Cornell Computer Theft Puts 45,000 At Risk of Identity Theft 91
PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."
Keeping User Data in a University.... (Score:5, Insightful)
Re:Keeping User Data in a University.... (Score:5, Interesting)
I was once emailed word file with about 300 student's names, birthdates, social security numbers, and yes, user passwords for their university accounts. It was not encrypted and it was unsolicited--she needed help "opening" it. I promptly encrypted the file, deleted the original from my pop account, and then went to her computer and changed the name to have a ".doc" suffix. She was magically able to open it after that.
These are the people we entrust with our sensitive information.
Re: (Score:1)
These are the people we entrust with our sensitive information.
You are only as strong as the weakest link, and they should really some really basic security training for every person in an office setting.
TrueCrypt should be required on all such computers (Score:2)
TrueCrypt can encrypt even the OS partition.
From Cornell's weak excuses, June 2009 Data Theft - Frequently Asked Questions [cornell.edu], a quote: "In June, 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 cu
TrueCrypt is completely free and open source. (Score:2)
TrueCrypt: Vista/XP/2000, Mac OS X, and Linux (Score:2)
Re: (Score:1)
Sorry, I wasn't passionate enough. --grin-- (Score:2)
I didn't mean to be "bordering on advertising". I meant to be extremely intensely advertising.
I don't have any connection with the people who make TrueCrypt. I am only a very, very happy user. I've been using TrueCrypt for more than 3 years, through many versions, with no problems.
TrueCrypt is an excellent resolution of a huge problem.
Well, that's gotta' be mod abuse. (Score:1, Offtopic)
Re: (Score:1)
While we are being completely OT, I have a question about your sig - how is that supposed to work?
If I mod something up it is because I believe in what is being said in that post. If I did not personally believe what is being said (e.g. because I have counter arguments, my experience has been different etc.) I have absolutely no reason to mod someone up. The same is true vice versa for downmods.
I would appreciate help on how I should prevent my own beliefs/knowledge/opinions from interfering with my moderat
Re: (Score:2)
You're not supposed to moderate so much on the topic, as the amount of information and presentation of said info.
If they bring forward a point you don't agree with, but fully support it with evidence, logical arguments, etc, then you mod it up, or at least, don't mod it down.
If they just say "Lunix/Winblows/CrackOS sucks cuz my homie knows a guy who's friend got a virus on it!" well...then you troll mod into oblivion.
Comments of "I agree" don't add anything useful to the conversation, and only serve to fil
Re: (Score:1)
Thanks for your reply. What I really needed was gnapsters introduction though "The point of the moderation system is not to make sure that only "true" things get posted," - that really helped get the point accross :)
Re: (Score:1)
The point of the moderation system is not to make sure that only "true" things get posted, or that we only see what we agree with. It is to help sift through the comments for anything which is a worthwhile contribution to the discussion. From the FAQ [slashdot.org]: "The moderation system is designed to sort the gems and the crap from the steady stream of information that flows through the pipe." When all the comments are in and the moderators have finished their work, you should be able to read the thread at +3 (or so
Re: (Score:1)
Ok thanks, although I have read most of the FAQ I somehow missed that point. If that is the intention of the moderation system I will try to stick with it in the future. My only problem has been that it is very difficult to mod something "insightfull" if it is clear to me that the poster is obviously wrong - even if he supplies plenty of arguments. But if the moderation system is mostly about the, shall we say "form" of the post instead of the actual content I see the point.
Re: (Score:1)
Re: (Score:3, Insightful)
Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.
Obviously, to this
Re: (Score:2)
Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice.
Try working for the state. I was sent such a spreadsheet twice myself in my current employment -- published in the campus newspaper. Salary information isn't always private; it depends who's footing the bill.
Re: (Score:3, Insightful)
Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.
Re: (Score:2)
I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.
Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.
Why wasn't your first thought to turn off the POP3 server and any webmail or other access people might have had?
Sure, it's a pain, and you'll get helpdesk calls asking "Why can't I get email?" Just say, "There's a problem with the server, we're working on it." If you have an internal technical website (and you should, which should also be policy that it's the first place for people to check when they have a problem with something other than their own computer not turning on), post a quick message on it st
Re: (Score:2)
I'm curious why universities need social security numbers at all. Last time I checked (never), the SS administration wasn't the one writing student aid checks. There's no federal database of who has what degrees (except perhaps MD degrees). Until 2004 or so the University of Texas Arlington used your initials and the last 4 digits of your SSN in your email address (which is the facebook login for most anyone who joined facebook at UTA prior to 2004, for you identity thieves).
UT Arlington (UTA) spec
It couldn't have happened when I went there (Score:2)
That kind of theft couldn't have happened back when I was a student at Cornell, in the mid-late 70s. First of all, there was only one computer used for most campus activities, a mainframe that lived in a data center out by the airport, so nobody could have stolen it :-) (There were some PDP-11s and such in a few engineering departments (though not CS - it was mostly the physics people and maybe a random department in the business or ag school), and the card readers that we used to talk to the mainframe re
Re: (Score:2)
Yeah, but back in MY day, we had to walk uphill BOTH ways, from the Dorm to the Library (where the mainframe terminals were), uphill to the cafeteria (where the food was), BACK uphill to the library, and finally uphill to the cafeteria again, and even further uphill to the dorm. Why the Dorm, Library and Cafeteria were on opposite ends of the campus, on top of steep hills, I'll never know.
And it snowed. Every day. In Texas. In August. All four years.
AND we didn't have the internet to plagiar
Re: (Score:1, Informative)
Cornell still uses the Cornell student ID (printed on your ID card) for everything internal. If someone knows that, they can -- with a little social engineering -- pretty much impersonate you for any in-person campus service like manually changing your schedule or getting meals in your name (if you have a meal plan).
I assume they need SSNs for any students they employ. Also, every college I applied to required it on the application as a unique identifier because they do not want to deal with names (your SSN
Re: (Score:2)
Sometimes I wonder if universities should just use some cryptographic hash of that material. If they had the SSN and user info, they can generate the ID, if a computer system didn't, the ID would still be useful for a primary or secondary key for that student, staff, or faculty.
A simple mechanism would be concatting the info that doesn't change information together in a predetermined way (the first first and last name registered with the school and the SSN), perhaps adding a random password that is a share
Re: (Score:2)
voila, a workable student ID that can be generated from the user's data on the secure systems, but finding any secret info from the student ID number is virtually impossible, other than the date they started with the university.
Until some dumbass admin who thinks "I know what I'm doing. It'll be fine." starts downloading trojanned cracks from infected-keygens.biz on the secure server....
Re: (Score:2)
Except for their current employees. Though by the sounds of things they don't bother to remove this information from the records of past employees...
Re: (Score:1)
My first question: what the hell were passwords doing in a .doc?
In the old days (C. 2000), students applied for an account and then the authentication info was mailed to them in hard-copy through the department. I don't know the exact route, but at some point, a secretary was required to create a "merge mail" with the info for the new batch of students each year. You can see how the merge mail database might be a handy document to send another (clueless) secretary if said secretary needed some trivial amount of information that might be in that database.
I'm sure this ki
Re: (Score:2)
I'm going to actually state this is a case where selective DRM (more specifically Microsoft's IRM in pre-2008, and RMS currently) would be a good thing.
Say this .doc file was protected with Microsoft's IRM and it got outside the company. Users who were authorized from the RM server would be able to view it, but to those who didn't have access, it would be encrypted and useless without the key. Yes, an authorized user likely could make a copy of it without the rights management encumberance, but IRM system
Re: (Score:2)
Yes, but IRM and DRM are two completely different things.
IRM allows a company to control who gets to see their own documents.
DRM allows a company to control what consumers have to repurchase.
The difference being, that the company using IRM is in control of their own use of their own internal documents, while the company using DRM is attempting to control the entire public's use of files that are meant to be used by the public.
Having said that, IRM can still be a pain for whistleblowers attempting to alert t
Re: (Score:2)
Let's face it: you can't educate users about security. Many people will understand, but many will not. And it just takes a few people who don't get it to cause a problem.
In the instance of your example, it would be useful if the person who created that original
Comment removed (Score:4, Interesting)
Social security numbers are worthless (Score:5, Interesting)
Re: (Score:2)
Did some work for an electrical union (the office managing people's pensions and such) a couple of summers during high school.
We'd have people's names, SSNs, partial addresses, etc.
We needed to get mailings out to them.
Just hop on this website, click the "yes I'm authorized to look at this information" button, and then type in a name, phone number, partial address, or ssn.
You get a neat list of all peopel with that name/number/address/ssn (often multiple people with the same ssn LOL). You even get a cool l
Creditor's problem (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
The point is they are "identifiers" rather than "authenticators".
so no one will be able to pretend they mean anything.
You underestimate the abilities of fools. Nothing is likely to stop them believing that a collection of identifiers equates to an authenticator.
from Ivy League to Bush League (Score:1)
Wow.. social security numbers.. on PERSONAL COMPUTERS!!!! Outrageous. What that data is doing on anything but computers locked behind doors in a data center is beyond comprehension.
Cornell has dropped out of the Ivy league and entered the bush league.
hosers.
Re: (Score:1, Insightful)
I was one of the 45K (Score:5, Insightful)
It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.
I wonder (Score:2, Interesting)
how many times identity theft isn't reported, the high school I went to had a case reported that some kids had stolen the SS numbers from the schools network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out, I don't think they did as no one was expelled. The IT Department was totally fucked though as a network with vulnerability like that was... well you get the idea.
I was on the network and saw
Troubleshooting? (Score:2)
Re: (Score:2)
Re: (Score:2)
It appears to quite often be the case with such "breaches" that there wasn't an especially good reason to be storing said data at all. However without data protection laws which are strongly enforced there is little incentive to store and process only data which is actually needed.
How much is your personal information worth? (Score:2)
Sue them for that amount, x45,000.
Then maybe they'll take this seriously.
Re: (Score:1)
Re: (Score:2)
So, 0 * 45,000 = $0.00
CIT is completely incompetent (Score:2, Insightful)
This is the same IT department that recently switched over its management software to peoplesoft. A wonderful web app that randomly throws COBOL errors and refuses to function.
Suprise Suprise.
I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.
Cross Cornell off the list (Score:2)
I had considered Cornell for obtaining my Bachelor's - not any longer with this.
Even I have better security practices and I run windows machines without firewalls or AV software.
Over four years without infection! Common fucking sense FTW.
Re: (Score:3, Funny)
someone forgot to run Spider (Score:1, Informative)
You'd think, the university that created the Cornell Spider -- http://www2.cit.cornell.edu/security/tools/ -- Would be more diligent to push that out on all their machines. But I work in the *real* world and know all about theory and practice.
Third time's the charm (Score:2)
Security (Score:1)
Absolute Liability? (Score:2)
Maybe the solution to this is absolute liability for anyone who keeps personal information on anyone else.
As a former student... (Score:2)
I have no idea how far back the stolen data goes, but I was a student at Cornell in the mid-90's. I can assure you that Cornell does not have my current email address (my university address expired after I left), and they do not have my current mailing address, either - I never receive mailed solicitations for money.
On their FAQ page, they assure everyone that they contacted everyone who had their data stolen via email or USPS. I am not saying that I was necessarily one of the victims here, but I am sure th
Full Disk Encryption is just too easy! (Score:1, Informative)
Fedora has full disk encryption, any newbie can activate it.
What is wrong with these people?
Re: (Score:2)
In reality, what is needed is FDE systems architected similar to Microsoft's BitLocker that use a TPM chip that is used to validate the boot process, then pass the encryption key to the OS. This will allow servers to boot unattended (although one can have the TPM request a PIN), but still protect the machines from unauthorized access via a live CD.
One can add additional mechanisms to this, for example, a GPS that the TPM can use to validate that a machine is still within the same physical area, or a hardwa
I am one of the unfortunate 45,000 (Score:1, Informative)
I've been reading about similar stuff happening at other places but I didn't think it would occur at Cornell. They are generally pretty good about IT/Security stuff. In any case, the email they sent out links to this FAQ:
http://faq-june2009.cuinfo.cornell.edu
Turns out that it wasn't so much the universities fault as it was the fault of some idiot IT person. An excerpt from the FAQ :
5. Why was this information on a computer?
A member of the Cornell technical staff, who is responsible for supporting our centra
Re: (Score:2)
Turns out that it wasn't so much the universities fault as it was the fault of some idiot IT person.
If the university hired that idiot IT person, then it's the university's fault. Full stop.
SSN = identity? (Score:1)
Let me understand...
There is a government site that returns your signature, photo, complete name, DNA, fingerprint, all passwords, a 3D model of you, your sex tapes, etc., in the case you've lost them... Just put your SSN and you get back your lost identity. Is this the problem with SSNs?
Maybe credit companies just accept that you are someone else just because you know his/her SSN and last name...
At least they admit it.... (Score:2, Insightful)
Isnt cornell.... (Score:2)
Isn't Cornell....supposed to be one of the biggest and brightest Universities to be out there...they cant afford a good admin with stronger group policies on the network?