UCLA Hacked, 800,000 Identities Exposed
An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."
Watch your bank accounts, people; this could be a long one.
800,000 people are going to be pissed as shit
WulframII - Free Online Multiplayer 3D Tank Shooting Game
December 12, 2006
Dear Friend,
UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.
I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.
The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.
Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.
In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.
As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm.
Extensive information on steps to protect against personal identity theft and fraud is on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov.
Information also is available on a Web site we have established, http://www.identityalert.ucla.edu. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.
Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to rel
George W. Maschke
AntiPolygraph.org
When I was in a U.S. college, albeit a long time ago, i.e. before the Patriot Act and 9/11, I had the choice to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is (was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...
TFA doesn't mention what the "hack" was. My guess, the software (probably a website) is more of a hack than anything that was done to access the data.
It's scary how much information is being reported as leaked every couple months.
Security is hard to get right because you have to get *everything* right.
Make one mistake and you've got no security.
As such, it is problematic to have vast databases of highly valuable information protected by "security".
The result will be a constant flow of database violations.
Unfortunately, by and large, a database provides a large and ongoing bureaucratic benefit to an organisation, whereas the pain of data loss is primarily borne by the people described by the database.
The only response we have as individuals is to keep our details as secret as possible.
A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.
Gee, it isn't that way by default? I would expect that that information too would be safeguarded...
What are the credit implications for placing a freeze on that information? Does it affect credit scores in any way? If not, I would like to place one on my own, just for the fact that I don't want anybody looking at that information without my consent...
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
I imagine a University is the type of organization that kind of flies under the radar. Banks, hospitals, credit card companies, these are obvious repositories of personal information. UCLA, not so much. Factor that in with a large, old, complex computer network with volumes of historical data (Those of you that graduated 20 years ago can probably still get your transcript) and you are bound to have quite a bit of low hanging fruit.
If the SSN database were public, the SSN would cease to become such a valuable target for identity thieves - systems would have to be changed to account for the public nature of the information. The SSN is fine as a unique identifier, but it should never have become a security tool.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
All I know is that the school better not be heavily promoting its computer security courses.
Buy Steampunk Clothing Online!
They should really think about a better firewall for their Gibson.
Isn't what people get out of such a breach, but what can be PUT IN.
ohh.. look at Johnny's sparkly new Ph.D. or M.D.
meh
What indemnification did the software developers provide in the event of such an occurrence?
davecb5620@gmail.com
At first glance, I thought the headline read ACLU. Now that would have stirred up a hornets' nest!
"I regret having to inform you that your name is in the database."
He regrets having to inform us, not that they were hacked.
Computers are useless. They can only give you answers.
-- Pablo Picasso
...I'm willing to cut them a lot of slack since the USC game. So let's call this one a wash. Go Bruins!
What I'm listening to now on Pandora...
This was a Linux server running Apache. So hacking it is IMPOSSIBLE!!!!!
http://uptime.netcraft.com/up/graph?site=www.identityalert.ucla.edu
Windows Server 2003 Microsoft-IIS/6.0 12-Dec-2006 164.67.134.79 University of California, Los Angeles
99% of all CC thefts on the web involve Windows and IIS, and yet Windows occupies less than 1/3 of the http AND https space. Amazing that so many look over this simple stat. It seems that the crackers and Al Qaeda are the only ones taking notice of that.
Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid.
So, a single software flaw got them past "all security measures." Sounds like some heads need to roll, starting with Jim Davis'.
Sort of. The problem with getting everything right is that you're dealing with non-physical concepts. If people were dealing with a physical structure it would be easier for them to understand and get it "right". Or at least closer to "right" than we currently see.
For example, important physical records are kept in a safe. The safe is in someone's office. The office is locked. If someone sees someone else going through the safe, most of the time they'll recognize whether that person should or should not be in that office, going through that safe.
But when we're talking about virtual systems, very few people can see who is accessing the data. Or what data is being accessed. And many will not even know what data is kept where. Or care (before the crack succeeds) about whether anyone would be interested in it.
The focus is not on security. It is on automation and work-force reduction. Letting the machines have access to EVERYTHING so that the machines can run the processes and send the results to other machines.
That's not going to work. It's too brittle. Once any of the sites with your data are compromised, your data is compromised.
Eventually, the criminals are going to wake up and really discover the power of the "database".
Imagine organized crime with a database on you similar to what the major credit tracking sites have. And it is almost as easy for them to collect it. "Identity theft" will take on a whole new dimension.
For the average person to understand it, virtual security needs to appear more like physical security.
You are assuming rational due diligence was in fact even attempted. These are institutions run by politicians.
Not if you have really done your homework. You NEVER rely on one system. When the second system catches a violation, you promptly deal with it.
One has to ask, why did it take so long to notice? Think about all the others that are not even watching?
Computer security is all about priorities, it isn't even technical. It is social/political.
Assume your SSN is public knowledge. The root cause of this issue is those that use SSN numbers f''k people's lives up after they didn't verify it was being used correctly in the first place. The fundamental problem here is that financial institutions are not making sure they deal with the correct person before handing over money.
Want to solve identity theft? Simple, put 100% of the onus on those that use it to make sure they are dealing with the right person when they use it. Make it a criminal offense with hefty fines and penalties for non-compliance. Make it cost ineffective for big credit to mess up. Because in reality, identity theft is a credit company issue. After a few dozen $10 million dollar settlements for incorrectly assigned $1000 collections the credit agencies will get the message.
"The data may have been available to hackers since October 2005 until November 21, 2006,"
Am I the only one who cringes when he reads this sentence?
The war with islam is a war on the beast
The war on terror is a war for peace
If the SSN's are now being flagged as compromised and watched for suspicious activity, perhaps the owners are better protected against fraud than they would have been otherwise.
I seem to be a magnet for large-scale computer identity data leakage. I'm not sure my overall percentage, but I managed to be in a big New York Times subscriber theft a few years ago, the American Express Financial Advisors theft last year, a T-Mobile one, and as a UCLA alum I get this one also. It seemed like everyone who has my name is volunteering it to intruders, and until I looked at this very long list of data loss incidents I was thinking it might just be me. At least I missed out on the big Veteran's Affairs ones by not being a veteran... Nothing bad has come of it as far as I can tell but who knows what the future holds?
...corporate types wonder why there are so many lawsuits. To effectively drop the ball on the security of almost a million students and then what you get as far as service is a letter saying "oops," it makes me glad that Bush couldn't get his "frivolous lawsuit" legislation through.
Maybe when companies/organizations trusted with information that leak it start getting sued by the people they are "protecting."
At my school they used the last 4 numbers of your social security number as part of your email. Organizations need to pay the price for being so lax on the security of their clients.
Judges and senates have been bought for gold; Esteem and love were never to be sold.
what if they took the people whose information they obtained, and then dropped it from the server.
/that/.
For example - they only went after applicants, collected the information, and dropped it from the server. There would be no existing student/faculty to wonder why their data was missing, and on top of that, if they did it at the right time, there might not even be a backup to verify it was ever there. Thus, the victim gets no warning whatsoever, and the thief gets an even longer time to escape.
I hope the investigators are considering
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
Definition of data Valdez, via a self-link.
Wordnik, a dictionary project which aims to collect
as frivolous. Most frivolous lawsuits are created without the intent to win but instead to settle.
This incident is negligent, possibly bordering on criminal if they can figure out whether some people knew about it earlier. Seeing that they're a school, I wonder what their liability is? I didn't check, but is UCLA still considered a government entity? If so they may be already protected by law. Lots of laws that come along that punish businesses purposely exclude government agencies from the very same.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Despite all of these large, high-profile security breaches of late, you don't hear a whole lot about people who actually became victims of fraud right afterwards. I'm sure it's happening, but it seems to be in the "best interest" of practically everyone EXCEPT the consumers owning the info to sweep it under the rug. (EG. "No problem sir! Just mail back the form we send you, detailing all the charges you didn't actually make on your VISA, and we'll take care of it. A new card is on its way out to you right away.")
You'd think that at some point, just about everyone in the U.S. will need to put "fraud alerts" on their credit profiles!
As bad as it sounds, I think it's going to take real financial losses of an almost unmanageable sort for the lenders and credit agencies to say "Enough!" and find new ways to protect consumer info.
I obtained the ages, names, addresses, potential employment profiles and many other details of many secondary school children from my local area. Sounds bad???
Walking along the street through the city one morning I passed a rubbish collection truck which had stopped to pick up a box at the side of the road. I approached the rubbish disposal tech and asked if I could procure the box to recycle it for home use. The RDT told me I would have to speak to the people in the office it came from. At that moment the manager person arrived at the office's external street door; I asked and was told I could take it, in front of the RDT. Happy to have a new box for nothing, I took it home and plugged it in with much anticipation in the hope that it would boot far enough that I might use one of my own HDDs with it. It booted alright, straight into its own OS, then sat there waiting for me to use it: Windows! I carefully checked the file system until I found many large files of a database type which I opened with some type of proggy that could view them. Inside was all this data about kids, serious data. I then got a witness to watch me going through the same method of opening and reading the data, then powered down the box and took the HDD out, then smashed it to bits on some concrete outside, completely. Everything was witnessed.
It really is surprising HOW data about your children CAN get into the wrong hands. The management person concerned was running the local careers office for all the school kids in the local area and would probably have known little about how the data on their network was physically stored. The box was outside due to the network getting upgraded, probably to cope with the size of data files on each PC. Why they were not using a thin client based system is beyond my understanding, except to imagine that they had been sold bad technology.
At that time, which was a good few years ago, the PC would have probably ended up in the local landfill. The landfill in question was walked daily by "beachcombers" looking for a penny or anything that might keep them warm etc.
Another serious security loophole created by bureaucratic failings.
Pathetic. This was also "my" local careers office when I was at school.
I could go on but I have better things to do.
I don't agree. Isn't one of the basic principles of security to use multiple layers? Firewall, IDS, TCP wrappers, strong passwords, etc. Insert various other security methods anywhere in the chain and you can be well defended. If I make a mistake in my firewall config, I should still be reasonably sure that I won't be totally compromised.
Nope. Unless you've specified such a freeze, anyone who has subscribed to the credit bureau can see your credit history. Credit card companies routinely scan such histories to determine who to send those unsolicited "You have been approved for
I wouldn't be a bit surprised to find out that con artists are accessing these credit histories to find suitable victims. All that such a criminal would need is an inside contact with a subscriber...
Don't tell me to get a life. I had one once. It sucked.
I think that a better security system would be to have one repository for such information, something that is associated with a third party answering to the government, as we know the government itself is never capable of establishing ground-breaking development; it always comes from outsourced work. Once this repository is created, then we could implement a security feature whereby anyone needing such information would have access to that person's associated record number if they pass clearance; then, based on the level of permission that the owner of that info (the person who has his records in the repository) gave that company, they have limited access to the info. The higher the permission, the more info. This could be tied into the hospitals, credit bureaus, banks etc., and also the government would have the highest access without need for permission, of course. This would also stop such things as passed information for telemarketing: they can't get your info based on no clearance, and someone giving them your record number would not give them their own access number, so that would nip the telemarketing and such in the bud!
Agreed. According to the article, the school's CIO said "the trespasser used a program designed to exploit an undetected software flaw to bypass all security measures" (Quoting the article, not the CIO.)
There is no single software flaw that can bypass properly layered security measures. The guy is flat-out admitting security incompetence, and he's probably too incompetent to even realize it.
He regrets having to inform us, not that they were hacked. For that matter, he doesn't even regret that your name was in the database -- only that he has to tell you about it.
I know it is a little offtopic, but I often hear this folk wisdom that "oh your SSN is completely public anyways." How easy is it to find a SSN? What does one need to know beforehand to get it?
Check the sites and see if they are running Windows (use Netcraft). If so, then you are at risk. Then check their server. If it is IIS, avoid at ALL costs. The problem is that Windows indicates that security is NOT job 1. IIS guarantees that this shop will run MS at all costs. It is like driving a Pinto on a track of a million drunk drivers, each having a lit flare. Keep in mind that Windows is involved in nearly 100% of all online CC thefts. First off, Windows is about 96% of the servers that get cracked even though they run on less than 25% of the https space. And then for the non-Windows ones that have been cracked, generally, they involve a stolen CC from a Windows box. The last known incident that did not involve Windows was probably the Playboy theft in 1999, which involved a Solaris system not being updated. That is a good record for *nix.
Sadly, 6 years ago, all the data was released about who got cracked and how. Once Bush came in, he shut that down in the first month. This is not about 9/11, but about paybacks. Hopefully the next pres. is not attached to Gates' zipper and we can get info. Sadly, I think about the only way that will happen is if it is Gates himself.
Or at least fired. But neither will happen.
It always seems that it takes this type of break-in, or some large DDoS, to get network/systems engs. to take security to heart. I do security for a living, and on a daily basis I see people at ALL levels in companies blow it off as just too much of a hassle. Okay, granted, it for sure can be a hassle at times, but would you rather have loss of information, broken systems, etc. or a little inconvenience?!?!?
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Yes, should be the default, but you can't even get a security freeze unless you live in a state that forces the credit bureaus to do it. California is one.
It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
o Less than a billion possible values
o Part of it based on your place of birth
o You're required to disclose it to dozens or hundreds of places
o Any credit-granting company can order a report and look at it
o It never changes
Obtain a prosperous future, money earning power, and the admiration of all. Diplomas from a prestigious California university based on your present knowledge and life experience. No required tests, classes, books, or interviews. Bachelors, masters, MBA, and doctorate (PhD) diplomas available in the field of your choice. No one is turned down. Confidentiality assured. :)
Just go to http://spammers-r-us.com/ucla.html
>Security is hard to get right because you have to get *everything* right.
>Make one mistake and you've got no security.
We're used to thinking that because good security design is so rare. Imagine if all ships and boats were guaranteed to sink the instant a hole opened in the hull. Good design contains failures. Maybe, just maybe, UCLA's database had a view that left out the SSNs and that almost all users were required to use. Anyone seriously think they did it that way? Not to mention how long it took to notice the breach.
The line I liked best was the last line of the second paragraph, "I emphasize that we have no evidence that personal information has been misused."
The line doesn't add anything except the realization that they are trying to cover their ass. Of course they don't have any evidence of what the intruder did with the data.
They do have proof of misuse though... Unauthorized access is misuse!
California has one asshat.
Everybody is required to be notified if their information has been exposed.
so..... get your fucking facts right.
Slashdot needs a -1 WRONG! moderation.
Yeah, the server that you mention may be 2003, but all of the other servers on Netcraft show Linux/Apache. http://toolbar.netcraft.com/site_report?url=http://www.ucla.edu
A Haiku: my language choices/assembler pascal lisp c/old school programmer
they incorrectly spelled "due to incompetent administration of the database used to house all this information."
that's right, personal responsibility is for everyone else.
i'm sure this hacker will be code named "keyser soze" before this is over - he was obviously a computer guru with einsteinian intellect to outsmart the "geniuses" over at ucla.
okay, this is a bit harsh and my words may well be one day cut and pasted and used against me, however, 1. i will actually feel bad should others lose out b/c i wasn't on my game and 2. they better tell others what this flaw was so others can avoid being attacked. if they don't - you can believe administration messed up badly.
Why spend that much money on something you can get for a few thousand in gambling debt or drugs?
You don't have to own the company if you can pwn an employee with the right kind of access.
And the payoff would be millions of times greater than that "investment".
And it wouldn't even have to be a single employee at a single company. Just build the databases based on the SSN's and cross-reference/add whatever you can get from other employees at other companies. Pretty soon you'll have enough specifics on individuals to start checking their credit ratings and taking out loans/cards in their names.
And the "best" part is that no single person would be committing the really "bad" crime. What's the sentence for downloading 800,000 names and SSN's such as in the story? I don't know. But it certainly would not be in the range I'd want for the financial damages those people would be facing.
We're seeing organized crime in the spam zombie business now. Because it is lucrative. Identity theft is a million times more lucrative.
I went to a state university that had 4 last digits of person's social security number as part of their (mandatory) e-mail address... :)
ALSO, students' grades were posted after every test on a 8.5"x11" paper outside of classroom.
To "protect" poor students from embarrassment, students' social security numbers were used (except the last four digits) instead of names.
I am not a genius and definitely wasn't one when I was 18 but somehow I was able to put those two together
(everyone had a shell account and you could "finger" users to get their first name, mi and last name)
I haven't heard of any incidents but I am sure this security issue bit them in the ass.
You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.
Why isn't this automatic? Nobody should have the ability to check someone's credit without their consent. It should be the 'default' setting.
Incompetent Academics
Always Blaming Hackers
To Cover Their Asses!
What happened to the days when your SSN was for government use only? I wasn't around when the SSN was first used, but I heard that it was sold to the American people as a number that only the government would be able to use. In fact, I've been told that it was illegal for non-government agencies to use it at all, or even request it. What happened to those laws? If this is such an important number, why is it so easy to get from someone? I know I've placed mine on many forms I've filled out. Forms for employment, to see doctors, to get car insurance, etc. I can understand needing it to track people's past for credit and such, but why use it as their customer number? Why not just keep it on file, securely, separate from the day to day data. Instead these companies and schools use it as THE number to identify customers and students. Why not just number these people with their own scheme? They don't need the SSN for everyday transactions, so the SSN shouldn't be in everyday data, like on my bill or with my alumni data. So I went to school at UCLA (actually I didn't, I'm role playing), to contact me for that next Alumni meeting you do NOT need my SSN.
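Two commenters above sketch the same defensive design: one (the "ships and boats" reply) suggests that the database should have had a view leaving out the SSNs that almost all users were required to use, and the post just above argues that the SSN should be kept on file separately from the everyday record, with the school using its own numbering scheme. The PostgreSQL schema below is an added example of that layout, written for this page; it is not UCLA's schema, not any product's code, and every table, column and role name in it is constructed for illustration.

```sql
-- Added example (not UCLA's schema): a surrogate student number for everyday
-- use, the SSN in its own restricted table, and a view without the SSN that
-- nearly every role is limited to. PostgreSQL syntax; all names are invented.

-- Everyday record: the key is a random nine-digit surrogate the school issues,
-- not the SSN. This is the number that goes on bills, transcripts and e-mail.
CREATE TABLE student (
    student_id    char(9) PRIMARY KEY,
    full_name     text    NOT NULL,
    date_of_birth date,
    home_address  text
);

-- The SSN lives apart from the everyday data, keyed by the same surrogate.
-- The '000-00-0000' format shown in the CHECK is a constructed placeholder pattern.
CREATE TABLE student_ssn (
    student_id char(9)  PRIMARY KEY REFERENCES student (student_id),
    ssn        char(11) NOT NULL UNIQUE
               CHECK (ssn ~ '^[0-9]{3}-[0-9]{2}-[0-9]{4}$')
);

-- The view "almost all users" see: every column of the everyday record and
-- nothing from student_ssn. There is no way to join to the SSN through it.
CREATE VIEW student_directory AS
SELECT student_id, full_name, date_of_birth, home_address
FROM   student;

-- Two invented roles: the application most staff use, and the one office
-- whose job actually requires the SSN (the letter calls these "designated users").
CREATE ROLE registrar_app          LOGIN;
CREATE ROLE financial_aid_officer  LOGIN;

-- Nobody gets the base tables by default; the view is the only path for the app.
REVOKE ALL ON student, student_ssn FROM PUBLIC;
GRANT  SELECT ON student_directory TO registrar_app;

-- The designated role may read the SSN table, and only the columns it needs.
GRANT SELECT (student_id, ssn) ON student_ssn TO financial_aid_officer;
GRANT SELECT ON student_directory          TO financial_aid_officer;

-- Detection half of the design (assumes the pgaudit extension is installed):
-- log every read issued by the one role that can see SSNs, so a year-long
-- pattern of bulk retrieval shows up in the audit log instead of going unnoticed.
ALTER ROLE financial_aid_officer SET pgaudit.log = 'read';
```

Two points worth knowing when applying this. In PostgreSQL a view is evaluated with the privileges of the view's owner, so `registrar_app` can select from `student_directory` even though it holds no rights at all on `student`; the application never needs, and never has, a path to the SSN column. And column-level grants plus a separate SSN table limit what an application-level flaw can reach: a bug in code running as `registrar_app` can at most expose the directory columns, which is the containment the "single flaw bypassed all security measures" comments above are asking for. Row-level security, rate limiting on the SSN table, and alerting on the pgaudit output are the natural next layers.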
Decode the bars and you'll find that it's true.
So, if you barcoded my SSN and forced me to wear it on my hand or forehead... Bingo, 2000-year-old prophecy fulfilled!
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Having worked as the IT person in charge of a University database...
...and that's just off the top of my head.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Subject: [URGENT-STUDENTS] Computer Network Intrusion
Date: Dec 12, 2006 12:15 PM
Approximately 5,000 students, faculty, and staff at the University of Texas at Dallas as well as other individuals potentially have had sensitive information exposed by a computer network intrusion.
The personally identifiable information that may have been exposed includes names, addresses, Social Security numbers, email addresses and telephone numbers.
There is no indication that the information has been disclosed, disseminated or used to anyone's detriment at this time. However, the University does not seek to minimize concerns raised by this intrusion, and in the best interests of those potentially affected seeks to notify anyone whose information may have been disclosed.
The individuals whose information is known to be involved at this time include:
* In the Erik Jonsson School of Engineering and Computer Science, students and faculty as well as applicants for admission dating back as far back as 1993.
* All staff and faculty of the University who were employed from September 2003 through August 2005.
The potential disclosure of data was discovered Sunday, December 10, by The University of Texas at Dallas information resources staff. The University of Texas at Dallas is responding aggressively to defend the integrity of the system and to assess the level of the threat to information contained on the system. Most but not all of the networked computing resources on campus have been assessed. Investigation is ongoing and updated information will be issued via email and the University homepage.
The University is in the process of contacting those individuals whose information could have been exposed. Individuals who are concerned that they might be affected by this intrusion are encouraged to go to https://www.utdallas.edu/datacompromise/form.html to submit contact information so that the University can respond, or call 972-883-4325 to leave contact information. Further information about protecting yourself (whether your information has been disclosed or not) is available at http://www.utdallas.edu/datacompromise/
Staff will continue to assess and respond to the situation. As a part of that assessment, University computers are being automatically checked by a program that is continuously sweeping the network to search out attempted intrusions. If the sweep detects irregular activity, it will generate instructions regarding any action you need to take.
To assist with this process, be sure to log off of your computer at the end of your work day, and to log on at the beginning.
A press release on this incident will be issued shortly in an effort to contact as many affected individuals as possible. Please share this information with the UT Dallas community.
Thank you.
David E. Daniel
I went to UCLA in the 80s/90s and have called twice this morning and both times their hotline database was offline. Of course they say "uh, I think... yeah, the database is being updated, please call back in 10-15 minutes..." but when I worked at a call center "database is being updated" = "BROKEN!"
I'm waiting for the class-action lawsuit against a company that gets "hacked". The lawsuit will involve showing negligence by the defendant for putting data on an Operating System known to be exploitable on a large scale (MS Windows), insufficient firewalling, out-of-date virus definitions, and failure to apply all vendor security updates. Or should I not be throwing chum to the sharks here?
It is so depressing and scary to see these types of stories popping up every day. I mean, this exploit was running for over a year before it was discovered. Every time I read one of these stories I undoubtedly hear the same line or two that provides me with little to no condolence: it doesn't appear the information was misused, or there is no reason to believe there is intent to use any of the information. At least in this case UCLA did not do something that drastically contributed to loss of the information like Kaiser Permanente (http://www.iwantmyess.com/?p=134), who have had laptops packed with patient records stolen while bringing them home from work. Hopefully companies will start to step up their security so that we won't have to live in fear of getting that "oops, we lost your private info" letter in the mail.
As I'm reading this article, I receive an email that tells me that the same thing happened to "Approximately 5,000 students, faculty, and staff at the University of Texas at Dallas". Why does this keep happening? Schools need to be more careful with information they demand from students, and students need to be more reactive when something like this happens. We trust the school with "names, addresses, Social Security numbers, email addresses and telephone numbers" whether we like it or not. So when something like this happens, we should do something about it.
Read the email
It seems to me that several universities that have high-powered CS departments end up hiring complete tards to do their campus IT infrastructure... how does this happen, you ask?? ADMINISTRATION DOES NOT CONSULT ANYONE FROM CS ON COMPUTER RELATED MATTERS!
I wish universities on the whole would operate more like universities instead of bumbling corporate bureaucracies...
my 2p
-Ponga
Getting hacked is bad but having sensitive data outside of a secure environment is really bad. The powers that be at the University of Cincinnati have deemed that having sensitive information on unsecured laptops for purposes such as running payroll is perfectly acceptable business practice. Nobody knew this until we received a "whoops" letter from the university detailing the theft nearly three months after the fact. Everything is A-OK though for two reasons: 1) the person from whom the laptop was stolen was a senior employee; 2) UC has no reason to believe that our names and SSNs will be used to impact our financial accounts. Thank goodness!
What was the actual problem? Bad software, bad configuration, bad programming, bad security practice, just a clever hacker?
Yes, I'm hoping it was a Microsoft shop, top-to-bottom. 8-)
Acts 17:28, "For in Him we live, and move, and have our being."
At least at the university I work for, having a CS degree, or being in the CS program, is no indication of having proper systems administration skills. Perhaps there should also be an SA degree. I don't write algorithms or programs; I manage systems for security, performance and availability.
Non impediti ratione cogitationis.
Sorry to post this AC, but I've recently become a victim of identity theft. In this instance, I belong to the 60% group of ID Theft victims: someone from my extended family screwed me. That's right, 60% of ID Theft cases come from cousins, nephews and the like.
It's all fine and well to be concerned about Bulgarian hackers, but you're a bit more likely to get p0wn3d by that insincere, fast-living cousin with social engineering skills you bump into every couple of years.
This is ridiculous. I am already fed up with UCLA's handling of pretty much everything IT.
The school posts the email address of every resident in a public directory on its website. Lo and behold- once I moved in here, I started getting spammed to hell. As if that wasn't enough, last year there was a massive phishing scam that was performed by sending spoofed emails from the University Credit Union. Guess where they harvested the emails from?
UCLA took a week to respond to this attack, and by then many accounts had been compromised. It was a joke. And, on top of that, it still wasn't enough to make anyone realize that posting students' emails publicly was a bad idea. I mean, it would not be a hard thing to move the directory into one of the many "login required" website services that the school provides.
I'm hoping that some heads roll over this, and something FINALLY gets done about the fucking monkeys that seem to run the IT department.
One of these days, I'm going to cut you into little pieces.
The whole point of getting your SSN is to set up an account for your data.
If you lie, you had better be able to remember what you wrote - otherwise good luck getting access to your account.
You must consider, though, that at many schools, the CS department would not respond to a request from the IT department for any sort of consultation. I am certainly not painting all faculty with the same brush; however, many of them hold tighter to their "job descriptions" than those parodies of union workers on Futurama. They teach, and they publish. Don't ask them to participate in anything outside of those two primary activities.
Granted, there are many college IT shops who would never make the call to the CS department, but in fairness to those who have, often that call is never returned.
So another 800,000 SSNs have been leaked into the gooey ether, with the typical "whoops!" form letter in tow. This has started to happen so often that I'm not the least bit surprised.
Am I a cynic, or are we approaching the breaking-point?
At last count, we had 300,000,000 Americans roaming about. Let us assume that 100% of these people were issued SSNs (wrong thread for an illegal immigration debate). 800k out of 300,000k is 0.26%. In other words, this single incident has compromised AT LEAST 0.26% of all SSN holders.
Granted, this leak is larger than most. However, given the scale involved in these databases, and the frequency of attack, I would wager it is only a matter of time until the MAJORITY of all SSNs have been compromised.
Then what? How can this system of credit survive? Is this really just simple incompetence, or is Tyler Durden hard at work?
barack to the future?
I'm an alum and yeah, I got the email this morning, automatically sent to my junk mail folder on Hotmail. :/ At first, I thought it was another one of those phishing attempts, but then after typing the URL myself and looking around on the press, it turned out to be real. :(
I filed a fraud alert w/Experian and looked at my free online credit report. Fortunately, nothing looked out of the ordinary but I'm waiting for the two other agencies...
Don't go to school or college, don't get married, don't get a job, don't rent or buy a house, don't have kids, don't have a bank account or credit card, don't drive a car, don't use the internet, acid-burn off your fingerprints, always wear dark glasses, don't use a mobile phone, shoot on sight the first cop that speaks to you...
To have a right to do a thing is not at all the same as to be right in doing it
"Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid." Never trust in orange cats.
Friends come and go, but enemies accumulate.
The best way to protect data is not to collect it in the first place.