Slashdot Mirror
Carnegie Mellon Says Computers Breached
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson and his tech news.
What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the works of a group of hackers and now has the FBI's computer crime squad joined in the investigation.
I'm a virgo and on Slashdot. Coincidence? Yes.
Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported.
What exactly were social security numbers doing on that computer?
I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.
I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.
I'm a big tall mofo.
As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.
Can I have my social security number replaced legally ? I don't know for sure, but I suspect my number is just about worthless now. Hell, sometimes we don't here about these thefts till months or years later. That leads me to work under the assumption that my SS# has been stolen, from someone , somewhere.. it's utterly worthless (not that it had any value before, my credit was crapped out anyways.)
Something needs to be done about this, SS#'s are a joke. I was watching the local chicago news the other day and migrant workers can go down to the local 7-11, meet a shady character and have their own SS#, for $75-$100.. Come on, this is nuts.
but probably also CERTainly in need of a spell checker
The following statement is true
The preceding statement is false
That's not going to stop it either. It may, however, change who does the stealing.
I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.
Evil sig is livE.
I go to CMU and work for the psychology departments comptuing support. Well about a month ago, our server crashed and our backups only partially restored. So I hopped on a new machine and installed linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DOS attacks. I caught the guy a day later when I started getting emails from companies and kicked him off. The wierd thing is, the attack happened on the 10th of April. The same day Tepper was breached.
Just a quick clarification, Carnegie Mellon itself was not hacked. This was a Tepper School of Buisness machine that was hacked and their student data lost. As seems to be fairly normal, the buisness school is almost its own entity, even running on a different schedule than the rest of the campus.
I don't use my own identity anymore anyway.
Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.
I know, I know -- I shouldn't bother asking "why"...
I am not an American, but from Belgium. I am required to carry a ID-card with me. Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money afterall.
So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
It's something I have been trying to understand for years.
I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...
That's why a lot of companies (health insurance, financial,etc) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you - SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check)
Person who's handling all this can easily make copies and apply for new credit cards,etc.
There's absolutely no reason why they need your SSN, your health insurance card (with non-ssn personal ID should be enough)
Any information you are routinly asked to give up can not be considered secret. The problem with the SSN's is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation and those extra pieces of information are likely to become available to the thief at the same time as the SSN's, from the same database.
The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.
The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of id, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify id's than it is to harvest SSN's and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.
It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.
Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.
While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.
A furore Normanorum libera nos, O Domine! [From the fury of the norsemen deliver us, O Lord!] -- Medieval prayer
Dear ______,
On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.
We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.
While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:
- For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.
- For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.
- For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.
Your new PAC number is: **********
Your email address in the directory is: ****************
- For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.
Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.
We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.
The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.
If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu
Thank you.
Steve Sharratt
Associate Dean for Advancement
So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world overthere because you've got folks who dress nicely and what not.
CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU, they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hack to a failure of CERT would be like saying the CIA was vulnerable because the department of argiculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and share of folks who are dolts.
On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on your magnetic stript of your student ID card. You can change it, but they look at you funny when you ask to do that.
So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.
This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckles.
My Slashdot account is old enough to drink...
- Using WEP (ooh, so secure) to "prevent" terrorists using your base station.
- Sending out signed weekly messages to warn about vulnerabilities, but instead of sending out a detailed list, the message only contains a reference to their web address.
- That web server runs Windows.
- That web server is on a
.gov address that I haven't been able to access in over a month because the .gov DNS servers time out. I can't access it from home or from my servers on the other side of the country....
I've given up on relying on CERT to keep our network secure. It's sad, but at this point, my best sources of security info are Slashdot and regular checks of certain daemons' web pages. IMHO, it's long past time to overthrow US-CERT and create an organization that actually understands security, but I don't see it happening....IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?
Check out my sci-fi/humor trilogy at PatriotsBooks.
I'm not trying to get too personal -- but you don't sound too concerned & that concern's me psychology. :)
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the Kernel. Then I keep images of my fav installs & nc+dd them onto new boxes when needed... _Then_ I go to work and do the same on many more computers in addition the job I was actaully hired for. I still maintain a social life and even -- gasp -- a lady friend.
So I do realize there are large factors that go into haveing enough time and infrastructure to admin 1000 vs 100 vs. 10 boxes. But is "easy" just considered routine due to time constraints, even at a fine establishment like CMU?
If your box was on the net for 24hrs, and it got cracked into, somethings gone wrong in your department.
I don't consider it much of a "hack" if the admin sets up a deficient system (i.e. easily guessable usernames/password) and puts it live on the Internet without montoring it for brute-forcing; which you allude to. One cannot rely on a 3rd party to inform them that machines in their domain are hacked. It only takes a few key punches to duplicate very good securiy efforts after you've done them once.
I'd be interested in knowing what the exploit vector was (if you did the above) if you guys are able do I.R. after a breach. Or even bother to image the drive for later...
I dunno, but I see a pattern here with locations that put busy, course-loaded students in the employ of guarding the subnets...
argan0n
Does this not highlight a major problem with the system?
The UK has a NI number which is kinda similar, used for taxes, pensions etc. but you sure as hell can't pretend to be someone just by knowing that and a name.
How many people can read hex if only you and dead people can read hex?