Carnegie Mellon Says Computers Breached
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson and his tech news.
What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the work of a group of hackers, and the FBI's computer crime squad has now joined the investigation.
I'm a virgo and on Slashdot. Coincidence? Yes.
Sadly, it seems more astonishing if a day goes by when a major personal information breach is NOT reported.
What exactly were social security numbers doing on that computer?
I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.
I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.
I'm a big tall mofo.
Until a national Public Key Infrastructure is devised, requiring biometric input from each user, identity theft is not going to stop.
Creative Commons music that doesn't suck: emptydrum.com
I'm not going to moan about how frequently this seems to be happening lately, but I've been thinking:
Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
What is one supposed to do with such warning?
The following statement is true
The preceding statement is false
My company just deployed a new application to help manage employee data, calendars, timesheets, etc. Guess what? We didn't put SSN anywhere near this application. It's a simple enough matter for someone to go to the locked file cabinet in the HR office and grab a number if need be.
It's not like this method is particularly secure, but it doesn't really matter -- a physical break-in seems much more "acceptable" in the eyes of customers etc than does an electronic break-in.
As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.
Can I have my social security number replaced legally? I don't know for sure, but I suspect my number is just about worthless now. Hell, sometimes we don't hear about these thefts till months or years later. That leads me to work under the assumption that my SS# has been stolen from someone, somewhere. It's utterly worthless (not that it had any value before, my credit was crapped out anyway).
Something needs to be done about this, SS#s are a joke. I was watching the local Chicago news the other day and migrant workers can go down to the local 7-11, meet a shady character and have their own SS# for $75-$100. Come on, this is nuts.
If the computer had ss numbers, then it most likely also had the name and address and maybe even information about birth date on that same computer. I think it sucks that this sort of thing happens. I'm in the military and my ss number is known by just about anyone that takes 5 minutes searching for it. So sad.
Mark
but probably also CERTainly in need of a spell checker
But when your SSN is associated with your name, people can use it to pretend to be you and sign up for other forms of ID that can be used and show up as black marks against you...
Actio personalis moritur cum persona. (Dead men don't sue)
Yes, please just fill out this short form and I will take care of it for you.
Current Social Security Number: ___-__-____
Full Legal Name: ____________
Date of Birth: __/__/____
Address: _____________
City: __________ State: __
ZIP: ______-____
Thank you.
I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.
Evil sig is livE.
But when your SSN is associated with your name, people can use it to pretend to be you and sign up for other forms of ID that can be used and show up as black marks against you...
Is this true? You'd think that at least the most basic protections would be in place to prevent this sort of fraud.
I go to CMU and work for the psychology department's computing support. Well, about a month ago our server crashed and our backups only partially restored. So I hopped on a new machine and installed Linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 hours after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DoS attacks. I caught the guy a day later when I started getting emails from companies and kicked him off. The weird thing is, the attack happened on the 10th of April. The same day Tepper was breached.
Just a quick clarification: Carnegie Mellon itself was not hacked. This was a Tepper School of Business machine that was hacked and their student data lost. As seems to be fairly normal, the business school is almost its own entity, even running on a different schedule than the rest of the campus.
using the Kamel spell checker; a great product.
Anyone seen my jagged little pill?
I don't use my own identity anymore anyway.
My $0.02
I comment occasionally so that I can mod others -1 overrated or -1 offtopic.
Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.
I know, I know -- I shouldn't bother asking "why"...
I am not an American, but from Belgium. I am required to carry an ID card with me, although the only time the police asked for it was once when I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police, which I think is a good thing. It's my money after all.
So, if every American has an SSN, and it's given out almost like candy, and the US government knows this number, then what is the difference from a national ID card? And why are Americans so opposed to such a card?
It's something I have been trying to understand for years.
I don't feel harassed having to carry my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police need a justified reason to ask to see it. The bank can ask for it before giving out a lot of cash, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...
One might presume that there isn't enough difference between guns for that to matter. However, some OSes might be easier to hack than others.
An interesting thing to note is that the media broke the story on Thursday, but CMU didn't tell the CMU community until late Friday. I heard it on the news first!
Another interesting note is that in the CMU internal announcement, the _second_ paragraph was effectively, "it isn't as if we're the _only_ school to lose information"
The third paragraph says that the data was stolen from desktop and laptops rather than servers. WTF was sensitive data doing there?
Sucks to be the business school, I guess.
That's why a lot of companies (health insurance, financial, etc.) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you: SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check).
The person who's handling all this can easily make copies and apply for new credit cards, etc.
There's absolutely no reason why they need your SSN; your health insurance card (with a non-SSN personal ID) should be enough.
Any information you are routinely asked to give up cannot be considered secret. The problem with SSNs is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation, and those extra pieces of information are likely to become available to the thief at the same time as the SSNs, from the same database.
The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.
The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of ID, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify IDs than it is to harvest SSNs and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.
It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.
Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.
While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.
A furore Normanorum libera nos, O Domine! [From the fury of the norsemen deliver us, O Lord!] -- Medieval prayer
SS#s were not intended to be a secure ID number to be kept confidential. This is a complete fabrication of credit agencies and the like.
The intent is to provide a unique ID number for the social security system. In many state databases (NYS employees) this ID number is freely available (along with your salary).
To help keep yourself out of the "identity theft" arena, opt-out of instant credit. This is advisable for everyone, alas no more discounts at the GAP for opening a credit card...
Dear ______,
On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.
We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.
While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:
- For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.
- For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.
- For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.)
Your new PAC number is: **********
Your email address in the directory is: ****************
- For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.
Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.
We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.
The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.
If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu
Thank you.
Steve Sharratt
Associate Dean for Advancement
Many hackers make the classic blunder of telling everyone and taking out ads on TV and radio. Obviously these ones are sneakier than that.
So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world over there because you've got folks who dress nicely and whatnot.
CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU; they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hacked with a failure of CERT would be like saying the CIA was vulnerable because the Department of Agriculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and its share of folks who are dolts.
On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on the magnetic stripe of your student ID card. You can change it, but they look at you funny when you ask to do that.
So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.
This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckless.
My Slashdot account is old enough to drink...
- Using WEP (ooh, so secure) to "prevent" terrorists using your base station.
- Sending out signed weekly messages to warn about vulnerabilities, but instead of sending out a detailed list, the message only contains a reference to their web address.
- That web server runs Windows.
- That web server is on a .gov address that I haven't been able to access in over a month because the .gov DNS servers time out. I can't access it from home or from my servers on the other side of the country....
I've given up on relying on CERT to keep our network secure. It's sad, but at this point, my best sources of security info are Slashdot and regular checks of certain daemons' web pages. IMHO, it's long past time to overthrow US-CERT and create an organization that actually understands security, but I don't see it happening....IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?
Check out my sci-fi/humor trilogy at PatriotsBooks.
This really shouldn't surprise anyone who works at a university. There are several mitigating factors that make this sort of intrusion inevitable.
Here's why:
Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because they often want to share their servers with other universities, they are usually not behind a firewall and/or are given address space that is world addressable.
This usually creates a perfect place for intrusion--lack of cohesive security policy, machines that are run by novice sysadmins, and a really fat uplink to the net.
To make things worse, the networks on campuses are generally a hodge-podge of technologies and topologies that have been piece-mealed together like some kind of electric crazy quilt. You might have aging border router equipment, old hubstacks with vulnerabilities in their management utilities, random unmanaged/non-secure wireless networks in the dorms or offices, etc.--a nice untraceable uplink to your LAN.
Managing the security for these networks is almost impossible unless the entire infrastructure has been updated--which costs millions of dollars that universities are not likely to spend (at least not without a major campaign).
All of these computers--Macs, PCs, Linux, Solaris, etc.--have no real security policy, they're poorly managed by amateurs, and they have a network with no real firewall. Talk about a honeypot!
Each node on this honeynet is now a prime place for root kit installations. They lie in wait for someone to log in to the right systems and, voila--a password and userid. A keylogger records a legit log-in. Now your cracker is using one of the unmanaged nodes on your network to have his way with your student/employee information system.
If any university has a better system, I think they're in the minority. Hopefully, this will change. But until then, the inmates run the asylum.
I might know what I'm talkin' about, but then again, this is Slashdot...
I'm not trying to get too personal -- but you don't sound too concerned, and that concerns me, psychologically. :)
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the kernel. Then I keep images of my fav installs & nc+dd them onto new boxes when needed... _Then_ I go to work and do the same on many more computers in addition to the job I was actually hired for. I still maintain a social life and even -- gasp -- a lady friend.
So I do realize there are large factors that go into having enough time and infrastructure to admin 1000 vs. 100 vs. 10 boxes. But is "easy" just considered routine due to time constraints, even at a fine establishment like CMU?
If your box was on the net for 24 hrs and it got cracked into, something's gone wrong in your department.
I don't consider it much of a "hack" if the admin sets up a deficient system (i.e. easily guessable usernames/passwords) and puts it live on the Internet without monitoring it for brute-forcing, which you allude to. One cannot rely on a 3rd party to inform them that machines in their domain are hacked. It only takes a few key punches to duplicate very good security efforts after you've done them once.
I'd be interested in knowing what the exploit vector was (if you did the above) and if you guys are able to do I.R. after a breach. Or even bother to image the drive for later...
I dunno, but I see a pattern here with locations that put busy, course-loaded students in the employ of guarding the subnets...
argan0n
My old crappy (inherited) bike got stolen in two years' time. My new, marked bike is still with me after 4 years. And I live in a university town. As you know, in such a town, stealing^H borrowing bikes is as common as breathing air.
So once again, my ID card is used in my favour. You could say, the same could have been accomplished with a driver ID card or a SSN. To which I will, again, ask: then what is the difference?
Thanks for the replies so far.
Does this not highlight a major problem with the system?
The UK has a NI number which is kinda similar, used for taxes, pensions etc. but you sure as hell can't pretend to be someone just by knowing that and a name.
How many people can read hex if only you and dead people can read hex?
"Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock."
Fucking A. I'm with you on this 100%. Granted, I run OpenBSD at home, but that doesn't mean I just sit back and pretend like everything is okay. I check the errata at least twice a day and act on the updates/patches as soon as I get a free couple of seconds in my day. I have pf setup to my likings and haven't had a problem since I installed OpenBSD. No, I'm not an OpenBSD fanboy, I'm just making my claim--YMMV.
In short: there is simply no excuse to be lazy/relaxed about security. Call me paranoid, but I'd like to keep MY data to myself.
What can "identity thieves" do with another person's SSN? (I'm not an American, I don't know.)
I'm not an American, but I'm guessing that SSNs are only useful when combined with the Names (and maybe addresses) of the people. And that SSNs are not created serially, but randomly. Am I correct?
GSIA couldn't admin their way out of a wet paper bag, at least, not when I worked for Computing Services back in the day.
"Tepper School of Business"....LOLOLOLOL
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I think you'd be right. When I was consulting it never ceased to amaze me just how little was done to secure the network at most places. Whether corporate or government it didn't make a difference.
I don't think this is a lackadaisical attitude towards security in particular, but the fact that IT departments tend to attract the least competent people in the computer sciences.
I know my home network is more secure than most of the businesses/government agencies I consulted for even though I could certainly do more to improve it.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
I'd like to point out that picture IDs are silly. How do you decide whether the person in front of you is the person in the card's picture?
I worked as an election judge in Colorado and they explicitly told us not to bother looking at the photo on the id. The law specified it had to be a photo id, but we were told not to care what the picture on it looks like. People change, you can't recognize them reliably.
What prevents someone from fraudulently opening a PayPal account for you and using it on your behalf? The system has problems, and there are no simple fixes.
Perhaps everyone should be required to carry a card with an RSA key on it, if you lose it you create a revocation certificate and get a new one. Doesn't that sound like fun? I'm sure grandma will love it.
Tharkban (It is a signature after all)
how does one opt out of instant credit?
who handles instant credit?
but a 10 year old with a spy camera can defend a business better than cert or rent-a-cops can ;)
Yes, I have. Salt was not mentioned. Besides, the point is that hashing does not encryption make. But I'm sure you know that already.
I'm not an American, but I'm guessing that SSNs are only useful when combined with the Names (and maybe addresses) of the people.
You're very likely to have access to the name and address, since it'll usually be stored in the same place as the SSN.
And that SSNs are not created serially, but randomly. Am I correct?
Nope. Social Security Numbers are indeed created serially.
If it's not meant to be somewhat secure, then why was it illegal for a long time (perhaps even today) for anyone other than your employer and the IRS to require it?
Luke-Jr
Well, since the salt is the only piece that actually does anything, why not just dispense with the hash (which is useless in this small of a sample space) and use the salt as a symmetric encryption key? That is basically what you are doing anyway.
Also there's only 1 billion possible SSNs, and the population of the US is 300 million. So, if you pick a number at random, you have a 30% chance of picking a valid number. And since there's a pattern (as you mentioned), the real odds are actually much better. I doubt you can do much with just a number and no name or other information.
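As an added illustration of the hash-vs-salt exchange above (example code written for this page, not from any poster): an unkeyed hash of a nine-digit SSN is inverted by simply hashing candidates, while an HMAC under a secret key held outside the database is the "salt as symmetric key" construction the parent comment describes and still supports exact-match lookups. The area/group prefix used to narrow the demo search, the key handling and the sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample SSN for the demo (not any real person's number).
SAMPLE_SSN = "123-45-6789"


def plain_hash(ssn: str) -> str:
    """Unkeyed SHA-256 of the SSN, the scheme proposed for 'safe' lookups."""
    return hashlib.sha256(ssn.encode("ascii")).hexdigest()


def recover_from_plain_hash(digest: str, area: str, group: str) -> Optional[str]:
    """Invert an unkeyed hash by hashing every candidate SSN in one area-group
    block (serials 0001-9999). Restricting to one block only keeps this demo
    fast; the full 10**9 space is just as enumerable, which is why hashing a
    9-digit identifier protects nothing on its own."""
    for serial in range(1, 10_000):
        candidate = f"{area}-{group}-{serial:04d}"
        if plain_hash(candidate) == digest:
            return candidate
    return None


def new_pseudonym_key() -> bytes:
    """A 256-bit secret. It must live outside the database (KMS, HSM, or at
    least a separate host): if it is dumped along with the table, the keyed
    token degrades to the plain hash above."""
    return secrets.token_bytes(32)


def keyed_pseudonym(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 of the SSN under the secret key. The same SSN and key always
    yield the same token, so joins and lookups by SSN still work; without the
    key an attacker has nothing to compare candidate hashes against."""
    return hmac.new(key, ssn.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: Dict[str, dict], key: bytes) -> Dict[str, dict]:
    """Rebuild a {ssn: record} table as {token: record} with the SSN removed."""
    table = {}
    for ssn, record in records.items():
        stripped = {k: v for k, v in record.items() if k != "ssn"}
        table[keyed_pseudonym(ssn, key)] = stripped
    return table


def lookup_by_ssn(table: Dict[str, dict], ssn: str, key: bytes) -> Optional[dict]:
    """Application-side lookup: recompute the token, then index the table."""
    return table.get(keyed_pseudonym(ssn, key))


if __name__ == "__main__":
    key = new_pseudonym_key()
    # Unkeyed hash: recovered in a fraction of a second for one block.
    print(recover_from_plain_hash(plain_hash(SAMPLE_SSN), "123", "45"))
    # Keyed token: the same search finds nothing without the key.
    token = keyed_pseudonym(SAMPLE_SSN, key)
    print(recover_from_plain_hash(token, "123", "45"))
    # Lookups still work for the application that holds the key.
    records = {SAMPLE_SSN: {"ssn": SAMPLE_SSN, "name": "A. Student", "gpa": 3.7}}
    print(lookup_by_ssn(pseudonymize_records(records, key), SAMPLE_SSN, key))
```

The keyed token is only as secret as the key: anyone who obtains both the table and the key can run the same candidate search, so the gain is entirely in keeping the key off the database host.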
Why? Was it covered in watermelon?
"OH SHIT, THERE'S A HORSE IN THE HOSPITAL!"
It is this mismatch which is causing the potential identity theft and security problems.
Imagine if you could sign into a Slashdot account with only the UID! We'd all sign in as CmdrTaco and start posting news about Tribbles and whatever else met our approval.
The dangers of knowledge trigger emotional distress in human beings.
Our University changed this particular item for just these reasons. We don't use SSNs as identifiers for anything but taxes for those getting paid. Still, that information *IS* in the system--if you're getting a paycheck. However, if a cracker gets in deep enough, he's going to have enough information about a given set of users to be dangerous.