Slashdot Mirror


Carnegie Mellon Says Computers Breached

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."

17 of 203 comments

  1. Is This Really News??? by ferrellcat · · Score: 4, Insightful

    Sadly, it seems more astonishing if a day goes by when a major personal information breach is NOT reported.

  2. Casual attitude about SSNs by bigtallmofo · · Score: 5, Insightful

    What exactly were social security numbers doing on that computer?

    I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

    I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.

    --
    I'm a big tall mofo.
    1. Re:Casual attitude about SSNs by Angostura · · Score: 4, Insightful

      Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

      The other way is to think of it as a piece of information as public as your first name or hair colour.

      It seems to me that SSN now has to be considered in the second category.

      The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

      It is this mismatch which is causing the potential identity theft and security problems.

      I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

      Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

    2. Re:Casual attitude about SSNs by Anonymous Coward · · Score: 1, Insightful

      I'm sure it is handy as a unique key in many people's databases

      Only for people who don't know any better. Social Security numbers are recycled and should never be considered unique.

      It is possible for multiple living people to have the same SSN and even the same name.

      SSNs are also poor "security" identifiers because they are usually tied to where you are born along with other patterns.

  3. An everyday occurrence now.... by empty+drum · · Score: 1, Insightful

    Until a national Public Key Infrastructure is devised, requiring biometric input from each user, identity theft is not going to stop.

    --
    Creative Commons music that doesn't suck: emptydrum.com
    1. Re:An everyday occurrence now.... by beavis88 · · Score: 2, Insightful

      That's not going to stop it either. It may, however, change who does the stealing.

  4. So... by Chris+Kamel · · Score: 1, Insightful

    I'm not going to moan about how frequently this seems to be happening lately, I've been thinking though
    Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
    What is one supposed to do with such warning?

    --
    The following statement is true
    The preceding statement is false
  5. Looks like a departmental problem to me. by morph- · · Score: 4, Insightful

    As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

  6. Why store the SSN? by Ann+Elk · · Score: 3, Insightful

    Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

    I know, I know -- I shouldn't bother asking "why"...

    1. Re:Why store the SSN? by fourtyfive · · Score: 4, Insightful

      Because this would only be minutely more secure than storing the SSN itself. There are nine digits in an SS #, numbered 0-9, that's 10^9. Even at a meager brute force rate of 1.5 Million MD5Sums / sec, it would only take 11 minutes to break every possible combination.

    2. Re:Why store the SSN? by Anonymous Coward · · Score: 1, Insightful

      Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

      I know, I know -- I shouldn't bother asking "why"...

      No, that's just a diversion. Checksums are not a cure-all. In this case, it would be a false sense of security. The fact that you mention multiple checksum algorithms shows you haven't adequately thought this through. The strength of the algorithm has little to do with security when there are this few data points to map it back to.

      You could easily get all of the SSNs by trying 9 digit numbers.

      Remember, these aren't arbitrary 9 digit numbers. They are assigned by where you live, the middle 2 are (almost?) always even, and so on.

      There are a whole lot less possibilities than you would initially think. When you restrict the domain to 9 digit numbers following a strict pattern, it IS computationally feasible to reverse the checksums.

      Let's assume it wasn't possible today. You keep the same SSN throughout your life so at any point in the future the thieves could reverse the checksums when computing power is sufficient.

      Unlike credit card numbers, SSN and other identity information has no expiration date.

      The answer to this problem is to restrict access as much as possible. Then you can go with the secondary measures of encrypting the data -- which would be much better than checksums.
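    The arithmetic in this thread, and the difference a secret key makes, as an added example that is not part of the original posts or of CMU's systems: an unkeyed hash of a 9-digit value is rebuilt offline by enumeration (the thread's 10^9 / 1.5M per second figure), while an HMAC with a key held outside the database keeps the lookup property without the public-function weakness. The sample SSN, the candidate slice and the use of HMAC-SHA256 as the token function are assumptions of this example; a stolen key reintroduces the problem, so it complements, not replaces, the access restriction the reply recommends.

```python
"""Added example (not from the thread): why an unkeyed hash of a 9-digit SSN is
no protection, and what a keyed token (HMAC) changes. Sample values are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

SSN_SPACE = 10 ** 9  # nine decimal digits, as the thread counts them


def brute_force_minutes(hashes_per_second: float, keyspace: int = SSN_SPACE) -> float:
    """Minutes to hash every candidate at a given rate (the thread uses 1.5M MD5/s)."""
    return keyspace / hashes_per_second / 60


def plain_token(ssn: str) -> str:
    """Unkeyed SHA-256: the function is public, so the whole table can be rebuilt offline."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret held outside the database (assumed: an HSM or KMS).
    Lookups by SSN still work; rebuilding the table requires the key, not a 10^9 loop."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, token_fn: Callable[[str], str],
                           candidates: Iterable[str]) -> Optional[str]:
    """Defender's check: can a token from a stolen table be mapped back by trying candidates?"""
    for ssn in candidates:
        if hmac.compare_digest(token_fn(ssn), token):
            return ssn
    return None


def demo() -> dict:
    # Constructed sample SSN and a deliberately tiny slice of the space so the check
    # runs in milliseconds; the real search is the full 10^9 values.
    sample_ssn = "123456789"
    candidates = [f"{n:09d}" for n in range(123_456_000, 123_457_000)]
    key = secrets.token_bytes(32)  # never stored next to the tokens
    return {
        "minutes_at_1_5M_per_sec": round(brute_force_minutes(1.5e6), 1),
        "plain_recovered": recover_by_enumeration(plain_token(sample_ssn), plain_token, candidates),
        # Whoever holds only the table lacks the key, so they can only try public functions.
        "keyed_recovered": recover_by_enumeration(keyed_token(sample_ssn, key), plain_token, candidates),
    }


if __name__ == "__main__":
    print(demo())
```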

  7. SSN versus ID-card by Councilor+Hart · · Score: 4, Insightful

    I am not an American, but from Belgium. I am required to carry an ID card with me. Although the only time the police asked for it was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money after all.
    So, if every American has an SSN, and it's given out almost like candy. And since the US govt knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
    It's something I have been trying to understand for years.
    I don't feel harassed, having to carry my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police need a justified reason to ask to see it. The bank can ask for it before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
    Just wondering...

    1. Re:SSN versus ID-card by bardothodal · · Score: 3, Insightful

      The reason is this. In America, you have the RIGHT to be left alone. We are not a democracy. We are a constitutional republic in which all citizens are the sovereign entity with rights imbued by the creator and some enumerated in the Constitution. The government is in place to protect those rights. The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.

      --
      No matter where you go, there you are.
    2. Re:SSN versus ID-card by Anonymous Coward · · Score: 1, Insightful

      "The police needs a justified reason to ask to see it."

      See, that's the sticking-point. In the US, lots of police officers are frustrated psychopaths who like to abuse their power. Not to mention others in higher powered positions in the government.

      Therefore, people have a queasy feeling about a national ID card that includes even more information than before.

  8. Re:um... by dgatwood · · Score: 2, Insightful
    Of course, you should realize that CERT has been all but replaced by the new US-CERT, run by the Department of Homeland Insecurity. That new group's idea of computer security includes:

    • Using WEP (ooh, so secure) to "prevent" terrorists using your base station.
    • Sending out signed weekly messages to warn about vulnerabilities, but instead of sending out a detailed list, the message only contains a reference to their web address.
    • That web server runs Windows.
    • That web server is on a .gov address that I haven't been able to access in over a month because the .gov DNS servers time out. I can't access it from home or from my servers on the other side of the country....
    I've given up on relying on CERT to keep our network secure. It's sad, but at this point, my best sources of security info are Slashdot and regular checks of certain daemons' web pages. IMHO, it's long past time to overthrow US-CERT and create an organization that actually understands security, but I don't see it happening....

    IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  9. Tales out of School.... by catdevnull · · Score: 1, Insightful

    This really shouldn't surprise anyone who works at a university. There are several mitigating factors that make this sort of intrusion inevitable.

    Here's why:

    Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because they often want to share their servers with other universities, they are usually not behind a firewall and/or given address space that is world addressable.

    This usually creates a perfect place for intrusion--lack of cohesive security policy, machines that are run by novice sysadmins, and a really fat uplink to the net.

    To make things worse, the networks on campuses are generally a hodge-podge of technologies and topologies that have been piece-mealed together like some kind of electric crazy quilt. You might have aging border router equipment, old hubstacks with vulnerabilities in their management utilities, random unmanaged/non-secure wireless networks in the dorms or offices, etc--a nice untraceable uplink to your LAN.

    Managing the security for these networks is almost impossible unless the entire infrastructure has been updated--which costs millions of dollars that universities are not likely to spend (at least not without a major campaign).

    All of these computers--Macs, PCs, Linux, Solaris, etc.--have no real security policy, they're poorly managed by amateurs, and they have a network with no real firewall. Talk about a honeypot!

    Each node on this honeynet is now a prime place for root kit installations. They lie in wait for someone to log in to the right systems and, voila--a password and userid. A keylogger records a legit log-in. Now your cracker is using one of the unmanaged nodes on your network to have his way with your student/employee information system.

    If any university has a better system, I think they're in the minority. Hopefully, this will change. But until then, the inmates run the asylum.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  10. Re:Poster here by randall_burns · · Score: 2, Insightful

    Mother's maiden name was commonly used for verification of credit card accounts when I worked in that field 10 years ago. With Name, DOB, SSN, Mother's Maiden name, credit card number, expiration date and verification number it was possible to hijack a credit card.