UT Austin Hit By Massive Security Breach

mrpuffypants writes "Reported in the Austin-American Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."

All they got...

"Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."

Phew, I feel so much better now!

Re:All they got...

They'll get the rest later using the SSN. That and a name are often all you need. Who cares about grades- when they know who you are and have your social you are screwed.

What's the big panic about SSNs?

Seriously. In the UK the closest equivalent is a National Insurance number, which you give out to quite a few people. Banks often want this (because it's unique to you, which makes record-keeping easier). Your employer will want it, so their accountants can calculate your tax. Your doctor will probably want it, again, because it's a unique identifier.

Why are Americans so paranoid about who knows their SSN?

Re:What's the big panic about SSNs?

Should someone get a hold of your SSN they can get a credit card in your name, or whatever.

I think I see where the problem lies.

It's like security through the obscurity of these numbers.

Re:What's the big panic about SSNs?

1. Please mod the parent as insightful. (Or even funny). This is the best description of the problem I've ever heard.

2. It's an antiquated system. Back in the day, before massive amounts of information were available on computer, you'd occasionally hear about a guy who's number was stolen. It's a bad thing, but it was a rarity. The system worked because your number was secret, and there were few real ways to get it.

These days, SSN's are being compromised by thousands at a time. This is a broken system, and it should be fixed.

Perhaps thumbprints or retinal scans as a system of identification. But if you think about it, this leaves us with the same problem. The retinal or thumb image needs to be kept somewhere for the purposes of comparison. The files can be stolen just as easily as SSN's.

Maybe there is no solution.

crypto is a solution

There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)

Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:

My name is John Doe, and my social security number is 987-65-4321. I hereby authorize CreditCards-R-Us to issue me a credit card linked with my social security number.

Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.

Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:

1. Third-party institutions don't have much incentive to guard your secret well. Many of them will do their due diligence in guarding it, but the bottom line is that it's just not their ass on the line, so they won't try really hard. Even if they mean well, they're a busy corporation or university or whatever, and they have other things to get done.
2. If you are forced to give out your secret to get anything done (for example, register for classes), over time lots and lots of organizations will get (and store) a copy of it. This is bad, because the probability that information will get stolen is pretty close to proportional to the number of people who have a copy of it!

Re:crypto is a solution

Yeah, until they look under your keyboard and see the sticky with your private key. The weakest link in security is often the human.

Re:What's the big panic about SSNs?

Why are Americans so paranoid about who knows their SSN?

Because I can use your SSN to apply for a credit card in your name and then, when the bill comes due, it falls on your head (until you explain that that wasn't actually you). Then I can do it again.

Re:What's the big panic about SSNs?

So, do you provide those documents when you apply for a credit card via mail?

In Germany, the post offers a service called postident [deutschepost.de] - the mail carrier will only give you the letter if you show him your passport, and he'll send the passport number back to the sender of the letter.

The system is in place for years, afaik it's the only way to open accounts at internet only banks. No need for a magic SSN.

Re:What's the big panic about SSNs?

That's funny. Those ten or so credit card applications I get in the mail each week say nothing about coming to see them IN PERSON.

From that I can only assume that you live in the US ? Which, I guess, just proves my point that it is a system just waiting to be abused.

Never mind what those spams may say, in Europe you cannot get a bankaccount without applying in person. I guess there may be CC companies that are so eager to close that they trust me without proof. But I reckon that even those will send letters to your address that you have to return to them, signed. Which does prove at least two things to them: (A) you have physical access to the mailbox/streetaddress you supplied, and (B) they have your signature on paper, which can be useful to prove you signed it (and if need be, all the way though handwriting recognition experts).

In any case, that is better than nothing.

Why there hasn't been any reform on SSNs

If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes? Easy - lobbyists and money. Credit card companies and credit bureaus see SSNs as a godsend. For them, it's cheaper and easier to have a central registry in order to troll for new credit accounts, regardless of the security problems inherent in using SSNs for everything.

Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.

At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...

I wish I had known...

I wish I had known about it, I would have asked them to change my transcripts to give me a better GPA. :P

Action

What legal action may the students and faculty take? In Washington it is illegal to use a students SSN to identify students. There was groaning at every campus in Washington for weeks. I bet there as glad as me that Washington was so on top of this.

Re:Action

Why is it such a hassle for Unis to generate their own unique IDs for students?

As I undertsand, the SSN isn't even a *good* unique identifier - for one thing it has no built-in checksum, and it's possible that your number isn't unique (could be wrong on the latter, but it's not really my point..)

Just issuing consecutive numbers to students who enrol is just one extremely simple way to replace using SSNs.

My bank issues me a number that identifies my account, my mobile phone company gives me a number to identify my phone, why is it so hard for unis to issue numbers to identify students?

Why were the unis in Washington so unhappy with the change? Sure, a few thousand people need to be given numbers and that can take a while to physically issue - but if the law allowed, perhaps a phased implementation of the scheme, so new people are given one of the new numbers?

I used to go to UT Austin

and so far, there has been NO communication from UT about the possible theft - the only reason I heard about it is that someone forwarded the article to me this morning. UT seems to be adopting a 'lets-hope-nothing-screwy-happens' attitude to the whole thing, and that is very worrying. There is no way to tell if your ID was one of those stolen - which strikes me as being a little weird. It would make sense to inform the affected individuals as soon as possible, so that they could start being a little more vigilant about their credit histories. But apparently that goes against the wishes of the authorities up high.

Re:I used to go to UT Austin

from the following URL [slashdot.org]...
Am I Affected?
Is your SSN in the following ranges?

449-31-98xx - 450-91-24xx
451-12-32xx - 451-20-35xx
451-20-64xx - 452-20-40xx
If so, within these ranges, 55,200 people of the following types, including but not limited to:

Current students, faculty and staff
Former students, faculty and staff
Job applicants
Retirees
may be affected.

Slightly OT - choice of credentials

OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.

But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted to with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.

Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?

Re:Slightly OT - choice of credentials

Google can answer most of your questions with nifty links like this [privacyrights.org], or this [cpsr.org].

Who would have thunk it?

Re:Slightly OT - choice of credentials

There's a problem with your statement "They're unique and everyone already has one." First, not everyone has one. You were not legaly required to have an SSN until 20 or so years ago. Of course, without one you can't get social security benefits.

A bigger problem is that everyone assumes SSNs are unique. They aren't. At best they can only uniquely identify 1 billion people. "Easy," you say, "There aren't 1 billion people in the United States." There were 281 million in 2000. The birth rate is 14.5 per 1000, and the death rate is 8.7 per 1000. While the birth rate is declining, the life expectancy of a person is lengthening. Additionally, it can not be expected that the birth rate will continue to decline to 0. This means that, while it won't happen any time soon, eventually there will be more than 1 billing people in the US.
The next problem is that when you die, your SSN is NOT REUSED until your estate is closed, at a minimum. My mother's estate was not closed for nearly two YEARS after her death, and hers was a simple estate. Some accounting setups could cause you SSN to be used for many years after your death.

Re:Slightly OT - choice of credentials

Because every company on the planet uses the number to identify you. When you apply for a loan, a driver's license, a credit card or insurance, the Social Security number is all they need. Given yours, I can request a car or home loan in your name, get a nice fat check and skip out of town or out of the country. And you might not ever know about it until the credit collectors catch up with you, you're denied credit or you don't get a job when they run a credit check on you. Assuming they even tell you your credit history is why they didn't hire to. Many employers ignore the laws stating that they have to tell you if that's why they don't hire you.

If someone is using a driver's license acquired in your name with your social security number, they could very well build up a criminal record in your name in some other state. A routine traffic stop could then lead to you getting arrested.

With that in mind, if someone asks you what yours is, the first thing that comes out of your mouth should not be that number. It should be "I don't think you need to know that information." Note that in the historical past (I don't know if this is still true) if you knew someone's name and birth date, you could use an Internet information service to find out their social security number and criminal history.

Are the stolen records ever used?

I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)

Who needs to hack, just work for a university

My school still uses SSN's as student id's. I've found that as a student employee I run into thousands of id's a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of a autogenerated key?

Re:As a recent graduate...

What steps can one take to protect one's identity?

You can't (not to say that you shouldn't make it more difficult, but just don't fool yourself into thinking that it's possible to do absoultely). It's like your house or car, you can take steps to make it more difficult to break in/steal, but there is absolutely nothing you can do to stop someone is wants to target YOU. So the best thing to do is to introduce a bit of paranoia in your life and assume therefore that it COULD happen and adjust accordingly. So for you're indentity, you do regular checks of your credit report, you keeps tabs on your bank accounts, you review your credit card statements, etc. The absolute worse thing that can happen is for someone to grab your identity and use it for a length of time without your knowledge. Getting your cc company to forgive unauthorized purchases is easy, as long as you do it within 30 days of your statement. Having someone apply for a cc with your info can bite you in the butt if you're trying to buy that car or get that mortgage, so you make sure you check well in advance and make sure that window of exposure is a small as possible.

from what Ive seen

in schools, its very easy to retrieve information, I went round no less than 10 junior schools in my area to get information on the new students that are about to enter the new year in the secondary school I work as the information manager.. NOT ONE of the schools asked me for ID, they showed me to a machine and logged me in and let me walk out of the door with the information on floppy...

Its a very scary.. but what can you do..

Penalties

Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

Not to adapt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.

This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.

Re:Penalties

"I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked. " Oh really? Something like 60% of breaches are internal. What are you going to do now? Put everyone on their own separate network? We are going to see a lot of medical data stolen since Bush took the teeth out of the HIPAA requirements.

Clarification?

The UT link appears to be /.ed, but when I read it before it sounded like a simple brute force ssn lookup. The attacker simply generated random ssn and sent them against a page that returned information based on ssn. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.

On another note, UT is phasing out SSN in many aspects of the students life. My wifes UT ID does not contain her ssn, it has a student # now. Though I assume that there are still many points of interface with the UT system that expects to see ssn.

Yikes...

It's amazing how much information you can get kicked back by simply trolling SSN's. This reminds me of the scandal last year [infoworld.com] with Yale's admissions information, which a Princeton administrator obtained by simply entering SSN's and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.

Colleges and Universities need to fix systems!

This is NOT the first time, and I do not believe that it will be the last. I work and attend a medium sized college and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nations colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serous breach or deny any knowledge of current security problems. It's quit frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.

At least the University is acting responsibly...

"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.

Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on /. has an opinion as to how this happened?

Re:At least the University is acting responsibly..

"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

Unfortunately the literal translation of this is:

I am so fired!

The bigger breach . . .

This johnny-come-lately "UT" is ripping off the initials and the colors of the original UT [utk.edu] (est. 1794 thank you very much)!!

We demand that our child State of Texas cease and decist in the molestation of our look and feel.

Sincerely,
Volunteer Graduate of 1994

PS, The UTK English Department is the Home of the Vowels [harbrace.com] ;-)

Hey, here's an idea

SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.

Apart from that all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (IE issue a credit card to a you that's not you).

We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.