Slashdot Mirror


UT Austin Hit By Massive Security Breach

mrpuffypants writes "Reported in the Austin American-Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."

33 of 508 comments

  1. Action by StingRayGun · · Score: 5, Interesting

    What legal action may the students and faculty take? In Washington it is illegal to use a student's SSN to identify students. There was groaning at every campus in Washington for weeks. I bet they're as glad as me that Washington was so on top of this.

  2. Slightly OT - choice of credentials by 1984 · · Score: 5, Interesting

    OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.

    But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.

    Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?

  3. Are the stolen records ever used? by Sgs-Cruz · · Score: 4, Interesting

    I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)

    --

    Karma: pi (Mostly due to circular reasoning in posts).

  4. One Copy? by robi2106 · · Score: 2, Interesting

    A smart cracker would already have lined up the buyer(s) for the information (probably spam companies) before doing the crack. At least one copy of the data would have been made at the time of the crack to ensure that it doesn't get captured and lost.

    But nothing says that these cracker(s) are smart. Possibly just lucky.

    robi

  5. Who needs to hack, just work for a university by efflux · · Score: 5, Interesting

    My school still uses SSNs as student IDs. I've found that as a student employee I run into thousands of IDs a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of an autogenerated key?

    --
    Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
  6. from what Ive seen by odyrithm · · Score: 3, Interesting

    In schools, it's very easy to retrieve information. I went round no fewer than 10 junior schools in my area to get information on the new students who are about to enter the new year at the secondary school where I work as the information manager.. NOT ONE of the schools asked me for ID; they showed me to a machine, logged me in and let me walk out of the door with the information on a floppy...

    It's very scary.. but what can you do..

    --
    moo
  7. Penalties by Skyshadow · · Score: 5, Interesting
    Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

    Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.

    This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  8. Yikes... by TopShelf · · Score: 2, Interesting

    It's amazing how much information you can get kicked back by simply trolling SSNs. This reminds me of the scandal last year with Yale's admissions information, which a Princeton administrator obtained by simply entering SSNs and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.

    --
    Stop by my site where I write about ERP systems & more
  9. Colleges and Universities need to fix systems! by revcorrupt · · Score: 3, Interesting

    This is NOT the first time, and I do not believe that it will be the last. I work at and attend a medium-sized college, and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nation's colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serious breach or deny any knowledge of current security problems. It's quite frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.

  10. At least the University is acting responsibly... by Dman33 · · Score: 4, Interesting

    "There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

    It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.

    Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on /. has an opinion as to how this happened?

  11. Hey, here's an idea by buffer-overflowed · · Score: 3, Interesting

    SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.

    Apart from that, all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (i.e. issue a credit card to a you that's not you).

    We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  12. at least some are getting smarter by squarefish · · Score: 5, Interesting

    Northwestern recently sent this out to all students:

    Dear Students:

    The following three bulleted topics are of student interest:

    * Social Security Number is removed from WildCARD ID
    With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.

    The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.

    "The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.

    "We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.

    Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
    http://www.univsvcs.northwestern.edu/WildCard/index.html

    * New vending machine refund bank locations
    If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
    http://www.univsvcs.northwestern.edu/WildCard/vending.html#refundloc

    New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.

    Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.

    * Other tidbits of information:
    --The Abbott Hall ATM now sells stamps
    --A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.

    --
    Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
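
The "autogenerated key" asked for in comment 5 and the "emplid" with "no association whatsoever" to the SSN described in the Northwestern notice above come down to the same design decision, shown here as an added example (not code from Northwestern, UT, or any poster). The SSN value, the 7-digit ID width and the table layout are assumptions for illustration. The point it makes is that an ID computed from the SSN, even through SHA-256, is not "unassociated": the SSN space is so small that the hash is reversed by enumeration, so the surrogate key has to be drawn at random and mapped back through a restricted table.

```python
"""Opaque ID versus SSN-derived pseudonym.

Added example for this thread; not code from Northwestern's WildCARD
system, UT Austin, or any poster. Shows why an ID meant to have no
association with the SSN must be issued at random: anything computed
from the SSN (here a SHA-256 hash) can be reversed by enumeration.
"""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed sample value, not a real person's SSN. Layout AAA-GG-SSSS.
SAMPLE_SSN = "123-45-6789"


def hashed_pseudonym(ssn: str) -> str:
    """The tempting but weak design: derive the public ID from the SSN.

    An unkeyed hash. A secret-keyed HMAC would resist the enumeration
    below, but then the key is the secret to protect, and a leaked key
    makes every ID reversible at once.
    """
    return hashlib.sha256(ssn.encode("ascii")).hexdigest()


def recover_ssn(digest: str, area: str, group: str) -> Optional[str]:
    """Invert hashed_pseudonym() by enumerating the 4-digit serial block.

    Assumes the attacker already knows area and group (they tend to sit in
    the same leaked records). Without them the search is 10**9 SHA-256
    evaluations, still only minutes of work for native hashing code.
    """
    for serial in range(10_000):
        candidate = f"{area}-{group}-{serial:04d}"
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


class IdRegistry:
    """The sound design: a random surrogate key plus a restricted table.

    The SSN lives in one table that only offices with a tax or financial
    aid need can read; cards, directories and rosters carry the opaque
    ID, which reveals nothing if leaked and can simply be reissued.
    """

    def __init__(self) -> None:
        self._ssn_by_id: Dict[str, str] = {}   # restricted: opaque ID -> SSN
        self._id_by_ssn: Dict[str, str] = {}

    def issue(self, ssn: str) -> str:
        """Return the person's opaque 7-digit ID, minting one if needed."""
        if ssn in self._id_by_ssn:
            return self._id_by_ssn[ssn]
        while True:
            # secrets (CSPRNG), not random or a counter: predictable or
            # sequential IDs would reintroduce the enumeration problem.
            new_id = f"{secrets.randbelow(10**7):07d}"
            if new_id not in self._ssn_by_id:
                break
        self._ssn_by_id[new_id] = ssn
        self._id_by_ssn[ssn] = new_id
        return new_id

    def resolve(self, opaque_id: str) -> Optional[str]:
        """Restricted lookup: only the issuing office maps ID -> SSN."""
        return self._ssn_by_id.get(opaque_id)


if __name__ == "__main__":
    digest = hashed_pseudonym(SAMPLE_SSN)
    print("hashed pseudonym reversed to:", recover_ssn(digest, "123", "45"))
    registry = IdRegistry()
    emplid = registry.issue(SAMPLE_SSN)
    print("opaque id:", emplid, "stable:", emplid == registry.issue(SAMPLE_SSN))
```

The enumeration runs over only the serial block to keep the demo fast; widening it to all nine digits changes nothing but the constant.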
  13. Bush's daughter by wayward_son · · Score: 3, Interesting

    Doesn't one of Bush's daughters go to UT?

    Could this possibly be related?

  14. SSN's? Big deal. by Slime-dogg · · Score: 2, Interesting

    Big deal. If anyone wants to know my ssn, it's "336721433".

    SSN's are public information.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  15. SSN's are used too much by StarTux · · Score: 2, Interesting

    They just should not be used by any third party. One thing I was amazed at after moving from the UK to the US was just how many companies/people here ask for that information when really it's not necessary.

    StarTux

  16. Re:At least the University is acting responsibly.. by Telastyn · · Score: 2, Interesting

    Some helpful person probably set up a "phone search" database where you could search via ID. Probably they just didn't know the IDs were SSNs, or didn't care, or didn't put 2 and 2 together to realise that in addition to finding people's phone numbers, you could find people's SSNs.

    Then someone just wrote a script to brute-force the SSN range, it seems from the 2nd link.
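
Both the Yale/Princeton incident in comment 8 and the "script to brute force the SSN range" above are the same pattern on the wire: one client walking a numeric ID space against a lookup page and collecting whatever comes back. The detector below is an added example (not UT's code or any poster's) that runs over a constructed access log for a hypothetical /phone?id= endpoint; the log format, addresses, ID values and thresholds are all assumptions for illustration.

```python
"""Spotting ID enumeration in a lookup service's access log.

Added example for this thread, not code from UT Austin or any poster.
Runs over a constructed Apache-style access log for a hypothetical
endpoint /phone?id=<9 digits> and flags clients that walk the ID space:
many distinct IDs, mostly consecutive, mostly misses. Real logs would be
read from the web server; the thresholds are illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /phone\?id=(?P<id>\d{9}) HTTP/1\.[01]" (?P<status>\d{3}) \d+$'
)


def build_sample_log() -> List[str]:
    """Constructed traffic: 10.0.0.7 scans 30 consecutive IDs and hits only
    two real records; 10.0.0.9 looks up three IDs it already knows."""
    lines = []
    for i in range(30):
        status = 200 if i in (5, 17) else 404
        lines.append(
            f'10.0.0.7 - - [01/Mar/2003:02:14:{i:02d} -0600] '
            f'"GET /phone?id={450120000 + i} HTTP/1.0" {status} 512'
        )
    for ident in (451003344, 449981207, 452770019):
        lines.append(
            f'10.0.0.9 - - [01/Mar/2003:09:30:00 -0600] '
            f'"GET /phone?id={ident} HTTP/1.1" 200 611'
        )
    return lines


def find_enumerators(lines, min_distinct=20, max_hit_ratio=0.5,
                     min_seq_fraction=0.8) -> Dict[str, dict]:
    """Return {client_ip: stats} for clients whose lookups look like
    enumeration. Once the volume threshold is met either signal is enough:
    a legitimate user neither walks consecutive numbers nor misses most
    of the time."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_ip[m["ip"]].append((int(m["id"]), int(m["status"])))

    flagged = {}
    for ip, reqs in per_ip.items():
        ids = sorted({ident for ident, _ in reqs})
        if len(ids) < min_distinct:
            continue
        hit_ratio = sum(1 for _, st in reqs if st == 200) / len(reqs)
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_fraction = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if hit_ratio <= max_hit_ratio or seq_fraction >= min_seq_fraction:
            flagged[ip] = {
                "distinct_ids": len(ids),
                "hit_ratio": hit_ratio,
                "sequential_fraction": seq_fraction,
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(build_sample_log()).items():
        print(ip, stats)
```

The miss ratio is the more robust of the two signals: a scanner that randomises its order still misses most of the time, since the live IDs are sparse in the 9-digit space. Rate limiting per client and requiring authentication before any lookup remove the problem; this script only tells you it is happening.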

  17. Google your SSN by netringer · · Score: 2, Interesting
    Google can answer most of your questions
    Yeah. You should just search Google WITH your SSN and see how many poorly secured web site databases exposed it to the world.
    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
    1. Re:Google your SSN by Patrick13 · · Score: 2, Interesting

      About 6 years ago, I altavista'd my name and it turns out that there is another "Patrick Deese" at Kettering. At that time, the search went to the Administration Web Directory and there was a list in alphabetical order of every employee, first middle and last name, their DOB and their social security numbers.

      They took it down about 3 months later....

      --
      ::.. check out some Cell Phone Reviews
  18. security leaks abound by KingPrad · · Score: 2, Interesting
    Here at the University of Alabama Huntsville we had a major leak in an odd way. A student in my OS class turned in his homework on scratch paper, on the back of which was listed names and social security numbers of hundreds of students and faculty, including that particular teacher. He didn't think anything of it - he had been given the "scrap" paper by someone at his on-campus job. The prof refused to give the paper back because of the sensitive info on the back, and he's currently working on tracing who gave the student those papers containing all that information.

    Kind of scary that just anybody can find all this info by getting some scrap paper from the recycle bins or wherever around campus. I do that a lot but most of it's junk. But if you work on campus I'm sure you can find lots of confidential info in the recycle bins and such that should NEVER be released.

    --
    Stop the Slashdot Effect! Don't read the articles!
  19. Re:SSN's? Big deal. by HermanZA · · Score: 2, Interesting

    All numbers are public, by definition, but some numbers are more public than others. A SSN has value if you know that it belongs to a live human being of a certain age group, with a good credit rating and without a passport, if you have a bad credit rating, no passport and the same age. In contrast, a non-existent SSN, or one that belongs to a dead person has zero value. See for example an old guy who got arrested in South Africa recently, due to an FBI most wanted listing. A criminal stole his SSN and is probably a serial murderer, so this old guy spent a very hard time in a very tough jail for a few weeks. Not a nice holiday, but one he'll never forget.

  20. Re:It's not the IT department.. it's the provost by tongue · · Score: 2, Interesting

    Actually, my fiance goes to UT, and I can assure you that this is entirely the administrators' fault (well, and the hackers', but since we're in the "blame the victim" mindset here)... UT has no such "free access" restrictions in place. Half the campus can't even send mail outside the UT mail systems.

    I will say this in defense of the IT people there... it's gotta be pretty fucking hard to lock down a system that has almost 70,000 users (between students, faculty, staff, alumni, etc).

  21. Re:What's the big panic about SSNs? by Anonymous Coward · · Score: 3, Interesting


    Precisely. The problem isn't that people can find out your SSN. It's that far too many people think that SSNs are somehow a secret authentication key that only you could possess.

    If you walked up to any organization and said, "Hi, I'm CmdrTaco, gimme the keys to Fort Knox", they'd ask for some ID. They don't take knowledge of a name as proof of ID. Yet far too many people will accept the one that walks up and say "Hi, I'm 123-45-6789, gimme the keys to Fort Knox". An SSN is just like a name. It's not a digital signature.

    Note that the fuss a lot of people make over insisting their SSNs be "secure" actually makes the problem worse, not better. Increasing the obscurity slightly doesn't improve the technical security. But it does tend to make people sloppy and overconfident, and leads them to rely on the obscurity of the number as a substitute for authentication. The reason we have a problem in the first place is all those people that mistakenly believe that SSNs are somehow secure in the first place.

    We'd be better off if you were _required_ to use SSN as your student ID, and drivers license ID, frequent shopper card ID, whatever. Plaster it all over the place, and make sure that everyone realizes the number is every bit as public as your name, and thus of no more value for proving an identity. Agitating for "privacy of SSNs" is counter-productive.

  22. Re:What's the big panic about SSNs? by joshsisk · · Score: 2, Interesting

    It may surprise some of you but in the rest of the world you actually need to show some real identity document, like a passport or drivers license, to get anyone to actually trust your identity.

    So, do you provide those documents when you apply for a credit card via mail?

    Then do you provide those documents via the web when you use that card to buy $5,000 worth of electronics on Amazon.com?

  23. User logon names as SSNs by weave · · Score: 3, Interesting
    Think this all is bad, the first college I attended used SSNs as your logon id. All one had to do is logon and type "?WHO" to get a list of 100s of usernames logged onto the system, then run *system/who to tie it to a name.

    (Extra credit props points to anyone who can name the system that I am talking about... Hint, this was late 70s to early 80s)

  24. Who cares? by kickabear · · Score: 2, Interesting

    It was probably some over-eager credit card company who will now use the information to send 60,000 "pre-approved" credit card applications to the students. I mean, come on. Everyone knows we have to keep these students drowning in a pool of debt. Otherwise, how would the economy function?

    --
    This space for rent.
  25. Terminology by Anonymous Coward · · Score: 1, Interesting

    Nice to see that UT used the term "attacker" instead of "hacker" or "cracker". It's a fair and reasonable compromise. Too bad the media report didn't follow UT's lead.

  26. nope, not as easily stolen by The+Notorious+ASP · · Score: 2, Interesting

    Stealing files with fingerprint information isn't as helpful as it sounds. Fingerprint scanners don't compare against graphic files; they look for similarities between distinct features of your fingerprint (where ridges are, how far apart loops are, etc...). Not enough information is stored in these files to make a working duplicate of someone's fingerprint (you might be able to hit a few of the features, but not enough). On the other hand, you could always lift someone's print off a glass and use the ole gelatin trick...

    Not sure about retinal scans, maybe that's an answer

    I agree though, the use of SSN is outdated, it is security through obscurity using a less than obscure number. If I want to steal your identity, all trying to hide your SSN from me does is make it take me a little longer and piss me off that much more, you'll be owned soon enough ;).

  27. Gee, really? Hmm... by Viv · · Score: 2, Interesting

    I was bitching about their lack of security as early as 1997... by default, they shunt(ed) all contact information into a publicly accessible x500 server. It wasn't a commonly known thing, and you had to take proactive steps to remove yourself from it (go down to an office, fill out a form, etc)

    From ksparger@vaevictis.stf.org Fri Aug 1 10:42:46 1997
    Date: Fri, 1 Aug 1997 10:42:45 -0500 (CDT)
    From: Vaevictis
    To: info@x500.utexas.edu
    Subject: Questions regarding the x500 service.
    Message-ID:
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    Status: RO
    X-Status:

    Hi :)

    Sorry to pester you (I know how much of a pain it can be to administrate an internet service :p)...

    I'm a freshman taking English 301 (Composition class), and we've just recently been assigned a proposal argument.

    My proposal is that the university change the policy on the x500 so that instead of having the student's information accessible by default, the student would need to sign a release form. (in other words, the exact opposite of the way it's done now... as a new student, I was horrified to find that my personal information (home address and telephone number, specifically) was being given to all comers..)

    I would like to know the following information, if it's not too troublesome for you to give to me :)

    What would need to be done to change the student's default from "distribute information" to "withhold information" in the x500 directory?

    Would it require a change at the actual x500 site (ie, configuration files?), or would it require that some other group (the registrar, perhaps?) change policy?

    What kind of security measures are installed to log accesses of information? For instance, I know for a fact that you don't attempt identd lookups, do you log access attempts by hostname, IP address, or do you log at all?

    What are the scenarios if it is found that someone used information acquired from this database for illegal/unethical purposes? ie, could you even prove where a certain access came from if you had to in court?

    Anyhow, thanks for your time, it's much appreciated :)

    If you don't know the information for any of the above questions, I would appreciate it if you could tell me who could (if you know, anyway :))

    Thanks a lot,
    Kyle Sparger

    Date: Fri, 01 Aug 1997 11:13:04 -0500
    To: Vaevictis
    From: "William C. Green"
    Subject: Re: Questions regarding the x500 service.
    In-Reply-To:
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Status: RO

    You should read our FAQ and all associated links: http://x500.utexas.edu/x500info/faq.html

    Specifically, Appendix C Subchapter 9 with special attention to section 9-201 of the General Information Catalog.

    I would suggest you begin your inquiry with the Registrars office, although many other offices would be involved. My understanding is that any change would need to be approved by the Regents.
    This question is more complicated than it would appear.

    As part of your argument, you should consider the implications of not having a directory service, or, a service that is restricted to UT Austin access only.

    Host access information is kept in rolling logs.

  28. Why there hasn't been any reform on SSNs by silentbozo · · Score: 3, Interesting

    If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes? Easy - lobbyists and money. Credit card companies and credit bureaus see SSNs as a godsend. For them, it's cheaper and easier to have a central registry in order to troll for new credit accounts, regardless of the security problems inherent in using SSNs for everything.

    Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.

    At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...

  29. Re:What's the big panic about SSNs? by Chrome-Dragon · · Score: 3, Interesting

    Had this same thing happen to me around Christmas time, except they bought plane tickets. The tickets were to be picked up at will call, so all the police had to do was go to the airport and wait. But no, they said "the people picking up the tickets could be different from the ones who bought them". So when I said fine, then forget the fraud charges and credit issues, go arrest them for receiving stolen property, they got all quiet and wanted to drop it. People can be so lazy.

  30. Same thing at my College by skreuzer · · Score: 2, Interesting

    I attend community college at night, and in one class we have to telnet into a Solaris box from W2K. Our login name is the first 3 letters of our last name, followed by the last four digits of our social security number. Guess what the password is? Yeah, our full social security number. One day I came to class early with a copy of Knoppix on a CD, booted off it and ran ettercap, poisoning the switch so all traffic goes through my machine first... One by one, as students came in, I was able to sniff their login name and password (which was their social security number). I sent an email to the school using that as an example of why students' passwords, or their ID number, should not be an SSN. I have not yet gotten a response.
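
The attack described above works by ARP poisoning: ettercap answers ARP for the other students' machines and the Solaris box so that the classroom traffic, including the cleartext telnet logins, passes through the attacker's PC. It is also noisy on the wire, which is what the following added example looks for (not code from the poster or from ettercap). It runs over a constructed list of ARP events; the addresses, MACs and the five-reply threshold are assumptions for illustration, and on a real segment the events would come from a capture on a monitoring port.

```python
"""Passive ARP-poisoning detector (arpwatch-style).

Added example for this thread, not code from the poster or from ettercap.
Consumes a constructed list of ARP events; on a real segment they would
come from a packet capture. A poisoner shows up in two ways: an IP's MAC
suddenly changes, and the same station keeps sending replies nobody
asked for. A single unsolicited (gratuitous) reply is normal at boot or
DHCP time, so only a sustained run of them raises an alert.
"""
from collections import defaultdict
from typing import List, Tuple

GATEWAY_MAC = "aa:aa:aa:00:00:01"   # constructed
VICTIM_MAC = "bb:bb:bb:00:00:20"    # constructed
ATTACKER_MAC = "cc:cc:cc:00:00:99"  # constructed


def build_sample_events() -> List[Tuple[float, str, str, str]]:
    """Constructed ARP traffic as (seconds, op, ip, mac): two legitimate
    request/reply pairs, then the attacker re-announcing both addresses
    every two seconds without any request (the mac field of a request is
    the all-zero target hardware address)."""
    events = [
        (0.0, "request", "192.168.1.1", "00:00:00:00:00:00"),
        (0.1, "reply", "192.168.1.1", GATEWAY_MAC),
        (1.0, "request", "192.168.1.20", "00:00:00:00:00:00"),
        (1.1, "reply", "192.168.1.20", VICTIM_MAC),
    ]
    for k in range(6):
        t = 10.0 + 2 * k
        events.append((t, "reply", "192.168.1.1", ATTACKER_MAC))
        events.append((t + 0.01, "reply", "192.168.1.20", ATTACKER_MAC))
    return events


def detect_arp_spoofing(events, unsolicited_threshold: int = 5):
    """Return a list of (kind, ip, detail, time) alerts, in event order."""
    known_mac = {}                  # ip -> last MAC seen answering for it
    outstanding = set()             # ips with a request not yet answered
    unsolicited = defaultdict(int)  # (ip, mac) -> replies with no request
    alerts = []
    for t, op, ip, mac in events:
        if op == "request":
            outstanding.add(ip)
            continue
        # op == "reply"
        if ip in outstanding:
            outstanding.discard(ip)
        else:
            unsolicited[(ip, mac)] += 1
            if unsolicited[(ip, mac)] == unsolicited_threshold:
                alerts.append(("unsolicited-replies", ip, mac, t))
        previous = known_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-changed", ip, f"{previous}->{mac}", t))
        known_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(build_sample_events()):
        print(*alert)
```

Detection is the fallback; the fix for the class described above is to stop sending the credential in the clear (ssh instead of telnet) and to stop making the credential a number printed on every form the student fills in.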

  31. UT dishonest about source of attack by randomthought · · Score: 3, Interesting
    I stumbled on a UT site yesterday that had a number of exposed social security numbers, after reading an article in Wired about open Web enabled databases. The UT site now appears to be down, but you can see the Google cached version here

    A click on the travel.fp3 file listed a couple hundred SSNs. It was completely wide open.

    UT made it sound like a deliberate attack, but it looks to me more like administrative incompetence (and cya).

  32. Re: Social Security Numbers by AEton · · Score: 2, Interesting

    I agree wholeheartedly that the abuse of SSN is a problem. However, realize that most US educational institutions will assign you another unique student ID which is not your SSN; it is not impossible to dodge their use, and if you truly care about your security you will never use this number except when forced to. You have the right to protest its use otherwise, but consider that this distinguishing characteristic may not be so good socially--the people around you might not be quite as apt to understand your rabid protection of this number, even if many of the more privacy-oriented do.

    Moreover, as much as it is claimed (and perhaps rightly) that "the system" wants you to use this one unique identifier, there is a definite advantage to having an easy-to-remember number associated with almost everything, instead of separate account and unique personal identification numbers. However, some privacy experts agree, as do I, that the SSN should only be used for, well, Social Security when possible.

    Looking at that aforementioned letter, I find a passage which states that "from a technical viewpoint, the SSN is not a good identifier. It is not unique, [and] there are multiple users of a single SSN". While I can find no proof of this assertion elsewhere, I have heard anecdotally of people who used Richard Nixon's SSN throughout college (567-68-0515)--the results are obviously mixed. Overreliance on this number poses an undue threat to college students who, frustrated by this kind of wholesale theft which could lead to troubling financial consequences should the perpetrator preserve a copy of the data, might turn to forging SSNs--an OK idea until you get caught at it.

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.