Slashdot Mirror
Whopping-Big Data Theft At U.C. Berkeley
aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."
It's "copyright infringement".
Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.
Should be quite easy to fix, now give new name and social security name to everyone involved.
Was the system in question still running BSD? ;)
I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.
Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems, this would only compound it. Damn.
I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws. The thing is, the machine at Berkeley were the ones victimised but it seems to me that this type of information will be sought after regardless of where it is. What I mean is, although Berkeley should have hardened the machine against an intrustion they were victimised because of the info they had, not who they were. The government servers are going to be targeted too.
I didnt know the "SSN database.mdb" in /tmp was 'secret'!
Oh-nos!
The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.
The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...
No. It's only the worst intrusion they were made aware of. There could have been more...
Indy Media Watch-Proctologist of the Internet
It makes you wonder...
Why does a research program need access to social security numbers, phone numbers, and the like?
I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.
ayershome.org/users/eric
1.4 million Social Security numbers.
Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?
This smacks of laziness on the part of the data provider and the researcher(s).
Preventive measures like changing their name, address, SSN and date of birth?
This seems to be a case when the privacy of the information could have been maintained despite the breach of security if they had been using a "translucent database". Peter Wayner wrote a good book about this, and as far as I know coigned the term.
It naturally requires some thought to do right but it seems like it could have worked in this case.
The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!
:)
Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option
Visit the Game Programming Wiki!
I run FreeBSD at home and feel a little safer that a company
Will your FreeBSD installation prevent you from putting your data on an available Apache server?
What's given you the idea that this was a BSD vulnerability?
I'm not disputing that it might be the case (and yeah I know what BSD stands for) but how do you know it wasn't Windows or something else?
Iran has endorsed
A wise man once said "A society is stable when some nut guns down a schoolyard and the laws *don't* change."
You have two hands and one brain, so always code twice as much as you think!
The laws are already there. Too bad they are not enforced.
In Soviet Russia, I ruled you
Oddly enough, the large University I work for has been discussing making two or three seperate networks inside the univesrity to keep something like this from happening. Presently, the Hospital has their own private network interconnected to our network via a firewall. We have been toying with the idea of making a private network for sensitive university machines an faculty networks. Thus then leaving the students and other network users on a more normal public network, behind the border firewall of course. The discussion of data security has come more than once and now I'm just waiting for that email saying, 'it's on'. And the acronymns will fly.... VLAN, VPN et al. yay!
Yeah, but you have to realize that they don't have smart CS security expert professors doing their windows administration for them.
http://ist-socrates.berkeley.edu:7015/protected. data.html
Hope you find it to be as educational on this subject as I did
Chris Williams clw7500nc@gmail.com
This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.
I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?
Does your company outsource payroll?
Gods don't kill people, people with gods kill people.
SecurityFocus's description is no better than CNet's, I thought they'd have more technical details. What system were the running? What exploit?
Oh, wait, I get it, they probably haven't patched the exploit yet.
They should have cleaned the data and removed the SSN. When we pass information outside the company we remove any reference to the SSN and replace it with a zero padded sequence to the same length as the SSN. If they ever need to know who the individual is they can give us this sequence number and we can look them up. Our plans are to remove any possible reference to the SSN in the database and replace them with a good old fashion sequence number (IE Customer number). Only payroll will have a table that links the sequence number to the SSN (a must when filing taxes).
My Sig indicates the end of the comment I posted.
Was it Windows, Linux, BSD, Solaris etc?? It doesn't say in the articles.
Stop giving everyone your social security number.
Only the government really needs it. For the sake of saving time and aggrevation, I'll provide mine to my employer and my bank as well but no one else needs to get it. Ever.
NTITE
-You can cry, but you'll still die. There'll be no tears in the end.
IMHO it is highly unlikely that this is BSD.
It was the government that
- required their information
- handed the info out to a third party
- failed to ensure that the third party took adequate care
Surprised? You shouldn't be. There's no market pressure on the government. If you're offended at their cavalier attitude, it's not like you can go with a competitor!One example of a government agency doing things the right way: about 15 years ago I worked on a university research project that used Census bureau data...but the data had been anonymized before we got it: some fields were removed, some were hashed, and the data had been pruned enough that you couldn't do an exhaustive match against a telephone book.
In this case, though, it looks like some California agency just handed over the entire database, raw.
Wonderful.
Can you provide a reference that it is illegal?
Seriously, this is not a troll....I see this statement often and I want to know if it's an urban myth or not.
The SSNo was never intended as an ID number. Yet, many businesses will take nothing else as a customer idendifier.
Myself, I am being hounded by my electric power supplier who wants me to give them my SSNo (which I didn't when I opened my account).
So why bother stealing the SSNs of victims who are old and broke? You can't steal their money - they don't have any! If you steal their identity you'll wind up laying in a hospital with a tube in your nose being pumped full of Demerol....
Oh, ok, now I understand.
My company also outsources payroll, like thousands of smaller businesses. ADP, founded in part by Senator Lautenberg (D-NJ), does payroll for my company. They are headquartered, as one would imagine, in New Jersey, not India.
Outsourcing means having another company do the work. It doesn't mean that the work is necessarily being done in another country.
I was working on this project, and I'll tell you I was extremeley disheartened to learn people would try and sabotage this project. It is for a really good cause (if you believe in unions that is, I don't, but it was still for a good cause) and I hope the project isn't jeapordized beyond repair because of this. For those who might have guessed, the system that was hacked was a Windows 2000 Pro box running SQL Server and a statistics program called STATA. The box was only up and running while retrieving data and was turned off the rest of the time while I was on the project. There were very strict rules about letting the box onto the network since it wasn't a Berkeley box, but then they took the box and put on their own security software which supposedly made the data safe. I can give you the name of the IT guy in charge if you want. Many of you are listing reasons for not having the SSN's on the database, and that they should have been kept at the state level and then the state give us unique identifier numbers. In actuality, the state does not provide that service, and only provides the data from several databases. We ourselves then created unique identifiers because we needed very specific samples from different populations of California. This identifier was made with a combination of people's relations, their ethnicity, and their social security number. You'd be surprised how many people in California have the same name. Also, although maybe not the best reason in some programmer's opinion - it was easier to separate people by their SSN because STATA didn't present a way to compare strings in a useful enough manner so as to use a combination of name and zipcode. And if you are wondering why we had names and addresses and phone numbers, it is because we called and mailed these people ourselves. Our first mailing - worked a 22 hour day, and tried about four different assembly lines! The state didn't help at all - and in the current time when we have idiot Republicans like Arnold (I can't spell his last name) who thinks fixing a state budget crisis involves cutting the budget of an already failing program and driving MORE people into poverty, I don't think you can expect them to help us tell them how and why they are wrong. I'm no longer on the project (got shipped overseas) but the people working on it are rock solid individuals, and personally, as a former IT guy myself, I blame the morons who worked IT at the division this project is taking place. I understand Berkeley is huge, but for a University that supposedly is "computers" - they have a lot of people with absolutely no clue.
I'm picking "Yusuf Islam", then I'm catching a flight.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media.
Yeah, like bed ridden old people that need in-home care are going to be able to check a website for info on what's going on.
Try sending them a letter or something!
I still have my SS card issued in the 1960s. It says, and I quote:
"FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."
(The ALL CAPS is what's on my original card, I'm not "shouting"!)
I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:
1. Why would so many folks think it's illegal, if it's not?
2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!
Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
JMR
Try e-gold - (contact me). I'm NOT e-
No, I really do think it's nearly the perfect example of the dangers of righteousness.
The Grand Experiment in this case was apparently perceived as vastly more "important" than the individual privacy and even *lives* of actual living people. This is quite typical of people who are out to "save the world". It's a form of "the ends justify the means" thinking. I call bullshit.
BTW, in case it wasn't obvious: this isn't a liberal vs. conservative thing. Anti-abortionists have the same damn problem.
This is all assuming, of course, that the parent of my original comment wasn't itself flamebait :-).
Seems like the data on each individual should BELONG to the individual....
Shouldn't you own your own data, and be able to say who does what with it?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
The law that the previous poster thinks is protecting him is probably the Privacy Act of 1974, which is only binding on government agencies. It's discussed in the FAQ.
There is also a SSN FAQ at cpsr.org, but it formats like crap on Mozilla. You'd think "computer professionals" wouldn't screw up something like this.
Have you read my blog lately?
By law, the only places that can receive your SSN are government offices, employers, banks and landlords. Anyone else can't deny you any of their services based on you not giving them your SSN. I think banks and landlords are the ones that are most limited in what they can use the number for. Government and employers use the number for taxes and for government to turn you into a number (for medical benefits, social security payments, and so on). No one else has the right to ask for it.
Oh people will bitch and moan about not getting it from you. But who the hell at CompUSA needs your SSN?
And if a non-government or non-employer needs to verify that you are who you say you are, they can ask for your driver's license number. But the SSN is off limits to everyone else.
At least this is what my employer told me when I got hired (us government). They instructed me to safeguard my SSN as best I can, which includes not giving it to people that legally don't have a right to it. As they put it, 99% of the identity theft issues are from people giving their SSNs to folks or organizations that don't actually need it. And then those organizations don't know what a secure system is. To be honest, I'd rather have my SSN and other personal info stored on a DoD, DoJ, or whatever agency system, than on the computers at Joe Blow's Car Sales.
I applied for San Diego State University way back in 1998 when I was initially trying to find a school to attend. About 4 months ago I got a notice in the mail saying that Hackers had gained access to the data base that held all of the applicant information (drivers license, SSN, financial awards, PARENTS SSN's, etc.) and that we should all obtain a copy of our credit reports and report any suspicious activity. This apparantly happened in February of this year and I received a message in June notifying me. To be honest, I think it's pretty stupid to keep names and SSN's in a database that is linked to a network. It doesn't seem right, and now I have to worry about Identity Theft because I applied to a University 6 years ago.
jen0r all your base are belong to... me
If you have SSN as a required field with a unique constraint or index, you're setting yourself up for a denial of service attack -- User1 enters a bogus SSN which happens to belong to User2. Now User2 is effectively locked out of the system -- he can't enter his (valid) SSN because of the key constraint violation, so he either has to give up or give a bogus value as well.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Any DBA who uses SSN as a primary key needs to be flogged with a CAT-5 cable.
By her boss, maybe, but not by the government.
Privacy concerns aside, it's generally a bad idea to use any user-provided value as a PK because of the difficulty of guaranteeing uniqueness.
True, since there are at least some people out there with the same SSN.
If you have SSN as a required field with a unique constraint or index, you're setting yourself up for a denial of service attack -- User1 enters a bogus SSN which happens to belong to User2. Now User2 is effectively locked out of the system -- he can't enter his (valid) SSN because of the key constraint violation, so he either has to give up or give a bogus value as well.
Or you could just put the new account in a temporary table and have a human sort it out. It all depends on your application. If you're making a geocities site, OK. If the purpose of the database is to store company employees, then flagging identical SSNs is a feature, not a bug.