Carnegie Mellon Says Computers Breached 203
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
Is This Really News??? (Score:4, Insightful)
Casual attitude about SSNs (Score:5, Insightful)
I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.
I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.
An everyday occurrence now.... (Score:1, Insightful)
So... (Score:1, Insightful)
Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
What is one supposed to do with such warning?
Looks like a departmental problem to me. (Score:4, Insightful)
Re:Casual attitude about SSNs (Score:5, Insightful)
The other way is to think of it as a piece of information information as public as your first name or hair colour.
It seems to me that SSN now has to be considered in the second category.
The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.
It is this mismatch which is causing the potential identity theft and security problems.
I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.
Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.
Re:An everyday occurrence now.... (Score:3, Insightful)
Re:Casual attitude about SSNs (Score:1, Insightful)
Only for people who don't know any better. Social Security numbers are recycled and should never be considered unique.
It is possible for multiple living people to have the same SSN and even the same name.
SSNs are also poor "security" identifiers because they are usually tied to where you are born along with other patterns.
Why store the SSN? (Score:4, Insightful)
Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.
I know, I know -- I shouldn't bother asking "why"...
SSN versus ID-card (Score:5, Insightful)
So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
It's something I have been trying to understand for years.
I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...
Re:SSN versus ID-card (Score:3, Insightful)
Re:SSN versus ID-card (Score:1, Insightful)
See, that's the sticking-point. In the US, lots of police officers are frustrated psychopaths who like to abuse their power. Not to mention others in higher powered positions in the government.
Therefore, people have a queasy feeling about a national ID card that includes even more information than before.
Re:Why store the SSN? (Score:4, Insightful)
Re:um... (Score:3, Insightful)
IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?
Re:Why store the SSN? (Score:1, Insightful)
Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.
I know, I know -- I shouldn't bother asking "why"...
No, that's just a diversion. Checksums are not a cure-all. In this case, it would be a false sense of security. The fact that you mention multiple checksum algorithms shows you haven't adequately thought this through. The strength of the algorithm has little to do with security when there are this few data points to map it back to.
You could easily get all of the SSNs by trying 9 digit numbers.
Remember, these aren't arbitrary 9 digit numbers. They are assigned by where you live, the middle 2 are (almost?) always even, and so on.
There are a whole lot less possibilities than you would initially think. When you restrict the domain to 9 digit numbers following a strict pattern, it IS computationally feasable to reverse the checksums.
Let's assume it wasn't possible today. You keep the same SSN throughout your life so at any point in the future the thieves could reverse the checksums when computing power is sufficient.
Unlike credit card numbers, SSN and other identity information has no expiration date.
The answer to this problem is to restrict access as much as possible. Then you can go with the secondary measures of encrypting the data -- which would be much better than checksums.
Tales out of School.... (Score:2, Insightful)
Here's why:
Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because they often want to share their servers with other univerisities, they are usually not behind a firewall and/or given address space that is world addressable.
This usually creates a perfect place for intrusion--lack of cohesive security policy, machines that are run by novice sysadmins, and a really fat uplink the net.
To make things worse, the networks on campuses are generally a hodge-podge of technologies and topologies that have been piece-mealed together like some kind of electric crazy quilt. You might have aging border router equipment, old hubstacks with vulnerabilities in their management utilities, random unmanaged/non-seucre wireless networks in the dorms or offices, etc--a nice untraceable uplink to your LAN.
Managing the security for these networks is almost impossible unless the entire infrastructure has been updated--which costs millions of dollars that universities do not likely to spend (at least not without a major campaign).
All of these computers--Macs, PCs, Linux, Solaris, etc., have no real security policy, they're poorly managed by amatures, and they have a network with no real firewall. Talk about a honeypot!
Each node on this honeynet is now a prime place for root kit installations. They lie in wait for someone to log in to the right systems and, voila--a password and userid. A keylogger records a legit log-in. Now your cracker is using one of the unmanaged nodes on your network to have his way with your student/employee information system.
If any university has a better system, I think they're in the minority. Hopefully, this will change. But until then, the inmates run the asylum.
Re:Poster here (Score:3, Insightful)