Identity Theft from University Computers
Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
Any corporation / school / government entity that uses SSN to identify an individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old-timers into dropping the SSN number they want labeled on their checks...
This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify you for social security, not everyday identification.
I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks' minds who are just enrolling at the university.
My other computer is a Jacquard loom.
no mention of the grades?
It seems like a bit of a convenient coincidence that this happened just before they replaced their ID numbers with something other than Social Security numbers. Someone has obviously been paying attention in their Computer Science classes.
The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").
How many of these incidents happen with no one the wiser? Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month?
There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.
Stock up on canned goods, folks.
than from internal threats.
How many cases of internal theft do we know?
As someone who once created and maintained my high school information database, I know how easy the system can be abused.
What's very important is that Universities have strict and applied policies dealing with information and database handling. Limiting the number of people that have access is paramount.
Background checks for personnel involved should be done too.
Rock the cradle high, high
the machete is already sharpened
since you are bathing anyway
you might as well get soaked
I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registration process all the way to marking and evaluation.
just a web application developer and instructor in Toronto, ON Canada
Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.
One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...
What OS was their server running????
We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.
My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).
She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).
Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.
Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.
fifth sigma, inc.
The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.
So what legal recourse do the students have? As far as I'm concerned, the organization is liable, and the students should launch a class action lawsuit, if nothing else, but for lost productivity time, which is what companies usually seek when they go after hackers. The school is no better than the people that hacked them if they couldn't safeguard this personal and highly sensitive information.
You'll also notice that the asshole of a VP didn't even apologize for the situation. Just that he regrets it. Makes me sick how there's no sense of responsibility there.
Universities are notorious for not having good network and server security (hard to hire the required large staff to oversee so much data). I now work in the computer security field, and when I look back at my university experience I see lots of very frightening things -- besides just the extent of the records the university keeps, they also tend to print things like your birth date on records. Having your date of birth intercepted is bad news, and it is really disturbing to see it printed in so many places, especially alongside your SSN / SIN.
On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).
The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the telltale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.
Some of the information freely available to anyone who cared to look at it was:
- Your full name
- Date of Birth
- Social Security Number
- Bank Name
- Bank Account Number
- The Amount of the Deposit
- The Date of the Deposit
It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.
The television will not be revolutionized.
Actually George Mason University is one of the few that have Ph.D programs in Information Technology, but it goes further such as they have "Information Technology with Concentration in Information Security."
Kind of ironic that they would have a graduate program there for information security and they just got hacked.
I think it might be an inside job though.
This was no coincidence. Someone saw this coming change and decided to cash-in while they still could.
The machine that was hacked was in the PhotoID Office and it was a Windows machine. Based on the behaviour it was exhibiting, that is, it was scanning other machines to infect, it may have only been a worm and this whole story has been somewhat sensationalized. It may have been oblivious to the fact that data existed on the machine.
The fact that the machine may have been unpatched reflects poorly on University Administration (ITU) but not on the CS or IT programs.
Disclaimer: I work and go to school at GMU.
I bet they have been "in the process of replacing the system" since last century. They just didn't do any serious work on that until they got busted. Same as US Airways over Christmas and countless companies with the Y2K bug until 1999. Everyone with decision-making power should take a serious pay cut and students should get tuition discounts to offset the cost of dealing with identity theft.
If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
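The migration the comment sketches, as an added example that is not part of the original thread: records re-keyed to random 9-digit IDs, plus the lookup a mapping page would consult. One assumption differs from the comment: a plain SHA of a 9-digit number can be recovered by enumerating the 10^9 possibilities, so the lookup here is keyed with an HMAC under a secret held by the registrar; the sample records and key are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, keyed on (fictional) SSNs as the old system was.
RECORDS = {
    "123-45-6789": {"name": "A. Student", "dept": "CS"},
    "987-65-4321": {"name": "B. Faculty", "dept": "IT"},
}


def hmac_ssn(key: bytes, ssn: str) -> str:
    """Keyed digest of an SSN. Unlike a bare SHA(SSN), this cannot be
    reversed by hashing all 10^9 candidate SSNs without the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def new_id(used: set) -> str:
    """Random 9-digit ID, retried until it is not already assigned."""
    while True:
        candidate = f"{secrets.randbelow(10**9):09d}"
        if candidate not in used:
            return candidate


def migrate(records: dict, key: bytes):
    """Return (records keyed by new ID, lookup from HMAC(SSN) to new ID).
    The SSN itself is not stored in either structure."""
    by_id, lookup, used = {}, {}, set()
    for ssn, rec in records.items():
        nid = new_id(used)
        used.add(nid)
        by_id[nid] = dict(rec)
        lookup[hmac_ssn(key, ssn)] = nid
    return by_id, lookup


def resolve(lookup: dict, key: bytes, ssn: str):
    """What the mapping page would do: SSN in, new ID out (None if unknown)."""
    return lookup.get(hmac_ssn(key, ssn))
```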
I worked for AT&T Wireless when they were breaking off from AT&T proper. One of the things that needed to be done was to replace all of the AT&T employee ID numbers with new AWS employee ID numbers.
It. Took. For. Ever.
All sorts of disconnected systems keyed to that AT&T ID # needed to be updated and changed, and the change needed to happen in one fell swoop and nothing could fail.
I'm betting a university setup is even worse.
Actually, it's a problem with both. When the SSN was first conceived it was specifically NOT supposed to be any sort of ID system. Obviously that changed.
Some states have solved the problem. In Texas, for example, people can "lock" their credit information. With it locked no one can get credit reports which makes it impossible to get credit, even if the person has the SSN, drivers license, birth certificate, etc.
Of course the credit companies are fighting these laws because they like the idea of fast and easy credit.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Read the Privacy Act of 1974; a quick Google will find it for you. We had to use it in the Military and it basically required you to give permission and sign a form that stated what the organization was going to do with your SSAN. It covered a lot of different areas.
You could hack someone's finger off with a sharp implement, and then get their stuff.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.