Slashdot Mirror

← Back to Stories (view on slashdot.org)

Carnegie Mellon Says Computers Breached

Posted by CowboyNeal on from the back-door-left-open dept.

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."

11 of 203 comments (clear)

  1. Is This Really News??? by ferrellcat · · Score: 4, Insightful

    Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported.

  2. Casual attitude about SSNs by bigtallmofo · · Score: 5, Insightful

    What exactly were social security numbers doing on that computer?

    I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

    I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.

    --
    I'm a big tall mofo.
    1. Re:Casual attitude about SSNs by Angostura · · Score: 4, Insightful

      Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

      The other way is to think of it as a piece of information information as public as your first name or hair colour.

      It seems to me that SSN now has to be considered in the second category.

      The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

      It is this mismatch which is causing the potential identity theft and security problems.

      I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

      Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

  3. Looks like a departmental problem to me. by morph- · · Score: 4, Insightful

    As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

  4. Re:An everyday occurrence now.... by beavis88 · · Score: 2, Insightful

    That's not going to stop it either. It may, however, change who does the stealing.

  5. Why store the SSN? by Ann+Elk · · Score: 3, Insightful

    Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

    I know, I know -- I shouldn't bother asking "why"...

    1. Re:Why store the SSN? by fourtyfive · · Score: 4, Insightful

      Because this would only be minutely more secure than storing the SSN itself. Theirs nine digits in a SS #, numbered 0-9, thats 10^9 Even at a meager brute force rate of 1.5 Million MD5Sums / sec, it would only take 11 minutes to break every possible combination.

  6. SSN versus ID-card by Councilor+Hart · · Score: 4, Insightful

    I am not an American, but from Belgium. I am required to carry a ID-card with me. Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money afterall.
    So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
    It's something I have been trying to understand for years.
    I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
    Just wondering...

    1. Re:SSN versus ID-card by bardothodal · · Score: 3, Insightful

      The reason is this . In America , you have the RIGHT to be left alone. We are not a democracy. We are a constitutional republic in which all citizens are the sovern entity with rights embued by the creator and some enumerated in the Constitution.The government is in place to protect those rights. The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.

      --
      No matter where you go , there you are.
  7. Re:um... by dgatwood · · Score: 2, Insightful
    Of course, you should realize that CERT has been all but replaced by the new US-CERT, run by the Department of Homeland Insecurity. That new group's idea of computer security includes:

    • Using WEP (ooh, so secure) to "prevent" terrorists using your base station.
    • Sending out signed weekly messages to warn about vulnerabilities, but instead of sending out a detailed list, the message only contains a reference to their web address.
    • That web server runs Windows.
    • That web server is on a .gov address that I haven't been able to access in over a month because the .gov DNS servers time out. I can't access it from home or from my servers on the other side of the country....
    I've given up on relying on CERT to keep our network secure. It's sad, but at this point, my best sources of security info are Slashdot and regular checks of certain daemons' web pages. IMHO, it's long past time to overthrow US-CERT and create an organization that actually understands security, but I don't see it happening....

    IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Re:Poster here by randall_burns · · Score: 2, Insightful

    Mother's maiden name was commonly used for veification of credit card acounts when I worked in that field 10 years ago. With Name, DOB, SSN, Mother's Maiden name, credit card number, expiration date and verification number it was possible to hijack a credit card.