Slashdot Mirror
Carnegie Mellon Says Computers Breached
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson and his tech news.
What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the works of a group of hackers and now has the FBI's computer crime squad joined in the investigation.
I'm a virgo and on Slashdot. Coincidence? Yes.
I go to CMU and work for the psychology departments comptuing support. Well about a month ago, our server crashed and our backups only partially restored. So I hopped on a new machine and installed linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DOS attacks. I caught the guy a day later when I started getting emails from companies and kicked him off. The wierd thing is, the attack happened on the 10th of April. The same day Tepper was breached.
I don't know about replacing your SSN but I do know a lot about the market for getting SSN's. Some of our customers are construction companies and it isn't all that uncommon for a worker to come in and present a document that he says is an original and valid SS card. When checked, it is the same number as one already on file. I was in the office one day when a guy came in who had no fewer than 3 different SS cards on him. I think that it is reasonably clear that the SS number can no longer be considered any sort of valid identifier. It is, at this point, up to society and the government to move past it.
This, of course, is the sticky point. What do we use in place of that unique identifier? A national ID card? That rubs a lot of people the wrong way and with some justification. However, the move to "secure" drivers licenses is simply a move at the state level to provide the same thing.
Long and short of it is that someone smarter than me will have to figure it out. Shouldn't be that hard to find someone....;)
An interesting thing to note is that the media broke the story on Thursday, but CMU didn't tell the CMU community until late Friday. I heard it on the news first!
Another interesting note is that in the CMU internal announcement, the _second_ paragraph was effectively, "it isn't as if we're the _only_ school to lose information"
The third paragraph says that the data was stolen from desktop and laptops rather than servers. WTF was sensitive data doing there?
Sucks to be the business school, I guess.
That's why a lot of companies (health insurance, financial,etc) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you - SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check)
Person who's handling all this can easily make copies and apply for new credit cards,etc.
There's absolutely no reason why they need your SSN, your health insurance card (with non-ssn personal ID should be enough)
Any information you are routinly asked to give up can not be considered secret. The problem with the SSN's is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation and those extra pieces of information are likely to become available to the thief at the same time as the SSN's, from the same database.
The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.
The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of id, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify id's than it is to harvest SSN's and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.
It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.
Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.
While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.
A furore Normanorum libera nos, O Domine! [From the fury of the norsemen deliver us, O Lord!] -- Medieval prayer
"Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported."
Right.
These breaches are inevitable. That's why, as I've said for a while, it doesn't really matter if an organization -- whether it's Google or the government -- promises to "do no evil".
Even an organization run by saints -- and no organization is run by saints -- can be breached.
So there are two things that need to be done: first, we need to convince organizations, both corporate and governmental, to limit the information they collect to what is actually necessary for their functioning. And access needs to limited and audited to prevent misuse.
Given prevailing corporate ethics -- that whatever is good for profits is ethical -- the "convincing" will have to be in the form of data-protection laws and privacy-protection laws that limit information collecting and impose penalties for misuse or failing to adequately safeguard it.
Second, what information is collected needs to be encrypted. While that won't prevent all hacking, it will mean that copies of data stolen in bulk will be pretty much useless to the thieves.
Again, it's not sufficient to think, "well, I trust Google (or the FBI or Social security administration or my bank) won't misuse my information" -- it's necessary to remember that organizations change sometimes without warning (see the first link, above), and that external hackers internal misusers can pervert any system (see the second link).
Our response has to be more than "whistling past the graveyard" hoping that nothing will go wrong. Breaches are inevitable, and our laws and our data-retention worse practices -- not the best practices we hope for, but the worst we allow -- must reflect that.
Opinions on the Twiddler2 hand-held keyboard?
1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
The last time we had ID cards here, a woman found some item in the street and tried to hand in in to the police as lost property. They demanded her ID. She had forgotten to carry it, so was arrested. This caused such a scandal that it led to the abolition of ID cards.
Criminals don't leave their ID number at the scene of the crime, so issuing ID cards will not help solve crimes. But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.
2. The bank wants to see your ID. Why?
I've got a card from my bank too. When I want to take money out, it proves that I am the same person who put the money in. That's all they need to know. They don't need to know my nationality, or medical history, or police record. So I don't want a single ID that will link all that data together.
Well, it's ok that you ask. Because if it's a hash I can just generate all 900 million 9 digit numbers, calculate their hashes, and see which ones match the DB. Oh, and then profit.
Does this not highlight a major problem with the system?
The UK has a NI number which is kinda similar, used for taxes, pensions etc. but you sure as hell can't pretend to be someone just by knowing that and a name.
How many people can read hex if only you and dead people can read hex?
Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.
No. Actually, I think you have a rather good view of the situation. I thought almost the same thing: thieves want this information because it is "secret". So it has to be secured. What if we suddenly make all SSNs publicly listed and stop trating them like they're our very souls.
Isn't there some system that would replace our "security through obscurity" attitude by a "OpenSociety" way of dealing with personal information. I mean, I'm sure there some other -- and better -- way of verifyring someone's ID than to rely entirely on a few random numbers. I all those numbers are made public, what interest is left to steal them? We'd just have to think of a new, "open" way to deal with the issue.
You are more than the sum of what you consume. Desire is not an occupation.