Whopping-Big Data Theft At U.C. Berkeley

aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus has additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

  • by Anonymous Coward on Wednesday October 20, 2004 @08:40AM (#10574681)
    It's "copyright infringement".

    • "It's "copyright infringement".

      And yet, we care more about it. Why? Because it's privacy. If someone could link social security numbers to entertainment and pump it out on P2Ps, we'd be all over it.
  • by 2.7182 ( 819680 ) on Wednesday October 20, 2004 @08:40AM (#10574683)
    Interesting. A few years ago there was a smaller such incident at the Berkeley Traffic Safety Center.
  • Fix (Score:5, Funny)

    by rguiu ( 472301 ) on Wednesday October 20, 2004 @08:41AM (#10574694) Journal
    Should be quite easy to fix, now give new name and social security name to everyone involved.
    • My choice (Score:4, Funny)

      by Hoi Polloi ( 522990 ) on Wednesday October 20, 2004 @10:00AM (#10575370) Journal
      I'm picking "Yusuf Islam", then I'm catching a flight.
  • Was the system in question still running BSD? ;)
  • Guess What (Score:2, Insightful)

    by Moby Cock ( 771358 )
    I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws. The thing is, the machines at Berkeley were the ones victimised, but it seems to me that this type of information will be sought after regardless of where it is. What I mean is, although Berkeley should have hardened the machine against an intrusion, they were victimised because of the info they had, not who they were. The government servers are going to be targeted too.
    • Re:Guess What (Score:5, Insightful)

      by garcia ( 6573 ) * on Wednesday October 20, 2004 @08:48AM (#10574756)
      I can smell an over-reaction brewing. This is just the sort of incident that can force the adoption of stringent laws.

      As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.

      There is absolutely no reason that a researcher needed access to SSNs. They should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for later cross referencing.

      We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.
      • As you all probably know I'm the last person that thinks that we should create laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs.

        What kind of laws would you suggest? I mean, it's just a friggen number.

        We have all these demands for SSNs and we are supposed to be protecting them as our entire history is linked to them yet we don't have any real protections when they are.

        I'm sure Berkeley can be sued for negligence in this case, especial

    • I agree -- this is the state, where anti-outsourcing lawmakers tried to illegalize exporting work to countries, whose "privacy laws" are not as good as in California. And according to these lawmakers, no country is good enough...
    • Re:Guess What (Score:4, Insightful)

      by GoofyBoy ( 44399 ) on Wednesday October 20, 2004 @09:09AM (#10574938) Journal
      >they were victimised because of the info they had, not who they were.

      No, universities, military, government are targeted for who they are.

      When a person starts cracking a new machine, it's very rare they have any idea what data is on the machine.
  • WHAT!?! (Score:3, Funny)

    by Creepy Crawler ( 680178 ) on Wednesday October 20, 2004 @08:44AM (#10574712)
    I didn't know the "SSN database.mdb" in /tmp was 'secret'!

    Oh-nos!
  • SSNs or not? (Score:5, Interesting)

    by garcia ( 6573 ) * on Wednesday October 20, 2004 @08:44AM (#10574715)
    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    The title says it included SSNs but the article doesn't mention them. Were they included or not? What the hell does a researcher need to have SSNs for anyway? Can't they be identified by insignificant numbers?

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.

    And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...
    • They may need to use SSN as a key into other databases such as medical records or health insurance eligibility, for example. While SSN's aren't being used as identifiers for those accounts going forward, I imagine historical data is still indexed by SSN...
      • Schools and Universities essentially always use your SSN to identify you throughout a number of different databases. Universities are actually pretty much the worst culprits in this regard; I would hope that they've finally changed this policy, but last I checked the majority of them used your SSN as your Student ID. Mind you, this is supposed to be illegal; your SSN is supposed to only be used for tax purposes, whether for submission of levies or for identifying your tax information.
    • Re:SSNs or not? (Score:4, Interesting)

      by Fedallah ( 25362 ) on Wednesday October 20, 2004 @09:10AM (#10574943) Homepage
      And here we are on October 20th hearing about it. I wonder if the people that were included in that database (that should have been kept on a completely secluded network IMHO) were contacted September 28th or if they had to wait until three bureaucratic agencies had done their own investigations...


      Both my wife and my mother-in-law are most likely contained in that database (my wife as a former IHSS caregiver, my mother-in-law as a current IHSS care-receiver), and this is the first I've heard of this break-in. To be honest, I feel betrayed by the state of California's apparent lackadaisical approach to guarding these social security numbers. Why would these numbers be shared with a university for research purposes anyways? It really doesn't make sense anyways, and I don't recall my wife signing any type of release to allow this personal information being used for research purposes. I guess it's time to go safeguard against identity theft (not to mention contemplate the potential success of a class action lawsuit against the state of California on grounds of negligence.)
  • by Indy Media Watch ( 823624 ) on Wednesday October 20, 2004 @08:44AM (#10574720) Homepage
    CNET calls it the worst intrusion U.C. Berkeley has experienced

    No. It's only the worst intrusion they were made aware of. There could have been more...

  • by ericzundel ( 524648 ) * on Wednesday October 20, 2004 @08:45AM (#10574722) Homepage Journal

    It makes you wonder...

    Why does a research program need access to social security numbers, phone numbers, and the like?

    I think the real story is the State of California sharing too much personal information, regardless of how the hacker got access to it.

    • The victims were all receiving or providing at-home care under a state program to help the elderly and disabled.

      So why bother stealing the SSNs of victims who are old and broke? You can't steal their money - they don't have any! If you steal their identity you'll wind up laying in a hospital with a tube in your nose being pumped full of Demerol....

      Oh, ok, now I understand.

  • by ValuJet ( 587148 ) on Wednesday October 20, 2004 @08:45AM (#10574727)
    1.4 million Social Security numbers.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday October 20, 2004 @08:46AM (#10574729)
    Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?
    • by jschottm ( 317343 ) on Wednesday October 20, 2004 @08:55AM (#10574814)
      On the contrary, most major universities have the staff, software, equipment, and know-how to maintain tight control over the network; it's that their hands are tied by professors who demand complete access to whatever they want in the name of academic freedom and by the students who are paying $X thousand dollars for the experience, and by god, are going to use their $P2PSOFT.

      My 27,000 student body university weathers most of the worms better than most large businesses, despite having little control over the computers on the network. And we keep our key servers safe. Assuming a lack of zero day exploits (as is true in this case), there's no reason an important server is any less safe in an academic environment than a corporate one. Someone was asleep at the wheel, and you'll find that anywhere.
      • Well I disagree with you. University networks are not insecure because profs want to experiment with peer to peer software (is that what you're implying??). The hackers I have known locally gained root on our university's UNIX server via standard things, BIND, sendmail, rpc, imapd, wuftpd, etc. Compromises occurred because our university is under staffed for UNIX admins and security people, and there are more people actively probing and trying attack paths on the system than an average system.
        • No, I was disagreeing with the parent article that stated that universities are inept at security. We are unable to use many best practices in security because some professors view any kind of restriction on them as suppression of academic freedom, and because the people that pay our bills (the students) will throw a royal fuss if they don't have access to all their toys.
    • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Wednesday October 20, 2004 @09:11AM (#10574959) Homepage Journal
      Indeed. It took years for my ex-school to switch to ssh and ban outside telnet-ing. At the conclusion of one discussion, the head admin said that she is still not convinced they need ssh, but that she might consider disabling rsh... Maybe because it is a government-run school, I don't know.

      And there still is no SSL support on IMAP server(s). To protect my account, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net...

      The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess...

      They have a nice policy of keeping accounts of alumni alive for as long as they are active, though.

    • Universities are notorious for having poor network security! They typically don't have sufficient staff to maintain such tight control over network access. Why would such sensitive information be kept on inherently vulnerable networks in the first place?

      I'm not sure where this info comes from, but in my experience in working at universities they _do_ have sufficient and very good networking staff. University networks are some of the largest that there are. Universities lead networking in terms of things
  • by TuballoyThunder ( 534063 ) on Wednesday October 20, 2004 @08:47AM (#10574745)
    What purpose does it serve the researchers to have SSN's? The purpose of the study was to study the impact of wages on in-home care. Likewise, the names are irrelevant to the researchers. The agency that provided the data should have eliminated the names and SSN's and replaced them with a unique identifier.

    This smacks of laziness on the part of the data provider and the researcher(s).

  • Do What? (Score:2, Insightful)

    by Anonymous Coward
    The compromised system had the names, addresses, phone numbers, social security numbers and dates of birth of everyone ... Since it is sensitive data we figured it would be best to get word out to people so they can take preventive measures just in case."

    Preventive measures like changing their name, address, SSN and date of birth?

    • >> Preventive measures like changing their name, address, SSN and date of birth?

      "Who are you?"

      "The new Number Two"

      "Where is Number One?"

      "You are Number Six"

  • by Tucan ( 60206 ) on Wednesday October 20, 2004 @08:51AM (#10574773)
    This seems to be a case when the privacy of the information could have been maintained despite the breach of security if they had been using a "translucent database". Peter Wayner wrote a good book [amazon.com] about this, and as far as I know coined the term.

    It naturally requires some thought to do right but it seems like it could have worked in this case.
  • by theluckyleper ( 758120 ) on Wednesday October 20, 2004 @08:52AM (#10574778) Homepage
    The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetected. I imagine that most crackers worth their salt would be concerned with covering their tracks!

    Which is why I always say "NO" when asked by online stores, "Would you like us to remember your credit card number for future transactions?" I think they need a "HELL NO!" option :)
  • Oddly enough, the large University I work for has been discussing making two or three separate networks inside the university to keep something like this from happening. Presently, the Hospital has their own private network interconnected to our network via a firewall. We have been toying with the idea of making a private network for sensitive university machines and faculty networks, thus leaving the students and other network users on a more normal public network, behind the border firewall of course
    • why do you think segmenting the network is going to help? let me give you this scenario which will show you that is not going to do shit.

      1. joe hacker takes a jpg image and inserts a zombie trojan.

      2. joe hacker uploads this to a web server.

      3. joe researcher who has user level access to the database navigates to joe's web page containing the zombie containing image.

      4. joe hacker now owns a client on the inside and has easy access to the data, but wait you say we got a firewall that will solve it.

      5. joe h
  • by Mstrgeek ( 820200 ) on Wednesday October 20, 2004 @08:55AM (#10574818)
    This is an outline of the University of California, Berkeley's Campus Plan Implementing the UC Requirements for Protection of Computerized Personal Information

    http://ist-socrates.berkeley.edu:7015/protected.data.html

    Hope you find it to be as educational on this subject as I did

  • Berkeley, khmm... (Score:2, Flamebait)

    by mi ( 197448 )
    Had it been the Bob Jones University [bju.edu] or some other ubber-conservative school, we'd never hear the end of conspiracy theories viz. rights-trampling and spying on fellow citizens (not that there was anything in there unknown to the government yet).

    Let's see, how it plays out for this ubber-liberal establishment.

    • I disagree. Regardless of the particular institution, I think we're all aware of the fact that providing sensitive information to a university without tight controls is amazingly dangerous. I don't blame Berkeley here, nor would I blame any school. I do think they should take this as a warning, and improve their security, but the state has to ask themselves what they were thinking, and restrict future access to this kind of information.

      The process for releasing sensitive data should be:

      1. Establish the e
    • Ubber?

      At any rate, thanks for inanely speculating on what people would have said, then using that speculation to attack them. Very classy.
    • No, if this had happened at some udder-conservative school, we would talk about how stupid conservatives were.
  • by mhollis ( 727905 ) on Wednesday October 20, 2004 @09:05AM (#10574895) Journal

    This may be seen as slightly offtopic, but the company I work for has outsourced payroll. Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of birth as well as a lot of financial information giving access to the earnings of many for many years.

    I'm wondering when the Indian company (or some person within that company) decides to legally sell that information to some Moldavian Mafiosi. I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans. Might violate a contract but who's paying more?

    Does your company outsource payroll?

    • My company also outsources payroll, like thousands of smaller businesses. ADP, founded in part by Senator Lautenberg (D-NJ), does payroll for my company. They are headquartered, as one would imagine, in New Jersey, not India.

      Outsourcing means having another company do the work. It doesn't mean that the work is necessarily being done in another country.
    • I'll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans.

      BTW, it is not illegal in the US to "release" social security numbers and financial information. There are quite a few companies that make a nice profit from selling this information on a daily basis. I doubt that if it is legal in the US that it would be illegal in other countries like India (except perhaps Germany).

  • Looks like there might just be a job opening up in California.
    *prepares resume*

    Props to California for passing a law requiring them to notify those folks whose information was involved. Although I'm sure UC Berkeley would have made the ethical decision on its own, I'm also sure *some* wouldn't.
  • What the hobag? (Score:3, Interesting)

    by sockonafish ( 228678 ) on Wednesday October 20, 2004 @09:10AM (#10574945)
    SecurityFocus's description is no better than CNet's; I thought they'd have more technical details. What system were they running? What exploit?

    Oh, wait, I get it, they probably haven't patched the exploit yet.
  • SSN (Score:5, Informative)

    by sxmjmae ( 809464 ) on Wednesday October 20, 2004 @09:10AM (#10574948)
    They should have cleaned the data and removed the SSN. When we pass information outside the company we remove any reference to the SSN and replace it with a zero padded sequence to the same length as the SSN. If they ever need to know who the individual is they can give us this sequence number and we can look them up. Our plans are to remove any possible reference to the SSN in the database and replace them with a good old-fashioned sequence number (i.e. customer number). Only payroll will have a table that links the sequence number to the SSN (a must when filing taxes).
  • by Viol8 ( 599362 ) on Wednesday October 20, 2004 @09:14AM (#10574980) Homepage
    Was it Windows, Linux, BSD, Solaris etc?? It doesn't say in the articles.
  • Stop giving everyone your social security number.

    Only the government really needs it. For the sake of saving time and aggravation, I'll provide mine to my employer and my bank as well, but no one else needs to get it. Ever.

    NTITE
    • Stop giving everyone your social security number.

      Only the government really needs it.

      Yeah, but unfortunately this was government data, and the individuals represented by it had no choice nor say in the matter. So your advice is useless in this instance.

    • You miss the point: these people only gave their information to the government.

      It was the government that

      • required their information
      • handed the info out to a third party
      • failed to ensure that the third party took adequate care

      Surprised? You shouldn't be. There's no market pressure on the government. If you're offended at their cavalier attitude, it's not like you can go with a competitor!

      One example of a government agency doing things the right way: about 15 years ago I worked on a university r

    • Go back to sleep...

      The Gov't that you say is the only one who really needs the SS number IS the one that provided said number to UC Berkeley. RTFA. The SS# and all personal info that Berkeley was using and had access to was provided to them by the California Govt, without the consent of the people whose info was being shared.

      If there is a wakeup call for anything it is that there should be a fight to keep the govt from farming out personal info like this to every Tom, Bill, and Larry that asks for it in
    • Only the government really needs it. For the sake of saving time and aggravation, I'll provide mine to my employer and my bank as well but no one else needs to get it. Ever.

      As a recent new hire, I can recall putting my SSN on insurance forms, pension forms, etc. What do you do on these forms? Leave it blank?
    • "a state program" Of course the state is the government, so your advice is meaningless.

  • Stupid businesses (Score:4, Insightful)

    by Pig Hogger ( 10379 ) <pig.hogger@gmail ... m minus caffeine> on Wednesday October 20, 2004 @09:29AM (#10575107) Journal
    Now it's time to effectively ENFORCE the law that bans the usage of the SSNos as identification number for businesses, especially banks.

    The SSNo was never intended as an ID number. Yet, many businesses will take nothing else as a customer identifier.

    Myself, I am being hounded by my electric power supplier who wants me to give them my SSNo (which I didn't when I opened my account).

  • THE NORTH KOREANS DID IT!!! What's their army for? To make money! How do they make money? They steal personal information and create fake IDs. Then they sell those fake IDs to whoever wants them to come bomb the US!
  • by bigbikkuri ( 768714 ) on Wednesday October 20, 2004 @09:53AM (#10575302)
    I was working on this project, and I'll tell you I was extremely disheartened to learn people would try and sabotage this project. It is for a really good cause (if you believe in unions that is, I don't, but it was still for a good cause) and I hope the project isn't jeopardized beyond repair because of this. For those who might have guessed, the system that was hacked was a Windows 2000 Pro box running SQL Server and a statistics program called STATA. The box was only up and running while retrieving data and was turned off the rest of the time while I was on the project. There were very strict rules about letting the box onto the network since it wasn't a Berkeley box, but then they took the box and put on their own security software which supposedly made the data safe. I can give you the name of the IT guy in charge if you want. Many of you are listing reasons for not having the SSN's on the database, and that they should have been kept at the state level and then the state give us unique identifier numbers. In actuality, the state does not provide that service, and only provides the data from several databases. We ourselves then created unique identifiers because we needed very specific samples from different populations of California. This identifier was made with a combination of people's relations, their ethnicity, and their social security number. You'd be surprised how many people in California have the same name. Also, although maybe not the best reason in some programmer's opinion - it was easier to separate people by their SSN because STATA didn't present a way to compare strings in a useful enough manner so as to use a combination of name and zipcode. And if you are wondering why we had names and addresses and phone numbers, it is because we called and mailed these people ourselves. Our first mailing - worked a 22 hour day, and tried about four different assembly lines!

    The state didn't help at all - and in the current time when we have idiot Republicans like Arnold (I can't spell his last name) who thinks fixing a state budget crisis involves cutting the budget of an already failing program and driving MORE people into poverty, I don't think you can expect them to help us tell them how and why they are wrong. I'm no longer on the project (got shipped overseas) but the people working on it are rock solid individuals, and personally, as a former IT guy myself, I blame the morons who worked IT at the division this project is taking place. I understand Berkeley is huge, but for a University that supposedly is "computers" - they have a lot of people with absolutely no clue.
    • by hacksoncode ( 239847 ) on Wednesday October 20, 2004 @10:21AM (#10575613)
      This is a perfect example of why people who are out to save the world are dangerous.
      • by hacksoncode ( 239847 ) on Wednesday October 20, 2004 @11:00AM (#10576099)
        Hmmm. If I got modded flamebait I must have given the impression that I was just being flip.

        No, I really do think it's nearly the perfect example of the dangers of righteousness.

        The Grand Experiment in this case was apparently perceived as vastly more "important" than the individual privacy and even *lives* of actual living people. This is quite typical of people who are out to "save the world". It's a form of "the ends justify the means" thinking. I call bullshit.

        BTW, in case it wasn't obvious: this isn't a liberal vs. conservative thing. Anti-abortionists have the same damn problem.

        This is all assuming, of course, that the parent of my original comment wasn't itself flamebait :-).

    • by jonfelder ( 669529 ) on Wednesday October 20, 2004 @06:25PM (#10581177)
      So basically you blame IT, Microsoft, STATA, and Arnold instead of having the researchers take any of the blame themselves for being unable to generate usable random IDs. Why didn't they just generate their own random 9 digit identifier and delete the SSNs?

      Why didn't they make sure the box was secure by never putting it on the Internet?

      Granted yes, Microsoft software has vulnerabilities, STATA may suck, IT support may be stupid, and the state may have been negligent in distributing sensitive data this way, but don't you think the researchers have some responsibility for this as well?

      The researchers knew it wasn't good to have SSNs in the data and (according to you) had strict rules about network access because it wasn't a Berkeley box. Yet, they put the box on the Internet anyway with unobfuscated SSNs.

      Don't you think those actions on the part of the researchers require them to share in the responsibility?

  • Why is a computer containing sensitive information attached to any public network? It can't be hacked if it isn't connected to the net.

    If it has to be connected to the net, any sensitive information should be encrypted.

  • In-Home care (Score:3, Insightful)

    by Danman6126 ( 817013 ) on Wednesday October 20, 2004 @10:11AM (#10575493)

    In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website posting and by alerting the media.

    Yeah, like bed ridden old people that need in-home care are going to be able to check a website for info on what's going on.

    Try sending them a letter or something!

  • "..personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday"

    State social program participants?
    Too fscking bad for this hacker - it's going to be pretty hard to scam out anything from the underprivileged crowd.
