Stanford Hack Exposes 10,000
Yet another unfortunate disclosure...

http://www.techweb.com/showArticle.jhtml?articleID=163701121

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
Howdy all,

Somewhere in this thread there is the issue of description of data collection practices, and for those mammals who care (see "Ice Age" with someone under 10 if you need help decoding that), you can do the following:

Review the latest working draft (4 January 2005) of the P3P Spec
http://www.w3.org/TR/2005/WD-P3P11-20050104/Overview.html
and send issues to public-p3p-spec@w3.org and/or post to Bugzilla
http://www.w3.org/Bugs/Public/

The activity you'll be assisting is getting P3P 1.1 to (W3C) last call.

Like all IMF work, it's unpaid, and in the event of capture, the Secretary will disavow ...

Eric
On Wed, May 25, 2005 at 11:59:17PM +0000, Fergie (Paul Ferguson) wrote:
> Yet another unfortunate disclosure...
> http://www.techweb.com/showArticle.jhtml?articleID=163701121

I wonder when schools are going to get the hint and stop using SSN's as ID numbers..

--Adam
On Wed, May 25, 2005 at 05:12:18PM -0700, Adam McKenna wrote:
> On Wed, May 25, 2005 at 11:59:17PM +0000, Fergie (Paul Ferguson) wrote:
> > Yet another unfortunate disclosure...
> > http://www.techweb.com/showArticle.jhtml?articleID=163701121
>
> I wonder when schools are going to get the hint and stop using SSN's as ID numbers..

Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.

- mark

--
Mark Newton                               Email:  newton@internode.com.au (W)
Network Engineer                          Email:  newton@atdot.dotat.org  (H)
Internode Systems Pty Ltd                 Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
On Thu, May 26, 2005 at 09:49:06AM +0930, Mark Newton wrote:
> On Wed, May 25, 2005 at 05:12:18PM -0700, Adam McKenna wrote:
> > On Wed, May 25, 2005 at 11:59:17PM +0000, Fergie (Paul Ferguson) wrote:
> > > Yet another unfortunate disclosure...
> > > http://www.techweb.com/showArticle.jhtml?articleID=163701121
> >
> > I wonder when schools are going to get the hint and stop using SSN's as ID numbers..
>
> Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.

Though that isn't the major problem.

<ot record="broken">
The major problem, as has been pointed out in Privacy and RISKS digests in the past dozens of times, is that people persist in using as authenticators things (like SSN's, Mother's Maiden Name, etc) which are patently not suitable for that.
</ot>

Cheers,
-- jra

--
Jay R. Ashworth                                                jra@baylink.com
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me
> Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.

Wrong answer. Federal laws do not stop people from doing stupid things and they do not stop people from doing illegal things.

What we need is a Hollywood blockbuster in which some highschool hackers wreak havoc by acquiring SSNs from gradesheets and using mother's maiden names to steal lots of money and identities. Then, pointy-haired bosses will ask their sysadmins to make sure that it can't happen in their department.

Hollywood movies change people's behavior. Federal laws do not.

--Michael Dillon
On Thu, May 26, 2005 at 11:10:08AM +0100, Michael.Dillon@radianz.com wrote:
> > Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.
>
> Wrong answer. Federal laws do not stop people from doing stupid things and they do not stop people from doing illegal things.
>
> What we need is a Hollywood blockbuster in which some highschool hackers wreak havoc by acquiring SSNs from gradesheets and using
                                          /////// criminals
> mother's maiden names to steal lots of money and identities. Then, pointy-haired bosses will ask their sysadmins to make sure that it can't happen in their department.
>
> Hollywood movies change people's behavior. Federal laws do not.

"Mr President, did you see that movie about an Ebola outbreak in the US a couple of years ago?"

"Yes...?"

"The budget for that movie was quite a bit more than the total annual funding in the US to study Ebola and related viruses."

Cheers,
-- jr '</OT>' a

--
Jay R. Ashworth                                                jra@baylink.com
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me
On Thu, 26 May 2005 Michael.Dillon@radianz.com wrote:
> > Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.
>
> Wrong answer. Federal laws do not stop people from doing stupid things and they do not stop people from doing illegal things.
>
> What we need is a Hollywood blockbuster in which some highschool hackers wreak havoc by acquiring SSNs from gradesheets and using

Or for some private university to be bankrupted by a class action suit brought by the students who had their identities stolen when the student records db was compromised. How hard is it for a university to generate their own student "serial numbers" as students register?

Personally, I'd like to see much harsher penalties for identity theft though (and I'm including simple credit card fraud / use of stolen credit card info in "identity theft"). This is happening so much, and is so often just brushed under the rug by the big credit card companies (banks), that kids do it with impunity, knowing that odds are they won't be looked for, much less caught.

Last time one of my cards was "stolen" (from an online merchant I assume), I managed to social engineer the IP from which it was used from one of the online establishments where they used my card. It was a Linux box on DSL in California. Did anybody care? Not that I'm aware of. I filed complaints with the appropriate government agencies, and AFAIK, nothing happened.

Put a few credit card frauders up in front of a firing squad, and see if things change. But that would require actually picking them up first, which LE doesn't seem to be motivated or have the time to do.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> * Jon Lewis:
> > How hard is it for a university to generate their own student "serial numbers" as students register?
>
> It's probably hard to restructure your databases and rewrite most of your software. 8-(
>
> Of course, any unique identifier will do, but it's hard to make the switch.

Stanford's student/faculty/staff ID system is not based on SSN's, and it has been in place for a number of years. I don't think the previous system was based on SSN's either.

Which brings up the question of why SSN's would be in the career center database in the first place.

--
-- Welcome My Son, Welcome To The Machine --
Bob Vaughan | techie @ tantivy.net |
| P.O. Box 19792, Stanford, Ca 94309 |
-- I am Me, I am only Me, And no one else is Me, What could be simpler? --
On 27-May-05 the GW commando coercion squad reported Bob Vaughan said :
> > * Jon Lewis:
> > > How hard is it for a university to generate their own student "serial numbers" as students register?
> >
> > It's probably hard to restructure your databases and rewrite most of your software. 8-(
> >
> > Of course, any unique identifier will do, but it's hard to make the switch.
>
> Stanford's student/faculty/staff ID system is not based on SSN's, and it has been in place for a number of years. I don't think the previous system was based on SSN's either.
>
> Which brings up the question of why SSN's would be in the career center database in the first place.

One thought. Sadly most universities are attended by those who need money from the government in some way or another. Be it a loan or grant that are often managed by the university. Thus one way or another, as far as I know, unless you pay in cash, they require all sorts of identification on file to be able to help you apply for the loan and to manage the loan.

Also when people want to check if You have a degree, they have to have a way to translate You to the person who attended the university.

So I think the original statement/suggestion stands. They perhaps need your information, but because of this, they have a responsibility to guard that information as well as any swiss bank might guard gold.

You can never be just a name again.. Just wait till the biometric data and ID cards come.

Nicole

> --
> -- Welcome My Son, Welcome To The Machine --
> Bob Vaughan | techie @ tantivy.net |
> | P.O. Box 19792, Stanford, Ca 94309 |
> -- I am Me, I am only Me, And no one else is Me, What could be simpler? --

--
|\ __ /| (`\ | o_o |__ ) ) // \\
- nmh@daemontech.com - Powered by FreeBSD -
------------------------------------------------------
"The term "daemons" is a Judeo-Christian pejorative. Such processes will now be known as "spiritual guides" - Politically Correct UNIX Page
Opportunity is missed by most people because it is dressed in overalls and looks like work. - Thomas Edison
Thus spake "Jon Lewis" <jlewis@lewis.org>
> How hard is it for a university to generate their own student "serial numbers" as students register?

Generating them is trivial. Getting students to remember them is difficult.

> Personally, I'd like to see much harsher penalties for identity theft though (and I'm including simple credit card fraud / use of stolen credit card info in "identity theft"). This is happening so much, and is so often just brushed under the rug by the big credit card companies (banks), that kids do it with impunity, knowing that odds are they won't be looked for, much less caught.

My credit card number was stolen a couple months ago; they went on quite a shopping spree across several states before I discovered it and got the number cancelled. Here's my experience:

I filed (or tried to file) police reports in each jurisdiction where the charges occurred, since my bank required the report numbers to process the charge disputes. Two cities simply refused to accept my report since I wasn't a resident, and another required that I file it in person (hundreds of miles away). All but one of the cities that accepted my reports stated flat-out that they wouldn't even attempt to investigate unless _I_ provided _them_ with a suspect.

One PD, from a rural town in Oklahoma, was actually very helpful. They went out, pulled all the video tapes, interviewed cashiers and waitresses, etc. and the best they could do was provide a description of the man and his car. I tried forwarding this new info to the other PDs involved, and they uniformly said they still wouldn't investigate unless I provided them with the _name_ of a suspect.

Since most of the items purchased were gift certificates from department stores, I called the various stores' loss-prevention departments to give them the transaction numbers and suggest they cancel the certificates before they were redeemed and try to check ID on the perp. Over half refused to talk to me, saying they needed official contact from the local PD (WalMart went so far as to say they'd destroy the tapes if they didn't hear from the cops within 24 hours). The ones that did were happy to provide tapes to the local PD of the person who had already redeemed several certificates, but they had no means to inform a cashier to check someone's ID when they presented the remaining ones which had been cancelled.

Of course, the redemption stores were all in different cities than the purchase stores, so when I tried to get the local PDs involved, they refused saying "no crime occurred in our jurisdiction", and the stores wouldn't send the tapes to the PD where the certificates were purchased.

All told, about $2300 worth of certificates was redeemed and about $1000 of liquor, food, and gasoline was purchased -- in under a week. Who says crime doesn't pay?

> Put a few credit card frauders up in front of a firing squad, and see if things change. But that would require actually picking them up first, which LE doesn't seem to be motivated or have the time to do.

As long as the card networks are willing to chalk the fraud up to a "cost of doing business", nothing will change. When it starts getting out of hand, you can be sure they'll see to it a special task force in the FBI is started. And it won't help, because the vast majority of fraud is isolated incidents by opportunists, not the rings of professional criminals the FBI understands.

S

Stephen Sprunk        "Those people who think they know everything
CCIE #3723           are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov
People are missing the point a bit. Most schools HAVE switched over to new numbering systems. Most student ID's have school-specific ID numbers. The problems are:

1) Older student records are indexed by SSN and they must be retained.

2) Some information is still indexed by SSN out of necessity - student financial aid for example

That means you have a translation database somewhere, with all those SSNs and the new student index numbers.

SSNs are already forbidden going forward at pretty much all schools. For example, they can't be used to post grades. However, the need to retain them for backwards compatibility remains.

Education institutions need a clear set of guidelines for handling sensitive data like that. A good start would be that such data can only be stored in an encrypted format in a physically secure facility. Yes, that seems obvious, but it doesn't happen. Considering the sort of free wheeling environment prevalent in University networks, you would think they would be a bastion of high security. Sadly, this isn't the case.

- Dan

On 5/26/05 6:10 AM, "Michael.Dillon@radianz.com" <Michael.Dillon@radianz.com> wrote:
> > Around about whenever the US Federal Government gets the hint and passes a bill which makes it illegal to use social security numbers for any purpose other than the administration of social security.
>
> Wrong answer. Federal laws do not stop people from doing stupid things and they do not stop people from doing illegal things.
>
> What we need is a Hollywood blockbuster in which some highschool hackers wreak havoc by acquiring SSNs from gradesheets and using mother's maiden names to steal lots of money and identities. Then, pointy-haired bosses will ask their sysadmins to make sure that it can't happen in their department.
>
> Hollywood movies change people's behavior. Federal laws do not.
>
> --Michael Dillon

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
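As an added example (not code from the thread), the separation Dan describes, in Python: an institution-generated student ID issued at registration, a restricted translation vault that keeps only a keyed hash of the SSN rather than the number itself, and a scan that flags SSN-shaped values in an export such as a grade sheet. The vault layout, key handling and SSN validity rules are assumptions for illustration, not anything the posts specify.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example key; in practice it lives in a secrets manager or HSM,
# not on the same box as the general-purpose student records.
VAULT_KEY = secrets.token_bytes(32)

# Something shaped like a US SSN (3-2-4 digits, dashes optional). Area 000, 666
# and 900-999, group 00 and serial 0000 are never issued, so they are excluded
# to cut false positives from phone numbers and similar digit runs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")


def new_student_id():
    """Institution-issued identifier: random, so nothing in it derives from the SSN."""
    return "S" + f"{secrets.randbelow(10**8):08d}"


def blind_index(ssn):
    """Keyed hash of the SSN digits. The vault can still be searched by SSN
    (e.g. financial-aid reconciliation) without holding the number in clear."""
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(VAULT_KEY, digits.encode(), hashlib.sha256).hexdigest()


class Registrar:
    """Two stores: records the campus sees, and a restricted SSN translation vault."""

    def __init__(self):
        self.records = {}   # student_id -> name, courses, grades (no SSN anywhere)
        self.vault = {}     # blind_index(ssn) -> student_id (access-restricted)

    def register(self, name, ssn):
        sid = new_student_id()
        self.records[sid] = {"name": name}
        self.vault[blind_index(ssn)] = sid   # the SSN itself is not retained here
        return sid

    def student_for_ssn(self, ssn):
        """The one path that needs an SSN: find which student it belongs to."""
        return self.vault.get(blind_index(ssn))


def find_ssn_leaks(rows):
    """Row indexes in an export (e.g. a grade sheet) containing an SSN-shaped value."""
    return [i for i, row in enumerate(rows)
            if SSN_RE.search(" ".join(str(cell) for cell in row))]
```

If the number itself must be kept for reporting, it belongs in an encrypted column of that same restricted vault, never alongside the records that grade posting and similar everyday systems read.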
> Yes, that seems obvious, but it doesn't happen. Considering the sort of free wheeling environment prevalent in University networks, you would think they would be a bastion of high security. Sadly, this isn't the case.

This isn't meant to be a bashing session on universities and other educational systems, just an observation.

I would think, and I may be wrong, that an educational network would be subject to - stakeholders (students, faculty, alumni) that turn over quickly, calendar-tied fluctuations in activity, and a user base that tends to be more liberal and risk-tolerant than a typical end user network. I would think that these traits would work against the accumulation of tested operational techniques, appreciation of the time and cost of a reliable service, and stiff enough penalties for anti-cyber-social behavior. Also working against this is the availability of time (like between semesters) when major upgrades can be done, because in the rush to do so sound techniques can be overlooked.

I don't mean to cast dispersions on educational campus IT functions. There is a lot of good security research and energy available in those environment. I'm just saying the environment is harsher than for other end users. No - I'm not leading up to a suggestion to quarantine them from the rest of the Internet.

Stories like this just serve as the example headlines of why any organization ought to take preventative measures when it comes to this kind of data. Hopefully, whatever vulnerabilities that were exploited will be patched, even if there is no public disclosure. (Word will get around when it needs to.)

PS - I was more surprised by the case of identity data that was lost when a laptop was stolen. Why was something so valuable left in such a mobile form?

http://informationweek.com/story/showArticle.jhtml?articleID=159907962

An example of following bad practices. Is the solution "more consultants?" ;)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

If you knew what I was thinking, you'd understand what I was saying.
On Wed, 25 May 2005, Jay R. Ashworth wrote:
> The major problem, as has been pointed out in Privacy and RISKS digests in the past dozens of times, is that people persist in using as authenticators things (like SSN's, Mother's Maiden Name, etc) which are patently not suitable for that.

pre-existing sources of unambiguous uniqueness that map to people are hard to come by... fwiw, most universities that I'm aware of, have moved away from using ssn's as an authentication tool.

joelja

> Cheers,
> -- jra

--
--------------------------------------------------------------------------
Joel Jaeggli                       Unix Consulting         joelja@darkwing.uoregon.edu
GPG Key Fingerprint:               5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2