UT Austin Hit By Massive Security Breach
mrpuffypants writes "Reported in the Austin American-Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."
Action (Score:5, Interesting)
Slightly OT - choice of credentials (Score:5, Interesting)
But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.
Again, it's easy to see how the practice of using it as a credential has continued (and gotten worse), but when did it start?
Are the stolen records ever used? (Score:5, Interesting)
One Copy? (Score:2, Interesting)
But nothing says that these cracker(s) are smart. Possibly just lucky.
robi
Who needs to hack, just work for a university (Score:5, Interesting)
from what I've seen (Score:3, Interesting)
It's very scary.. but what can you do..
Penalties (Score:5, Interesting)
Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.
This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.
Yikes... (Score:3, Interesting)
Colleges and Universities need to fix systems! (Score:3, Interesting)
At least the University is acting responsibly... (Score:5, Interesting)
It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.
Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on
Hey, here's an idea (Score:3, Interesting)
Apart from that, all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (i.e. issue a credit card to a you that's not you).
We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.
at least some are getting smarter (Score:5, Interesting)
Dear Students:
The following three bulleted topics are of student interest:
* Social Security Number is removed from WildCARD ID
With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.
The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.
"The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.
"We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.
Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
http://www.univsvcs.northwestern.edu/WildCar
* New vending machine refund bank locations
If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
http://www.univsvcs.northwestern.edu/WildCar
New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.
Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.
* Other tidbits of information:
--The Abbott Hall ATM now sells stamps
--A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.
Bush's daughter (Score:3, Interesting)
Could this possibly be related?
SSN's? Big deal. (Score:3, Interesting)
Big deal. If anyone wants to know my ssn, it's "336721433".
SSN's are public information.
SSN's are used too much (Score:3, Interesting)
StarTux
Re:Illegal? (Score:3, Interesting)
(I don't remember the exact text)
How much force that warning has is debatable. Certainly, any individual student can protest "You've got no right to see my SSN!". When this happens, he typically gets bounced around a few offices until someone responds "Ok, just make up a random number and let's get on with it".
Re:Illegal? (Score:2, Interesting)
Re:At least the University is acting responsibly.. (Score:3, Interesting)
Then someone just wrote a script to brute-force the SSN range, it seems from the 2nd link.
Google your SSN (Score:2, Interesting)
security leaks abound (Score:2, Interesting)
Kind of scary that just anybody can find all this info by getting some scrap paper from the recycle bins or wherever around campus. I do that a lot but most of it's junk. But if you work on campus I'm sure you can find lots of confidential info in the recycle bins and such that should NEVER be released.
Re:SSN's? Big deal. (Score:2, Interesting)
Re:It's not the IT department.. it's the provost (Score:3, Interesting)
I will say this in defense of the IT people there... it's gotta be pretty fucking hard to lock down a system that has almost 70,000 users (between students, faculty, staff, alumni, etc).
Re:Google your SSN (Score:3, Interesting)
They took it down about 3 months later....
Re:What's the big panic about SSNs? (Score:3, Interesting)
Precisely. The problem isn't that people can find out your SSN. It's that far too many people think that SSNs are somehow a secret authentication key that only you could possess.
If you walked up to any organization and said, "Hi, I'm CmdrTaco, gimme the keys to Fort Knox", they'd ask for some ID. They don't take knowledge of a name as proof of ID. Yet far too many people will accept the one that walks up and says "Hi, I'm 123-45-6789, gimme the keys to Fort Knox". An SSN is just like a name. It's not a digital signature.
Note that the fuss a lot of people make over insisting their SSNs be "secure" actually makes the problem worse, not better. Increasing the obscurity slightly doesn't improve the technical security. But it does tend to make people sloppy and overconfident, and leads them to rely on the obscurity of the number as a substitute for authentication. The reason we have a problem in the first place is all those people that mistakenly believe that SSNs are somehow secure in the first place.
We'd be better off if you were _required_ to use SSN as your student ID, and drivers license ID, frequent shopper card ID, whatever. Plaster it all over the place, and make sure that everyone realizes the number is every bit as public as your name, and thus of no more value for proving an identity. Agitating for "privacy of SSNs" is counter-productive.
Re:What's the big panic about SSNs? (Score:2, Interesting)
So, do you provide those documents when you apply for a credit card via mail?
Then do you provide those documents via the web when you use that card to buy $5,000 worth of electronics on Amazon.com?
User logon names as SSNs (Score:4, Interesting)
(Extra credit props points to anyone who can name the system that I am talking about... Hint, this was late 70s to early 80s)
Who cares? (Score:2, Interesting)
Terminology (Score:1, Interesting)
nope, not as easily stolen (Score:2, Interesting)
Not sure about retinal scans, maybe that's an answer
I agree though, the use of SSN is outdated; it is security through obscurity using a less than obscure number. If I want to steal your identity, all trying to hide your SSN from me does is make it take me a little longer and piss me off that much more. You'll be owned soon enough.
Gee, really? Hmm... (Score:2, Interesting)
From ksparger@vaevictis.stf.org Fri Aug 1 10:42:46 1997
Date: Fri, 1 Aug 1997 10:42:45 -0500 (CDT)
From: Vaevictis
To: info@x500.utexas.edu
Subject: Questions regarding the x500 service.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
Hi
Sorry to pester you (I know how much of a pain it can be to administrate an internet service).
I'm a freshman taking English 301 (Composition class), and we've just recently been assigned a proposal argument.
My proposal is that the university change the policy on the x500 so that instead of having the student's information accessible by default, the student would need to sign a release form. (in other words, the exact opposite of the way it's done now... as a new student, I was horrified to find that my personal information (home address and telephone number, specifically) was being given to all comers..)
I would like to know the following information, if it's not too troublesome for you to give to me
What would need to be done to change the student's default from "distribute information" to "withhold information" in the x500 directory?
Would it require a change at the actual x500 site (ie, configuration files?), or would it require that some other group (the registrar, perhaps?) change policy?
What kind of security measures are installed to log accesses of information? For instance, I know for a fact that you don't attempt identd lookups; do you log access attempts by hostname or IP address, or do you log at all?
What are the scenarios if it is found that someone used information acquired from this database for illegal/unethical purposes? ie, could you even prove where a certain access came from if you had to in court?
Anyhow, thanks for your time, it's much appreciated
If you don't know the information for any of the above questions, I would appreciate it if you could tell me who could (if you know, anyway).
Thanks a lot,
Kyle Sparger
Date: Fri, 01 Aug 1997 11:13:04 -0500
To: Vaevictis
From: "William C. Green"
Subject: Re: Questions regarding the x500 service.
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Status: RO
You should read our FAQ and all associated links: http://x500.utexas.edu/x500info/faq.html
Specifically, Appendix C Subchapter 9 with special attention to section 9-201 of the General Information Catalog.
I would suggest you begin your inquiry with the Registrars office, although many other offices would be involved. My understanding is that any change would need to be approved by the Regents.
This question is more complicated than it would appear.
As part of your argument, you should consider the implications of not having a directory service, or, a service that is restricted to UT Austin access only.
Host access information is kept in rolling logs.
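The two threads here that a defender would tie together are the rolling host-access logs mentioned in this reply and the script that "brute-forced the SSN range" mentioned upthread. As an added example (not code from the thread, from UT's x500 service, or from anyone quoted here), this Python scanner reads constructed lookup-service logs and flags a client whose queries inside a time window walk a numeric ID range; the log format, addresses and IDs are all constructed.

```python
# Added example: detect one client walking a numeric ID range against a lookup
# service. Log format, client addresses and IDs below are constructed.
import re
from datetime import datetime, timedelta

# Constructed sample: "<iso timestamp> <client ip> lookup id=<9 digits> <result>"
SAMPLE_LOG = """\
2003-03-05T02:10:00 10.0.0.7 lookup id=000001001 nomatch
2003-03-05T02:10:01 10.0.0.7 lookup id=000001002 nomatch
2003-03-05T02:10:02 10.0.0.7 lookup id=000001003 found
2003-03-05T02:10:03 10.0.0.7 lookup id=000001004 nomatch
2003-03-05T02:10:04 10.0.0.7 lookup id=000001005 nomatch
2003-03-05T02:10:05 10.0.0.7 lookup id=000001006 found
2003-03-05T02:11:30 10.0.0.42 lookup id=000481920 found
2003-03-05T02:14:02 10.0.0.42 lookup id=000007731 found
"""
LINE_RE = re.compile(r"^(\S+) (\S+) lookup id=(\d{9}) (found|nomatch)$")

def parse(log_text):
    """Turn log lines into (timestamp, host, id, hit) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           int(m.group(3)), m.group(4) == "found"))
    return events

def detect_enumeration(events, window=timedelta(minutes=5), min_queries=5, min_ratio=0.8):
    """Flag hosts whose lookups inside one time window are mostly consecutive IDs."""
    by_host = {}
    for ts, host, qid, hit in events:
        by_host.setdefault(host, []).append((ts, qid, hit))
    flagged = {}
    for host, rows in by_host.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            chunk = rows[start:end + 1]
            if len(chunk) < min_queries:
                continue
            ids = [q for _, q, _ in chunk]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
            ratio = steps / (len(ids) - 1)
            # keep the widest qualifying window per host
            if ratio >= min_ratio and len(chunk) > flagged.get(host, {}).get("queries", 0):
                flagged[host] = {"queries": len(chunk), "sequential_ratio": round(ratio, 2),
                                 "hits": sum(1 for _, _, h in chunk if h)}
    return flagged
```

A real deployment would feed the rolling logs in as they rotate and tune the window and ratio to the service's normal lookup rate; a handful of unrelated lookups from one client, as with 10.0.0.42 above, is not flagged.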
Why there hasn't been any reform on SSNs (Score:4, Interesting)
Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.
At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...
Re:What's the big panic about SSNs? (Score:3, Interesting)
Same thing at my College (Score:2, Interesting)
Re:Illegal? (Score:3, Interesting)
UT dishonest about source of attack (Score:3, Interesting)
A click on the travel.fp3 file listed a couple hundred SSNs. It was completely wide open.
UT made it sound like a deliberate attack, but it looks to me more like administrative incompetence (and cya).
Re: Social Security Numbers (Score:2, Interesting)
I agree wholeheartedly that the abuse of SSN is a problem. However, realize that most US educational institutions will assign you another unique student ID which is not your SSN; it is not impossible to dodge their use, and if you truly care about your security you will never use this number except when forced to. You have the right to protest its use otherwise, but consider that this distinguishing characteristic may not be so good socially--the people around you might not be quite as apt to understand your rabid protection of this number, even if many of the more privacy-oriented do.
Moreover, as much as it is claimed (and perhaps rightly) that "the system" wants you to use this one unique identifier, there is a definite advantage to having an easy-to-remember number associated with almost everything, instead of separate account and unique personal identification numbers. However, some privacy experts [eff.org] agree, as do I, that the SSN should only be used for, well, Social Security when possible. Looking at that aforementioned letter, I find a passage which states that "from a technical viewpoint, the SSN is not a good identifier. It is not unique, [and] there are multiple users of a single SSN". While I can find no proof of this assertion elsewhere, I have anecdotally heard of people who used Richard Nixon's SSN throughout college [216.200.201.214] (567-68-0515)--the results are obviously mixed. Overreliance on this number poses an undue threat to college students who, frustrated by this kind of wholesale theft which could lead to troubling financial consequences should the perpetrator preserve a copy of the data, might turn to forging SSNs--an OK idea until you get caught at it.