
Carnegie Mellon Says Computers Breached

CowboyNeal posted more than 9 years ago | from the back-door-left-open dept.

Security 203

maotx writes "Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. What makes this one even more interesting compared to other recent break-ins is that CMU is home to the famous CERT."


203 comments


Poster here (4, Interesting)

maotx (765127) | more than 9 years ago | (#12322489)

And credit given where credit due, I picked up this story from a post on a mailing list from Paul Ferguson [blogspot.com] and his tech news.

What I found to be so interesting about this story is that unlike the other thefts, this one did not require the theft of a computer or social engineering skills. This one looks like the work of a group of hackers and now has the FBI's computer crime squad joined [post-gazette.com] in the investigation.

Re:Poster here (1)

markild (862998) | more than 9 years ago | (#12322522)

"The entire school has been affected. Some of the information is more sensitive than others,"

Besides the social security number, I can't really say I see the reason for anyone to retrieve this kind of data.

I know that most people feel uncomfortable with the feeling that someone got their entire student/employee history, but I can't see the harm in it either.

Re:Poster here (2, Informative)

maotx (765127) | more than 9 years ago | (#12322549)

Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want. And heaven forbid you also have their driver's license number. One could completely steal an identity with this kind of information.

Re:Poster here (1, Informative)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12322707)

With the mother's maiden name, you could finally get access to that person's hotmail account.

That is unless they used another question, in which case this whole exercise was for 50 years of ass-pounding.

I guess the hackers really like backdoor-ing.

Re:Poster here (2, Informative)

AK Marc (707885) | more than 9 years ago | (#12322959)

Well, with a SSN, mother's maiden name, and birthdate you can open almost any kind of account you want.

With SSN and birthdate. Mother's maiden name (MMN) is used only for local verification. It isn't printed on credit reports or other such shared documents. You can make up a different MMN for every account that asks for it and never have anyone question you. The SSN, address, DOB, and past history are what is on the reports that organizations look at for opening accounts.

Re:Poster here (2, Funny)

Meagermanx (768421) | more than 9 years ago | (#12322554)

Yes, a group of coughRIAAcoughcoughMPAAcough hackers.
I wonder if the "hackers" found any MP3 files in the information they stole?

Re:Poster here (0)

Anonymous Coward | more than 9 years ago | (#12323029)

While I'll agree that his blog does keep track of some useful tech news, I don't think I'm the only person who's sick of all the news stories he posts on NANOG. I suspect he's forgotten that that is a mailing list for network operators and their issues, not his personal news feed. Whoever suggested that he create a website and post the RSS link ONCE had the right idea (though the link in his signature is alright too).

Wait... what? (0)

Anonymous Coward | more than 9 years ago | (#12322490)

Interesting. I'm a CMU student and I haven't heard anything about this.

Re:Wait... what? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12323016)

Many hackers make the classic blunder of telling everyone and taking out ads on TV and radio. Obviously these ones are sneakier than that.

The internal network was smashed (0)

Anonymous Coward | more than 9 years ago | (#12322491)

They suspect Gallagher.

um... (0, Redundant)

loid_void (740416) | more than 9 years ago | (#12322500)

This CERTianly is an interesting piece of information.

Re:um... (0)

Anonymous Coward | more than 9 years ago | (#12322508)

You're a CERTified master of puns.

Re:um... (2, Funny)

Chris Kamel (813292) | more than 9 years ago | (#12322568)

but probably also CERTainly in need of a spell checker

Re:um... (1)

loid_void (740416) | more than 9 years ago | (#12322623)

using the Kamel spell checker; a great product.

Re:um... (2, Insightful)

dgatwood (11270) | more than 9 years ago | (#12323085)

Of course, you should realize that CERT has been all but replaced by the new US-CERT, run by the Department of Homeland Insecurity. That new group's idea of computer security includes:

  • Using WEP (ooh, so secure) to "prevent" terrorists using your base station.
  • Sending out signed weekly messages to warn about vulnerabilities, but instead of sending out a detailed list, the message only contains a reference to their web address.
  • That web server runs Windows.
  • That web server is on a .gov address that I haven't been able to access in over a month because the .gov DNS servers time out. I can't access it from home or from my servers on the other side of the country....
I've given up on relying on CERT to keep our network secure. It's sad, but at this point, my best sources of security info are Slashdot and regular checks of certain daemons' web pages. IMHO, it's long past time to overthrow US-CERT and create an organization that actually understands security, but I don't see it happening....

IMHO, leaving our planet's cyber-security in the hands of the U.S. Government is like leaving our planet's physical security in the hands of the U.S. Military, or leaving your business's security in the hands of a ten-year-old child with a toy spy camera. Where is UN-CERT when you need it?

Hacked you all! (0)

Dancin_Santa (265275) | more than 9 years ago | (#12322510)

sprintf(ssn , "000-00-0000");
while (1) {
do_bad_stuff(ssn++);
}


Now, having said that, I think it stands to reason that any number that can be automatically generated is automatically at risk of hacking.

Which is to say that it is at the same risk of hacking as any other random number. Which is to say that it is not at risk.

As long as your SSN is nothing more than a number, nothing bad can happen to it.

Now, if someone were to take it and try to do something with it, hopefully you guys over in the U.S. have something to protect yourself with. Some kind of legal recourse to protect SSN holders.

I know I'm not assuming too much here. Those Murkins have thought of everything.

Uh (0)

Anonymous Coward | more than 9 years ago | (#12322521)

"Social Security numbers and other personal information"

Which is probably enough for someone to steal your identity, get credit in your name, make your life miserable, etc.

Re:Hacked you all! (0)

Anonymous Coward | more than 9 years ago | (#12322538)

I'm sorry but your code almost only generates invalid serial numbers:

000-00-0000
0-00-0000
-00-0000
etc

Re:Hacked you all! (1)

WhatsAProGingrass (726851) | more than 9 years ago | (#12322563)

If the computer had ss numbers, then it most likely also had the name and address and maybe even information about birth date on that same computer. I think it sucks that this sort of thing happens. I'm in the military and my ss number is known by just about anyone that takes 5 minutes searching for it. So sad.

Re:Hacked you all! (1)

Drantin (569921) | more than 9 years ago | (#12322580)

But when your SSN is associated with your name, people can use it to pretend to be you and sign up for other forms of ID that can be used and show up as black marks against you...

Holy shit (1)

Dancin_Santa (265275) | more than 9 years ago | (#12322590)

But when your SSN is associated with your name, people can use it to pretend to be you and sign up for other forms of ID that can be used and show up as black marks against you...

Is this true? You'd think that at least the most basic protections would be in place to prevent this sort of fraud.

Is This Really News??? (5, Insightful)

ferrellcat (691126) | more than 9 years ago | (#12322513)

Sadly, it seems more astonishing if a day goes by when a major personal information breach is NOT reported.

Re:Is This Really News??? (2, Informative)

BrK (39585) | more than 9 years ago | (#12322653)

Yup.

Especially when you consider that there are products already available that can greatly reduce, or eliminate, these sorts of things.

Guardium http://www.guardium.com/
Tizor http://www.tizor.com
Lumigent http://www.lumigent.com/
(just to name a few) All have solutions to information access/identity theft problems. If a company is storing personal/private/sensitive info it would seem they would be more aggressive in deploying preventative measures.

Re:Is This Really News??? (1, Interesting)

orthogonal (588627) | more than 9 years ago | (#12322812)

"Sadly, it seems more astonishing if a day goes by when a major personal information breach is NOT reported."

Right.

These breaches are inevitable. That's why, as I've said for a while [slashdot.org] , it doesn't really matter if an organization -- whether it's Google or the government -- promises to "do no evil".

Even an organization run by saints -- and no organization is run by saints -- can be breached.

So there are two things that need to be done: first, we need to convince organizations, both corporate and governmental, to limit the information they collect to what is actually necessary for their functioning. And access needs to be limited and audited to prevent misuse [slashdot.org] .

Given prevailing corporate ethics -- that whatever is good for profits is ethical -- the "convincing" will have to be in the form of data-protection laws and privacy-protection laws that limit information collecting and impose penalties for misuse or failing to adequately safeguard it.

Second, what information is collected needs to be encrypted. While that won't prevent all hacking, it will mean that copies of data stolen in bulk will be pretty much useless to the thieves.

Again, it's not sufficient to think, "well, I trust Google (or the FBI or the Social Security Administration or my bank) won't misuse my information" -- it's necessary to remember that organizations change sometimes without warning (see the first link, above), and that external hackers and internal misusers can pervert any system (see the second link).

Our response has to be more than "whistling past the graveyard" hoping that nothing will go wrong. Breaches are inevitable, and our laws and our data-retention worse practices -- not the best practices we hope for, but the worst we allow -- must reflect that.

Casual attitude about SSNs (5, Insightful)

bigtallmofo (695287) | more than 9 years ago | (#12322518)

What exactly were social security numbers doing on that computer?

I'm still amazed at what companies ask me for my social security number and their casual attitude about what they do with it. My health insurance company uses it as my ID number. My dentist thinks nothing of asking for it and scribbling it on a post-it note along with my name while they enter a claim form into their computer and then they throw the post-it note away.

I always make an attempt to refuse to give my SSN. The shocked, negative reaction I get is absolutely amazing to me. It is apparently so ingrained to U.S. culture to give that number up to anyone that asks regardless of the totally insecure way they handle that number.

The doctor doesn't care (0)

Anonymous Coward | more than 9 years ago | (#12322534)

He just wants your insurance ID. Whether that's your SSN or your dog's birthday is of no matter to him. If you don't want him to have it, demand that your insurance company give you a different ID.

Re:Casual attitude about SSNs (1)

nsasch (827844) | more than 9 years ago | (#12322553)

I've rarely found that a SSN is needed. If you make a membership-required website, you ask for a lot of information that just stays in the database, and nothing is done with it. Maybe companies feel the same about SSNs: they have it, and they have no need for it.
I can't even get Google Ads on my sites because my father (I'm under 18 in the US) would have to give his SSN to Google.

Re:Casual attitude about SSNs (0)

Anonymous Coward | more than 9 years ago | (#12322658)

Wouldn't Google be paying you for the ads?

Aren't those payments supposed to be declared as income?

Aren't those numbers used for tracking Social Security benefits?

I might be wrong, but in this case, I think they're allowed to ask for your SSN

Re:Casual attitude about SSNs (4, Insightful)

Angostura (703910) | more than 9 years ago | (#12322556)

Well, I suppose there are two ways of thinking about things like the SSN. One way is to consider it a piece of privileged private information that can be used for security purposes.

The other way is to think of it as a piece of information as public as your first name or hair colour.

It seems to me that SSN now has to be considered in the second category.

The problem is that there is a mismatch of perception in society, so some people see it as a secure item, some people think of it as insecure and some people don't really think.

It is this mismatch which is causing the potential identity theft and security problems.

I'm sure it is handy as a unique key in many people's databases, but it has to be realised that it is public and can be falsified.

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

Re:Casual attitude about SSNs (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12322615)

I'm sure it is handy as a unique key in many people's databases

Only for people who don't know any better. Social Security numbers are recycled and should never be considered unique.

It is possible for multiple living people to have the same SSN and even the same name.

SSNs are also poor "security" identifiers because they are usually tied to where you are born along with other patterns.

Re:Casual attitude about SSNs (1)

kfg (145172) | more than 9 years ago | (#12322666)

It seems to me that SSN now has to be considered in the second category.

And just what is it about a number that, by law, is not a general ID, and whose only legitimate use is in dealing with government tax authorities, that makes it "public" information?

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

Yes, that would be my guess. It is a federal tax number that by law is not supposed to be used as ID for any other purpose and which you have the legal right to refuse to give for any nonlegitimate purpose.

KFG

Re:Casual attitude about SSNs (1)

badfish99 (826052) | more than 9 years ago | (#12322903)

OK, I'm British too, so I don't understand this either. Can anyone please answer this: is there any way that the people asking you for your SSN can validate the answer you give?
If so, what's the point in trying to keep your SSN secret, if anyone can find out what it is?
If not, why not just think up some other random number with the same number of digits, and give out that when anyone asks you for your SSN?

Re:Casual attitude about SSNs (1)

k8to (9046) | more than 9 years ago | (#12323130)

There are ways to validate a SSN but it's kind of clunky. Basically people check the SSN against other databases which are also keyed by SSN. But they're all nonauthoritative. The Government's tax collection can actually authoritatively check although I don't know if they do. I suppose credit agencies by hook or crook may have managed to gain access to this data. However, their databases do contain errors. I was refused when I tried to buy a cellphone because my "SSN was wrong". It turned out to be a credit monitoring agency's database error.

So basically the fact that you have to use the same number consistently allows them to clumsily match it to itself from database to database.

You can make up a random set of numbers, and eventually it has to propagate from DB to DB; illegal foreign workers use this technique regularly. There are some tricks to getting the process started that I don't know.

So in some ways, to make your life non-stressful, you end up having to give out the same number to everyone, and for the few times where the network of number use actually links back to tax information, you mostly have to give the valid one.

It's clumsy and sucks. But it's what we're using right now.

Re:Casual attitude about SSNs (1)

Hatta (162192) | more than 9 years ago | (#12322824)

Disclaimer: I'm British, so I may have misunderstood some aspect of the problem.

Nice sig

Re:Casual attitude about SSNs (3, Informative)

Anonymous Coward | more than 9 years ago | (#12322604)

I was just hired by CMU (literally in the last few days).

They still appear to be using Social InSecurity numbers as employee IDs. When I showed the personnel worker my newly minted CMU ID, she asked me my Social InSecurity number and only then was she able to find me in the system.

I'm usually not anonymous but I'd better stay that way for this one.

CMU Guy

Re:Casual attitude about SSNs (1)

bartwol (117819) | more than 9 years ago | (#12322663)

Hmmm...I think they all use your Social Security number because they all use your Social Security number. That is, after all, why it's so valuable; it's your cross-reference ID, your "foreign key," your "global unique identifier," and yes, the name by which you are truly known in the databases of this world.

Perhaps you might challenge their practices with a converse and more secure alternative: why don't they all use their own unique identifiers? Answer: that wouldn't be very useful.

<bart
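
Editor's added example, picking up two points in this thread: orthogonal's argument above that whatever is collected should be stored so that a bulk copy is useless to a thief, and bartwol's observation that the SSN survives because it is everybody's cross-reference key. This is not CMU's system or any commenter's code. It keeps the working records keyed by an internal ID, and where a record must still be found by SSN it stores HMAC-SHA256(key, SSN) with the key held outside the database; the `Vault` class, the `P...` ID format and the SSN 123-45-6789 are all invented for the illustration. It also shows why a plain, unkeyed hash is not a substitute: the SSN space is under 10^9 values and is enumerated in minutes.

```python
"""Keep the working database keyed by an internal ID and never by the SSN.

Added example, not CMU's system or any commenter's code. Where a record must
still be found by SSN (a payroll match, say), store an HMAC of the number
under a key that lives outside the database, not the number and not a bare
hash of it. The Vault below is an in-memory stand-in for that mapping table.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def unkeyed_token(ssn: str) -> str:
    """What not to do. The SSN space is under 10**9 values, so a plain
    hash is a lookup table waiting to be built."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def crack_unkeyed(digest: str, area: str, groups=range(1, 100)) -> str | None:
    """Invert an unkeyed hash by enumeration. With only the area known the
    search is 99 * 9999 candidates; the full space is minutes on a desktop.
    `groups` lets a caller narrow it further."""
    for g in groups:
        for s in range(1, 10_000):
            cand = f"{area}-{g:02d}-{s:04d}"
            if hashlib.sha256(cand.encode()).hexdigest() == digest:
                return cand
    return None


class Vault:
    """SSN -> internal ID, stored as HMAC-SHA256(key, SSN) -> ID.

    The key never goes into the database (in production: an HSM or a secrets
    manager). A thief who copies the table gets tokens they cannot enumerate
    without the key, and IDs that mean nothing outside this system."""

    def __init__(self, key: bytes | None = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._by_token: dict[str, str] = {}

    def _token(self, ssn: str) -> str:
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()

    def register(self, ssn: str) -> str:
        """Return the internal ID for this SSN, minting one on first sight.
        Same SSN, same token, so duplicates are still caught."""
        tok = self._token(ssn)
        if tok not in self._by_token:
            self._by_token[tok] = "P" + secrets.token_hex(6)  # hypothetical ID format
        return self._by_token[tok]

    def lookup(self, ssn: str) -> str | None:
        return self._by_token.get(self._token(ssn))

    def dump(self) -> dict[str, str]:
        """Exactly what leaks if the table is copied."""
        return dict(self._by_token)


if __name__ == "__main__":
    v = Vault()
    pid = v.register("123-45-6789")  # invented number
    print("internal id:", pid, "lookup ok:", v.lookup("123-45-6789") == pid)
    print("stolen table:", v.dump())
    # The unkeyed alternative falls to enumeration once the area is known:
    print("cracked:", crack_unkeyed(unkeyed_token("123-45-6789"), "123"))
```

Two caveats. The keyed token only covers matching and de-duplication; where the number itself must be reproduced (tax forms), it has to live encrypted in a separate store with its own key, not in the table every departmental spreadsheet is exported from. And the protection is exactly as good as the key's separation from the data: an HMAC key sitting in a config file on the same share is a bare hash with extra steps.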

Re:Casual attitude about SSNs (1)

tm2b (42473) | more than 9 years ago | (#12322861)

When I went to CMU ('91 BS Physics), your student ID number was the same as your SSN unless you went to great lengths to change it.

I don't know whether they changed the practice, but it would explain why they had the SSNs.

Re:Casual attitude about SSNs (1)

SnowZero (92219) | more than 9 years ago | (#12323075)

They didn't change for a while. SSNs were still used when I came in 1996, and they were printed on the front of your ID card. After much protest and a couple of years, they were removed. I hear that entering students can now choose non-SSN ID numbers.

Re:Casual attitude about SSNs (1)

timeOday (582209) | more than 9 years ago | (#12323092)

I had a heck of a time buying a car last week without giving up my SSN - even though it was a cash deal for the seller (because I was financing through my Credit Union).

What was worse, they said they needed the SSN due to a provision of the Patriot Act. And what's even worse than that, this practice must be widespread, because my Credit Union warned me in advance about this Patriot Act scam.

And mind you, this car dealership was a very big one near Denver with hundreds of cars in stock - just the kind of place that legally pulls credit and background checks on many, many people each day.

An everyday occurrence now.... (2, Insightful)

empty drum (876694) | more than 9 years ago | (#12322524)

Until a national Public Key Infrastructure is devised, requiring biometric input from each user, identity theft is not going to stop.

Re:An everyday occurrence now.... (2, Insightful)

beavis88 (25983) | more than 9 years ago | (#12322579)

That's not going to stop it either. It may, however, change who does the stealing.

Re:An everyday occurrence now.... (0)

Anonymous Coward | more than 9 years ago | (#12322668)

....requiring biometric input from each user...

That won't make it stop, just instead of your credit getting fscked, you would get a finger hacked off or an eyeball dug out or something.

CERT is excellent but not enough (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12322525)

I find it really helps to brush your teeth too

So... (1, Insightful)

Chris Kamel (813292) | more than 9 years ago | (#12322548)

I'm not going to moan about how frequently this seems to be happening lately, I've been thinking though
Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed
What is one supposed to do with such warning?

Re:So... (1, Informative)

Anonymous Coward | more than 9 years ago | (#12322557)

You could report it to the credit bureaus to watch for identity theft.

Re:So... (1, Funny)

Anonymous Coward | more than 9 years ago | (#12322569)

Check your credit card statements to see if you've recently ordered a bunch of Ferraris or Brioni suits

Re:So... (1)

Chris Kamel (813292) | more than 9 years ago | (#12322577)

I tend to have bad memory so I may not be able to differentiate those ordered fraudulently from those I did order myself :p

Re:So... (0)

Anonymous Coward | more than 9 years ago | (#12322682)

What is one supposed to do with such warning?

Use it as evidence for a class action lawsuit? Maybe a few, highly publicized lawsuits would finally convince companies and other institutions to take data security more seriously.

Re:So... (0)

Anonymous Coward | more than 9 years ago | (#12323185)

I'd like the moron mod who rated the parent "offtopic" to please stand up

This is precisely the reason to think about data (1)

beavis88 (25983) | more than 9 years ago | (#12322550)

My company just deployed a new application to help manage employee data, calendars, timesheets, etc. Guess what? We didn't put SSN anywhere near this application. It's a simple enough matter for someone to go to the locked file cabinet in the HR office and grab a number if need be.

It's not like this method is particularly secure, but it doesn't really matter -- a physical break-in seems much more "acceptable" in the eyes of customers etc than does an electronic break-in.

Looks like a departmental problem to me. (4, Insightful)

morph- (171) | more than 9 years ago | (#12322552)

As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

Re:Looks like a departmental problem to me. (1)

HD Webdev (247266) | more than 9 years ago | (#12323157)

As far as I can tell from the article, this only affects business students in the school. Judging from that, I'm guessing someone in the department was keeping a few spreadsheets or something of that nature around on a public windows share. This strikes me as far more of a careless employee problem than a truly insecure infrastructure problem. Thus, comments about CERT may be a bit premature.

True, but how long would it have taken to write a program that scans for SS#'s that are in insecure areas?

Not only that, their firewall should have noticed SS#'s being transmitted to the outside. Norton Internet Security prevents my personal SS# from being transmitted even if someone else is using my computer and tries to send it. Why didn't they implement something like this especially with CERT there?
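
Editor's added example for the question just above of how long it would take to write a program that scans for SS#s left in insecure places, and for the earlier exchange about which of the enumerated numbers are even structurally valid. This is not CMU's tooling or any commenter's code. The only facts it relies on are the SSA's published structural rules for the AAA-GG-SSSS format (area 000, 666 and 900-999 are never issued, nor group 00 or serial 0000); the roster in `SAMPLE` is constructed for the demo and every number in it is invented. The same `ssn_plausible` check is what an egress filter of the kind described above would apply to outbound traffic.

```python
"""Sweep text for strings shaped like US Social Security numbers.

Added example, not code from CMU, CERT or any commenter. The structural
rules are the SSA's published ones for AAA-GG-SSSS: area 000, 666 and
900-999 are never issued, nor group 00 or serial 0000. A number that
passes them is only plausible, not known to be assigned.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Match ddd-dd-dddd, rejecting longer digit runs such as 1234-56-7890
# and 3-3-4 phone numbers such as 412-268-2000.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural check only; cuts most false positives from the regex."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(area: str, group: str, serial: str) -> str:
    """Report only the last four digits; the scan log must not become
    a second copy of the data it is hunting for."""
    return f"***-**-{serial}"


@dataclass
class Finding:
    source: str
    line: int
    masked: str


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(source, lineno, mask(*m.groups())))
    return findings


def scan_tree(root: str, max_bytes: int = 50_000_000) -> list[Finding]:
    """Walk a directory (for example a mounted departmental share) and scan
    every readable file as text. Binary spreadsheet formats store numbers
    as numbers, not digit strings, so export those to CSV first or parse
    them with a real reader; this walker will miss them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


# Constructed sample: a made-up roster export. The numbers are invented and
# the last column is a phone number that must not be flagged.
SAMPLE = """name,id,phone
A. Student,123-45-6789,412-268-2000
B. Student,987-65-4321,412-268-2001
C. Student,123-00-6789,412-268-2002
D. Student,000-12-3456,412-268-2003
E. Student,666-12-3456,412-268-2004
F. Student,123-45-0000,412-268-2005
G. Student,234-56-7890,412-268-2006
"""

if __name__ == "__main__":
    # Only rows A and G survive; the others fail the structural rules.
    for f in scan_text(SAMPLE, "roster.csv"):
        print(f"{f.source}:{f.line}: {f.masked}")
```

Run `scan_tree("/mnt/deptshare")` (path assumed) against a mounted share to get the list of files that should not hold SSNs. The structural rules reject obvious junk but a nine-digit string that passes them can still be a part number, so a hit is a lead to check, not proof; and unformatted nine-digit runs (no dashes) are deliberately not matched here because they drown the results in order numbers and timestamps.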

question: (2)

Adult film producer (866485) | more than 9 years ago | (#12322558)

Can I have my social security number replaced legally? I don't know for sure, but I suspect my number is just about worthless now. Hell, sometimes we don't hear about these thefts till months or years later. That leads me to work under the assumption that my SS# has been stolen, from someone, somewhere.. it's utterly worthless (not that it had any value before, my credit was crapped out anyways.)

Something needs to be done about this, SS#'s are a joke. I was watching the local chicago news the other day and migrant workers can go down to the local 7-11, meet a shady character and have their own SS#, for $75-$100.. Come on, this is nuts.

Answer (1, Funny)

Anonymous Coward | more than 9 years ago | (#12322585)

Yes, please just fill out this short form and I will take care of it for you.

Current Social Security Number: ___-__-____
Full Legal Name: ____________
Date of Birth: __/__/____
Address: _____________
City: __________ State: __
ZIP: ______-____

Thank you.

Re:Answer (1)

Adult film producer (866485) | more than 9 years ago | (#12322596)

heh, believe me I'm tempted.

Re:question: (2, Interesting)

prisoner (133137) | more than 9 years ago | (#12322693)

I don't know about replacing your SSN but I do know a lot about the market for getting SSN's. Some of our customers are construction companies and it isn't all that uncommon for a worker to come in and present a document that he says is an original and valid SS card. When checked, it is the same number as one already on file. I was in the office one day when a guy came in who had no fewer than 3 different SS cards on him. I think that it is reasonably clear that the SS number can no longer be considered any sort of valid identifier. It is, at this point, up to society and the government to move past it.

This, of course, is the sticky point. What do we use in place of that unique identifier? A national ID card? That rubs a lot of people the wrong way and with some justification. However, the move to "secure" drivers licenses is simply a move at the state level to provide the same thing.

Long and short of it is that someone smarter than me will have to figure it out. Shouldn't be that hard to find someone....;)

Re:question: (1)

dq5 studios (682179) | more than 9 years ago | (#12322700)

A quick Google [about.com] shows that, yes you can. That link is relating to changing it to escape an abusive spouse but I'm sure that there are (a few) other reasons they'll accept.

The weakest link (4, Informative)

jokestress (837997) | more than 9 years ago | (#12322588)

I recently had a cyberstalker try to get some personal information about me from my alma mater. This yutz did this by contacting department secretaries, who were happy to oblige with all the information they had available. Luckily, this wasn't very much information, but it has caused some problems. So even though the registrar's office had things locked down fairly well apparently, these other points of entry into the system appear to be potential vulnerabilities: unattended laptops and workstations, and people who don't really think their job description involves a privacy/security aspect. I predict many more problems via remote access of a centralized institutional database.

The weird thing is... (2, Interesting)

J_T_Biggs (524705) | more than 9 years ago | (#12322591)

I go to CMU and work for the psychology department's computing support. Well, about a month ago, our server crashed and our backups only partially restored. So I hopped on a new machine and installed Linux. We switched it over to the network and created some accounts with easy logins so the teachers could get their stuff back up. Needless to say, less than 24 hours after being online it was hacked. While not malicious, the hacker did use our box as a staging point to make DoS attacks. I caught the guy a day later when I started getting emails from companies and kicked him off. The weird thing is, the attack happened on the 10th of April. The same day Tepper was breached.

Not really CMU, but Tepper School of Business (5, Informative)

Rufus211 (221883) | more than 9 years ago | (#12322597)

Just a quick clarification, Carnegie Mellon itself was not hacked. This was a Tepper School of Business machine that was hacked and their student data lost. As seems to be fairly normal, the business school is almost its own entity, even running on a different schedule than the rest of the campus.

Re:Not really CMU, but Tepper School of Business (1)

eznihm (552487) | more than 9 years ago | (#12322723)

the business school is almost its own entity

this is a problem on many college campuses, and it serves them right. not that anyone deserves to be a victim of a crime, but a refusal to participate in enterprise computing along with the rest of the campus and guided by central IT is nothing but an ego/power trip for business school administrators

Re:Not really CMU, but Tepper School of Business (2, Informative)

NotoriousQ (457789) | more than 9 years ago | (#12322955)

That may be true if they were the only ones doing that. However that is not the case. All academic departments at CMU have their own networks. IT owns cmu.edu and andrew.cmu.edu, which provide connectivity, cluster services, student AFS space, and generally everything that has to do with undergrads. CS department on the other hand has its own space, and much more lax rules. Many people in CS have root access to their machines, and no bandwidth policies, arbitrary quotas on AFS servers, etc.

All of these are highly integrated, and frequently run on the single kerberos realm provided by IT. (You can log in and read files in CS with your Andrew account, etc)

It would be nice to have a single system, but the number of requests will be highly uneven, and it would be a nightmare to figure out who pays for what. Especially in terms of software. Should IT buy Pro/E for the whole school, when only engineering requires it?

And really, this breach has nothing to do with bad network policy. Sure someone broke into an insecure computer, and probably downloaded the access database that was used to store some personal info. This will make the administrator annoyed, but not responsible. And definitely not as angry as when the same file has been lifted off an AFS without knowing someone's password.

Re:Not really CMU, but Tepper School of Business (1)

SnowZero (92219) | more than 9 years ago | (#12323228)

CS department on the other hand has its own space, and much more lax rules. Many people in CS have root access to their machines

And many of us need that, so I'm not sure what the point here is: CS=="doing things with computers". And in the case of CMU CS IT, they are still using a RedHat 7 derivative, and still use Kerberos 4, and I'd like to run software from this century.

and no bandwidth policies, arbitrary quotas on AFS servers, etc.

Uh, there's sort of a bandwidth policy, which I discovered when a 40MB video of our research was linked in the first comment to a Slashdot article. Of course that was the andrew people who asked the cs people who asked me: You've used a month's worth of allowed bandwidth in 2 days, what's going on? Quotas on AFS aren't arbitrary... you have to telnet to "jeeves" and then you get a menu that lets you set your quota. Ok never mind, that's pretty arbitrary.

All of these are highly integrated, and frequently run on the single kerberos realm provided by IT. (You can log in and read files in CS with your Andrew account, etc)

That's just Kerberos and AFS being cool. They are different realms, but it still works due to cross realm support. You can either klog to get tickets in both realms, or set ACLs on both sides allowing access from the foreign account (but don't forget to cklog the first time).

You are spot on about IT though; This breach really sounds like some admissions' person had an insecure computer (laptop maybe even?) with a database left on it. It's up to the business school to make sure there are as few copies of the data as possible. That's just good security in general, which has nothing directly to do with computers.

Now if the CS department gets breached electronically, I really will be annoyed, because they really should know better. CS should fall only to social engineering attacks taking advantage of dorks, which the business school should be more immune to.

Re:Not really CMU, but Tepper School of Business (1)

Darth_Burrito (227272) | more than 9 years ago | (#12323153)

Complete centralized management of a large university's IT resources is not only impossible, but it is also undesirable. There are too many things that are needed by specific departments (library systems, career services systems, meal plan systems, course registration systems). These kinds of things all have to be developed and managed by people who are very close to the housing department. Besides, many universities, like mine, offer only basic service centrally managed. Sure we could use central IT's free email system, but we'd frequently experience long delivery delays and we'd have a 15 MB quota.

What's really needed at universities is not centralized management for everything, but institutionalized oversight and forced interdepartmental communication. Instead of having one full-time administrator managing a department's assets by himself for 20 years, you should have two administrators spending half their time working at central IT and half their time working in their primary department. It improves security by adding an extra set of eyes and a slightly different set of expertise while forcing exposure to the practices being used centrally and amongst other operating units. Of course, this will never happen and there are probably some scalability issues in terms of # people per department and office resources.

Re:Not really CMU, but Tepper School of Business (1)

tuxliner (589414) | more than 9 years ago | (#12322797)

Tepper School of Business runs:
Windows [netcraft.com]

What's the worst thing about niggers? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12322603)

No problem... (4, Funny)

Darvin (878219) | more than 9 years ago | (#12322630)

I don't use my own identity anymore anyway.

Re:No problem... (1)

Colin Smith (2679) | more than 9 years ago | (#12323141)

It's always worth having several of them lying about. When ID cards arrive in the UK, I plan to get a few of those too.

Media (1)

TrIp0d (671393) | more than 9 years ago | (#12322634)

The last two weeks have been a media hype job about computer security. Ever since the news about 500,000 credit card numbers being stolen two weeks ago from a major clothing retailer, there has been a rash of reports about credit card numbers and other personal information being hacked out of major retailers' databases. This has been going on for some time now, but the media just recently realized what a frenzy it creates, so there you have it. I'm sure these hackings have been going on for some time now. It's just turned into a legal money maker now.

Can someone answer this question... (0)

Anonymous Coward | more than 9 years ago | (#12322648)

Why is it that every time we see these reports about computers getting hacked into, NONE of the reports list the number one fact that the public deserves to be told?

WHAT KIND OF COMPUTER/OS WAS HACKED???

Sheeesh. Isn't the news supposed to be about facts?

Re:Can someone answer this question... (0)

Anonymous Coward | more than 9 years ago | (#12322662)

When someone gets shot, they usually don't report the gunmaker.

Re:Can someone answer this question... (1)

colinrichardday (768814) | more than 9 years ago | (#12322709)

One might presume that there isn't enough difference between guns for that to matter. However, some OSes might be easier to hack than others.

An Alternative Response (1)

rdelsambuco (552369) | more than 9 years ago | (#12322649)

This issue has arisen periodically over the past several years. If you take a look at previous situations, commonalities can be discerned. However, it is unlikely that future implications are really that severe, and we should probably all just let this one go.

My $0.02

The weak link in the chain (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12322660)

What sort of people in institutions and companies handle members/employee info on a daily basis you may ask ?

Well it's 99% women who do that sort of job, and we know women have a very small intellect and understanding when it comes to security. They sit around gossiping all day and thinking about trivial silly things all the time.

The answer is simple: get rid of women from the workplace and security will improve a hundredfold.

Why store the SSN? (3, Insightful)

Ann Elk (668880) | more than 9 years ago | (#12322683)

Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

I know, I know -- I shouldn't bother asking "why"...

Re:Why store the SSN? (2, Interesting)

Al+Clocker (687416) | more than 9 years ago | (#12323043)

Well, it's ok that you ask. Because if it's a hash I can just generate all 900 million 9 digit numbers, calculate their hashes, and see which ones match the DB. Oh, and then profit.

Re:Why store the SSN? (4, Insightful)

fourtyfive (862341) | more than 9 years ago | (#12323056)

Because this would only be minutely more secure than storing the SSN itself. There are nine digits in an SS#, each 0-9, that's 10^9. Even at a meager brute-force rate of 1.5 million MD5 sums/sec, it would only take 11 minutes to break every possible combination.

Re:Why store the SSN? (1)

Ann Elk (668880) | more than 9 years ago | (#12323200)

Good point. A simple hash would not help that much. However, stretching the hash (repeating it several million times) would make each attempt take a few seconds (on today's hardware).

You could also throw a salt into the mix, but this would complicate administration.

Re:Why store the SSN? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12323098)

Why does a system like this even need to store the SSN? Why not a (md5/sha1/sha-256/whatever) hash of the SSN? This would still allow easy lookups and associations by SSN, but would not reveal the SSN to anyone who steals the data.

I know, I know -- I shouldn't bother asking "why"...

No, that's just a diversion. Checksums are not a cure-all. In this case, it would be a false sense of security. The fact that you mention multiple checksum algorithms shows you haven't adequately thought this through. The strength of the algorithm has little to do with security when there are this few data points to map it back to.

You could easily get all of the SSNs by trying 9 digit numbers.

Remember, these aren't arbitrary 9 digit numbers. They are assigned by where you live, the middle 2 are (almost?) always even, and so on.

There are a whole lot fewer possibilities than you would initially think. When you restrict the domain to 9 digit numbers following a strict pattern, it IS computationally feasible to reverse the checksums.

Let's assume it wasn't possible today. You keep the same SSN throughout your life so at any point in the future the thieves could reverse the checksums when computing power is sufficient.

Unlike credit card numbers, SSN and other identity information has no expiration date.

The answer to this problem is to restrict access as much as possible. Then you can go with the secondary measures of encrypting the data -- which would be much better than checksums.
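As an added illustration of the exchange above (my example, not code from the thread or from CMU), the block below hashes a few constructed SSNs, recovers them from the unkeyed digests by enumerating a narrowed candidate space, and then shows that an HMAC under a secret key held outside the database keeps the equality lookups the first poster wanted while an attacker without the key recovers nothing. The keyed hash is a substitute I am introducing for the thread's "salt"; the record ids, SSN values and the "123-45-" prefix are all constructed.

```python
"""Added example: why an unkeyed hash of a 9-digit SSN is reversible, and how a
keyed hash (HMAC with a server-held secret) keeps lookups while blocking the
offline guessing attack. All records and SSNs below are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

SSN_SPACE = 10 ** 9  # nine decimal digits: the bound the thread computes


def plain_hash(ssn: str) -> str:
    """Unkeyed SHA-256, the 'md5/sha1/sha-256/whatever' proposal from the thread."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_hash(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that lives outside the database (an
    application server or HSM). Same SSN + same key -> same digest, so equality
    lookups still work; without the key nobody can compute candidate digests."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def build_index(ssns: Iterable[str], digest: Callable[[str], str]) -> Dict[str, str]:
    """Map digest -> record id, i.e. what the stored column looks like."""
    return {digest(s): f"rec-{i}" for i, s in enumerate(ssns)}


def candidates_with_prefix(prefix: str, serial_digits: int = 4) -> List[str]:
    """Constructed candidate space: the thread notes the number is not arbitrary,
    so someone who knows the area/group prefix only has to enumerate the serial
    part (10**serial_digits values here instead of 10**9)."""
    return [f"{prefix}{n:0{serial_digits}d}" for n in range(10 ** serial_digits)]


def invert_index(index: Dict[str, str], candidates: Iterable[str],
                 digest: Callable[[str], str]) -> Dict[str, str]:
    """Offline inversion: digest every candidate once and look it up in the stolen
    table. Cost is one digest per candidate regardless of how many records were
    taken, which is why a small input space defeats any hash, however strong."""
    recovered: Dict[str, str] = {}
    for cand in candidates:
        rec = index.get(digest(cand))
        if rec is not None:
            recovered[rec] = cand
    return recovered


def lookup(index: Dict[str, str], ssn: str, key: bytes) -> Optional[str]:
    """The legitimate path: the application holds the key, so it can still find a
    record by SSN with one dictionary lookup."""
    return index.get(keyed_hash(ssn, key))


def brute_force_seconds(rate_per_second: float, space: int = SSN_SPACE) -> float:
    """Exhaustive-search time for an unkeyed hash at the given guess rate."""
    return space / rate_per_second


if __name__ == "__main__":
    ssns = ["123-45-0042", "123-45-7777", "123-45-9999"]  # constructed values
    cands = candidates_with_prefix("123-45-")

    stolen_plain = build_index(ssns, plain_hash)
    print("unkeyed, recovered:", invert_index(stolen_plain, cands, plain_hash))

    key = secrets.token_bytes(32)  # would be held by the application, not the DB
    stolen_keyed = build_index(ssns, lambda s: keyed_hash(s, key))
    print("keyed, without the key:",
          invert_index(stolen_keyed, cands, lambda s: keyed_hash(s, b"guess")))
    print("keyed, application lookup:", lookup(stolen_keyed, "123-45-7777", key))
    print("full 10^9 space at 1.5M hashes/s: %.1f minutes"
          % (brute_force_seconds(1.5e6) / 60))
```

The key has to stay off the database host, and rotating it means re-hashing every record; stretching (iterating the hash) only multiplies the cost per guess, so it lengthens the 11 minutes without removing the offline attack the thread describes.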

SSN versus ID-card (4, Insightful)

Councilor Hart (673770) | more than 9 years ago | (#12322695)

I am not an American, but from Belgium. I am required to carry an ID card with me. Although the only time the police asked for it was one time I got hit (lightly) by a car while on my bike. My bank has seen my ID card more than the police. Which I think is a good thing. It's my money after all.
So, if every American has an SSN, and it's given out almost like candy. And since the US govt knows this number. Then what is the difference with a national ID card? And why are Americans so opposed to such a card?
It's something I have been trying to understand for years.
I don't feel harassed, having to carry my ID. I rarely use it. If I get in an accident, it can be used to identify me. It's rarely asked for. The police need a justified reason to ask to see it. The bank can ask for it, before giving out a lot of cash money, or before paying a check (also something which is very rarely used over here). I can travel freely across member states without showing it. Perhaps not yet with the 10 new ones, to be honest.
Just wondering...

Re:SSN versus ID-card (3, Insightful)

bardothodal (864753) | more than 9 years ago | (#12322738)

The reason is this. In America, you have the RIGHT to be left alone. We are not a democracy. We are a constitutional republic in which all citizens are the sovereign entity with rights imbued by the creator and some enumerated in the Constitution. The government is in place to protect those rights. The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.

Re:SSN versus ID-card (1)

StormyWeather (543593) | more than 9 years ago | (#12322852)

I would say you were spot on... BUT, the states already issue us licenses or state IDs, and any other state can require we show them to conduct certain transactions, or be able to drive. I completely understand the tin foil hattery, because I don't trust our government as much as the next guy, but now that the national government has all of our drivers license information, what's the difference other than a centralized place to change ID numbers easily in case ours is stolen? That, and I live in Texas, and trust my State asshats less than the Washington asshats.

Re:SSN versus ID-card (1)

Councilor Hart (673770) | more than 9 years ago | (#12322993)

The government has no inherent interest in knowing a citizen's identity other than the interest of tyranny.
What about taxes? You may not like them, but they pay for roads, school, military, healthcare,...
And how do you identify yourself to your bank (e.g. your money)? If there is no uniform system of identification, then how can they know, for certain, it's you? Not everyone is rich enough to know their banker in person.
I always hear stories from the USA about identity theft, but hardly any from the *old* continent. But that could just be me.

Re:SSN versus ID-card (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12322850)

"The police needs a justified reason to ask to see it."

See, that's the sticking-point. In the US, lots of police officers are frustrated psychopaths who like to abuse their power. Not to mention others in higher powered positions in the government.

Therefore, people have a queasy feeling about a national ID card that includes even more information than before.

Re:SSN versus ID-card (4, Informative)

zakezuke (229119) | more than 9 years ago | (#12322907)

So, if every american has an SSN, and it's given out almost like candy. And since the the US govn knows this number. Then what is the difference with a national ID card? And why are Americans so opposed against such a card?

Your Social Security card is not identification except for banks, your employer, and the IRS. I should also say the phone company also asks for this, and other businesses performing credit checks, which would include rentals. It should be a method of tracking your earnings and paying federal or state taxes (if your state has an income tax). It has no picture, no address, and unless it's changed, is a piece of paper that says specifically "do not laminate" unless you have an older one from before 1988 or so. Most places that would require it don't even look at the physical document; why would they? It falls apart after a few years. A few employers require one in good physical condition but typically those are limited to places concerned with illegal aliens. Foreign nationals working in America are required to have a tax ID number, but, being non-nationals, don't get social security benefits, hence no social security card, and just put the tax ID number in place of where it asks for social.

For identification purposes, most places use the driver's license, which is issued by a state, not a national, agency. Some people don't drive, or can't drive, so those places issue ID cards as well. You are not required by law to carry one, but if you want to buy booze, go into bars, or buy cigs, or have a checking account it's very helpful. A passport is an option, but some places don't accept passports as forms of ID, even though they are required to by law.

There are many reasons to object to a national ID card.

1. ID cards are already provided by the State, no need for federal involvement. Classic State vs Federal rights argument.
2. There already exists a national ID, it's a passport.
3. We presently are not required to have ID on our person.

Re:SSN versus ID-card (4, Interesting)

badfish99 (826052) | more than 9 years ago | (#12322998)

This illustrates nicely why we in Britain are opposed to the introduction of ID cards:

1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
The last time we had ID cards here, a woman found some item in the street and tried to hand it in to the police as lost property. They demanded her ID. She had forgotten to carry it, so was arrested. This caused such a scandal that it led to the abolition of ID cards.
Criminals don't leave their ID number at the scene of the crime, so issuing ID cards will not help solve crimes. But it will create a useful new power that the police can use to harass any group they take a dislike to: the power to stop them and ask for their identity card.

2. The bank wants to see your ID. Why?
I've got a card from my bank too. When I want to take money out, it proves that I am the same person who put the money in. That's all they need to know. They don't need to know my nationality, or medical history, or police record. So I don't want a single ID that will link all that data together.

Re:SSN versus ID-card (1)

Councilor Hart (673770) | more than 9 years ago | (#12323247)

1. A car hit you - you didn't do anything wrong, but the police wanted your ID. Why?
So that the cop had the address of both me and the driver. Should there have been a problem with compensation (my bike needed repairs) either of us could have gone to the police.
I am most certainly not under the impression that an ID card solves crime.
If the police want to harass a person or group they can do so without an ID. Why would not having an ID card stop them from stopping you, asking you questions, holding you up or even arresting you? An ID card doesn't contain your religion or favourite sports team. They can't see it sitting in your pocket with their *x-ray* vision. As I said, they need a reason to ask for it. You in return can ask them why. If you decline to show it, they can take you downtown. You can make an official complaint if it was without merit. Now, suppose there are no ID cards. What would have stopped them from taking you downtown, anyway? ID cards != harassment. Corrupt police/state = harassment.

2. The bank wants to see your ID. Why?
Because it's my money, and they want to be sure it's me. My ID has a picture of me. My bankcard doesn't. Both can be stolen, only one can be used by the thief by handing it over to a banker. Yes, I usually just give them my bankcard. But when I wanted to withdraw 5000 euro (which I did once. I had both bankcard and ID. The banker didn't know me in person. It was a new person.), I was glad they asked for my ID in addition. (Although if the banker knows you well, it doesn't have to be this way.) The bank, by means of my ID, has no access to my medical history or police record.

I am not in favour of ID cards, per se. But also not against. It has its uses. But I am always surprised by the *extreme* reactions against.
Oh, and if I have to choose between an ID card (which supposedly will only be used to track my every movement) and my fingerprints in some database, I sure know which one.

CMU internal announcement (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12322712)

An interesting thing to note is that the media broke the story on Thursday, but CMU didn't tell the CMU community until late Friday. I heard it on the news first!

Another interesting note is that in the CMU internal announcement, the _second_ paragraph was effectively, "it isn't as if we're the _only_ school to lose information"

The third paragraph says that the data was stolen from desktop and laptops rather than servers. WTF was sensitive data doing there?

Sucks to be the business school, I guess.

Information just wants to be free (0, Troll)

fprefect (14608) | more than 9 years ago | (#12322754)

I wonder how the P2P and "fight the copyright" crowd feel about this? Obviously it's just information, bits and bytes, so it's not like it's really stealing or anything -- nothing has been lost or stolen, only copied.

Oh wait, you mean data is only valuable if it's *your* data. I see now.

Re:Information just wants to be free (0)

Anonymous Coward | more than 9 years ago | (#12322973)

There's a difference between creative or informative works and the numbers to access your SS files and bank accounts.

Personal IDs (2, Interesting)

nxs212 (303580) | more than 9 years ago | (#12322765)

That's why a lot of companies (health insurance, financial, etc.) are switching from using your SSN to Personal IDs as the unique identifier in the system. HOWEVER, they will still need your SSN for reporting stuff to the government. At least your SSN won't be listed on the health insurance card when you go to the doctor. Right now your doctor's office has enough info about you - SSN, home address, "emergency contact info", phone numbers and even possibly bank routing and account number (if you pay by check).
The person who's handling all this can easily make copies and apply for new credit cards, etc.
There's absolutely no reason why they need your SSN; your health insurance card (with a non-SSN personal ID) should be enough.

SSN's are public, can't be secret (2, Interesting)

me_cynical (876442) | more than 9 years ago | (#12322806)

Any information you are routinely asked to give up can not be considered secret. The problem with SSNs is not that they get stolen, the problem is that they are useful to the thief. The idea that knowledge of a "secret" number entitles you to enter into financial obligations is simply insane. Adding other "secret" information to add further "safety", like mother's maiden name or place of birth, does very little to improve the situation and those extra pieces of information are likely to become available to the thief at the same time as the SSNs, from the same database.

The only reason you are able to get into debt just by knowing your SSN is that it suits the lenders. They can be based in one state but do business in all of the states, through mail, internet and telephone. They have then managed to make it your problem that they give money to someone pretending to be you, sticking you with the problem of clearing up the credit reports they use to decide if you are trustworthy and doing what you have to do to get out from under the debt. Basically the lenders punish you for them (the lenders) giving money to someone pretending to be you. (Yes, I know that sentence is twisted, it's a really twisted system). This is an outrageously good deal for them and they have no incentive to fix the system, at least not until the amount of fraudulent loans is more than the money saved by not implementing a secure system.

The solution is painfully obvious. When you apply for a credit card or enter into any contract, you should have to show your face and acceptable forms of ID, either at an office of the lender or at a mutually trusted proxy. The proxy could perhaps be the closest USPS office. This proposed system is naturally not totally foolproof, no system can be, but it's a heck of a lot better than the current one. It's a lot more work to falsify IDs than it is to harvest SSNs and the chance of capture is much higher. As there's no indication the lending business will self-regulate this, and it's really too big and diverse to ensure self-regulation, this will have to be implemented by laws.

It's really incomprehensible to me that party A stealing my SSN from party B and using it to get money from party C becomes my problem. It should be the problem of party C that gave money to someone without bothering to make sure he was who he said he was.

Making it a bit more work to get more credit cards is really not a bad thing either, most people have too many and practically everyone has too much credit card debt.

While we're at it, we can stop pretending that credit card numbers are secret. That problem has already been solved, the banks just need to implement a system like PayPal, where you sign in and ok each transaction. Again, painfully simple.

Anyone remember the name of the IRC server? (0)

Anonymous Coward | more than 9 years ago | (#12322818)

CMU used to host an easily fooled IRC server, one that was commonly used in security breaches. Anyone remember it or know what happened? Last I heard, they weren't willing to shut it down, leading many folks to think CERT was a big joke.

Social Security # Secure Number (1)

brewpoo (789171) | more than 9 years ago | (#12322819)

SS#s were not intended to be a secure ID number to be kept confidential. This is a complete fabrication of credit agencies and the like.

The intent is to provide a unique ID number for the social security system. In many state databases (NYS employees) this ID number is freely available (along with your salary).

To help keep yourself out of the "identity theft" arena, opt-out of instant credit. This is advisable for everyone, alas no more discounts at the GAP for opening a credit card...

Letter from Tepper (5, Informative)

Snorpus (566772) | more than 9 years ago | (#12322853)

I'm an alumnus of Tepper (GSIA, the old name, actually) and here's the email I received on Wednesday, April 20.

Dear ______,

On Sunday, April 10, the Carnegie Mellon Computing Services Office of Information Security identified a breach of some computers at the Tepper School of Business. Upon investigating and recognizing the unusual activity, Computing Services worked to disable, inspect and secure all servers and personal computers.

We have no evidence that personal information on breached systems has been used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters, and the Tepper administration has chosen several precautionary steps to communicate with all affected students, graduate alumni, faculty and staff on safeguarding measures aimed at protecting privacy.

While we have not identified unauthorized use of information, we strongly encourage you to take steps to ensure your privacy. Personal information included in the databases that may have been accessed includes:

- For master's alumni Class of 1997 through the Class of 2004: Social Security number and grades included in a student services database.

- For master's alumni Class of 1985 through the Class of 2004: Job offer information you may have entered into the COC database as part of your job search process.

- For all alumni: Contact information you may have entered into the alumni directory/alumni database. (Note: All Personal Access Codes (PAC) for the alumni database have been automatically updated for increased security.)
Your new PAC number is: **********
Your email address in the directory is: ****************

- For doctoral alumni Class of 1998 through 2004: Social Security number, GMAT, GPA and information submitted in your application to the doctoral program.

Please visit www.tepper.cmu.edu/******* for information regarding precautions and steps to take to protect your personal information.

We apologize and regret the inconvenience associated with this incident. Currently, the business school is in the early stages of investigation and does not have all details regarding the source of this breach. As further information is discovered, we will be sure to include it on the Web site listed above. In any event, please understand that we would not disclose details that would put any computer or network at risk of further intrusion or malicious attack.

The recent Tepper incident is similar to the computer breaches reported by other universities. As a campus that prides itself as a hub for technology innovation, Carnegie Mellon is extraordinarily mindful of issues regarding information security. The recent breach is a reminder of the sensitive business environment in which we operate and the need to consistently monitor and advance our infrastructure and processes.

If you have questions or concerns, we encourage you to contact John Sengenberger at jseng@andrew.cmu.edu

Thank you.

Steve Sharratt
Associate Dean for Advancement

The Type Of People Running Things (0)

Anonymous Coward | more than 9 years ago | (#12322890)

I'm not sure whether or not it was related, but as part of my application process for their InfoSec degree, I noted a few security issues to their sysadmin. Their application (e-file) is located on another department's server. What was found was that the application used would not force an SSL connection (subject to possibly an XSS attack and connection sniffing) as well as, upon just a curious portscan, their Oracle instance was wide open. The application for admission requested Social Security Numbers, among other things, and that, if I poked further, I could probably get in and start querying the database for whatever I would have wanted. I think the business school was picked on because of the profile earlier this year with their "application status" system which also hit some other Ivy League schools.

It's a real shame to have received a rejection letter from the department, even after telling them what was wrong. I got more of an argumentative response from the sysadmin, with some level of bravado in his tone saying it's not his responsibility, and that they believe it to be secure. What a load of crap...

I'm maybe bitter that most of the class members of their graduate program there are from countries that I regularly see attack the network I'm employed to defend. Kind of like "teaching the enemy"... and pushing those who are here defending companies that may be providing them corporate funding for the program aside.

Ah, heck.. just conspiracy theories... but it's a campus network, what could go wrong?!

The Low Down (0)

Anonymous Coward | more than 9 years ago | (#12322947)

Being a current grad student at CMU, I can tell you this. In a half-assed attempt to implement swipe cards for access control it was decided that the SSN is a unique identifying number which could be coded into the card. Somebody raised a fuss about this and CMU went through the painful process of replacing the SSNs with a pseudo-random number.

Canada? (1)

blueadept1 (844312) | more than 9 years ago | (#12323006)

I wonder if there is a reason that this is not taking place in Canada or other countries. Is it just not being reported? That scares me.

Not CMU per se (4, Informative)

pridkett (2666) | more than 9 years ago | (#12323028)

So just to reiterate, this isn't CMU proper that got hacked, it's the business school. They're off on their own little planet on the far corner of campus and run on their own schedule and everything else. It's like going to a completely different world over there because you've got folks who dress nicely and what not.

CERT is not really related to Tepper (the business school) in any way. In fact, CERT and the SEI are barely even related to CMU, they're off in their own little building a few blocks away and have their own security and networking. To associate the b-school getting hacked to a failure of CERT would be like saying the CIA was vulnerable because the department of agriculture got hacked. It's just bad journalism to make an insinuation along those lines. CMU is a fairly large organization and it has its share of folks who understand computers and its share of folks who are dolts.

On to the other question, why were SSNs on there? Well, CMU is still stupidly using them as your student ID number. Up until this year they were encoded on the magnetic stripe of your student ID card. You can change it, but they look at you funny when you ask to do that.

So why would CMU even need SSNs? Well, like most institutions you've got to do a lot with financial aid to students. If you're doing financial aid and credit you need to use SSNs, simple as that. Tepper has its own financial aid department and thus probably needed the SSNs for that.

This is just another point that the credit industry probably needs an overhaul more than anything else. Allowing someone to get credit by simply providing the SSN and a few other easy questions seems a bit reckless.

Tales out of School.... (1, Insightful)

catdevnull (531283) | more than 9 years ago | (#12323188)

This really shouldn't surprise anyone who works at a university. There are several mitigating factors that make this sort of intrusion inevitable.

Here's why:

Unlike private companies, universities are difficult places to enforce security policies because PhDs feel that these policies somehow inhibit their freedoms or that the rules shouldn't apply to them. Profs and researchers each get their own computer money and they build their own little networks, server farms, and have their own methods. Because they often want to share their servers with other universities, they are usually not behind a firewall and/or are given address space that is world addressable.

This usually creates a perfect place for intrusion--lack of cohesive security policy, machines that are run by novice sysadmins, and a really fat uplink to the net.

To make things worse, the networks on campuses are generally a hodge-podge of technologies and topologies that have been piece-mealed together like some kind of electric crazy quilt. You might have aging border router equipment, old hubstacks with vulnerabilities in their management utilities, random unmanaged/non-secure wireless networks in the dorms or offices, etc--a nice untraceable uplink to your LAN.

Managing the security for these networks is almost impossible unless the entire infrastructure has been updated--which costs millions of dollars that universities are not likely to spend (at least not without a major campaign).

All of these computers--Macs, PCs, Linux, Solaris, etc., have no real security policy, they're poorly managed by amateurs, and they have a network with no real firewall. Talk about a honeypot!

Each node on this honeynet is now a prime place for root kit installations. They lie in wait for someone to log in to the right systems and, voila--a password and userid. A keylogger records a legit log-in. Now your cracker is using one of the unmanaged nodes on your network to have his way with your student/employee information system.

If any university has a better system, I think they're in the minority. Hopefully, this will change. But until then, the inmates run the asylum.