Carnegie Mellon Says Computers Breached

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
  • Re:Poster here (Score:3, Informative)

    by maotx ( 765127 ) <maotx@yah o o . com> on Saturday April 23, 2005 @10:58AM (#12322549)
    Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want. And heaven forbid you also have their driver's license number. One could completely steal an identity with this kind of information.
  • Re:So... (Score:1, Informative)

    by Anonymous Coward on Saturday April 23, 2005 @10:59AM (#12322557)
    You could report it to the credit bureaus to watch for identity theft.
  • The weakest link (Score:4, Informative)

    by jokestress ( 837997 ) on Saturday April 23, 2005 @11:05AM (#12322588)
    I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.
  • Just a quick clarification, Carnegie Mellon itself was not hacked. This was a Tepper School of Business machine that was hacked and their student data lost. As seems to be fairly normal, the business school is almost its own entity, even running on a different schedule than the rest of the campus.
  • by Anonymous Coward on Saturday April 23, 2005 @11:08AM (#12322604)
    I was just hired by CMU (literally in the last few days).

    They still appear to be using Social InSecurity numbers as employee IDs. When I showed the personnel worker my newly minted CMU ID, she asked me my Social InSecurity number and only then was she able to find me in the system.

    I'm usually not anonymous but I'd better stay that way for this one.

    CMU Guy
  • by BrK ( 39585 ) on Saturday April 23, 2005 @11:22AM (#12322653) Homepage
    Yup.

    Especially when you consider that there are products already available that can greatly reduce, or eliminate, these sorts of things.

    Guardium http://www.guardium.com/
    Tizor http://www.tizor.com
    Lumigent http://www.lumigent.com/
    (just to name a few) All have solutions to information access/identity theft problems. If a company is storing personal/private/sensitive info it would seem they would be more aggressive in deploying preventative measures.
  • Re:Poster here (Score:2, Informative)

    by 0x461FAB0BD7D2 ( 812236 ) on Saturday April 23, 2005 @11:35AM (#12322707) Journal
    With the mother's maiden name, you could finally get access to that person's hotmail account.

    That is unless they used another question, in which case this whole exercise was for 50 years of ass-pounding.

    I guess the hackers really like backdoor-ing.
  • Letter from Tepper (Score:5, Informative)

    by Snorpus ( 566772 ) on Saturday April 23, 2005 @11:53AM (#12322853)
    I'm an alumnus of Tepper (GSIA, the old name, actually) and here's the email I received on Wednesday, April 20.

    Dear ______,

    On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.

    We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.

    While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:

    - For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.

    - For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.

    - For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.)
    Your new PAC number is: **********
    Your email address in the directory is: ****************

    - For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.

    Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.

    We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.

    The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.

    If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu

    Thank you.

    Steve Sharratt
    Associate Dean for Advancement

  • by zakezuke ( 229119 ) on Saturday April 23, 2005 @12:02PM (#12322907)
    So, if every American has an SSN, and it's given out almost like candy, and since the US government knows this number, then what is the difference with a national ID card? And why are Americans so opposed to such a card?

    Your Social Security card is not identification except for your bank, your employer, and the IRS. I should also say the phone company also asks for this, and other businesses performing credit checks, which would include rentals. It should be a method of tracking your earnings and paying federal or state taxes (if your state has an income tax). It has no picture, no address, and unless it's changed is a piece of paper that says specifically "do not laminate" unless you have an older one from before 1988 or so. Most places that would require it don't even look at the physical document; why would they, it falls apart after a few years. A few employers require one in good physical condition, but typically those are limited to places concerned with illegal aliens. Foreign nationals working in America are required to have a tax ID number, but, being non-nationals, don't get social security benefits, hence no social security card; they just put the tax ID number in place of where it asks for social.

    For identification purposes, most places use the driver's license which is a state not national agency. Some people don't drive, or can't drive, so those places issue ID cards as well. You are not required by law to carry one, but if you want to buy booze, go into bars, or cigs, or have a checking account it's very helpful. Passport is an option, but some places don't accept passports as forms of ID, even though they are required to by law.

    There are many reasons to object to a national ID card.

    1. ID cards are already provided by the State, no need for federal involvement. Classic State vs Federal rights argument.
    2. There already exists a national ID, it's a passport.
    3. We presently are not required to have ID on our person.
  • by NotoriousQ ( 457789 ) on Saturday April 23, 2005 @12:09PM (#12322955) Homepage
    That may be true if they were the only ones doing that. However that is not the case. All academic departments at CMU have their own networks. IT owns cmu.edu and andrew.cmu.edu, which provide connectivity, cluster services, student AFS space, and generally everything that has to do with undergrads. CS department on the other hand has its own space, and much more lax rules. Many people in CS have root access to their machines, and no bandwidth policies, arbitrary quotas on AFS servers, etc.

    All of these are highly integrated, and frequently run on the single kerberos realm provided by IT. (You can log in and read files in CS with your Andrew account, etc)

    It would be nice to have a single system, but the number of requests will be highly uneven, and it would be a nightmare to figure out who pays for what. Especially in terms of software. Should IT buy pro-e for the whole school, when only engineering requires it.

    And really, this breach has nothing to do with bad network policy. Sure someone broke into an insecure computer, and probably downloaded the access database that was used to store some personal info. This will make the administrator annoyed, but not responsible. And definitely not as angry as when the same file has been lifted off an AFS without knowing someone's password.
  • Re:Poster here (Score:3, Informative)

    by AK Marc ( 707885 ) on Saturday April 23, 2005 @12:10PM (#12322959)
    Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want.

    With SSN and birthdate. Mother's maiden name (MMN) is used only for local verification. It isn't printed on credit reports or other such shared documents. You can make up a different MMN for every account that asks for it and never have anyone question you. The SSN, address, DOB, and past history are what is on the reports that organizations look at for opening accounts.
  • Not CMU per se (Score:5, Informative)

    by pridkett ( 2666 ) on Saturday April 23, 2005 @12:20PM (#12323028) Homepage Journal
    So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world over there because you've got folks who dress nicely and what not.

    CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU; they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hacked with a failure of CERT would be like saying the CIA was vulnerable because the Department of Agriculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and its share of folks who are dolts.

    On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on the magnetic stripe of your student ID card. You can change it, but they look at you funny when you ask to do that.

    So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.

    This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckless.
  • by argan0n ( 684665 ) on Saturday April 23, 2005 @12:53PM (#12323258) Homepage Journal
    I'm not trying to get too personal -- but you don't sound too concerned & that concerns me psychology. :)
    Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
    I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the kernel. Then I keep images of my fav installs & nc+dd them onto new boxes when needed... _Then_ I go to work and do the same on many more computers in addition to the job I was actually hired for. I still maintain a social life and even -- gasp -- a lady friend.
    So I do realize there are large factors that go into having enough time and infrastructure to admin 1000 vs 100 vs. 10 boxes. But is "easy" just considered routine due to time constraints, even at a fine establishment like CMU?

    If your box was on the net for 24hrs, and it got cracked into, something's gone wrong in your department.
    I don't consider it much of a "hack" if the admin sets up a deficient system (i.e. easily guessable usernames/passwords) and puts it live on the Internet without monitoring it for brute-forcing; which you allude to. One cannot rely on a 3rd party to inform them that machines in their domain are hacked. It only takes a few key punches to duplicate very good security efforts after you've done them once.
    I'd be interested in knowing what the exploit vector was (if you did the above) if you guys are able do I.R. after a breach. Or even bother to image the drive for later...

    I dunno, but I see a pattern here with locations that put busy, course-loaded students in the employ of guarding the subnets...
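The monitoring the comment above asks for (watching an Internet-facing box for password brute-forcing rather than waiting for a third party to report the compromise) can be done with a few lines over the auth log. The following is an added example, not code from the thread or from CMU; the log lines are constructed in the classic syslog format sshd has long used, the hostname `tepper-db`, the addresses and the usernames are invented, and the threshold (5 failures inside 60 seconds) is an assumed tuning value.

```python
"""Flag SSH password brute-forcing in syslog-style sshd lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input; the host, addresses and users are invented.
SAMPLE_LOG = """\
Apr 23 10:58:01 tepper-db sshd[4121]: Failed password for root from 192.0.2.45 port 40211 ssh2
Apr 23 10:58:02 tepper-db sshd[4123]: Failed password for root from 192.0.2.45 port 40212 ssh2
Apr 23 10:58:03 tepper-db sshd[4125]: Failed password for invalid user admin from 192.0.2.45 port 40213 ssh2
Apr 23 10:58:04 tepper-db sshd[4127]: Failed password for invalid user oracle from 192.0.2.45 port 40214 ssh2
Apr 23 10:58:05 tepper-db sshd[4129]: Failed password for invalid user test from 192.0.2.45 port 40215 ssh2
Apr 23 10:58:06 tepper-db sshd[4131]: Failed password for root from 192.0.2.45 port 40216 ssh2
Apr 23 10:58:09 tepper-db sshd[4133]: Accepted password for root from 192.0.2.45 port 40217 ssh2
Apr 23 11:02:11 tepper-db sshd[4140]: Failed password for jsmith from 198.51.100.7 port 51002 ssh2
Apr 23 11:02:40 tepper-db sshd[4142]: Accepted password for jsmith from 198.51.100.7 port 51003 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2005):
    """Yield (timestamp, result, user, ip) for each sshd password event.

    Syslog lines carry no year, so the caller supplies it.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2005):
    """Return one alert per source IP that hits `threshold` failures in a sliding window.

    Each alert records the peak failure count, the distinct usernames tried,
    and the username of the first successful login from that IP after the
    alert fired (None if none): a success after a burst of failures is the
    case that needs a human now, not a mere rate-limit.
    """
    recent = defaultdict(list)  # ip -> [(ts, user)] inside the current window
    alerts = {}
    for ts, result, user, ip in parse_events(log_text, year):
        if result == "Failed":
            cutoff = ts - timedelta(seconds=window_seconds)
            recent[ip] = [(t, u) for t, u in recent[ip] if t >= cutoff]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "users": set(), "success_after": None}
                )
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"].update(u for _, u in recent[ip])
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user
    # Sets are unordered; hand back sorted lists so output is deterministic.
    return [dict(a, users=sorted(a["users"])) for a in alerts.values()]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run over the sample, the single alert names 192.0.2.45 with six failures against four accounts followed by an accepted `root` login, which is exactly the "guessable password, no monitoring" outcome the comment describes; the one failed attempt from 198.51.100.7 stays below the threshold and is not reported.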
  • by Anonymous Coward on Saturday April 23, 2005 @02:02PM (#12323732)
    "Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock."

    Fucking A. I'm with you on this 100%. Granted, I run OpenBSD at home, but that doesn't mean I just sit back and pretend like everything is okay. I check the errata at least twice a day and act on the updates/patches as soon as I get a free couple of seconds in my day. I have pf setup to my likings and haven't had a problem since I installed OpenBSD. No, I'm not an OpenBSD fanboy, I'm just making my claim--YMMV.

    In short: there is simply no excuse to be lazy/relaxed about security. Call me paranoid, but I'd like to keep MY data to myself.
  • by NotoriousQ ( 457789 ) on Saturday April 23, 2005 @04:23PM (#12324525) Homepage
    I would not be surprised that the Business school people probably keep their accounting on personal laptops. Nothing IT can do about that, if they do not have the power to bend all computers in the school to their will, which they should not (bad IT policy is worse than no IT policy).

    The thing that IT is making sure of however is that the passwords are used only via the main kerb. CMU had plenty of problems of people giving passwords to OLR, housing in order to use online services. The current policy is that there must be no site that asks for password, instead site must forward to a ticket granting site. That is good policy. But it still does not help the secretary on a windows laptop with bonzibuddy preloaded.
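The policy the comment above describes (no site ever asks for the password; it forwards the user to a central ticket-granting site and only ever verifies a ticket) can be shown in miniature. The block below is an added example, not CMU's Kerberos setup or any code from the thread: it stands in for a KDC with a single `AuthServer` that holds the password hashes and mints HMAC-signed tickets keyed per service, and for the relying sites with a `RelyingService` that holds only its own key. The service names `housing` and `olr`, the user `jsmith`, and the fixed clock value in `demo()` are all invented for the illustration.

```python
"""Ticket sign-on in miniature: sites verify tickets, never passwords (added example)."""
import base64
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every ticket body
PBKDF2_ROUNDS = 100_000


class AuthServer:
    """The one place that sees passwords; it issues short-lived service tickets."""

    def __init__(self, service_keys):
        self._users = {}                       # user -> (salt, pbkdf2 digest)
        self._service_keys = dict(service_keys)  # service -> key shared with that site only

    def enroll(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def _check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, digest)

    def issue_ticket(self, user, password, service, lifetime=600, now=None):
        """Return a ticket for `service`, or None if the login or service is bad."""
        if service not in self._service_keys or not self._check_password(user, password):
            return None
        now = time.time() if now is None else now
        claims = {"user": user, "service": service, "exp": int(now + lifetime)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._service_keys[service], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()


class RelyingService:
    """A site such as housing or OLR: knows its own key, never any password."""

    def __init__(self, name, key):
        self.name, self._key = name, key

    def verify_ticket(self, ticket, now=None):
        """Return the authenticated user, or None if the ticket is not acceptable."""
        try:
            raw = base64.urlsafe_b64decode(ticket.encode())
        except ValueError:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered, or minted for another service's key
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims["service"] != self.name or claims["exp"] < now:
            return None  # wrong audience or expired
        return claims["user"]


def demo(now=1_114_268_400):
    """Walk the flow with a fixed (constructed) clock so results are repeatable."""
    keys = {"housing": os.urandom(32), "olr": os.urandom(32)}
    kdc = AuthServer(keys)
    kdc.enroll("jsmith", "correct horse battery staple")
    housing = RelyingService("housing", keys["housing"])
    olr = RelyingService("olr", keys["olr"])

    ticket = kdc.issue_ticket("jsmith", "correct horse battery staple", "housing", now=now)
    return {
        "good": housing.verify_ticket(ticket, now=now + 10),
        "wrong_password": kdc.issue_ticket("jsmith", "guess", "housing", now=now),
        "wrong_service": olr.verify_ticket(ticket, now=now + 10),
        "expired": housing.verify_ticket(ticket, now=now + 601),
        "tampered": housing.verify_ticket(ticket[:-4] + "AAAA", now=now + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The point of the split is the one the comment makes: even if the housing or OLR box is the "windows laptop with bonzibuddy preloaded", what an attacker can lift from it is a per-service key and some short-lived tickets scoped to that service, not the campus-wide password. A ticket minted for `housing` fails on `olr` because the MAC was computed under a different key, and a ticket past its `exp` is refused no matter how it was obtained.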
