Carnegie Mellon Says Computers Breached
maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
Poster here (Score:5, Interesting)
What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the work of a group of hackers and now has the FBI's computer crime squad joined [post-gazette.com] in the investigation.
The weird thing is... (Score:2, Interesting)
Re:question: (Score:3, Interesting)
This, of course, is the sticky point. What do we use in place of that unique identifier? A national ID card? That rubs a lot of people the wrong way and with some justification. However, the move to "secure" drivers licenses is simply a move at the state level to provide the same thing.
Long and short of it is that someone smarter than me will have to figure it out. Shouldn't be that hard to find someone....;)
CMU internal announcement (Score:1, Interesting)
Another interesting note is that in the CMU internal announcement, the _second_ paragraph was effectively, "it isn't as if we're the _only_ school to lose information"
The third paragraph says that the data was stolen from desktop and laptops rather than servers. WTF was sensitive data doing there?
Sucks to be the business school, I guess.
Personal IDs (Score:2, Interesting)
The person who's handling all this can easily make copies and apply for new credit cards, etc.
There's absolutely no reason why they need your SSN; your health insurance card (with a non-SSN personal ID) should be enough.
SSN's are public, can't be secret (Score:2, Interesting)
Any information you are routinely asked to give up cannot be considered secret. The problem with the SSNs is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation and those extra pieces of information are likely to become available to the thief at the same time as the SSNs, from the same database.
The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.
The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of id, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify id's than it is to harvest SSN's and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.
It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.
Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.
While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.
Re:Is This Really News??? (Score:1, Interesting)
Right.
These breaches are inevitable. That's why, as I've said for a while [slashdot.org], it doesn't really matter if an organization -- whether it's Google or the government -- promises to "do no evil".
Even an organization run by saints -- and no organization is run by saints -- can be breached.
So there are two things that need to be done: first, we need to convince organizations, both corporate and governmental, to limit the information they collect to what is actually necessary for their functioning. And access needs to be limited and audited to prevent misuse [slashdot.org].
Given prevailing corporate ethics -- that whatever is good for profits is ethical -- the "convincing" will have to be in the form of data-protection laws and privacy-protection laws that limit information collecting and impose penalties for misuse or failing to adequately safeguard it.
Second, what information is collected needs to be encrypted. While that won't prevent all hacking, it will mean that copies of data stolen in bulk will be pretty much useless to the thieves.
Again, it's not sufficient to think, "well, I trust Google (or the FBI or the Social Security Administration or my bank) won't misuse my information" -- it's necessary to remember that organizations change, sometimes without warning (see the first link, above), and that external hackers and internal misusers can pervert any system (see the second link).
Our response has to be more than "whistling past the graveyard" hoping that nothing will go wrong. Breaches are inevitable, and our laws and our data-retention worst practices -- not the best practices we hope for, but the worst we allow -- must reflect that.
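Added example (my own code, not from any poster in this thread and not CMU's): the "encrypt what you collect so a bulk copy is useless" point above, written out as a small Go store. Each SSN is kept only as a keyed HMAC token (for lookup by equality) plus an AES-256-GCM blob (for recovery on demand), with both keys assumed to live outside the database, e.g. in a KMS or HSM that is not shown here. The sample SSN and the in-memory map standing in for the database are constructed for the demo. The keyed token rather than a plain hash is the part that matters: with only 10^9 possible SSNs, a dump of unkeyed hashes is reversible by table lookup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault holds the keys. They must never live in the same store as the rows;
// in practice they come from a KMS or HSM (assumed here, not implemented).
type Vault struct {
	aead   cipher.AEAD
	macKey []byte
}

func NewVault(encKey, macKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, macKey: append([]byte(nil), macKey...)}, nil
}

// normalizeSSN strips separators and insists on nine digits, so that
// "123-45-6789" and "123456789" map to the same token.
func normalizeSSN(s string) (string, error) {
	d := strings.NewReplacer("-", "", " ", "").Replace(s)
	if len(d) != 9 || strings.Trim(d, "0123456789") != "" {
		return "", fmt.Errorf("ssn must be 9 digits: %q", s)
	}
	return d, nil
}

// Token is the lookup key stored beside the row. It is a keyed MAC, not a
// plain hash: the SSN space is only 10^9 values, so an unkeyed SHA-256 of
// every SSN is a cheap table, while tokens cannot be inverted without macKey.
func (v *Vault) Token(ssn string) (string, error) {
	d, err := normalizeSSN(ssn)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(d))
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Protect returns what is stored for one SSN: the token and an authenticated
// blob (random nonce || AES-GCM ciphertext). The plaintext is never stored.
func (v *Vault) Protect(ssn string) (string, []byte, error) {
	d, err := normalizeSSN(ssn)
	if err != nil {
		return "", nil, err
	}
	tok, _ := v.Token(d)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return tok, v.aead.Seal(nonce, nonce, []byte(d), nil), nil
}

// Reveal decrypts a stored blob; a wrong key or any modified byte fails the
// GCM tag check, so a tampered dump cannot be replayed into the system.
func (v *Vault) Reveal(blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey) // assumed to come from a KMS/HSM, never from the DB host
	rand.Read(macKey)
	v, _ := NewVault(encKey, macKey)
	tok, blob, _ := v.Protect("123-45-6789") // constructed sample, not a real SSN
	table := map[string][]byte{tok: blob}     // everything the "database" holds
	key, _ := v.Token("123456789")           // lookup by token, no decryption
	ssn, _ := v.Reveal(table[key])
	fmt.Printf("stored %s.../%x...; recovered with keys: %s\n", tok[:12], blob[:6], ssn)
}
```

Two caveats a practitioner would add: the token is deterministic by design (that is what makes it indexable), so anyone holding macKey can still test a guessed SSN against the dump, which is why that key must be as tightly held as the encryption key; and none of this helps if the application host that holds the keys is the thing that gets compromised, which is exactly the "limit who can access it and audit that access" half of the post above.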
Re:SSN versus ID-card (Score:5, Interesting)
1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
The last time we had ID cards here, a woman found some item in the street and tried to hand it in to the police as lost property. They demanded her ID. She had forgotten to carry it, so was arrested. This caused such a scandal that it led to the abolition of ID cards.
Criminals don't leave their ID number at the scene of the crime, so issuing ID cards will not help solve crimes. But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.
2. The bank wants to see your ID. Why?
I've got a card from my bank too. When I want to take money out, it proves that I am the same person who put the money in. That's all they need to know. They don't need to know my nationality, or medical history, or police record. So I don't want a single ID that will link all that data together.
Re:Why store the SSN? (Score:2, Interesting)
Re:Poster here (Score:2, Interesting)
Out of interest, how did they manage that? Did they have to declare a ludicrous dollar-cost for the problem, or was it just the publicity? FBI are notorious for being about as active as a large rock when it comes to investigating hacks.
Re:Hacked you all! (Score:3, Interesting)
The UK has a NI number which is kinda similar, used for taxes, pensions etc. but you sure as hell can't pretend to be someone just by knowing that and a name.
Re:Casual attitude about SSNs (Score:5, Interesting)
No. Actually, I think you have a rather good view of the situation. I thought almost the same thing: thieves want this information because it is "secret". So it has to be secured. What if we suddenly make all SSNs publicly listed and stop treating them like they're our very souls.
Isn't there some system that would replace our "security through obscurity" attitude by an "OpenSociety" way of dealing with personal information. I mean, I'm sure there is some other -- and better -- way of verifying someone's ID than to rely entirely on a few random numbers. If all those numbers are made public, what interest is left to steal them? We'd just have to think of a new, "open" way to deal with the issue.