Whopping-Big Data Theft At U.C. Berkeley
aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."
It's not theft (Score:5, Funny)
Re:It's not theft (Score:2)
And yet, we care more about it. Why? Because it's privacy. If someone could link social security numbers to entertainment and pump it out on P2Ps, we'd be all over it.
Traffic Safety Center (Score:5, Interesting)
Re:Traffic Safety Center (Score:4, Informative)
Re:Traffic Safety Center (Score:5, Funny)
Re:Traffic Safety Center (Score:5, Funny)
Fix (Score:5, Funny)
My choice (Score:4, Funny)
Re:Fix (Score:3, Informative)
Though if your credit is crappy, being able to switch - without the crap leaking over - would be a great thing. Now what you want to do is get yourself classified as a non-profit organization - then you really reap benefits
At Berkeley? (Score:2, Funny)
Re:At Berkeley? (Score:5, Funny)
Guess What (Score:2, Insightful)
Re:Guess What (Score:5, Insightful)
As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.
There is absolutely no reason that a researcher needed access to SSNs. They should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for later cross referencing.
We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.
Re:Guess What (Score:2)
As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.
What kind of laws would you suggest? I mean, it's just a friggen number.
We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.
I'm sure Berkeley can be sued for negligence in this case, especial
Re:Guess What (Score:4, Insightful)
Well I went to a video store once. They required an SSN to rent movies there. When I told her it was illegal to use them as an ID number she told me it wasn't illegal to refuse me service.
As long as there's no way to enforce the rules the rules are worthless.
Now, in this case SSNs were likely necessary in the first place but they are probably unnecessary for research and thus my suggestion that the records should have been linked to a random ID number that was only able to be cross-referenced later at the State office.
Re:Guess What (Score:2)
Re:Guess What (Score:3, Informative)
Anybody have a reference that'll prove it's illegal to use a SSN as an ID number?
How 'bout a reference that proves that it isn't? SSN FAQ [ifpeople.net].
I'm at a University that requires me to produce my SSN pretty much constantly. It's my student ID number, generally the number used to post exam scores online so as to "hide the identity" of the student receiving each grade.
If they're a public school, then they probably can't do this. But every school I've been to has had a procedure where one could change the
Re:Some states disallow using SSN as student ID (Score:3, Insightful)
Any DBA who uses SSN as a primary key needs to be flogged with a CAT-5 cable. Privacy concerns aside, it's generally a bad idea to use any user-provided value as a PK because of the difficulty of guaranteeing uniqueness. People (intentionally or accidentally) enter bogus SSNs or refuse to give them, making it a poor choice as a required field, let alone a key.
If you have SSN as a required field with a unique constraint
Re:Some states disallow using SSN as student ID (Score:3, Insightful)
Any DBA who uses SSN as a primary key needs to be flogged with a CAT-5 cable.
By her boss, maybe, but not by the government.
Privacy concerns aside, it's generally a bad idea to use any user-provided value as a PK because of the difficulty of guaranteeing uniqueness.
True, since there are at least some people out there with the same SSN.
If you have SSN as a required field with a unique constraint or index, you're setting yourself up for a denial of service attack -- User1 enters a bogus SSN which happ
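The two posts above argue against making the SSN a primary key or a required unique column. The following is an added example (not code from the thread) that runs both schemas in SQLite and shows the denial-of-service the second post describes: with SSN as the key, one bogus entry locks out the real holder of that number and anyone who declines to give one; with a generated surrogate key and SSN as an optional attribute, everyone can be registered and duplicates are surfaced for human review instead of being enforced by the database. All names and SSNs are constructed.

```python
"""Surrogate primary key versus SSN-as-key, demonstrated with SQLite.

Added example; not code from the thread. Schemas and data are constructed.
"""
import sqlite3

# The schema the posts warn against: a user-supplied value is the key.
BAD_SCHEMA = """
CREATE TABLE person (
    ssn  TEXT NOT NULL PRIMARY KEY,  -- required, unique, user-supplied
    name TEXT NOT NULL
);
"""

# Surrogate key generated by the database; SSN is an optional attribute
# with a lookup index, a verification flag, and no uniqueness constraint.
GOOD_SCHEMA = """
CREATE TABLE person (
    person_id    INTEGER PRIMARY KEY,         -- generated surrogate key
    name         TEXT NOT NULL,
    ssn          TEXT,                        -- may be NULL or unverified
    ssn_verified INTEGER NOT NULL DEFAULT 0   -- set after out-of-band check
);
CREATE INDEX person_ssn_idx ON person(ssn);
"""


def register(conn, name, ssn):
    """Try to add a person; return True on success, False if the DB rejects it."""
    try:
        with conn:
            conn.execute("INSERT INTO person(name, ssn) VALUES (?, ?)", (name, ssn))
        return True
    except sqlite3.IntegrityError:
        return False


def duplicate_ssns(conn):
    """SSNs present on more than one row: a review queue, not a hard error."""
    rows = conn.execute(
        "SELECT ssn FROM person WHERE ssn IS NOT NULL "
        "GROUP BY ssn HAVING COUNT(*) > 1 ORDER BY ssn"
    ).fetchall()
    return [r[0] for r in rows]


def scenario(schema):
    """Replay the thread's scenario against one schema and report outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    results = {}
    # User1 types a bogus SSN that happens to be User2's real number.
    results["user1_bogus"] = register(conn, "User1", "123456789")
    # User2, the actual holder of 123456789, now tries to register.
    results["user2_real"] = register(conn, "User2", "123456789")
    # User3 refuses to supply an SSN at all.
    results["user3_refuses"] = register(conn, "User3", None)
    results["duplicates"] = duplicate_ssns(conn)
    conn.close()
    return results


if __name__ == "__main__":
    print("SSN as key:     ", scenario(BAD_SCHEMA))
    print("surrogate key:  ", scenario(GOOD_SCHEMA))
```

With the SSN-keyed schema User2 and User3 are both rejected; with the surrogate-keyed schema all three rows exist and the duplicate SSN shows up in the review list, which is where a conflict between two people's claims to a number belongs.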
Re:Guess What (Score:3, Informative)
I suggest immediately asking all your professors to cease and desist their actions. If they refuse bring it to the heads of their departments. If your requests are again ignored I suggest filing a complaint against them as shown below...
See the document posted below with regards to this (pasted because it's in DOC format [ed.gov] -- formatted after paste to avoid whitespace filter):
===
Dr. Evangelos J. Gizis
I
Not Illegal (Score:5, Informative)
Can you provide a reference that it is illegal?
Seriously, this is not a troll....I see this statement often and I want to know if it's an urban myth or not.
Re:Not Illegal (Score:5, Insightful)
Re:Not Illegal (Score:2)
So if you want to keep your SSN as private as possible you may have to live without electricity and water?
Why would you want to keep your SSN as private as possible in the first place? Trying to keep a good credit rating? But if you don't use your SSN, then your credit rating is meaningless anyway.
SSNs are identifiers, not security keys. Those who use them as security keys are the ones who are causing the problem, and they're the ones who pay, too. When someone takes out a credit card using your SSN
SSN as National ID card (was:Re:Not Illegal) (Score:4, Interesting)
"FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION."
(The ALL CAPS is what's on my original card, I'm not "shouting"!)
I'm sure there are reams of Social "Security" (ok, my classical-liberal bias is showing with the quote-marks, but bear with me. After all, there's NO TRUST FUND, it's all a BUNCH OF I.O.U.s!!!) documents which form various interpretive rules and laws that can't be fathomed by mere mortal nonlawyers, but ask yourself a couple of questions:
1. Why would so many folks think it's illegal, if it's not?
2. Why does my card say what it says, but modern cards make NO MENTION of the fact that it's allegedly "not for identification"? Did something change? When?!? Who voted for it???!!!
Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is morally-wrong. Various events/excuses (I can see a 9/11 thread looming, so I'm trying to pre-squelch that now) don't make the moral-wrong of lying to expand government suddenly become right. If you want to expand government, say "I will make the government bigger, and this is why..." and then make an HONEST argument for once! Ok, rant-over. Back to work.
JMR
Re:SSN as National ID card (was:Re:Not Illegal) (Score:2)
Re:SSN as National ID card (was:Re:Not Illegal) (Score:2)
Probably what happened is that when SSNs first came out they were not planning on using it as any form of identification. They later (20,30,40 years or something like that) someone came along and said "Hey! Everyone in the country has to have one of these things. Its great, we can use it for universal identification since we KNOW everyone will have on
Re:SSN as National ID card (was:Re:Not Illegal) (Score:3, Insightful)
Really? The IRS is part of the government, and they use that number to identify me. What exactly are the "social security and tax purposes" that it could POSSIBLY be used for, OTHER than identification?
Actually, I thought it was the card itself that wasn't supposed to be used for identification. I.e., you can't walk into airport security, flash 'em your SS card, and say, "I'm John Doe, here's my ID".
Re:SSN as National ID card (was:Re:Not Illegal) (Score:3, Informative)
Read the Social Security Number FAQ (Score:3, Insightful)
The law that the previous poster thinks is protecting him is probably the Privacy Act of 1974, which is only binding on government agencies. It's discussed in the FAQ.
There is also a SSN FAQ at cpsr.org, but it formats like crap on Mozilla. You'd think "computer professionals" wouldn't screw up something like this.
Re:SSNs should be completely public (Score:2)
Where would it end? Next you'll be suggesting that driving licenses be used to prove that you are qualified to drive and nothing else.
Re:Guess What (Score:2)
Re:Guess What (Score:4, Insightful)
No, universities, military, government are targeted for who they are.
When a person starts cracking a new machine, it's very rare they have any idea what data is on the machine.
WHAT!?! (Score:3, Funny)
Oh-nos!
SSNs or not? (Score:5, Interesting)
The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?
The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...
Re:SSNs or not? (Score:2)
Re:SSNs or not? (Score:2)
Re:SSNs or not? (Score:4, Interesting)
Both my wife and my mother-in-law are most likely contained in that database (my wife as a former IHSS caregiver, my mother-in-law as a current IHSS care-receiver), and this is the first I've heard of this break-in. To be honest, I feel betrayed by the state of California's apparent lackadaisical approach to guarding these social security numbers. Why would these numbers be shared with a university for research purposes anyways? It really doesn't make sense anyways, and I don't recall my wife signing any type of release to allow this personal information being used for research purposes. I guess it's time to go safeguard against identity theft (not to mention contemplate the potential success of a class action lawsuit against the state of California on grounds of negligence.)
Re:SSNs or not? (Score:2)
An MD5 of fullname plus SSN would be more sensible I think.
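The earlier "Guess What" replies propose giving researchers a random ID that only the state office can map back to an SSN; the post just above proposes an MD5 of full name plus SSN instead. The following added example (not code from the thread, from UC Berkeley or from the state) implements the random-ID mapping and then shows the weakness of the unkeyed hash: an attacker holding a leaked research record that still carries the name can enumerate candidate SSNs until the MD5 matches. The records, names and SSNs are constructed; the "attacker knows the first four digits" assumption only shrinks the search for the demonstration, since the full nine-digit space is 10^9 candidates and is still enumerable offline.

```python
"""Random research IDs with a custodian-held mapping, versus MD5(name+SSN).

Added example; not code from the thread. All records are constructed.
"""
import hashlib
import secrets


def pseudonymize(records):
    """Split raw records into (research_extract, mapping_table).

    research_extract: what leaves the custodian. No SSN, random IDs only.
    mapping_table:    stays at the custodian. research_id -> ssn.
    """
    mapping = {}
    extract = []
    for rec in records:
        rid = secrets.token_hex(8)          # 64 random bits, not derived from the SSN
        while rid in mapping:               # collision guard
            rid = secrets.token_hex(8)
        mapping[rid] = rec["ssn"]
        # 'hours' and 'county' stand in for whatever the study actually needs.
        extract.append({"research_id": rid, "hours": rec["hours"], "county": rec["county"]})
    return extract, mapping


def reidentify(mapping, research_id):
    """Cross-reference back at the custodian; returns None for unknown IDs."""
    return mapping.get(research_id)


def weak_token(name, ssn):
    """The hashing proposal from the thread: unkeyed MD5 over name + SSN."""
    return hashlib.md5(f"{name}|{ssn}".encode()).hexdigest()


def recover_ssn(name, token, known_prefix):
    """Attacker side: enumerate SSNs sharing known_prefix until the MD5 matches.

    known_prefix is an assumption for the demo (e.g. the first 4 digits);
    with no prefix the loop is 10^9 iterations, which is still feasible.
    """
    width = 9 - len(known_prefix)
    for n in range(10 ** width):
        candidate = known_prefix + str(n).zfill(width)
        if weak_token(name, candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    raw = [  # constructed sample records
        {"name": "Jane Doe", "ssn": "123456789", "hours": 40, "county": "Alameda"},
        {"name": "John Roe", "ssn": "987654321", "hours": 12, "county": "Fresno"},
    ]
    extract, mapping = pseudonymize(raw)
    print("released to researchers:", extract)
    print("custodian lookup:", reidentify(mapping, extract[0]["research_id"]))
    tok = weak_token("Jane Doe", "123456789")
    print("MD5 token:", tok, "-> recovered:", recover_ssn("Jane Doe", tok, "1234"))
```

The research extract carries nothing that can be inverted, because the IDs are random rather than computed from the SSN; breaching the researcher's box yields only the mapping-less extract. A keyed hash (an HMAC under a secret held by the custodian) would also resist the enumeration, but the mapping table is simpler to reason about and gives the state office the explicit cross-reference step the earlier posts ask for.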
Worst. Intrusion. Ever. (Score:4, Insightful)
No. It's only the worst intrusion they were made aware of. There could have been more...
are you trying to tell us something? (Score:2)
Why did they need all of that data? (Score:5, Insightful)
It makes you wonder...
Why does a research program need access to social security numbers, phone numbers, and the like?
I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.
Why bother stealing this data? (Score:3, Funny)
So why bother stealing the SSNs of victims who are old and broke? You can't steal their money - they don't have any! If you steal their identity you'll wind up lying in a hospital with a tube in your nose being pumped full of Demerol....
Oh, ok, now I understand.
Want to sell (Score:4, Funny)
Universities notorious (Score:4, Interesting)
Re:Universities notorious (Score:5, Informative)
My 27,000 student body university weathers most of the worms better than most large businesses, despite having little control over the computers on the network. And we keep our key servers safe. Assuming a lack of zero day exploits (as is true in this case), there's no reason an important server is any less safe in an academic environment than a corporate one. Someone was asleep at the wheel, and you'll find that anywhere.
Re:Universities notorious (Score:2)
Re:Universities notorious (Score:2)
Re:Universities notorious (Score:2)
That's the exact thinking that got companies smacked down by worms inside the firewall. All data is untrusted until it's been untainted. All computers are untrusted. Regardless of whether I'm working at a college or in a corporation, my servers are locked down to talk to exactly who they're supposed to and none others through firewalls and server configurations. Until a zero day exploit for ssh hits, peo
Re:Universities notorious (Score:5, Interesting)
And there still is no SSL support on IMAP server(s). To protect my account, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net...
The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess...
They have a nice policy, of keeping accounts of alumni alive for as long as they are active, though.
Re:Universities notorious (Score:2)
I'm not sure where this info comes from, but in my experience in working at universities they _do_ have sufficient and very good networking staff. University networks are some of the largest that there are. Universities lead networking in terms of things
One has to ask the question (Score:4, Insightful)
This smacks of laziness on the part of the data provider and the researcher(s).
Do What? (Score:2, Insightful)
Preventive measures like changing their name, address, SSN and date of birth?
Re:Do What? (Score:2)
"Who are you?"
"The new Number Two"
"Where is Number One?"
"You are Number Six"
Privacy of information in an insecure system (Score:4, Informative)
It naturally requires some thought to do right but it seems like it could have worked in this case.
How many intrusions went undetected? (Score:4, Interesting)
Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option
Separate networks... (Score:2, Informative)
Not informative but stupid (Score:2)
1. joe hacker takes a jpg image and inserts a zombie trojan.
2. joe hacker uploads this to a web server.
3. joe researcher who has user level access to the database navigates to joe's web page containing the zombie containing image.
4. joe hacker now owns a client on the inside and has easy access to the data, but wait you say we got a firewall that will solve it.
5. joe h
Information Technology Policy (Score:4, Informative)
http://ist-socrates.berkeley.edu:7015/protected.data.html
Hope you find it to be as educational on this subject as I did
Berkeley, khmm... (Score:2, Flamebait)
Let's see, how it plays out for this uber-liberal establishment.
Nothing to do with Berkeley (Score:2)
The process for releasing sensitive data should be:
1. Establish the e
Re:Berkeley, khmm... (Score:2)
At any rate, thanks for inanely speculating on what people would have said, then using that speculation to attack them. Very classy.
Re:Berkeley, khmm... (Score:2)
Re:Berkeley, khmm... (Score:2)
Outsourcing anyone? (Score:4, Insightful)
This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.
I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?
Does your company outsource payroll?
Outsource != Offshore (Score:3)
Outsourcing means having another company do the work. It doesn't mean that the work is necessarily being done in another country.
Re:Outsourcing anyone? (Score:3, Informative)
I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans.
BTW, it is not illegal in the US to "release" social security numbers and financial information. There are quite a few companies that make a nice profit from selling this information on a daily basis. I doubt that if it is legal in the US that it would be illegal in other countries like India (except perhaps Germany).
UC Berkeley - Job Opening (Score:2)
*prepares resume*
Props to California for passing a law requiring them to notify those folks whose information was involved. Although, I'm sure UC Berkeley would have made the ethical decision on its own, I'm also sure *some* wouldn't.
What the hobag? (Score:3, Interesting)
Oh, wait, I get it, they probably haven't patched the exploit yet.
SSN (Score:5, Informative)
Anyone know what OS this was that got hacked? (Score:3, Interesting)
Re:Anyone know what OS this was that got hacked? (Score:2, Funny)
Dunno about the OS, but it occurred at UC Berkeley, so it was almost certainly a sendmail exploit.
Wake up call! (Score:2, Informative)
Only the government really needs it. For the sake of saving time and aggravation, I'll provide mine to my employer and my bank as well but no one else needs to get it. Ever.
NTITE
Re:Wake up call! (Score:3)
Only the government really needs it.
Yeah, but unfortunately this was government data, and the individuals represented by it had no choice nor say in the matter. So your advice is useless in this instance.
you miss the point: this WAS the government (Score:2, Interesting)
It was the government that
Surprised? You shouldn't be. There's no market pressure on the government. If you're offended at their cavalier attitude, it's not like you can go with a competitor!
One example of a government agency doing things the right way: about 15 years ago I worked on a university r
Re:Wake up call! (Score:2)
The Gov't that you say is the only one who really needs the SS number IS the one that provided said number to UC Berkeley. RTFA. The SS# and all personal info that Berkeley was using and had access to was provided to them by the California Govt, without the consent of the people whose info was being shared.
If there is a wakeup call for anything it is that there should be a fight to keep the govt from farming out personal info like this to every Tom, Bill, and Larry that asks for it in
Re:Wake up call! (Score:2)
As a recent new hire, I can recall putting my SSN on insurance forms, pension forms, etc. What do you do on these forms? Leave it blank?
Did you even read the summary? (Score:2)
Stupid businesses (Score:4, Insightful)
The SSNo was never intended as an ID number. Yet, many businesses will take nothing else as a customer identifier.
Myself, I am being hounded by my electric power supplier who wants me to give them my SSNo (which I didn't when I opened my account).
North Korean hackers anyone? (Score:2)
I worked on this project... (Score:5, Informative)
Re:I worked on this project... (Score:4, Insightful)
Flamebait? Re:I worked on this project... (Score:4, Informative)
No, I really do think it's nearly the perfect example of the dangers of righteousness.
The Grand Experiment in this case was apparently perceived as vastly more "important" than the individual privacy and even *lives* of actual living people. This is quite typical of people who are out to "save the world". It's a form of "the ends justify the means" thinking. I call bullshit.
BTW, in case it wasn't obvious: this isn't a liberal vs. conservative thing. Anti-abortionists have the same damn problem.
This is all assuming, of course, that the parent of my original comment wasn't itself flamebait :-).
Re:I worked on this project... (Score:5, Insightful)
Why didn't they make sure the box was secure by never putting it on the Internet?
Granted yes, Microsoft software has vulnerabilities, STATA may suck, IT support may be stupid, and the state may have been negligent in distributing sensitive data this way, but don't you think the researchers have some responsibility for this as well?
The researchers knew it wasn't good to have SSNs in the data and (according to you) had strict rules about network access because it wasn't a Berkeley box. Yet, they put the box on the Internet anyway with unobfuscated SSNs.
Don't you think those actions on the part of the researchers require them to share in the responsibility?
Network Security (Score:2)
If it has to be connected to the net, any sensitive information should be encrypted.
In-Home care (Score:3, Insightful)
In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media.
Yeah, like bed ridden old people that need in-home care are going to be able to check a website for info on what's going on.
Try sending them a letter or something!
Scamming the underprivileged? (Score:2)
State social program participants?
Too fscking bad for this hacker - it's going to be pretty hard to scam out anything from the underprivileged crowd.
Re:suprising... (Score:5, Interesting)
Are they allowed to do that? Without notifying the state at all? Especially considering that the data that was lost belongs to the state.
Already UC is having a lot of trouble in the (mis)handling of national labs and a few other problems, this would only compound it. Damn.
Re:suprising... (Score:2)
Re:suprising... (Score:3, Insightful)
Seems like the data on each individual should BELONG to the individual....
Shouldn't you own your own data, and be able to say who does what with it?
Re:suprising... (Score:2, Insightful)
Re:suprising... (Score:2)
Well, I've not accidentally allowed to be compromised a database of 1.4 million people's personal info.
To whom much is given, much shall be required
Re:BSD is causing death (Score:2)
Obviously I haven't RTFA but presumably they're doing some kind of analysis on the data?
Re:BSD is causing death (Score:2, Insightful)
Will your FreeBSD installation prevent you from putting your data on an available Apache server?
Re:BSD is causing death (Score:2, Interesting)
I'm not disputing that it might be the case (and yeah I know what BSD stands for) but how do you know it wasn't Windows or something else?
I troll because I must... (Score:2)
Does that mean I should have the warm fuzzies about using Microsoft Windows XP at work?
Re:Yeah (Score:5, Insightful)
Re:Yeah (Score:3, Informative)
Re:What OS (Score:2, Interesting)
IMHO it is highly unlikely that this is BSD.
Re:Another blow to Reichsmarshall Ashcroft's regim (Score:2, Flamebait)
Re:SSN should be public (Score:3, Informative)
Oh people will