Slashdot Mirror
UT Austin Hit By Massive Security Breach
mrpuffypants writes "Reported in the Austin-American Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."
"Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."
Phew, I feel so much better now!
What legal action may the students and faculty take? In Washington it is illegal to use a students SSN to identify students. There was groaning at every campus in Washington for weeks. I bet there as glad as me that Washington was so on top of this.
OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.
But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted to with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.
Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?
I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)
Karma: pi (Mostly due to circular reasoning in posts).
My school still uses SSN's as student id's. I've found that as a student employee I run into thousands of id's a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of a autogenerated key?
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
Not to adapt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.
This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
The UT link appears to be /.ed, but when I read it before it sounded like a simple brute force ssn lookup. The attacker simply generated random ssn and sent them against a page that returned information based on ssn. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.
On another note, UT is phasing out SSN in many aspects of the students life. My wifes UT ID does not contain her ssn, it has a student # now. Though I assume that there are still many points of interface with the UT system that expects to see ssn.
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
/. has an opinion as to how this happened?
It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.
Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on
Northwestern recently sent this out to all students:
d /inde x.html
d /vend ing.html#refundloc
Dear Students:
The following three bulleted topics are of student interest:
* Social Security Number is removed from WildCARD ID
With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.
The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be
charged a $15 replacement fee.
"The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.
"We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.
Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
http://www.univsvcs.northwestern.edu/WildCar
* New vending machine refund bank locations
If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
http://www.univsvcs.northwestern.edu/WildCar
New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.
Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.
* Other tidbits of information:
--The Abbott Hall ATM now sells stamps
--A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
I used to admin at a University. One of the most frustrating things I encountered was the incessant desire for there to be no restrictions on any of the computing systems that the students used. This includes the servers. The firewall was just an expensive router. We were not allowed to run blocks from the internet to inside IPs, as that defeated the spirit of free access. I tried to explain why it was a 'Bad Thing(tm)' repeatedly, but alway met with resistance from the shared governance committee. One cannot blame the administrators in this thing. I assure you they feel just as powerless as I did. This kind of thing will become more and more rampant as clueless faculty (or upper-management in the business world) are allowed to influence major IT decision-making.
They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.
They probably just copied over the DB containing the University's security procedures.
UT says:
Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.
`Ah, cool, we've managed to delete the copy they made of our data.'
(whispers)
`Another copy? How many copies did they steal?'
In principio creauit Linus Linucem.
It's like security through the obscurity of these numbers.
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
Unfortunately the literal translation of this is:
I am so fired!
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
Private businesses can request your SSN if they want... you don't have to give it though. But if you don't, they don't have to give you whatever you're looking for either :)
However, UT is a public school and is subject to the restrictions on government agencies... here's a page with some info on the use of SSNs in public schools.
Anyways, as a former UT Austin student, I'd be annoyed if my SSN was one of the ones that got out... and if so, I wonder how UT plans on contacting me--as far as I know, they don't have my current address, phone number, or any other type of contact info. As a side note, the first year I was there (1988), a lot of professors posted exam grades outside the classroom indexed by SSN... I guess someone put a stop to that :)
I have both attended at work at UT in IT, so I can give you my observations.
For many years, UT had a non-centralized IT infrastructure. That is, the Colleges did one thing, the Administrative Computing Group did another thing, the Academic Computing Group did yet another thing, and the Libraries something else entirely. This was recently changed with the introduction of a new Office of Information Technology head by a new Vice Provost (Dan Updegrove, originally at Yale). One of the very first things I heard him address was the Social Security number problem in which every student, faculty, and staff member used their SSN as their ID. That practice had to change in order to meet both legal and privacy standards (see FERPA) , and UT has been trying for the past couple of years to make that happen. The trouble is, it was so integrated into all of the different services and departments that it is a slow process to remove it. They started to phase it out, but now UT is seeing the effects of this particular practice. I'm likely one of the ones who will be affected, so I'm waiting for them to announce where people can find that out. (It may be at the UT site, http://www.utexas.edu/datatheft/.
The Daily Texan (student newspaper) has an article about the theft, as does the Houston Chronicle.)
By the way, your Social Security Number isn't public information. It is required for use by some agencies of the government, but you are not required to provide your SSN to private groups unless they need to interact with certain government agencies (this includes your employers, who deal with the IRS). That being said, SSNs are so commonly used a search may pull up that information- but that doesn't mean it is legally public info.
1. Please mod the parent as insightful. (Or even funny). This is the best description of the problem I've ever heard.
2. It's an antiquated system. Back in the day, before massive amounts of information were available on computer, you'd occasionally hear about a guy who's number was stolen. It's a bad thing, but it was a rarity. The system worked because your number was secret, and there were few real ways to get it.
These days, SSN's are being compromised by thousands at a time. This is a broken system, and it should be fixed.
Perhaps thumbprints or retinal scans as a system of identification. But if you think about it, this leaves us with the same problem. The retinal or thumb image needs to be kept somewhere for the purposes of comparison. The files can be stolen just as easily as SSN's.
Maybe there is no solution.
Huh?
From that I can only assume that you live in the US ? Which, I guess, just proves my point that it is a system just waiting to be abused.
Never mind what those spams may say, in Europe you cannot get a bankaccount without applying in person. I guess there may be CC companies that are so eager to close that they trust me without proof. But I reckon that even those will send letters to your address that you have to return to them, signed. Which does prove at least two things to them: (A) you have physical access to the mailbox/streetaddress you supplied, and (B) they have your signature on paper, which can be useful to prove you signed it (and if need be, all the way though handwriting recognition experts).
In any case, that is better than nothing.
There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)
Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:
Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.
Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:
Aside from the fact that the custodian of the information certainly has a lot to blame in this, there is another big part of the problem. That problem is what people can actually do with the information.
An SSN is identity. It is nothing more than that. The problem is people make the incorrect assumption that it is authenticity (I can recite the number, or read it off a little card in my wallet, so it must be me), and authority (this account has your SSN and is overdrawn, so you are liable for it).
If any law change is needed, it is a law change that says that it is illegal for an SSN to be accepted for any purpose other than identity. What that means is that if I walk into a bank and open an account citing some SSN, the bank needs to understand that all this does is identify someone, and not necessarily me. If the bank causes harm to the real owner of the SSN by having provided any derogatory credit information based on that SSN, then the bank shall be fully liable for having not taking reasonable measures to ensure accuracy of information. And by that, what I mean is that the bank can't simply say that the victim needs to track down the perpetrator to cover the costs. The banks need to be forced to properly authenticate the information they use, especially when and where it might be used in a negative way.
And I don't mean to pick on banks (I just happen to have an open case with Chase Manhattan bank which continues to allow someone to operate a credit card account with my SSN, reported on my credit reports, without my consent, and after I have advised them of the fraud). Such a law should apply to anyone and everyone who accepts and uses SSN data for anything. It's the negative things that can be done (like bad credit info) that needs to be stopped (in addition to other stupidities like running computers insecurely and connecting systems to the internet that have no business being there).
now we need to go OSS in diesel cars
In their newswire, Salon titled this story, "Computer crackers steal students social security numbers."
I thought the Slashdot community would appreciate Salon getting the terminology right on this one. It may seem like a silly point to some, but the distinction between "cracker" and "hacker" is huge in my mind, and it always makes me happy to see a journalistic outlet get it right, for a change.