U of C Student Information Compromised

fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."
  • by lecithin ( 745575 ) on Friday May 27, 2005 @04:39PM (#12659153)
    About 3 years ago I ended up finding a site that had a similar problem. It was on a University site and was devoted to students asking their instructor a question. The questions were something like this:

    HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.

    Each entry (about 50) had students names and social security numbers.

    I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.

    I then contacted one of the students. The page was 'secured' in 1 day.

    I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.

    • The University of Illinois, and many other universities I suspect, issues everyone a Unique Identification Number which basically takes the place of the SSN for all university business. Makes a hell of a lot more sense if you ask me.

      • City College of San Francisco used SSNs up until a couple years ago. They have changed to issuing a Student ID. SSN is still usable, particularly before the student is assigned a Student ID in the application process - something I think is ridiculous. The student should be given a Student ID as soon as he applies over the Web so he NEVER has to enter his SSN subsequent to his application.

        We have begun issuing student ID cards with barcodes which are compatible with the college library barcode systems, but
    • Sad thing is, after four years of Collage, the student found that randomly assembling bits of paper and pictures and such to create works of art doesn't really pay that much.

      But seriously, my college just last year switched from plastering SSNs on IDs and such, IDs used for meals, building entry, even registration at student government meetings, to a university-only number. This doesn't surprise me one bit, and really it could have happened at a lot of colleges a long time ago.
    • The U of C uses 6 digit student ids for routine stuff. No doubt SSNs are somewhere, but the UCID number seems to be the most commonly used id, so it isn't a case of the University using SSNs willy nilly.

      But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.
    • Well, to point to a working system without the need for SSN to operate universities, in my country we use a university identification string, composed from initials, and some other unique parts based on a random algorithm to make sure they are unique indeed.

      You can use that id for university related business only and it works extremely well. For example to access the website to schedule courses and exams, I need to login with that university id string and my password. If someone gets to know your universit
      • If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

        That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or

        • That depends on which system they can access once they have your university ID.

          Without a password? Absolutely zero.
          • Without a password? Absolutely zero.

            Christ. What exactly do you think "access" meant? Unfortunately, it isn't uncommon to find student workers who know the SIS username and password of the faculty or staff member they assist.

            • That is no longer a problem with the system, it is up to the particular user to keep their passwords secret.
              • Okay. Let me try to spell it out for you.

                You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.

                Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the St


              • That depends on the password strength, among other things.

                The SCT Banner college MIS system, for instance, uses a Student ID and a minimalist six-digit PIN number to control access to the student's account. That PIN number would be trivial to break since most people use 6 of the same number or something like '123456'. If you can get the student id (and some instructors insist on posting it on grade reports tacked to their doors), you've got half the access right there.

                If you have a standard system that r
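The comment above about six-digit Banner PINs is the part of this thread a defender can act on. The example below is added here and is not SCT Banner code or anything posted by the commenter; it screens a PIN against the patterns an online guesser tries first (repeats, sequences, date-shaped values) and can emit that same list as a denylist. The priority order of the guesses is my own assumption about attacker behaviour, not a published statistic.

```python
"""Screen six-digit numeric PINs for the patterns an attacker tries first.
Added example for this thread; not SCT Banner code. The pattern set and the
priority order are assumptions about attacker behaviour."""

KEYSPACE = 10 ** 6   # every six-digit PIN; an attacker never needs most of it


def _looks_like_date(pin: str) -> bool:
    """MMDDYY, DDMMYY or YYMMDD with a valid month/day pair. Birthdays are a
    favourite PIN, and the same rosters that leak SSNs usually carry DOBs."""
    a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
    md = lambda m, d: 1 <= m <= 12 and 1 <= d <= 31
    return md(a, b) or md(b, a) or md(b, c)


def is_weak_pin(pin: str) -> bool:
    """True if the PIN sits in the small set a guesser exhausts first."""
    if len(pin) != 6 or not pin.isdigit():
        return True
    digits = [int(ch) for ch in pin]
    if len(set(digits)) <= 2:                  # 111111, 121212, 112211
        return True
    steps = {(y - x) % 10 for x, y in zip(digits, digits[1:])}
    if steps == {1} or steps == {9}:           # 123456, 890123, 654321
        return True
    if pin[:3] == pin[3:]:                     # 123123
        return True
    return _looks_like_date(pin)


def likely_pins():
    """Yield weak PINs roughly in the order an online guesser would try them:
    perennial favourites, then repeats, sequences, and dates (recent years
    first). Used as both the attacker's wordlist and the defender's denylist."""
    favourites = ["123456", "111111", "000000", "121212", "123123",
                  "654321", "112233", "666666", "999999"]
    seq = "0123456789" * 2
    candidates = list(favourites)
    candidates += [str(d) * 6 for d in range(10)]
    candidates += [seq[i:i + 6] for i in range(10)]
    candidates += [seq[::-1][i:i + 6] for i in range(10)]
    candidates += [f"{m:02d}{d:02d}{y:02d}" for y in range(99, -1, -1)
                   for m in range(1, 13) for d in range(1, 32)]
    seen = set()
    for pin in candidates:
        if pin not in seen:
            seen.add(pin)
            yield pin


def first_guesses(n: int) -> list[str]:
    """The first n PINs an attacker would submit against a locked-out account."""
    out = []
    for pin in likely_pins():
        out.append(pin)
        if len(out) == n:
            break
    return out


if __name__ == "__main__":
    for candidate in ["123456", "052705", "904857"]:
        print(candidate, "weak" if is_weak_pin(candidate) else "ok")
    print("first guesses:", first_guesses(12))
```

With an account lockout after a handful of failures, the guesser only gets those first few tries per account, so everything hinges on keeping the chosen PIN out of `first_guesses()`; without a lockout, the whole million-entry keyspace is reachable and no PIN policy helps.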
    • If my university hadn't used SSN's as individual identification numbers, I would have never learned it. At least I got something out of the pricey education.
    • Hey, I just shut one of those down the other day. One of our faculty slapped up a public query form and was writing the students results, which contained their SSN, name, and address, to a publically accessible Access db. When I contacted the instructor his response was, "But how can anyone download it if I don't link to it?"

      And therein lies the crux of the problem. On most college and uni campuses, the publishing of data isn't controlled by a "webmaster" or other campus employee. In our case, we give our
    • In WV there was a state law passed a few years ago that is now phasing in that no state run institution could display or search off of anything more than the last 4 digits of an SSN. Last summer Marshall University and I'm guessing the other higher ed schools in the reissued all new ID numbers and cards to all the students.
    • You said: "I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible."

      That's OK... neither does the Federal government. It is technically illegal to use a SSN for most purposes, as set forth in the Privacy Act of 1974, as well as the Social Security Act.
    • try This page [mma.edu] Last semester this page included SSN's with the home addresses and emails. It also used to have phone numbers. Due to public outcry some of the personal details were removed. But not all. There is no reason this page is linked directly from http://www.mma.edu/ [mma.edu] (academics, Student Schedules spring/fall)
    • I am a student at the UofC and know that the university uses a separate 6 digit ID number for identification.
      It sounds like to me this is more like there were some files out on the Web server that listed the SSNs of some of the students and had improper permissions.
      But yes I know this can be a huge problem. I used to go to a small university where they did use the SSN for an ID, mostly due to laziness. They didn't want to go through the trouble of having to create another unique ID for each student. I w
  • of companies who are losing data by the minute.

    Seriously, doesn't anyone take privacy seriously?
    • by Saven Marek ( 739395 ) on Friday May 27, 2005 @04:46PM (#12659226)
      > Seriously, doesn't anyone take privacy seriously

      The sites don't take it seriously because the students don't take it seriously.

      if privacy info was treated like money or like cars or like anything else people attach "worth" to then the blocks would have been patched 10 years ago and never allowed to leak!

      but people don't care about privacy breaks. you could have a telemarketer phone 100,000 people and say "hi is your name xxxxx and social security number yyyyyyy? if so then we have a deal for you!!!" but nobody would care.

      but if you had a telemarketer phone and say "hi I have your car here with me would you like a deal" well I bet law enforcement would close them down in days.

      but it's not going to happen because people in general don't care when their private details get let out. like if people get emailed by a company to their own name and address, they accept it. they get viruses they accept it. they get telemarketer custom phonecalls and they accept it.

      people are too used to it happening to care now.
      • by yali ( 209015 )
        If you call the cops and say "somebody has stolen my social security number," do you really think you'll get the same reaction as if you say somebody has stolen your car?

        In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting inf
      • I disagree. There was a direct link to a webpage with SSN's of every student on the main page at http://www.mma.edu/ [mma.edu] Due to student outcry, the SSN's and phone numbers were removed. The page is still linked, however, and still contains home addresses and emails. That page is here [mma.edu]
    • by a_greer2005 ( 863926 ) on Friday May 27, 2005 @04:51PM (#12659268)
      It is hard to take security seriously when NO ONE around you does. Here at school I have to give my SSN for everything, and every document I receive from the school has my SSN on it. I have repeatedly complained but no one gives a rat's ass; I point out situations like this and it falls on deaf ears.

      the problem is the "It can't happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. it seems like no one will learn until it is too late for them.

      the worst part is there is not a god damned thing I can do about it; everyone, like trained drones, gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...

      • Well, I'm certainly no expert on the subject of this matter as a resident (as opposed to a citizen), but perhaps you could mention that you will hold them responsible for damages?

        I would think that especially a formal letter to that regard should stir up some things.

        In any case, I do agree with others that the problem is with the value that a SSN (combined with some other personal data) has. But that's the reality of the situation. If people don't take you seriously, it would perhaps be an idea to mentio
    • until law suits are started. I rarely give my CC to sites that run MS (40% of https but nearly 100% of CC stolen). If ever my ID is stolen via the web, I will be suing the company. If possible, I will try to sue the CIO as well. Until these folks are held personally accountable, nothing will change.
  • by booyah ( 28487 ) on Friday May 27, 2005 @04:42PM (#12659181)
    Now their webserver seems awfully slow and unresponsive...

    Sysadmins are reporting a MASSIVE distributed denial of service attack... then they head over to /. to see how the rest of the world is going.... aw shit!
  • OOPS!

    What more is there to say?

  • by EnronHaliburton2004 ( 815366 ) * on Friday May 27, 2005 @04:46PM (#12659223) Homepage Journal
    I bet a large chunk of this problem stems from the fact that many (or most) colleges use your SSN as your Student ID Number.

    About 8 years ago, a City College of San Francisco sent out a bunch of postcards to the students (There are tens of thousands of part-time students there). The postcard (No envelope) contained some information on how to register, and a reminder of the students Student ID Number-- which was a SSN. On a fricken postcard.
    • I was about to ask "Wasn't using SSN as student ID numbers outlawed?" but obviously it isn't. My second year of college (1989) is when my university switched from SSN to 6 digit numbers. I thought all colleges did that in the early 90's.
    • My alma mater used SSN's for student ids until 2 years ago. They then (for our protection) implemented new id cards that had only 2 things on the mag stripe. The first was your new student id (also printed on the card), the second was a counter, so if you got a replacement card it incremented and the old one was no good. So, an unscrupulous person could swipe your card, re-encode it with the updated count, and do whatever they felt like on your credentials.

      Creepy as hell.
    • U. of C. does not use SSNs as student id numbers (or at least they didn't when I was there.)
    • There was a recent discussion on NANOG on this topic which ended with a fairly definitive statement from One Who Knows This Shit (actually it was Dan Golding) that virtually no colleges use SSNs as unique IDs any more [merit.edu]; but that they have to maintain *old* data, which *did* use SSNs as UIDs. I'm paraphrasing, badly; go read the archived post.
    • What is it with the US and social security numbers? How different are they from, say, a UK NI number?

      The only times I've ever needed my NI number have been:
      a) When I got a job
      b) When I registered to not have tax on my bank account interest.
      c) When applying for a US visa

      AFAIK my university doesn't know my NI number.
      To identify us we get a 7-digit number, which is pretty much only useful in exams, where it's printed for us, and a six-letter (half's our initials) code/email address used to identify us on a
    • There's a reason why CCSF, and many other public colleges, uses the SSN. Most public colleges are funded by the state based on enrollment, and are required to regularly submit enrollment and financial aid reports to their funding agencies (in the case of CCSF, the CCC Chancellors Office). These reports are legally required to include the SSN for each listed student (used for a wide array of purposes ranging from fraud prevention to tax reporting). Since the basic structures of most school record databases h

    • Yes, that WAS true eight years ago. Today City College uses a Student ID number - the SSN has been removed from the Student Schedule/Bill if I remember correctly (I had to rewrite it for the barcode project, but I think it was removed before that.)

      They still need to only ask for the SSN during application and issue the Student ID IMMEDIATELY upon completion of the Web application. The problem is the Banner system uses a batch job to stage the Web applications, then move them into Banner later, so the Web
  • Alumni reaction (Score:5, Interesting)

    by JJ ( 29711 ) on Friday May 27, 2005 @04:46PM (#12659227) Homepage Journal
    As an alumnus of the U of C, I have to say I'm not surprised. DCS was never permitted near the IS office and the enmity between the two just caused IS to be the most frequent target of pranks by DCS students.
    • As an alumnus and one whose graduation date falls within the years where data may have leaked I can say I'm a little disappointed with administrators.

      I was never overly impressed with the quality of staff that the university employed as systems administrators. By and large the students that worked the various posts made available to students were far more qualified and up-to-the-task.

      That said, I realize that administrators can't be responsible for all the content posted on university sites. However, any
    • Re:Alumni reaction (Score:3, Insightful)

      by aliebrah ( 135162 ) *
      I'm an alumnus of UChicago as well, I've posted a blog entry about how I think this event has been handled [ebrahim.org].
  • We have separate Student ID and Employee ID and we use those for everything except tax forms.

    But my sister works at UCSB and she says a lot of colleges and universities in the UC system still use SSN, at least just a while ago when she was working on a task force for data interchange.

  • ... of the campus paper.


    • Those morons(Maroons) are the same ones that will be saving your life! ------ You made my girlfriend cry.
    • Personally, i always loved the campus motto: "Where Fun Comes to Die".

      I miss U. of C.

      Wonder what the Chicago Weekly News' (the less disciplined, more anti-authoritarian, campus paper) take on this incident will be?
  • by Goronmon ( 652094 ) * on Friday May 27, 2005 @04:53PM (#12659295)
    At least they don't use your SSN as your ID number and print it on everyone's ID card like my school does =|
  • I think this is so common because of the flat refusal of many organizations to pay programmers and administrators anything close what they're worth. You get what you pay for, but nobody seems to care.
    • This is true, and it's absolutely wrong at the same time. How cool is that.

      I'll make the disclaimer now, I'm a UC employee and I work in IT. I'm not affiliated with NSIT, the group under whose watch this problem occurred.

      First off. There are plenty of very smart people working at UC. The quality and the size of the central IT staff is superior, imho, to that of my previous employer.. a State University that was actually larger (plenty of friends on staff at that State university and they are good sma
      • No, it's not even that. The server which had the sensitive data was not a server on which anyone should be putting anything sensitive. Dozens and dozens of people have some level of access, from students unaffiliated with NSIT to people working on the server itself, and the policy is clear: don't do stupid things like put up private information!

        So, some organization within the University (who I won't name) basically put up world-readable files with sensitive information on Krypton and, surprise, other pe
        • Thanks for the additional info. I'll admit, I've still not read the other links like that Maroon article.

          In the post you replied to, I was specifically trying to quell the absolutism and idiocy that is too common on slashdot (by a minority I like to believe).
          I primarily wanted to point out that lower pay than the industry doesn't mean there aren't talented people. There are a lot of talented people in NSIT, on campus, and at most if not all Universities. I know plenty of people who are more than smar
        • I wish I could edit posts. :-)
          I went and reread my initial post and I can easily see that it appears to let NSIT off the hook too easily. I really intended to say 'don't crucify them yet till you know the facts' but it did come out as 'this isn't their fault, it's the outside web developers'.
          I didn't intend that, I only meant to demonstrate that it's more complex an issue than "nsit must have done it".

          That's what I get for posting just before bed.

    • Well, sometimes you DON'T get what you pay for. An IT administrator with no clue can be devastating to an organization regardless of what he's paid.

      Case in point: City College bought the SCT Banner MIS system for over a million clams, along with $150K or so a year for "support".

      Then, to get REAL support, they hire a consultancy called SIG, and pay THEM $115K/year - just a couple weeks ago raised by another $85K to $195K just to "finish the conversion to Banner 6".

      As I've said before, if the College spen
  • Google Search!! (Score:4, Informative)

    by TubeSteak ( 669689 ) on Friday May 27, 2005 @04:56PM (#12659309) Journal
    Uni & Colleges are notorious for their insecure networks.
    They practically bleed information.

    http://www.google.com/search?q=site:edu [google.com]

    You can dig up SSN's, passwords, and various other juicy tidbits.

    College mailing lists are also nice treasure trove. They tend to be publicly archived, but the people mailing stuff out don't seem to be aware of the fact.

    They're also a good read just for the intra-office drama.

  • by Distan ( 122159 ) on Friday May 27, 2005 @04:56PM (#12659312)
    It seems like most of the focus is on how universities and companies aren't doing enough to secure this data, and that somehow if they try hard enough identity theft will go away.

    That is completely the wrong problem to solve.

    The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.

    Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.

    One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.

  • Either companies (or schools in this case) are getting more careless with delicate information, or it is being publicized more. I would tend to think that some organizations are getting so large that they can't possibly keep track of where all their information is at all times.

    I am not that concerned about identity theft as others, but it is happening so often that maybe these companies should be held accountable.

    I mean, just last week alone 600,000 people had their identities sold from 6 separate banks
  • @#$@#$ NSIT (Score:1, Informative)

    by Anonymous Coward
    I *work* in Desktop support at U of C and this is how I find out about it...
  • I have sent three letters to the U of C Registrar's Office this year after two department secretaries supplied information to a cyberstalker about me from their available files. Cal Black, the Registrar, said he'd get back to me, but of course he didn't. What a bunch of Maroons. Not surprised here.
  • http://www.itap.purdue.edu/newsroom/news.cfm?newsID=436 [purdue.edu]

    Only affected about 11,360 current and former employees...joy. They have switched over to a new numbering system, but only a few of the computer systems can handle the new numbers. They tell us to not use the new numbers just yet. Hehe...looks like by the _end_ of 2006 they'll have switched over...

  • by Doc Ruby ( 173196 )
    These SSN "leaks" will all be fixed by Bush. He'll replace the SSNs with an actual universal ID#, used throughout the American Hegemony, and destroy Social Security itself. Everyone knows socialism is dead, so Social Security is no security at all, right? Instead, we'll have Capital Security, in an "ownership society", where anyone's identity can be bought for a price, and security is just another profitable industry.
    • Moderation -1
      100% Offtopic

      The trend in SSN theft and SS destruction is "Offtopic" to the topic of U of C SSNs being published? TrollMods are antisocial and insecure.
  • How long it will take some one to compile complete (nearly) database of all US citizens. That will include almost vital information. What will be its use?
  • Just a quick FYI (Score:3, Informative)

    by skwang ( 174902 ) on Friday May 27, 2005 @05:22PM (#12659540)
    As a UC student I just want to let slashdotters know that the university does not use our SSN as our student ID.

    That doesn't excuse the networking staff from allowing this breach to occur, but I thought I would set the record straight.

    • Krypton was never designed to be a secure place to store files, and has thousands of users. This is no different than making files in your home directory world readable and then being surprised when users on the same machine can -- *gasp* -- read your files.

      None of these files were ever, as far as I know, available directly from the internet. You had to have access to Krypton, at the least.
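The failure described in this thread (lecithin's instructor page, the "unlinked" Access database, and the world-readable files on Krypton) is the same one each time: a file the owner thought was private is readable by every other account on a shared host, and it happens to contain SSNs. The scanner below is an added example, not NSIT's tooling or anything from the page; it walks a tree, keeps only regular files with the world-read bit set, and reports those containing values that pass the SSN issuance rules in force in 2005 (area 001-899 except 666, group and serial non-zero). The directory layout and file contents it builds are constructed sample data.

```python
"""Report world-readable files under a shared web tree that contain SSN-shaped
values. Added example for this thread, not University of Chicago or NSIT code;
the directory layout and file contents are constructed sample data."""
import os
import re
import stat
import tempfile

# Loose shape first; each hit is then checked against the issuance rules in
# force in 2005 (before SSN randomization): area 001-899 except 666,
# group 01-99, serial 0001-9999. This prunes ticket numbers and placeholders.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list[str]:
    """All plausible SSNs in a chunk of text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root: str, max_bytes: int = 1 << 20) -> list[dict]:
    """One finding per world-readable regular file containing plausible SSNs.
    Only the 'other' read bit is checked: on a host with thousands of local
    accounts that bit alone is the exposure; group-readability is a separate
    question."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_IROTH):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)   # cap so a huge log cannot stall the scan
            except OSError:
                continue
            hits = find_ssns(data.decode("utf-8", errors="replace"))
            if hits:
                findings.append({"path": path, "count": len(hits),
                                 "mode": oct(st.st_mode & 0o777)})
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed sample: a roster left world-readable in public_html, a file
    of non-SSN numbers with the same shape, and a correctly locked-down copy."""
    pub = os.path.join(root, "public_html")
    priv = os.path.join(root, "private")
    os.makedirs(pub)
    os.makedirs(priv)
    samples = [
        (os.path.join(pub, "roster.txt"),
         "Doe, Jane  123-45-6789\nRoe, Rick  234-56-7890\n", 0o644),
        (os.path.join(pub, "notes.txt"),
         "tickets 000-12-3456 and 666-12-3456 are not SSNs\n", 0o644),
        (os.path.join(priv, "roster.txt"),
         "Doe, Jane  123-45-6789\n", 0o600),
    ]
    for path, text, mode in samples:
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)


def run_demo() -> list[dict]:
    """Build the sample tree in a temp dir, scan it, return findings with
    paths relative to the tree (forward slashes) so they are easy to compare."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [dict(f, path=os.path.relpath(f["path"], tmp).replace(os.sep, "/"))
                for f in scan_tree(tmp)]


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['mode']} {f['path']}: {f['count']} SSN-like values")
```

Run it as the web server's user (or any unprivileged local account) rather than root: the point is to see what an arbitrary neighbour on the host can read, and a root scan would also report files that are in fact protected. Expect false positives from phone numbers and order IDs that happen to pass the format test; the fix for a true positive is not `chmod o-r` but moving the data off the shared host entirely, as the policy quoted above requires.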
  • From TFA "And there are 656,000 files on this system, each created by different people.

    Wow. 656000+ people at that school. No wonder they can only put up one file apiece, and that the admins can't educate all of their people to not use that one file to post sensitive data.

  • your info to be secure in this country... you are nuts. PERIOD

    Why?

    The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!

    Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.

    It is that simple, many Americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has
  • by Anonymous Coward
    They dubbed it affectionately the "data incident [purdue.edu]." From a few computers, hackers were able to glean 11,000 (eleven thousand!) staff records, including names, social security numbers, pants sizes, and favorite flavors of ice cream. (OK, so maybe I'm making the last two up.)

    Yes, I'm one of the disgruntled staff who must watch his credit for the rest of my life, and I'm pissed off.

  • Eye-for-eye. If an organization loses security on CC#, SSN, etc. of customers they must publicly post the SSN#s and CC#s of all their executives on the default page of a special web site run by the FTC for that purpose.

  • As a student employee at my university I was amazed at how little security there is on personal information. Sure the data is secure when the admissions department has it but once you start taking classes you are added into countless access databases where most of your information is stored in plain text form and usually not password protected. If someone were to type a wrong email when sending the database as an attachment or if someone's spouse used their laptop they would have access to thousands upon

    • Email errors do happen, you're right.

      The Registration Center at CCSF sent out emails about completed registration to everybody in the campus GroupWise address book last week. Fortunately Groupwise lets you delete emails from other people's mailboxes that you have sent.

      I've told them to stop using GroupWise to send out emails, and use the freakin' email list manager they have on the server! That's what list managers are FOR!
  • What are SSN's doing in unencrypted flat files anyway? At least encrypt them, better yet store them in an encrypted database field. No human should be able to see someone else's SSN (or CC#, or CC verification code, etc.) on a system, not even the admins. All that should be visible is the variable, not its value.
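The storage model the comment above asks for (no one, admins included, sees the value) is straightforward for the common case of matching and lookup, where the system never needs the SSN back. The example below is added here and is not code from any university SIS: it stores a keyed HMAC token plus a masked last-four for display, so a leaked table, a report, or a file copied onto a web server carries no SSN. The key is a stand-in; a real deployment loads it from a secret store or HSM, never from the database holding the tokens. Where the full value must be recoverable (the enrollment and tax reports another commenter mentions), the counterpart is reversible encryption with the key held outside the database, which is not shown here.

```python
"""Hold a keyed token and a display suffix instead of the SSN. Added example
for this thread, not code from any university system; the key below is a
placeholder that a real deployment would load from a secret store or HSM."""
import hashlib
import hmac
import re

SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw: str) -> str:
    """Canonical nine digits so 123-45-6789 and 123456789 tokenize alike."""
    m = SSN_SHAPE.match(raw.strip())
    if not m:
        raise ValueError("not an SSN-shaped value")
    return "".join(m.groups())


def tokenize_ssn(raw: str, key: bytes) -> str:
    """HMAC-SHA256 over the digits. A plain hash would not do: there are only
    10^9 possible SSNs, so an unkeyed digest is reversed by enumeration; the
    secret key is what stops an attacker who holds only the database."""
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()


def display_suffix(raw: str) -> str:
    """The only form of the number a person or a printout ever sees."""
    return "***-**-" + normalize_ssn(raw)[-4:]


class StudentStore:
    """In-memory stand-in for the student table: token and suffix only."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}

    def add(self, student_id: str, name: str, ssn: str) -> None:
        self._rows[tokenize_ssn(ssn, self._key)] = {
            "student_id": student_id,
            "name": name,
            "ssn_display": display_suffix(ssn),
        }

    def lookup_by_ssn(self, ssn: str):
        """Match an applicant who typed an SSN on a form to an existing row."""
        return self._rows.get(tokenize_ssn(ssn, self._key))

    def export_rows(self) -> list[dict]:
        """What a report, a mail merge, or a file on the web server would hold."""
        return list(self._rows.values())

    def leaks(self, ssn: str) -> bool:
        """True if the full SSN appears anywhere in the exportable rows."""
        digits = normalize_ssn(ssn)
        dashed = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
        blob = repr(self.export_rows())
        return digits in blob or dashed in blob


if __name__ == "__main__":
    store = StudentStore(b"demo-key-not-for-production")
    store.add("100123", "Jane Doe", "123-45-6789")   # constructed sample
    print(store.lookup_by_ssn("123456789"))
    print("full SSN in export:", store.leaks("123-45-6789"))
```

Rotating the key means re-tokenizing every row, so treat the key with the same lifecycle discipline as a database encryption key. The token does not protect against an attacker who also controls the key, and it cannot stop the original problem on this page, a person copying the source file with the raw numbers onto a shared host; it only guarantees that the systems downstream of intake never hold anything worth copying.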
  • by 44BSD ( 701309 ) on Friday May 27, 2005 @07:10PM (#12660485)
    ~badass$ cat > /etc/motd && chmod 444 /etc/motd

    Hello, fellow Maroonian.

    This server is connected to the big bad internet.

    University policy prohibits the storage of sensitive data upon it.

    Employees who violate policy will be fired. Students who violate policy will be expelled.

    Have a Nice Day.
    ^D
  • They made a big deal about students being known to the University by our names not a number!

    This was in the mid-70s.

    Sad that it changed.
