Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy Education

Carnegie Mellon Says Computers Breached 203

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."
This discussion has been archived. No new comments can be posted.

Carnegie Mellon Says Computers Breached

Comments Filter:
  • Poster here (Score:5, Interesting)

    by maotx ( 765127 ) <maotx@@@yahoo...com> on Saturday April 23, 2005 @09:46AM (#12322489)
    And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson [blogspot.com] and his tech news.

    What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the works of a group of hackers and now has the FBI's computer crime squad joined [post-gazette.com] in the investigation.
    • "The entire school has been affected. Some of the information is more sensitive than others,"

      Besides the social security number, I can't really say I see the reason for anyone to retrive this kind of data.

      I know that most people feel uncomfortable with the feeling that someone got their entire student/employee history, but I can't see the harm in it either.
      • Re:Poster here (Score:3, Informative)

        by maotx ( 765127 )
        Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want. And heaven forbid you also have their driver's license number. One could completely still an identity with this kind of information.
        • Re:Poster here (Score:2, Informative)

          With the mother's maiden name, you could finally get access to that person's hotmail account.

          That is unless they used another question, in which case this whole exercise was for 50 years of ass-pounding.

          I guess the hackers really like backdoor-ing.
        • Re:Poster here (Score:3, Informative)

          by AK Marc ( 707885 )
          Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want.

          With SSN and birthdate. Mother's maiden name (MMN) is used only for local verification. It isn't printed on credit reports or other such shared documents. You can make up a different MMN for every account that asks for it and never have anyone question you. The SSN, address, DOB, and past history are what is on the reports that origanizations look at for opening accounts.
          • Re:Poster here (Score:3, Insightful)

            Mother's maiden name was commonly used for veification of credit card acounts when I worked in that field 10 years ago. With Name, DOB, SSN, Mother's Maiden name, credit card number, expiration date and verification number it was possible to hijack a credit card.
            • With Name, DOB, SSN, Mother's Maiden name, credit card number, expiration date and verification number it was possible to hijack a credit card.

              The question wasn't about a hijack, but opening a new account. I would guess that you never checked the mother's maiden name against some standard MMN database. It is completely unnecessary for opening new accounts in someone's name.

              I was in college at the same time as my sister. The phone registration used SSN and DOB. I knew my sister's SSN and DOB, so I cou
    • Yes, a group of coughRIAAcoughcoughMPAAcough hackers.
      I wonder if the "hackers" found any MP3 files in the information they stole?
    • Re:Poster here (Score:2, Interesting)

      by legirons ( 809082 )
      "This one looks like the works of a group of hackers and now has the FBI's computer crime squad joined in the investigation."

      Out of interest, how did they manage that? Did they have to declare a ludicrous dollar-cost for the problem, or was it just the publicity? FBI are notorious for being about as active as a large rock when it comes to investigating hacks.
  • by ferrellcat ( 691126 ) on Saturday April 23, 2005 @09:50AM (#12322513)
    Sadly, it seems more astonishing if a day does by when a major personal information breech is NOT reported.
    • by BrK ( 39585 )
      Yup.

      Especially when you consider that there are products already available that can greatly reduce, or eliminate, these sorts of things.

      Guardium http://www.guardium.com/
      Tizor http://www.tizor.com
      Lumigent http://www.lumigent.com/
      (just to name a few) All have solutions to information access/identity theft problems. If a company is storing personal/private/sensitive info it would seem they would be more aggressive in deploying preventative measures.
  • by bigtallmofo ( 695287 ) on Saturday April 23, 2005 @09:51AM (#12322518)
    What exactly were social security numbers doing on that computer?

    I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

    I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.
    • I've rarely found that a SSN is needed. If you make a membership-required website, you ask for a lot of information that just stays in the database, and nothing is done with it. Maybe companies feel the same about SSNs, they have it, and they have no need for it.
      I can't even get Google Ads on my sites because my father(I'm under 18 in US) to give his SSN to Google.
    • by Angostura ( 703910 ) on Saturday April 23, 2005 @09:59AM (#12322556)
      Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

      The other way is to think of it as a piece of information information as public as your first name or hair colour.

      It seems to me that SSN now has to be considered in the second category.

      The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

      It is this mismatch which is causing the potential identity theft and security problems.

      I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

      Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.
      • by Anonymous Coward
        I'm sure it is handy as a unique key in many people's databases

        Only for people who don't know any better. Social Security numbers are recycled and should never be considered unique.

        It is possible for multiple living people to have the same SSN and even the same name.

        SSNs are also poor "security" identifiers because they are usually tied to where you are born along with other patterns.

      • Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

        Nice sig
      • "Disclaimer: I'm British, so I may have misunderstood some aspect of the problem."

        I suppose it's analogous (sp?) to the British way of using public information such as mothers' maiden name, date of birth, place of birth, etc. as "secure" passwords. If you were around when someone got born, you can have their bank account.

        Opening new bank accounts, new driving licenses etc. is supposed to be nominally harder now, although we seem to have just shifted the security problem to the postal system (the DVLA sen
      • by Neurotoxic666 ( 679255 ) <<neurotoxic666> <at> <hotmail.com>> on Saturday April 23, 2005 @01:46PM (#12324002) Homepage
        Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

        No. Actually, I think you have a rather good view of the situation. I thought almost the same thing: thieves want this information because it is "secret". So it has to be secured. What if we suddenly make all SSNs publicly listed and stop trating them like they're our very souls.

        Isn't there some system that would replace our "security through obscurity" attitude by a "OpenSociety" way of dealing with personal information. I mean, I'm sure there some other -- and better -- way of verifyring someone's ID than to rely entirely on a few random numbers. I all those numbers are made public, what interest is left to steal them? We'd just have to think of a new, "open" way to deal with the issue.
        • Shit, that's so brilliant that the government will fight you tooth and nail if you try to implement it. Sometimes I get so disgusted with this ever-increasing mania for "papers" that I want to cut up and burn every piece of insignia I own.

          Then I realize that, without the obligatory tokens of identity, the life of "convenience" I know will grind to a halt and I'll become a virtual pariah.

          No ID? Try boarding a airliner. See a house you like? Try approaching the seller with an attache case full of gold.

      • It is this mismatch which is causing the potential identity theft and security problems.

        Imagine if you could sign into a Slashdot account with only the UID! We'd all sign in as CmdrTaco and start posting news about Tribbles and whatever else met our approval.
    • by Anonymous Coward
      I was just hired by CMU (literally in the last few days).

      They still appear to be using Social InSecurity numbers as employee IDs. When I showed the personnel worker my newly minted CMU ID, she asked me my Social InSecurity number and only then was she able to find me in the system.

      I'm usually not anonymous but I'd better stay that way for this one.

      CMU Guy
    • When I went to CMU ('91 BS Physics), your student ID number was the same as your SSN unless you went to great lengths to change it.

      I don't know whether they changed the practice, but it would explain why they had the SSNs.
      • They didn't change for a while. SSNs were still used when I came in 1996, and they were printed on the front of your ID card. After much protest and a couple of years, they were removed. I hear that entering students can now choose non-SSN ID numbers.
    • I had a heck of a time buying a car last week without giving up my SSN - even though it was a cash deal for the seller (because I was financing through my Credit Union).

      What was worse, they said they needed the SSN due to a provision of the Patriot Act. And what's even worse than that, this practice must be widespread, becasue my Credit Union warned me in advance about this Patriot Act scam.

      And mind you, this car dealership was a very big one near Denver with hundreds of cars in stock - just the kind o

  • Until a national Public Key Infrastructure is devised, requiring biometric input from each user, identity theft is not going to stop.
    • That's not going to stop it either. It may, however, change who does the stealing.
  • So... (Score:1, Insightful)

    by Chris Kamel ( 813292 )
    I'm not going to moan about how frequently this seems to be happening lately, I've been thinking though
    Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
    What is one supposed to do with such warning?
    • Re:So... (Score:1, Informative)

      by Anonymous Coward
      You could report it to the credit bureaus to watch for identity theft.
    • Re:So... (Score:1, Funny)

      by Anonymous Coward
      Check your credit card statements to see if you've recently ordered a bunch of Ferraris or Brioni suits
    • What frightens me more is how many more institutions *aren't* warning their employees/students/clients/members? And how many of those aren't issuing warnings because they don't yet know there's anything to warn about?

  • My company just deployed a new application to help manage employee data, calendars, timesheets, etc. Guess what? We didn't put SSN anywhere near this application. It's a simple enough matter for someone to go to the locked file cabinet in the HR office and grab a number if need be.

    It's not like this method is particularly secure, but it doesn't really matter -- a physical break-in seems much more "acceptable" in the eyes of customers etc than does an electronic break-in.
  • by morph- ( 171 ) on Saturday April 23, 2005 @09:58AM (#12322552)
    As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.
    • As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

      True, but how long would it have taken to write a program that scans for SS#'s that are in insecure areas?

      Not
  • Can I have my social security number replaced legally ? I don't know for sure, but I suspect my number is just about worthless now. Hell, sometimes we don't here about these thefts till months or years later. That leads me to work under the assumption that my SS# has been stolen, from someone , somewhere.. it's utterly worthless (not that it had any value before, my credit was crapped out anyways.)

    Something needs to be done about this, SS#'s are a joke. I was watching the local chicago news the othe
    • Answer (Score:1, Funny)

      by Anonymous Coward
      Yes, please just fill out this short form and I will take care of it for you.

      Current Social Security Number: ___-__-____
      Full Legal Name: ____________
      Date of Birth: __/__/____
      Address: _____________
      City: __________ State: __
      ZIP: ______-____

      Thank you.
    • Re:question: (Score:3, Interesting)

      by prisoner ( 133137 )
      I don't know about replacing your SSN but I do know a lot about the market for getting SSN's. Some of our customers are construction companies and it isn't all that uncommon for a worker to come in and present a document that he says is an original and valid SS card. When checked, it is the same number as one already on file. I was in the office one day when a guy came in who had no fewer than 3 different SS cards on him. I think that it is reasonably clear that the SS number can no longer be considered
    • I have a fairly good memory, but not a lot of
      useful links. Social security numbers are/were
      supposed to be a privileged (or secret) number
      for a contract between a taxpayer and the government.

      Just a couple of years ago, a group of Social Security
      Administration employees at the Federal Hill (Baltimore, MD)
      facility were arrested for selling lists of SSNs.

      And in the past few years, employees of at least
      3 DMV (Department of Motor Vehicle) offices (VA,
      DC, CO) were arrested for selling bona fide drivers
      licenses
  • The weakest link (Score:4, Informative)

    by jokestress ( 837997 ) on Saturday April 23, 2005 @10:05AM (#12322588)
    I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.
  • I go to CMU and work for the psychology departments comptuing support. Well about a month ago, our server crashed and our backups only partially restored. So I hopped on a new machine and installed linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DOS attacks. I caught the guy a day
    • I'm not trying to get too personal -- but you don't sound too concerned & that concern's me psychology. :)
      Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.
      I keep up on the latest exploits, re-visit old ones, keep critical (and new) machines well patched, write shellcode to understand BoF/Ret2Libc exploits & employ handfuls of hardening techniques & limits everywhere I can, especially in the Kernel. Then I keep ima
      • Lately I've been getting the feeling that I take care of my home subnet, on my free time, better than most admins do on the clock.

        I think you'd be right. When I was consulting it never ceased to amaze me just how little was done to secure the network at most places. Whether corporate or government it didn't make a difference.

        I don't think this is a lackadaisical attitude towards security in particular, but the fact that IT departments tend to attract the least competent people in the computer sciences.
  • Just a quick clarification, Carnegie Mellon itself was not hacked. This was a Tepper School of Buisness machine that was hacked and their student data lost. As seems to be fairly normal, the buisness school is almost its own entity, even running on a different schedule than the rest of the campus.
  • by Darvin ( 878219 ) on Saturday April 23, 2005 @10:16AM (#12322630)
    I don't use my own identity anymore anyway.
  • This issue has arrisen periodically over the past several years. If you take a look at previos situations, commonalities can be discerned. However, it is unlikely that future implications are really that severe, and we should probably all just let this one go.

    My $0.02

  • Why store the SSN? (Score:4, Insightful)

    by Ann Elk ( 668880 ) on Saturday April 23, 2005 @10:29AM (#12322683)

    Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

    I know, I know -- I shouldn't bother asking "why"...

    • Well, it's ok that you ask. Because if it's a hash I can just generate all 900 million 9 digit numbers, calculate their hashes, and see which ones match the DB. Oh, and then profit.
    • by fourtyfive ( 862341 ) on Saturday April 23, 2005 @11:25AM (#12323056)
      Because this would only be minutely more secure than storing the SSN itself. Theirs nine digits in a SS #, numbered 0-9, thats 10^9 Even at a meager brute force rate of 1.5 Million MD5Sums / sec, it would only take 11 minutes to break every possible combination.
      • Good point. A simple hash would not help that much. However, stretching the hash (repeating it several million times) would make each attempt take a few seconds (on today's hardware).

        You could also throw a salt into the mix, but this would complicate administration.

  • SSN versus ID-card (Score:5, Insightful)

    by Councilor Hart ( 673770 ) on Saturday April 23, 2005 @10:31AM (#12322695)
    I am not an American, but from Belgium. I am required to carry a ID-card with me. Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money afterall.
    So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?
    It's something I have been trying to understand for years.
    I don't feel harassed, having to cary my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police needs a justified reason to ask to see it. The bank can ask for, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
    Just wondering...
    • The reason is this . In America , you have the RIGHT to be left alone. We are not a democracy. We are a constitutional republic in which all citizens are the sovern entity with rights embued by the creator and some enumerated in the Constitution.The government is in place to protect those rights. The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.
      • The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.
        What about taxes? You may not like them, but they pay for roads, school, military, healthcare,...
        And how do you identify yourself to your bank (e.g. your money)? If there is no uniform system of identification, then how can they know , for certain, it's you? Not every one is rich enough to know their banker in person.
        I always hear stories from USA about identify theft, but hardly any from the *ol
    • by zakezuke ( 229119 ) on Saturday April 23, 2005 @11:02AM (#12322907)
      So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?

      Your Social Security card is not identification except for bank, your employer, and the IRS. I should also say the phone company also asks for this, and other businesses preforming credit checks which would include rentals. It should be a method of tracking your earnings and paying federal or state taxes (if your state has an income tax). It has no picture, no address, and unless it's changed is a piece of paper that says specifically "do not laminate" unless you have an older one from before 1988 or so. Most places that would require it don't even look at the physical document, why would they it falls apart after a few years. A few employers require one in good physical condition but typically those are limited to places concerned with illegal aliens. Foreign nationals working in America are required to have a tax ID number, but as being non-nationals don't get social security benefits hence no social security card, but just put the tax id number in place of where it asks for social.

      For identification purposes, most places use the driver's license which is a state not national agency. Some people don't drive, or can't drive, so those places issue ID cards as well. You are not required by law to carry one, but if you want to buy booze, go into bars, or cigs, or have a checking account it's very helpful. Passport is an option, but some places don't accept passports as forms of ID, even though they are required to by law.

      There are many reasons to object to a national ID card.

      1. ID cards are already provided by the State, no need for federal involvement. Classic State vs Federal rights argument.
      2. There already exists a national ID, it's a passport.
      3. We presently are not required to have ID on our person.
    • by badfish99 ( 826052 ) on Saturday April 23, 2005 @11:17AM (#12322998)
      This illustrates nicely why we in Britain are opposed the the introduction of ID cards:

      1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
      The last time we had ID cards here, a woman found some item in the street and tried to hand in in to the police as lost property. They demanded her ID. She had forgotten to carry it, so was arrested. This caused such a scandal that it led to the abolition of ID cards.
      Criminals don't leave their ID number at the scene of the crime, so issuing ID cards will not help solve crimes. But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.

      2. The bank wants to see your ID. Why?
      I've got a card from my bank too. When I want to take money out, it proves that I am the same person who put the money in. That's all they need to know. They don't need to know my nationality, or medical history, or police record. So I don't want a single ID that will link all that data together.

      • . A car hit you - you didn't do anything wrong, but the police wanted your ID. Why
        So that the cop had the adress of both me and the driver. Should there have been a problem with compensation (my bike needed repairs) either of us could have gone to the police.
        I am mostly certainly not under the impression that an ID card solves crime.
        If the police wants to harass a person or group they can do so without an ID. Why would not having an ID card stop them from stopping you, asking you questions, holding you u
      • But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.

        The problem with that logic is police already act as if an ID is required. I remember back in 2001 a group 14 students [komotv.com] were stopped for 45min or so for jay-walking, the full treatment multi cars on the scene, id and record checks, the full 9yards which seems excessive and quite nuts given only one person got a ticket, the person who asked if the
      • Here in the US you need an ID for a lot of things, but you don't need to show it to anyone in law enforcement unless you are arrested or are involved in a traffic stop (we have funny automobile-related laws.) They actually specifically cannot arrest you for failing to provide identification.

        Also here in the US, your bank wants to see it any time you make a transaction. You are actually not allowed to put money into someone else's account here, because people stop checking IDs eventually and people used to

      • A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?

        I was robbed last year. After telling the responding officer everything I knew, including the description of a shady character that had been hanging around recently, she pulled out her ticket book and asked me for "my description". What? You mean, the description I just gave you? No. Turns out, she wanted a description of me to write on her report, along with my SSN.

        God Bless America.
    • Although the only time the police asked for it, was one time I got hit (lightly) by a car while on my bike. I have to make an correction. I also showed my ID card at the police station when I had my bike marked as my property. That is done to prevent theft, and in case of theft the police can return it to me, should they stumble across it.
      My old crappy (inherited) bike got stolen in two years time. My new, marked bike is still with me after 4 years. And I live in a University town. As you know, in such a
      • So once again, my ID card is used in my favour. You could say, the same could have been accomplished with a driver ID card or a SSN. To which I will, again, ask: then what is the difference?

        A SSN / Tax IDmay be issued at birth, or may be issued at a later time and is not nor should it be used for identification. It's a tax id number issued by a federal agency. It's directly related to employment, income, education, and money (loans / rent). SSN for nationals, Tax ID for resident aliens. This is NOT a
        • Lett me first thank you for the reply.
          Another question. Regardless if it is state level or federal level. There are several different numbers, stored in several different DB's used for several different purposes. All in the hands of govn branches. What is to stop them from tying it all together?
          Suppose you have one ID number, rendering access to several different DB's. Acces to one DB is limited to the relevant govn branch. You offcourse have access to all data, since it's all about you. The govn can inde
          • Another question. Regardless if it is state level or federal level. There are several different numbers, stored in several different DB's used for several different purposes. All in the hands of govn branches. What is to stop them from tying it all together?

            We would. It's a very unpopular idea, so most Senators or Represenativive who want to be re-elected would vote for this, I would hope. I can't think of a good comercial reason national IDs so very little chance of business lobbying for this idea. St
    • Its because we're all certifiably insane. Just watch CNN or Fox news if you don't believe me. We're a bunch of loonies who get scared of our own shadow and try to kill it with our shotgun. The sad thing is sometimes we actually believe we're winning this fight for our sanity against those evil forces of darkness.
  • Personal IDs (Score:2, Interesting)

    by nxs212 ( 303580 )
    That's why a lot of companies (health insurance, financial,etc) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you - SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check)
    P
  • Any information you are routinly asked to give up can not be considered secret. The problem with the SSN's is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation and those extra pieces of information are likely to become available

    • This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.

      I have trouble believing that this hasn't happened yet. I'm guessing that there are institutional "prisoner's dilemma" issues here preventing this from happening - no one corporation wants to absorb the cost of fixing the system when everybody gets to reap the benefits, so nobody does anything. This is
  • Letter from Tepper (Score:5, Informative)

    by Snorpus ( 566772 ) on Saturday April 23, 2005 @10:53AM (#12322853)
    I'm an alumnus of Tepper (GSIA, the old name, actually) and here's the email I received on Wednesday, April 20.

    Dear ______,

    On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.

    We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.

    While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:

    - For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.

    - For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.

    - For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.
    Your new PAC number is: **********
    Your email address in the directory is: ****************

    - For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.

    Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.

    We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.

    The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.

    If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu

    Thank you.

    Steve Sharratt
    Associate Dean for Advancement

  • Not CMU per say (Score:5, Informative)

    by pridkett ( 2666 ) on Saturday April 23, 2005 @11:20AM (#12323028) Homepage Journal
    So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world overthere because you've got folks who dress nicely and what not.

    CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU, they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hack to a failure of CERT would be like saying the CIA was vulnerable because the department of argiculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and share of folks who are dolts.

    On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on your magnetic stript of your student ID card. You can change it, but they look at you funny when you ask to do that.

    So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.

    This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckles.
  • This really shouldn't surprise anyone who works at a university. There are several mitigating factors that make this sort of intrusion inevitable.

    Here's why:

    Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because the

"Hello again, Peabody here..." -- Mister Peabody

Working...