Slashdot Mirror


UT Austin Hit By Massive Security Breach

mrpuffypants writes "Reported in the Austin American-Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."

36 of 508 comments

  1. Clarification? by binaryDigit · · Score: 4, Insightful

    The UT link appears to be /.ed, but when I read it before it sounded like a simple brute force SSN lookup. The attacker simply generated random SSNs and sent them against a page that returned information based on SSN. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.

    On another note, UT is phasing out SSN in many aspects of the students' lives. My wife's UT ID does not contain her SSN, it has a student # now. Though I assume that there are still many points of interface with the UT system that expect to see SSN.
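    The lookup-and-harvest pattern described in the comment above is a plain enumeration problem, and the two controls the comment says were missing are what a defender would add first: detection of one client making many lookups in a short window, and per-client throttling. The Go program below is an added example written for this page, not code from the thread or from UT; the access-log format and the sample log lines are constructed for it, and the looked-up values themselves are never logged or needed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample of a hypothetical access log for a lookup page like the one
// described above; assumed format: <RFC3339 time> <client> result=<hit|miss>.
// The looked-up value is never logged: who asked, and when, is all the detector needs.
const sampleLog = `2003-03-02T01:00:00Z 10.0.0.7 result=miss
2003-03-02T01:00:02Z 10.0.0.7 result=miss
2003-03-02T01:00:03Z 192.0.2.10 result=hit
2003-03-02T01:00:05Z 10.0.0.7 result=miss
2003-03-02T01:00:07Z 10.0.0.7 result=hit
2003-03-02T01:00:09Z 10.0.0.7 result=miss
2003-03-02T01:00:40Z 192.0.2.10 result=hit
2003-03-02T01:00:50Z 10.0.0.7 result=miss`

// parseLog groups request times by client; a malformed line is an error, not silently skipped.
func parseLog(raw string) (map[string][]time.Time, error) {
	byClient := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || (f[2] != "result=hit" && f[2] != "result=miss") {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		byClient[f[1]] = append(byClient[f[1]], t)
	}
	return byClient, nil
}

// flagEnumerators returns, sorted, every client with at least threshold lookups inside
// some window of the given length. Misses count like hits: a guesser produces mostly misses.
func flagEnumerators(byClient map[string][]time.Time, window time.Duration, threshold int) []string {
	var flagged []string
	for client, times := range byClient {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		for start, end := 0, 0; end < len(times); end++ {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, client)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Throttle is the per-client token bucket the page lacked: burst requests may be served
// at once, then one more per refill interval. A refused request must get the same
// generic answer as a miss, so the throttle itself never becomes an oracle.
type Throttle struct {
	burst  float64
	refill time.Duration
	tokens map[string]float64
	last   map[string]time.Time
}

func NewThrottle(burst int, refill time.Duration) *Throttle {
	return &Throttle{float64(burst), refill, map[string]float64{}, map[string]time.Time{}}
}

func (th *Throttle) Allow(client string, now time.Time) bool {
	// A never-seen client has a zero last-seen time, so this refill fills its bucket.
	th.tokens[client] += float64(now.Sub(th.last[client])) / float64(th.refill)
	if th.tokens[client] > th.burst {
		th.tokens[client] = th.burst
	}
	th.last[client] = now
	if th.tokens[client] < 1 {
		return false
	}
	th.tokens[client]--
	return true
}

func main() {
	byClient, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged as enumerating:", flagEnumerators(byClient, 30*time.Second, 5))
	th := NewThrottle(3, 10*time.Second)
	for _, t := range byClient["10.0.0.7"] {
		fmt.Println(t.Format(time.RFC3339), "10.0.0.7 served:", th.Allow("10.0.0.7", t))
	}
}
```

    The window and threshold are deliberately parameters: a registrar's page sees a handful of lookups per person per day, so five in thirty seconds from one client is already far outside normal use. Keying only on source address is blind to a guesser spread over many addresses, so the same window count is worth keeping per session or per account as well, and the detection and the throttle belong on the server side of the page, never in the client.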

  2. Changing GPA by robi2106 · · Score: 2, Insightful

    Reading the article (as I am sure everyone already has), would tell you that the information was not tied in to any student grades. Two different systems / databases.

    This does mean a spammer has a few thousand live accounts of young (read: target audience) college students (read: active email users).

    That is bad in more ways than one.

    robi

  3. Re:All they got... by stoolpigeon · · Score: 4, Insightful

    They'll get the rest later using the SSN. That and a name are often all you need. Who cares about grades- when they know who you are and have your social you are screwed.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?

  4. It's OK! by Anonymous Coward · · Score: 1, Insightful

    Slashdot response: (taken from front page)
    "I imagine they will eventually raid some domestic homes and make a scapegoat of some unfortunate teenagers."

    Not a difference in my opinion. You might feel different if you were personally affected too. Hackers get what they deserve regardless of age.

  5. SSN as ID number by TPIRman · · Score: 3, Insightful

    While my university doesn't use the SSN for our student ID number, it still asks students to put it on countless forms and enter it into countless databases. It's always made me uneasy, and I hadn't even thought of the potential for a computer break-in. Rather, I was unsettled that any student worker who checked out a book for me at the library could see my SSN on his screen after scanning my ID card.

    But nothing wakes up a university -- especially a state school -- like the threat of litigation. If the cracker followed up and committed full-scale identity theft, the students would have grounds for a lawsuit against the school. Consider the recent New Hampshire lawsuit that dealt with SSNs and other personal information. With the potential for bloodthirsty lawyers, universities might finally get serious about protecting their students' information.

  6. and this system was on the internet because ? by Anonymous Coward · · Score: 1, Insightful

    they thought it would be cool, or because they wanted me to r00t it ?

    thanks,
    fluffy bunny

  7. `Recapturing'? by TKinias · · Score: 4, Insightful

    UT says:

    > UT, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data.

    Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.

    `Ah, cool, we've managed to delete the copy they made of our data.'
    (whispers)
    `Another copy? How many copies did they steal?'

    --
    In principio creauit Linus Linucem.

  8. Re:What's the big panic about SSNs? by jaymz666 · · Score: 2, Insightful

    Because EVERYTHING is tied to it. Should someone get a hold of your SSN they can get a credit card in your name, or whatever.

  9. What the? by Baracus · · Score: 2, Insightful

    Hold on, why were UT's internal data reporting systems hooked up to the internet? I thought sensitive information like this was only exchanged over secure intranet and stored in systems with no access to public networks?

  10. Re:What's the big panic about SSNs? by Fulcrum+of+Evil · · Score: 3, Insightful

    > Why are Americans so paranoid about who knows their SSN?

    Because I can use your SSN to apply for a credit card in your name and then, when the bill comes due, it falls on your head (until you explain that that wasn't actually you). Then I can do it again.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"

  11. Re:Penalties by GuyMannDude · · Score: 2, Insightful

    > Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

    I would imagine that under such a system, no organization would ever admit to being cracked since they would be financially liable. And having some third-party prove that the organization was cracked without access to the computer records would be quite a feat.

    GMD

  12. Student Numbers = SSN by vasqzr · · Score: 2, Insightful


    You've got WAY more to worry about than hackers.

    ANYONE who works in the offices (especially student workers) can get this information. Admissions? Financial aid? All of these people could find enough info out about you to get a credit card in your name or go down to Circuit City and buy a big screen.

    Just like the people who worry about their credit card being stolen from shopping online - you've got a better chance of the guy working at the mall going through receipts, or the waitress at Hooters when she takes your card up to pay the bill.

  13. Re:What's the big panic about SSNs? by joebp · · Score: 5, Insightful

    > Should someone get a hold of your SSN they can get a credit card in your name, or whatever.

    I think I see where the problem lies.

    It's like security through the obscurity of these numbers.

  14. SSN issue by Anonymous Coward · · Score: 1, Insightful

    Even if the school didn't use SSN as a student ID number, there are many reasons why the school needs to know a student's SSN. Financial aid, and "selective service", to name two.

    So the fact that the university uses SSN as a student ID number is only interesting at best. I bet if they used a different ID for "university ID", they'd STILL have the student's SSN in their records.

    In any case, any organization that uses the knowledge of a person's SSN as a means of "security" doesn't know anything about security.

  15. Re:What's the big panic about SSNs? by jaymz666 · · Score: 2, Insightful

    Essentially, yes. It's a retarded system. It all hinges on an SSN, that can easily be stolen.

  16. Which head will roll? by plaidlad · · Score: 2, Insightful

    Currently the State of Texas is in the middle of some staggering budget shortfalls (as are most of the other states in the US). One state-funded entity that is looking at a shrinking budget is the UT system.

    Here's what I'm wondering: How do the powers-that-be, whether elected officials or University administrators, or the public for that matter, expect that security breaches like this are to be avoided when there is little to no budget to prevent them?

    The agency that I work for, and many others, faces increasing scrutiny by the state legislature and must undergo budget cuts, hiring freezes, and potentially the loss of staff to meet the State leadership's plans. As a result, we've already lost funding not only for basic needs already planned for, but also for what are known as "exceptional items" or those items that we see a need for outside our normal budget.

    I understand the argument that "Hey, we need Police and health protection before you get new computer software!" but let's get real. Those are the same folks who will be panic-stricken when their SSNs, or other personal info are stolen by crackers when agencies are broken into. And woe to the poor SysAdmin who couldn't work magic with a non-existent budget to prevent it...

    I'm a taxpayer too, mind you, but how can we expect State and Federal agencies to protect their resources without security being made a priority and funded as such... :P

    --
    "Of course I'm wrong... That's how I get to 'right'." - Gil Grissom

  17. Re:At least the University is acting responsibly.. by lucabrasi999 · · Score: 2, Insightful

    > I am sure some heads are gonna roll

    Have you ever worked for a non-profit? It's pretty hard to get fired. People that work for non-profits tend to fall into the "touchy-feely" category. Imagine taking a corporation's HR department and staffing every single position throughout the non-profit with that type of personality. In other words, if you see ".gov", ".org", or ".edu", don't expect normal organizational behavior.

    Even so, if there ever was an event that deserved a massive firing, this is it. Here's hoping my company doesn't pick up the newly unemployed.

  18. Re:Action by Gossy · · Score: 3, Insightful

    Why is it such a hassle for Unis to generate their own unique IDs for students?

    As I understand, the SSN isn't even a *good* unique identifier - for one thing it has no built-in checksum, and it's possible that your number isn't unique (could be wrong on the latter, but it's not really my point..)

    Just issuing consecutive numbers to students who enrol is just one extremely simple way to replace using SSNs.

    My bank issues me a number that identifies my account, my mobile phone company gives me a number to identify my phone, why is it so hard for unis to issue numbers to identify students?

    Why were the unis in Washington so unhappy with the change? Sure, a few thousand people need to be given numbers and that can take a while to physically issue - but if the law allowed, perhaps a phased implementation of the scheme, so new people are given one of the new numbers?

  19. Re:Slightly OT - choice of credentials by Greyfox · · Score: 4, Insightful
    Because every company on the planet uses the number to identify you. When you apply for a loan, a driver's license, a credit card or insurance, the Social Security number is all they need. Given yours, I can request a car or home loan in your name, get a nice fat check and skip out of town or out of the country. And you might not ever know about it until the credit collectors catch up with you, you're denied credit or you don't get a job when they run a credit check on you. Assuming they even tell you your credit history is why they didn't hire you. Many employers ignore the laws stating that they have to tell you if that's why they don't hire you.

    If someone is using a driver's license acquired in your name with your social security number, they could very well build up a criminal record in your name in some other state. A routine traffic stop could then lead to you getting arrested.

    With that in mind, if someone asks you what yours is, the first thing that comes out of your mouth should not be that number. It should be "I don't think you need to know that information." Note that in the historical past (I don't know if this is still true) if you knew someone's name and birth date, you could use an Internet information service to find out their social security number and criminal history.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  20. Foreigners screwed? by howler.fi · · Score: 2, Insightful

    I worked at UT Austin for a semester in '01, not sure if my SSN was compromised or not. I know there have been and are a lot of non-US students and faculty at UT Austin... What are the chances that one of our SSNs is going to get misused as a result of this and land us in trouble at some point with Homeland Security, INS, or the like?

  21. Re:Penalties by Minna+Kirai · · Score: 2, Insightful

    > there should be penalties for the hack-ee

    There is already a penalty of sorts- any corporation victimized in this way will get a big overtime bill from their IT department as it patches the holes and audits the damage. They also claim to lose revenue for the period the systems were offline.

    Look at the huge dollar amounts of "damage" that companies quote when they suffer a "hacker attack". Those are big losses- it must be some kind of punishment.

    Now, one might say that amount of punishment isn't a sufficient deterrent against poor security, because corporations so far haven't invested enough in prevention.

    Are there approaches the government could take to increase the magnitude of that punishment? Yes, two ways:
    • Declare that knowingly running an insecure server is a public safety violation. Fine administrators who do this. (This requires more effort from police and lawyers. Maybe someday it will happen)
    • Spend less government effort pursuing "hackers", and reduce the legal repercussions once they're caught. This would permit freelance hackers to mete out more punishment towards insecure corporations by attacking them more often. (This reduces the current government expenditures on enforcement and prosecution. But, it'll never happen)

  22. Re:What's the big panic about SSNs? by wideBlueSkies · · Score: 4, Insightful

    1. Please mod the parent as insightful. (Or even funny). This is the best description of the problem I've ever heard.

    2. It's an antiquated system. Back in the day, before massive amounts of information were available on computer, you'd occasionally hear about a guy whose number was stolen. It's a bad thing, but it was a rarity. The system worked because your number was secret, and there were few real ways to get it.

    These days, SSNs are being compromised by thousands at a time. This is a broken system, and it should be fixed.

    Perhaps thumbprints or retinal scans as a system of identification. But if you think about it, this leaves us with the same problem. The retinal or thumb image needs to be kept somewhere for the purposes of comparison. The files can be stolen just as easily as SSNs.

    Maybe there is no solution.

    --
    Huh?

  23. Honey pot by oxfletch · · Score: 3, Insightful

    What we need is a honey pot full of fake SSNs ... when people try to use them (obviously stolen), the Feds go round and arrest the bastards.

  24. Re:What's the big panic about SSNs? by TuxGrep · · Score: 3, Insightful

    Hm. So I need only your name and your SSN ??

    Djeez. No wonder you all need a homeland security office and ultraparanoid officials everywhere, if the underlying 'security' mechanisms are SO easy to break.

    It may surprise some of you but in the rest of the world you actually need to show some real identity document, like a passport or drivers license, to get anyone to actually trust your identity.

    Maybe something to implement in the next, say, 20 years in the great USA ?

    Yeah. This sounds like a flame. So sue me. Another thing US residents seem to be really good at ;-)

  25. Re:What's the big panic about SSNs? by ClipDude · · Score: 3, Insightful

    > Again, it might surprise some of you ;-), but this is exactly the reason you can only apply for a credit card (loan, mortgage, etc) IN PERSON.

    That's funny. Those ten or so credit card applications I get in the mail each week say nothing about coming to see them IN PERSON.

    --

    The DMCA--for corporations, the best copyright law money can buy.

  26. Re:What's the big panic about SSNs? by KsQuasar · · Score: 2, Insightful

    SSNs were originally designed to only match workers with government Social Security benefits. They were never intended to be the all pervasive ID that they are used for now. However, because of the uniqueness of the SSNs across the country, many/most organizations began to use the SSAN as an identifier/authenticator instead of trying to develop their own systems. And, here we are today...

  27. Re:Action by Tokerat · · Score: 2, Insightful


    In Massachusetts, it is also illegal to use a student's social security number as identification.
    So instead, they label it a "Student ID Number" and remove the dashes before they print it on the card. Somehow, that makes it legal.

    And in this same world, I can go to jail for backing up my DVDs. Excuse me while I puke all over my keyboard.

    --
    CAn'T CompreHend SARcaSm?

  28. crypto is a solution by Anonymous Coward · · Score: 5, Insightful

    There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)

    Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:

    My name is John Doe, and my social security number is 987-65-4321. I hereby authorize CreditCards-R-Us to issue me a credit card linked with my social security number.

    Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.

    Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:

    1. Third-party institutions don't have much incentive to guard your secret well. Many of them will do their due diligence in guarding it, but the bottom line is that it's just not their ass on the line, so they won't try really hard. Even if they mean well, they're a busy corporation or university or whatever, and they have other things to get done.
    2. If you are forced to give out your secret to get anything done (for example, register for classes), over time lots and lots of organizations will get (and store) a copy of it. This is bad, because the probability that information will get stolen is pretty close to proportional to the number of people who have a copy of it!
    1. Re:crypto is a solution by Drakonian · · Score: 3, Insightful

      Yeah, until they look under your keyboard and see the sticky with your private key. The weakest link in security is often the human.

      --
      Random is the New Order.

    2. Re:crypto is a solution by slank · · Score: 2, Insightful

      This is waaaay too complicated. Your social security card should have two numbers on it:

      An identifier (000-00-0000) and
      An authenticator (AAA-AA-AAAA)

      The identifier can be used to uniquely identify you (until we reach a population of 1,000,001), and the authenticator can be used to authenticate your identity. Provide a public system that can be used to authenticate identifiers (perhaps something similar to what credit card networks use and well-logged/monitored for abuse). Banks, creditors, or even your university could access the system when appropriate. Make it illegal to store authenticators. Provide a system to allow you to (perhaps for a small fee) change your authenticator when your card gets stolen.

      This is, after all, a proven system that every slashdot reader uses regularly - good ol' username and password. And most people have already become accustomed to things requiring one, so it shouldn't be a difficult thing for the public to use.

    3. Re:crypto is a solution by ibennetch · · Score: 2, Insightful

      Dang -- typed up a huge reply and lost it. Since I'm too tired to re-type the whole thing; here's my summary:

      Most people aren't going to want to remember their password. What happens if someone loses their private key (misplaced, corrupt data...there are a ton of things that could go wrong.) It's hard enough for people to keep track of paper; much less a disk/USB keyring thing/whatever the private key would be on. Much less keep it safe from being stolen.

      Just a few thoughts. Users are pretty clueless; you'll either end up with "password" or a post-it note with the password written down taped on their monitors, stuck in their wallets, or under the keyboard. And people will be afraid of losing/breaking their private key and leave it at home; making an additional thing to remember when going for that new car, new job, bank transaction...

      That said, a private key system would be great because figuring out someone's SSN is amazingly easy, I'm sure. Many universities and colleges use them for student numbers, account logins (well, part of it anyway)...all I'd need to do is pay attention in line while picking up some financial aid papers, or paycheck, or registering for classes, or registering to graduate...the list goes on much longer than I'd like.

      Oh, yeah; what you said about third parties not having much incentive to keep it a secret is slightly wrong. My university doesn't care who finds it out. I'm tagged by my SSN no matter what I do (see a few examples above); it's printed on my paycheck and I'm required to write it on pretty much anything I send them. And I'm sure most universities are worse. Ugh!

    4. Re:crypto is a solution by Com2Kid · · Score: 2, Insightful

      Congratulations, you would add oodles of layers of complexity to the system, and the system would still have a single point of vulnerability.

      Namely the private key, which would be FUNCTIONALLY IDENTICAL TO THE SOCIAL SECURITY NUMBER, except with a ton of technology placed in between point A and point B.

      Number stolen, person still screwed, nothing changed. :)

      The real solution is for SSN#'s to stop being used as unique identifiers!
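    The scheme in comment 28 is, in today's terms, a signed authorization checked against a public directory of keys. The Go program below is an added example for this page, not code from the thread; it uses Ed25519 from Go's standard library, and the `Directory` type, the `Authorization` fields and the issued-at/expiry check are assumptions of this example rather than part of the comment's proposal. In code it also shows what the replies argue over: the verifier (CreditCards-R-Us) needs only public material, someone who knows the number but not the private key cannot produce a signature that verifies, and a tampered message fails too. What the code cannot fix is the reply's point about a lost or stolen key: a leaked private key is as bad as a leaked number, so the directory entry would have to be replaceable, which this example leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Authorization is the kind of statement the comment describes. IssuedAt is an
// addition (not in the comment) so a signed statement cannot be replayed forever.
type Authorization struct {
	Name, SSN, Recipient, Purpose string
	IssuedAt                      time.Time
}

// canonical is the exact byte string that gets signed; signer and verifier must
// agree on it byte for byte, so nothing is left to free-form text.
func (a Authorization) canonical() []byte {
	return []byte(fmt.Sprintf("name=%s\nssn=%s\nrecipient=%s\npurpose=%s\nissued=%s\n",
		a.Name, a.SSN, a.Recipient, a.Purpose, a.IssuedAt.UTC().Format(time.RFC3339)))
}

// Directory is the public lookup service the comment proposes: SSN -> public key.
// Only public keys live here, so a leak of the directory costs nobody anything.
type Directory map[string]ed25519.PublicKey

// Enroll generates a fresh key pair for ssn and publishes the public half. The
// private half goes back to the holder and is stored nowhere else.
func Enroll(dir Directory, ssn string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[ssn] = pub
	return priv, nil
}

func Sign(priv ed25519.PrivateKey, a Authorization) []byte {
	return ed25519.Sign(priv, a.canonical())
}

var (
	ErrUnknownSSN = errors.New("ssn not in directory")
	ErrBadSig     = errors.New("signature does not verify under the published key")
	ErrStale      = errors.New("authorization expired or not yet valid")
)

// Verify is what the recipient runs; it needs only the public directory and the clock.
func Verify(dir Directory, a Authorization, sig []byte, now time.Time, maxAge time.Duration) error {
	pub, ok := dir[a.SSN]
	if !ok {
		return ErrUnknownSSN
	}
	if !ed25519.Verify(pub, a.canonical(), sig) {
		return ErrBadSig
	}
	if a.IssuedAt.After(now) || now.Sub(a.IssuedAt) > maxAge {
		return ErrStale
	}
	return nil
}

func main() {
	dir := Directory{}
	priv, err := Enroll(dir, "987-65-4321") // the number from the comment's example message
	if err != nil {
		panic(err)
	}
	now := time.Now()
	auth := Authorization{"John Doe", "987-65-4321", "CreditCards-R-Us", "issue credit card", now}
	fmt.Println("holder's own signature:", Verify(dir, auth, Sign(priv, auth), now, time.Hour))
	// Someone who knows the number but not the key can only sign with a key of their own.
	_, impostor, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("impostor's signature:  ", Verify(dir, auth, Sign(impostor, auth), now, time.Hour))
}
```

    The recipient and purpose are inside the signed bytes on purpose: a signature authorizing one card issuer cannot be forwarded to another, which is the replay the comment's free-text message would otherwise allow.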

  29. Part of the problem is ... by Skapare · · Score: 4, Insightful

    Aside from the fact that the custodian of the information certainly has a lot to blame in this, there is another big part of the problem. That problem is what people can actually do with the information.

    An SSN is identity. It is nothing more than that. The problem is people make the incorrect assumption that it is authenticity (I can recite the number, or read it off a little card in my wallet, so it must be me), and authority (this account has your SSN and is overdrawn, so you are liable for it).

    If any law change is needed, it is a law change that says that it is illegal for an SSN to be accepted for any purpose other than identity. What that means is that if I walk into a bank and open an account citing some SSN, the bank needs to understand that all this does is identify someone, and not necessarily me. If the bank causes harm to the real owner of the SSN by having provided any derogatory credit information based on that SSN, then the bank shall be fully liable for having not taken reasonable measures to ensure accuracy of information. And by that, what I mean is that the bank can't simply say that the victim needs to track down the perpetrator to cover the costs. The banks need to be forced to properly authenticate the information they use, especially when and where it might be used in a negative way.

    And I don't mean to pick on banks (I just happen to have an open case with Chase Manhattan bank which continues to allow someone to operate a credit card account with my SSN, reported on my credit reports, without my consent, and after I have advised them of the fraud). Such a law should apply to anyone and everyone who accepts and uses SSN data for anything. It's the negative things that can be done (like bad credit info) that need to be stopped (in addition to other stupidities like running computers insecurely and connecting systems to the internet that have no business being there).

    --
    now we need to go OSS in diesel cars

  30. Re:Action by Third+Normal+Form · · Score: 2, Insightful

    >My bank issues me a number that identifies my account, my mobile phone company gives me a number to identify my phone, why is it so hard for unis to issue numbers to identify students?

    Mostly because there wasn't enough of a vocal demand that the schools spend the time and money to do that.

    The student information systems that a lot of schools use are written by a small group of companies, and it takes a lot of time and effort to recode those (old, legacy based) systems to use something else as a key. My school just got an upgrade within the last few weeks that just now allows something other than the social security number for the ID.

    Thankfully, most states here in the U.S. are writing laws prohibiting the use of the SSN. I think this should have been done years ago, but it wasn't because there weren't enough people demanding it.

  31. Re:What's the big panic about SSNs? by Mr.+No+Skills · · Score: 2, Insightful

    The problem is not so much that a single, unique identifier exists. The problem is that so many organizations will blindly take that number and extend credit to anyone, with very little verification that the number belongs to them.

    Then, when fraud has been committed, they use that number to shut down the true number's owner and assign numerous penalties to them, when in many cases the incompetence is with the organization that extended the credit in the first place.

    We've set up a system where a handful of low level, poorly compensated clerks can destroy years of good credit history, either on purpose or by accident. The cost to clean up the mess is horrendous to the individual who most likely did nothing wrong. Authorities do little to catch those during this as it is often written off as the cost of doing business.

    --
    Sleep is for the Weak

  32. Salon gets it right by CleverNickName · · Score: 4, Insightful

    In their newswire, Salon titled this story, "Computer crackers steal students social security numbers."

    I thought the Slashdot community would appreciate Salon getting the terminology right on this one. It may seem like a silly point to some, but the distinction between "cracker" and "hacker" is huge in my mind, and it always makes me happy to see a journalistic outlet get it right, for a change.