

The theft was discovered Sunday evening by administrators of university computer systems conducting routine checks, Updegrove said. They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.

Besides names and Social Security numbers, the hackers obtained e-mail addresses and, for some current faculty and staff members, office addresses and phone numbers. No grade, health or benefit records were obtained, Updegrove said.

Computer system logs indicate the information was seized by a computer in Austin on Feb. 26, Feb. 27 and Friday, and by a computer in Houston on Saturday and Sunday, he said. It's likely that the intrusions from Austin and Houston were done by the same person or people, he added.

The compromised database contains training records on UT staff. However, it has a connection with a broader list of current and former UT students, faculty and staff. The thief or thieves used a computer program to query the UT database with 3 million potential Social Security numbers, resulting in about 59,000 successful matches, Updegrove said. "It was just a brute force attack on the system," he said.

Updegrove said the UT records should never have been accessible to anyone off campus or to anyone who is not an employee supervisor. He said he did not know how such a serious violation of security procedures occurred, or why it was not discovered in periodic systems checks. He did not know how many years the database has existed.

"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them." Those shortcomings will be examined in depth, but the more urgent task is to track down the perpetrators and recover the data, Updegrove said.

To that end, the university has reported the theft to the FBI, the Austin Police Department, the Travis County district attorney's office and other authorities.

"This could have grave consequences, so fast action is important to prevent further harm," said District Attorney Ronnie Earle. "The public integrity unit with the district attorney's office is working in partnership with the U.S. attorney's office on this case."

Updegrove defended the university's decision not to announce the theft right away, thereby leaving the 59,000 people unaware that their information was compromised. It took time to understand the dimensions of the theft, he said. In addition, when it became apparent that the theft originated from two locations, university officials focused on lining up law enforcement help in trying to seize the rogue computers, in hopes that any dissemination of data by the thieves could be prevented. Disclosing the theft widely at the outset might have put that plan at risk, he said.

Identity theft is a rapidly growing crime in which someone obtains key pieces of information such as Social Security and driver's license numbers to obtain credit, merchandise and services in the name of the victim, according to the Identity Theft Resource Center, a nonprofit group based in San Diego. "The victim is left with a ruined credit history and the time-consuming and complicated task of regaining financial health," the center reports on its Web site.

rhaurwitz@statesman.com; 445-3604
A click on the travel.fp3 file listed a couple hundred SSNs. It was completely wide open.
UT made it sound like a deliberate attack, but it looks to me more like administrative incompetence (and cya).
Think about it, if NASA has computers that are 20+ years old doing mission critical calculations, what do you think THIS would be run on? The keys would stay the same while computing power got cheaper and cheaper until the Game Boy XL27B has enough power to crack the keys between games of Super Hyper Japanese Fighting Robot Training Farmers
Banaaaana!
They're quite aware of this and last I heard we were going to switch from SSN to what we use for our student services login which (in my case) is just lastname + first + arbitrary digit(s). It should be a tad better.
Responsibly? THEY WEREN'T GOING TO TELL ANYONE until the AAS called them on it. As a former UT grad I'm not at all surprised. Not at all.
It's not a defeat, it's just that all corporations and institutions do things this way (using the SSN, having poor security, etc.) because it's cheap.
The guarantee of "if something bad happens we'll fix it for you" is given, but all burden of time, proof, investigation, research and argument falls on the consumer. The catch is that the consumer often doesn't have the time or money to do that without serious hardship. Yet the corporations are absolved of all responsibility for your lost opportunities while you fight to prove that your credit rating has false entries on it, etc. Even a simple two-week hold put on a bank account while you dispute an address change or fraudulent charge is a serious hardship for many.
An ID card of any sort doesn't matter; those are easy to fake. The entire financial security of most people in this country rests on their widely-distributed SSN and their mailing address or possibly their mother's maiden name. That's not likely to change so long as it's always "somebody else", statistically insignificant, that gets screwed. Raise ID theft crime enough and watch heads start rolling and stupid laundry-list ideas (like extra ID cards) start flying.
Then there was the amusing experiment where a bunch of Germans managed to fool retina scanners using printed images of eyes that could be taken at a reasonable distance with a camera.
Xix.
"Everything is adjustable, provided you have the right tools"
Anyone know which OS is involved?
pr0n - keeping monitor glass spotless since 1981.
Is there any legal action that the affected individuals can take against UT?
I'm a student at UT-Arlington, the next largest school in the UT System. Last October our Student Congress passed a resolution I wrote asking them to basically make it easier for students to be able to request to no longer use their Social Security Numbers as their ID # - UTA currently has a system in place where you can request to use a randomly generated ID# instead of your SSN, but no one knows about it and they don't advertise it or make it easy.
The administration's response was "Come Summer 2005, when we have our new Student Information System, we won't use anyone's SSN" but that in the meantime, we're screwed because they weren't going to change anything.
A month ago I discovered the 'secure' portion of the Housing department's website had been indexed by Google, including the ID # (Social Security Number) of all 1200+ residents living in the on-campus dorms. This highlighted the need for the immediate cessation of collecting and storing SSN's, so I've introduced a follow-up resolution our Student Congress is looking to pass soon basically demanding each department document every way they use SSN's and the security measures in place to protect them, after which we want a committee of students and faculty to go through the documentation and approve or deny their use and storage of the SSN's.
Our school paper, The Shorthorn (www.theshorthorn.com) is supposed to do a story in tomorrow's (Friday's) issue concerning the leak at UT-Austin and the fact that administrators so far at UT-Arlington are ignoring the need to provide security for SSNs NOW, and not just in 2005.
It should be interesting to see if the administration has finally 'seen the light' and will listen to us, this time.
Gonna add that? Name is public too.
The Cato Institute has a long study (actually an excerpt from a book -- see link below) documenting the systematic increase in the use of the SSN as a national identifier. A summary of the paper is here or you can just grab the 166kb PDF
For the click-shy, here's the text of the executive summary:
To combat terrorism, Attorney General John Ashcroft has asked Congress to "enhance" the government's ability to conduct domestic surveillance of citizens. The Justice Department's legislative proposals would give federal law enforcement agents new access to personal information contained in business and school records. Before acting on those legislative proposals, lawmakers should pause to consider the extent to which the lives of ordinary Americans already are monitored by the federal government.
Over the years, the federal government has instituted a variety of data collection programs that compel the production, retention, and dissemination of personal information about every American citizen. Linked through an individual's Social Security number, these labor, medical, education and financial databases now empower the federal government to obtain a detailed portrait of any person: the checks he writes, the types of causes he supports, and what he says "privately" to his doctor. Despite widespread public concern about preserving privacy, these data collection systems have been enacted in the name of "reducing fraud" and "promoting efficiency" in various government programs.
Having exposed most areas of American life to ongoing government scrutiny and recording, Congress is now poised to expand and universalize federal tracking of citizen life. The inevitable consequence of such constant surveillance, however, is metastasizing government control over society. If that happens, our government will have perverted its most fundamental mission and destroyed the privacy and liberty that it was supposed to protect.
If you're curious, I originally bumped into this somewhere in Bill Moyers' archive
- a somewhat A, AC
In their newswire, Salon titled this story, "Computer crackers steal students social security numbers."
I thought the Slashdot community would appreciate Salon getting the terminology right on this one. It may seem like a silly point to some, but the distinction between "cracker" and "hacker" is huge in my mind, and it always makes me happy to see a journalistic outlet get it right, for a change.
I agree wholeheartedly that the abuse of SSN is a problem. However, realize that most US educational institutions will assign you another unique student ID which is not your SSN; it is not impossible to dodge their use, and if you truly care about your security you will never use this number except when forced to. You have the right to protest its use otherwise, but consider that this distinguishing characteristic may not be so good socially--the people around you might not be quite as apt to understand your rabid protection of this number, even if many of the more privacy-oriented do.
Moreover, as much as it is claimed (and perhaps rightly) that "the system" wants you to use this one unique identifier, there is a definite advantage to having an easy-to-remember number associated with almost everything, instead of separate account and unique personal identification numbers. However, some privacy experts agree, as do I, that the SSN should only be used for, well, Social Security when possible. Looking at that aforementioned letter, I find a passage which states that "from a technical viewpoint, the SSN is not a good identifier. It is not unique, [and] there are multiple users of a single SSN". While I can find no proof of this assertion elsewhere, I have heard anecdotally of people who used Richard Nixon's SSN throughout college (567-68-0515)--the results are obviously mixed. Overreliance on this number poses an undue threat to college students who, frustrated by this kind of wholesale theft which could lead to troubling financial consequences should the perpetrator preserve a copy of the data, might turn to forging SSNs--an OK idea until you get caught at it.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Can he tell the difference between a real ID and any old fake one that can be had for $20? Green cards, drivers licenses, passports, what have you; if the government can print it, so can a forger. That's why so many institutions used SSNs: it was unlikely that a forger would know the SSN that matched a name. Yet its widespread use by the clueless, such as UT, is the downfall of its use. Fewer people will trust SSNs as a unique identifier and the government will have to implement some other form of difficult-to-forge and difficult-to-know identifier.
Friends don't help friends install M$ junk.
And the US thinks it can stop the "infrastructure of terrorism" by freezing the assets of a few charities. Bah. If we can't get a grip on our own record and banking systems, the money will continue to flow. TIAA is a distraction at best, another place to lose information at worst, and a waste of resources either way.
Hmmm...caught stealing data in Texas. Isn't that a death penalty or at least a castration offense? That'll get the guy to reveal who he's given the data to.
From the UT Datatheft homepage as of 11:13 Central on 6.6.2003.
;)
Data Theft Incident Response: Latest News
From the moment of discovery, much work has gone into identifying the perpetrator(s) and impounding their equipment. This work has involved the vigorous participation of federal and local law enforcement officials. Search warrants were served the evening of March 5. More information on the ongoing investigation will be forthcoming.
Within a few days, we expect to know more about whether the stolen data went anywhere beyond those who captured it.
We will contact individuals whose social security numbers were stolen with information about the level of risk when the risk is evaluated. We will help each such person to take protective steps.
Wheeeee.. Hopefully the skinbeef didn't buy a Jaguar with my credit before the Federales nabbed his/her ass.
The way this sounds, there was a web page accessible to the internet that you could look up some information about 'yourself' by entering 'your' student ID #. If the person who wrote a script to harvest information stole 55,000 records, do they define theft to mean any access that is not using your own SSN? That's very much akin to having a bucket of mints next to the cash register at a restaurant... you generally take one on the way out, but some people take three or four. Or 55,000. Free within limits? Social customs do not apply on the internet.
...And whoever wrote that web page should be held responsible for the attack. He may as well have opened the vault at Fort Knox and held a bank robber convention on the grounds.
Whoever the script kiddie was, he deserves an accolade for a dumb, brute force attack. Had he made one query an hour, we'd never know about the security breach and there'd be no warning about all the identity theft, and the system would go unfixed.
Any connection between your reality and mine is purely coincidental.
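The post above makes the point that a harvester who paced itself at one query an hour would never have tripped anything, and the article quoted earlier says the UT script walked 3 million numbers over a few days from two machines. The following is an added example (not code from the page, the poster or UT) of what the application's own access logs could have been checked for. It assumes an Apache-style access log for a hypothetical lookup page /training/lookup?id=NNNNNNNNN that answers 200 on a match and 404 otherwise; the path, the parameter name, the status convention and the thresholds are all assumptions of this example, and the log lines it runs on are constructed inline. A pure rate threshold catches the fast client; counting how many distinct identifiers one client has ever asked for (a legitimate user looks up one record, their own) is what still catches the slow one, and the 404-heavy miss rate flags both.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log shape: Apache-style access log for a hypothetical lookup page
# /training/lookup?id=NNNNNNNNN that answers 200 when the number matches a
# record and 404 when it does not. The path, parameter name and status
# convention are assumptions of this example, not UT's real application.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
ID_RE = re.compile(r"[?&]id=(\d{9})\b")


def parse_line(line: str):
    """Return (client_ip, timestamp, looked_up_id, status), or None for lines
    that are not identifier lookups."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = ID_RE.search(m["path"])
    if not q:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, q.group(1), int(m["status"])


def detect_enumeration(lines, window=timedelta(seconds=60), burst_ids=20,
                       max_distinct=5, min_queries=10, miss_rate=0.5):
    """Three independent signals per client IP:
      burst             - more than burst_ids distinct identifiers inside one sliding window
      many_distinct_ids - more than max_distinct identifiers ever, regardless of speed
      high_miss_rate    - after min_queries lookups, at least miss_rate of them were 404s
    Returns {ip: sorted list of signal names} for flagged clients only."""
    recent = defaultdict(deque)               # ip -> (ts, id) pairs inside the window
    seen = defaultdict(set)                   # ip -> every id it has ever asked for
    totals = defaultdict(lambda: [0, 0])      # ip -> [queries, misses]
    alerts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, ident, status = rec
        dq = recent[ip]
        dq.append((ts, ident))
        while dq and ts - dq[0][0] > window:  # expire entries older than the window
            dq.popleft()
        if len({i for _, i in dq}) > burst_ids:
            alerts[ip].add("burst")
        seen[ip].add(ident)
        if len(seen[ip]) > max_distinct:
            alerts[ip].add("many_distinct_ids")
        totals[ip][0] += 1
        if status == 404:
            totals[ip][1] += 1
        queries, misses = totals[ip]
        if queries >= min_queries and misses / queries >= miss_rate:
            alerts[ip].add("high_miss_rate")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


def _line(ip, ts, ident, status):
    """Format one constructed access-log line in the assumed shape."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET /training/lookup?id={ident} HTTP/1.0" {status} 512')


def sample_log():
    """Constructed traffic: one legitimate user, one fast enumerator, one slow one."""
    cst = timezone(timedelta(hours=-6))
    t0 = datetime(2003, 2, 26, 21, 0, 0, tzinfo=cst)
    events = []
    # legitimate user: looks up the same record twice
    events += [("10.1.1.20", t0, "449319850", 200),
               ("10.1.1.20", t0 + timedelta(minutes=5), "449319850", 200)]
    # fast enumerator: 60 consecutive numbers in 30 seconds, about 2% of them real
    events += [("10.2.2.2", t0 + timedelta(seconds=k // 2), str(449319800 + k),
                200 if k % 50 == 0 else 404) for k in range(60)]
    # low-and-slow enumerator: one number per hour for 30 hours
    events += [("10.3.3.3", t0 + timedelta(hours=k), str(451123200 + k),
                200 if k % 25 == 0 else 404) for k in range(30)]
    events.sort(key=lambda e: e[1])
    return [_line(*e) for e in events]


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(sample_log()).items():
        print(ip, ", ".join(reasons))
```

On the constructed log the fast client trips all three signals, the slow client never exceeds the per-minute threshold but is still flagged for asking about 30 different identifiers and for its 404 ratio, and the legitimate user is not reported. The distinct-identifier count is the cheap check worth keeping even where rate limiting exists, since a lookup page where a single client is expected to ask about one record has no legitimate reason to see dozens.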
I have had face to face contact with criminals who penetrated hospital computer systems. They had full employee access to programming facilities at Kaiser HMO, unlike hackers who do their work remotely. In one set of incidents, I was scheduled to look for billing and medical records discrepancies at Kaiser, one of America's largest HMOs, when a gunman fired in my direction with a sawed-off shotgun. A few weeks later, the first of many explosions was set off in a building where I was, across the street from one of the Kaiser Permanente hospitals. I received death threats and was subjected to intimidation by the HMO's own employees to discourage me from talking to auditors. In another incident, one of them intercepted copies of a report I had prepared, tearing off pages, lying to me about it, and refusing to provide me pertinent information. This specific report included a warning of problems at Kaiser involving hospitalizations and billing discrepancies.
According to an article in an AMA publication, "The University of Washington Medical Center, after some prodding, acknowledged that a hacker had infiltrated its computer system last year, stealing confidential records of thousands of patients . . . The intrusion at the University of Washington Medical Center was first reported on Dec. 6, 2000, by SecurityFocus.com, a Web site devoted to security issues. The academic teaching hospital initially disputed the report as 'completely inaccurate.' It acknowledged that it had detected and stopped an attempt to hack into its system last summer. It denied that the hacker had gained control of its network and said it had no evidence that any records had been stolen. But the center changed its account the next day after Seattle journalists got samples of the stolen records and presented them to the medical center for verification." (Excerpted from the article "Security breach: Hacker gets medical records" appearing in "American Medical News," a publication of the American Medical Association, published January 29, 2001.) In another incident involving billing fraud at the University of Washington hospital, articles described a climate of fear which had been imposed to cover up criminal acts.
An article published by MSNBC on November 12th states that, "More than any American business, health care is one where fraud is rampant, simple and, by most accounts, about to get a lot more common . . . Unlike today's arcane accounting scandals, these involve out-and-out stealing . . . . The schemes are so lucrative that they've drawn criminals in the drug trade and Russian mafia. All of this raises a question: Why does the system make it so simple? . . . There are 4 billion health-care transactions every year worth a total of $1.5 trillion. Of that, experts say, between 3% and 10% is fraud, an amount unheard of in other industries."
I want to shine a bright light on criminals in medical data processing. Please visit "Criminal Activity at Kaiser HMO Hospitals Computer Center" at http://home.earthlink.net/~jimristrem/
This brings back memories.
When I was at UT Austin in the early '90s, I wrote a little screen-scraper to grab the contents of the UTCAT student directory. This included the name, address, and phone number of every student, excluding those students who had opted to keep their personal information private. Once I had captured the whole directory, I put it in a gzipped text file and stuck it in my home directory in the CCWF Solaris cluster. I also made the file world-readable and told folks about it.
The University didn't like this. They tried to get me to remove the file, and claimed that I had broken some rules by capturing the information. The University also claimed that the information was protected by copyright. A lawyer who happened to be following my case on the UT newsgroups informed me that the information was public under the Freedom of Information Act. When I explained this to the University, the bullying stopped.
I later discovered that UT's Data Processing Department earns revenue by selling lists of students to businesses. Under the FOI Act, the information is public, but the University devised a way to make money anyway... UT provided the information on "standard" magnetic tape reels, and under the Act were allowed to charge a processing fee for copying the data to tape. The presence of a copy of the file on the public internet posed a threat to this revenue.
No charges were filed by the University against me, but the encounter did make it difficult to get a job in the computing center for which I was otherwise very qualified.
After my screen-scraping adventures, other more qualified people refined and greatly sped up the process. One thing I always wanted to do (but never had time for) was to capture all of the public information. UTCAT contained only a part of this. More information on each student, including department, permanent address, and email address, is also considered public. These additional pieces of information are available via UT's X500/LDAP server. It wouldn't take much effort to capture and include this additional information.
People are a bit paranoid about "hacking" these days. It sounds like this student exposed a glaring weakness in the way non-public information was being handled at the University. I wouldn't really call it hacking, and there's no evidence that it was malicious. Even if he meant no harm, though, because the information exposed was not public information, he should have alerted UT to this weakness rather than try to exploit it.