Carnegie Mellon Says Computers Breached

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."

Poster here

[maotx]

And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson and his tech news.

What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the works of a group of hackers and now has the FBI's computer crime squad joined in the investigation.

Is This Really News???

[ferrellcat]

Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported.

Casual attitude about SSNs

[bigtallmofo]

What exactly were social security numbers doing on that computer?

I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.

Re:Casual attitude about SSNs

[Angostura]

Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

The other way is to think of it as a piece of information information as public as your first name or hair colour.

It seems to me that SSN now has to be considered in the second category.

The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

It is this mismatch which is causing the potential identity theft and security problems.

I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

Re:Casual attitude about SSNs

I was just hired by CMU (literally in the last few days).

They still appear to be using Social InSecurity numbers as employee IDs. When I showed the personnel worker my newly minted CMU ID, she asked me my Social InSecurity number and only then was she able to find me in the system.

I'm usually not anonymous but I'd better stay that way for this one.

CMU Guy

Re:Casual attitude about SSNs

[Neurotoxic666]

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

No. Actually, I think you have a rather good view of the situation. I thought almost the same thing: thieves want this information because it is "secret". So it has to be secured. What if we suddenly make all SSNs publicly listed and stop trating them like they're our very souls.

Isn't there some system that would replace our "security through obscurity" attitude by a "OpenSociety" way of dealing with personal information. I mean, I'm sure there some other -- and better -- way of verifyring someone's ID than to rely entirely on a few random numbers. I all those numbers are made public, what interest is left to steal them? We'd just have to think of a new, "open" way to deal with the issue.

Looks like a departmental problem to me.

[morph-]

As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

The weakest link

[jokestress]

I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.

Not really CMU, but Tepper School of Buisness

[Rufus211]

Just a quick clarification, Carnegie Mellon itself was not hacked. This was a Tepper School of Buisness machine that was hacked and their student data lost. As seems to be fairly normal, the buisness school is almost its own entity, even running on a different schedule than the rest of the campus.

No problem...

[Darvin]

I don't use my own identity anymore anyway.

Why store the SSN?

[Ann+Elk]

Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

I know, I know -- I shouldn't bother asking "why"...

Re:Why store the SSN?

[fourtyfive]

Because this would only be minutely more secure than storing the SSN itself. Theirs nine digits in a SS #, numbered 0-9, thats 10^9 Even at a meager brute force rate of 1.5 Million MD5Sums / sec, it would only take 11 minutes to break every possible combination.

SSN versus ID-card

[Councilor+Hart]

I am not an American, but from Belgium. I am required to carry a ID-card with me. Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money afterall.
So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
It's something I have been trying to understand for years.
I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...

Re:SSN versus ID-card

[bardothodal]

The reason is this . In America , you have the RIGHT to be left alone. We are not a democracy. We are a constitutional republic in which all citizens are the sovern entity with rights embued by the creator and some enumerated in the Constitution.The government is in place to protect those rights. The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.

Re:SSN versus ID-card

[zakezuke]

So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?

Your Social Security card is not identification except for bank, your employer, and the IRS. I should also say the phone company also asks for this, and other businesses preforming credit checks which would include rentals. It should be a method of tracking your earnings and paying federal or state taxes (if your state has an income tax). It has no picture, no address, and unless it's changed is a piece of paper that says specifically "do not laminate" unless you have an older one from before 1988 or so. Most places that would require it don't even look at the physical document, why would they it falls apart after a few years. A few employers require one in good physical condition but typically those are limited to places concerned with illegal aliens. Foreign nationals working in America are required to have a tax ID number, but as being non-nationals don't get social security benefits hence no social security card, but just put the tax id number in place of where it asks for social.

For identification purposes, most places use the driver's license which is a state not national agency. Some people don't drive, or can't drive, so those places issue ID cards as well. You are not required by law to carry one, but if you want to buy booze, go into bars, or cigs, or have a checking account it's very helpful. Passport is an option, but some places don't accept passports as forms of ID, even though they are required to by law.

There are many reasons to object to a national ID card.

1. ID cards are already provided by the State, no need for federal involvement. Classic State vs Federal rights argument.
2. There already exists a national ID, it's a passport.
3. We presently are not required to have ID on our person.

Re:SSN versus ID-card

[badfish99]

This illustrates nicely why we in Britain are opposed the the introduction of ID cards:

1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
The last time we had ID cards here, a woman found some item in the street and tried to hand in in to the police as lost property. They demanded her ID. She had forgotten to carry it, so was arrested. This caused such a scandal that it led to the abolition of ID cards.
Criminals don't leave their ID number at the scene of the crime, so issuing ID cards will not help solve crimes. But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.

2. The bank wants to see your ID. Why?
I've got a card from my bank too. When I want to take money out, it proves that I am the same person who put the money in. That's all they need to know. They don't need to know my nationality, or medical history, or police record. So I don't want a single ID that will link all that data together.

Letter from Tepper

[Snorpus]

I'm an alumnus of Tepper (GSIA, the old name, actually) and here's the email I received on Wednesday, April 20.

Dear ______,

On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.

We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.

While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:

- For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.

- For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.

- For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.
Your new PAC number is: **********
Your email address in the directory is: ****************

- For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.

Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.

We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.

The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.

If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu

Thank you.

Steve Sharratt
Associate Dean for Advancement

Not CMU per say

[pridkett]

So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world overthere because you've got folks who dress nicely and what not.

CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU, they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hack to a failure of CERT would be like saying the CIA was vulnerable because the department of argiculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and share of folks who are dolts.

On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on your magnetic stript of your student ID card. You can change it, but they look at you funny when you ask to do that.

So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.

This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckles.

More odd is your "easy account" practice & CMU

[argan0n]

I'm not trying to get too personal -- but you don't sound too concerned & that concern's me psychology. :)
Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the Kernel. Then I keep images of my fav installs & nc+dd them onto new boxes when needed... _Then_ I go to work and do the same on many more computers in addition the job I was actaully hired for. I still maintain a social life and even -- gasp -- a lady friend.
So I do realize there are large factors that go into haveing enough time and infrastructure to admin 1000 vs 100 vs. 10 boxes. But is "easy" just considered routine due to time constraints, even at a fine establishment like CMU?

If your box was on the net for 24hrs, and it got cracked into, somethings gone wrong in your department.
I don't consider it much of a "hack" if the admin sets up a deficient system (i.e. easily guessable usernames/password) and puts it live on the Internet without montoring it for brute-forcing; which you allude to. One cannot rely on a 3rd party to inform them that machines in their domain are hacked. It only takes a few key punches to duplicate very good securiy efforts after you've done them once.
I'd be interested in knowing what the exploit vector was (if you did the above) if you guys are able do I.R. after a breach. Or even bother to image the drive for later...

I dunno, but I see a pattern here with locations that put busy, course-loaded students in the employ of guarding the subnets...