U of C Student Information Compromised
fhqwhgads writes "SFTP access to the University of Chicago's web server has been temporarily blocked as Networking Services and Information Technology (NSIT) responds to 'the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site.' The Chicago Maroon is reporting that this was done without escalation of privileges, and that some files were accessible from the internet."
seen it before, will probably see it again. (Score:5, Interesting)
HI MY NAME IS COLLAGE FRESHMAN. MY SOCIAL SECURITY NUMBER IS XXX-XX-XXXX. i WASNT IN CLASS TODAY AND WANTED TO KNOW IF THERE WAS ANY HOMEWORK DUE.
Each entry (about 50) had students' names and social security numbers.
I contacted the instructor via email and let him know about the problem. The email was acknowledged but 3 months later, the SSNs were still up.
I then contacted one of the students. The page was 'secured' in 1 day.
I do not see the need for Colleges to have our SSNs or track the students via that number. I don't think they care enough to be responsible.
Re:seen it before, will probably see it again. (Score:2, Informative)
Re:seen it before, will probably see it again. (Score:2)
City College of San Francisco used SSNs up until a couple years ago. They have changed to issuing a Student ID. SSN is still usable, particularly before the student is assigned a Student ID in the application process - something I think is ridiculous. The student should be given a Student ID as soon as he applies over the Web so he NEVER has to enter his SSN subsequent to his application.
We have begun issuing student ID cards with barcodes which are compatible with the college library barcode systems, but
Re:seen it before, will probably see it again. (Score:2, Funny)
But seriously, my college just last year switched from plastering SSNs on IDs and such, IDs used for meals, building entry, even registration at student government meetings, to a university-only number. This doesn't surprise me one bit, and really it could have happened at a lot of colleges a long time ago.
Re:seen it before, will probably see it again. (Score:3, Interesting)
But who cares if someone steals your SSN? Your library card # is what really matters to U of C students. I don't think they can survive long without access to the Reg.
Re:seen it before, will probably see it again. (Score:2)
You can use that ID for university-related business only and it works extremely well. For example, to access the website to schedule courses and exams, I need to log in with that university ID string and my password. If someone gets to know your universit
Re:seen it before, will probably see it again. (Score:2)
That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the States). But, at least the ID itself reveals little or
Re:seen it before, will probably see it again. (Score:2)
Without a password? Absolutely zero.
Re:seen it before, will probably see it again. (Score:2)
Christ. What exactly do you think "access" meant? Unfortunately, it isn't uncommon to find student workers who know the SIS username and password of the faculty or staff member they assist.
Re:seen it before, will probably see it again. (Score:2)
Re:seen it before, will probably see it again. (Score:3, Interesting)
You: If someone gets to know your university id, not much they can do with it, at max they can get your real name, but the rest is optional (user-selectable) to disclose, like email address, etc.
Me: That depends on which system they can access once they have your university ID. If you can use it to register for courses and such, then it must tie back to the main student information system (SIS), which stores all of your information (including SSNs, here in the St
Re:seen it before, will probably see it again. (Score:2)
That depends on the password strength, among other things.
The SCT Banner college MIS system, for instance, uses a Student ID and a minimalist six-digit PIN number to control access to the student's account. That PIN number would be trivial to break since most people use 6 of the same number or something like '123456'. If you can get the student id (and some instructors insist on posting it on grade reports tacked to their doors), you've got half the access right there.
If you have a standard system that r
But how else do you learn your SSN? (Score:2)
Re:seen it before, will probably see it again. (Score:2)
And therein lies the crux of the problem. On most college and uni campuses, the publishing of data isn't controlled by a "webmaster" or other campus employee. In our case, we give our
Re:seen it before, will probably see it again. (Score:1)
Re:seen it before, will probably see it again. (Score:2)
That's OK... neither does the Federal government. It is technically illegal to use an SSN for most purposes, as set forth in the Privacy Act of 1974, as well as the Social Security Act.
Re:seen it before, will probably see it again. (Score:2)
Re:seen it before, will probably see it again. (Score:1)
It sounds like to me this is more like there were some files out on the Web server that listed the SSNs of some of the students and had improper permissions.
But yes I know this can be a huge problem. I used to go to a small university where they did use the SSN for an ID, mostly due to laziness. They didn't want to go through the trouble of having to create another unique ID for each student. I w
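The story summary and this post describe the failure concretely: files carrying SSNs sitting under a shared web root with permissions loose enough for unrelated developers (and, per the summary, possibly the internet) to read them. Below is an added example, not code from this thread, from NSIT or from the University, of the kind of audit a web-server administrator could run over a shared web root: it walks the tree, flags regular files whose contents look like SSNs, and records whether each is readable by group or world. The directory layout, file names, names and numbers are all constructed for the demonstration.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# nnn-nn-nnnn layout of a US SSN. A heuristic: anything else shaped like
# this (some nine-digit ids) will match too, so findings need review.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    path: str             # relative to the audited root
    world_readable: bool  # 'other' read bit set
    group_readable: bool  # 'group' read bit set
    ssn_count: int        # number of SSN-shaped tokens found


def _count_ssn_like(path, max_bytes=1_000_000):
    """Count SSN-shaped tokens in the first max_bytes of a file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return 0
    return len(SSN_RE.findall(data.decode("utf-8", errors="ignore")))


def audit_tree(root):
    """Walk root and return a Finding for every regular file that holds
    SSN-shaped data, with its group/world read bits recorded."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):  # skip symlinks, sockets, etc.
                continue
            count = _count_ssn_like(path)
            if count == 0:
                continue
            findings.append(Finding(
                path=os.path.relpath(path, root),
                world_readable=bool(mode & stat.S_IROTH),
                group_readable=bool(mode & stat.S_IRGRP),
                ssn_count=count,
            ))
    findings.sort(key=lambda f: f.path)
    return findings


def exposed_paths(findings):
    """Paths from audit_tree() readable by anyone other than the owner."""
    return [f.path for f in findings if f.world_readable or f.group_readable]


def build_sample_tree():
    """Create a constructed web root in a temp dir (hypothetical data)."""
    root = tempfile.mkdtemp(prefix="webroot_audit_")
    samples = {
        # a roster another developer (or the web) could read: the bad case
        "course101/roster.txt": (
            "Alice Example, 123-45-6789\nBob Example, 987-65-4321\n", 0o644),
        # ordinary page with no sensitive data
        "course101/index.html": ("<html><body>Welcome</body></html>\n", 0o644),
        # phone numbers are 3-3-4, so they do not trip the SSN pattern
        "contact.txt": ("Office: 312-555-0100\n", 0o644),
        # sensitive, but owner-only: still worth listing, not 'exposed'
        "private/grades.csv": ("Carol Example,111-22-3333,A\n", 0o600),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # explicit, so the umask does not interfere
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_tree(sample_root):
        print(finding)
    print("exposed:", exposed_paths(audit_tree(sample_root)))
```

Run against the sample tree, the roster is reported as exposed (group and world readable) while the owner-only grades file is listed but not exposed, and neither the HTML page nor the phone-number file appears. On a real shared host the interesting bit is usually the group bit, since a web-developer group shared across unrelated sites is exactly the situation the summary describes; the regex is only a first filter and every hit still needs a human to confirm what the file is and who legitimately owns it.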
Add it to the list (Score:2)
Seriously, doesn't anyone take privacy seriously?
Re:Add it to the list (Score:4, Insightful)
The sites don't take it seriously because the students don't take it seriously.
if privacy info was treated like money or like cars or like anything else people attach "worth" to then the blocks would have been patched 10 years ago and never allowed to leak!
but people don't care about privacy breaks. You could have a telemarketer phone 100,000 people and say "hi is your name xxxxx and social security number yyyyyyy? if so then we have a deal for you!!!" but nobody would care.
but if you had a telemarketer phone and say "hi I have your car here with me would you like a deal" well I bet law enforcement would close them down in days.
but it's not going to happen because people in general don't care when their private details get let out. Like if people get emailed by a company to their own name and address, they accept it. They get viruses, they accept it. They get telemarketer custom phone calls and they accept it.
too used to it happening to care now are people.
Re:Add it to the list (Score:3, Interesting)
In a weird way, this problem seems like a bass-ackwards parallel to copyright infringement. In both cases, it is unlike a traditional theft because information is copied with no loss to the original holder. So the infringers do not value the information as much as the infringed-upon. (But in this case, the little guy is the one getting inf
Re:Add it to the list (Score:2)
Re:Add it to the list (Score:5, Interesting)
the problem is the "It can't happen to me, not in this little town, that only happens in the big city" mindset of old applied to technology. It seems like no one will learn until it is too late for them.
the worst part is there is not a god damned thing I can do about it; everyone, like trained drones, gives it out freely, without thought of the consequences, and when the policy is questioned, they look at me like my tin foil hat is too tight or something...
Re:Add it to the list (Score:2)
I would think that especially a formal letter to that regard should stir up some things.
In any case, I do agree with others that the problem is with the value that a SSN (combined with some other personal data) has. But that's the reality of the situation. If people don't take you seriously, it would perhaps be an idea to mentio
Will not happen ... (Score:2)
Re:For once, (Score:1)
Adding Insult to Injury (Score:3, Funny)
Sysadmins are reporting a MASSIVE distributed denial of service attack... then they head over to
1 ... 2 ... 3 ... (Score:1, Troll)
What more is there to say?
SSNs as Student ID Numbers (Score:5, Interesting)
About 8 years ago, City College of San Francisco sent out a bunch of postcards to the students (there are tens of thousands of part-time students there). The postcard (no envelope) contained some information on how to register, and a reminder of the student's Student ID Number, which was an SSN. On a fricken postcard.
Re:SSNs as Student ID Numbers (Score:2)
Re:SSNs as Student ID Numbers (Score:1)
Creepy as hell.
Re:SSNs as Student ID Numbers (Score:2)
Re:SSNs as Student ID Numbers (Score:2)
Re:SSNs as Student ID Numbers (Score:2)
Who knows, maybe thats where the numbers were showing up.
Re:SSNs as Student ID Numbers (Score:2)
Re:SSNs as Student ID Numbers (Score:1)
The only times I've ever needed my NI number have been:
a) When I got a job
b) When I registered to not have tax on my bank account interest.
c) When applying for a US visa
AFAIK my university doesn't know my NI number.
To identify us we get a 7-digit number, which is pretty much only useful in exams, where it's printed for us, and a six-letter (half is our initials) code/email address used to identify us on a
Re:SSNs as Student ID Numbers (Score:2)
Re:SSNs as Student ID Numbers (Score:2)
Yes, that WAS true eight years ago. Today City College uses a Student ID number - the SSN has been removed from the Student Schedule/Bill if I remember correctly (I had to rewrite it for the barcode project, but I think it was removed before that.)
They still need to only ask for the SSN during application and issue the Student ID IMMEDIATELY upon completion of the Web application. The problem is the Banner system uses a batch job to stage the Web applications, then move them into Banner later, so the Web
Re:SSNs as Student ID Numbers (Score:2)
Your bank and your school, etc., aren't supposed to be using the SSN at *all* for this sort of thing.
Alumni reaction (Score:5, Interesting)
Re:Alumni reaction (Score:1)
I was never overly impressed with the quality of staff that the university employed as systems administrators. By and large the students that worked the various posts made available to students were far more qualified and up-to-the-task.
That said, I realize that administrators can't be responsible for all the content posted on university sites. However, any
For the last time! (Score:1)
Plural: Alumni
Can't anyone get this straight? It's absolutely rediculous!
Re:For the last time! (Score:1)
Re:Alumni reaction (Score:3, Insightful)
Re:Alumni reaction (Score:2)
Here at the UW we don't use SSN (Score:1)
But my sister works at UCSB and she says a lot of colleges and universities in the UC system still use SSN, at least just a while ago when she was working on a task force for data interchange.
Love the name... (Score:2)
Re:Love the name... (Score:1)
Re:Love the name... (Score:1)
I miss U. of C.
Wonder what the Chicago Weekly News' (the less disciplined, more anti-authoritarian, campus paper) take on this incident will be?
Re:Love the name... (Score:2)
Lighten up.
I knew that. I used to spend quite a bit of time at UofC years ago. Ran many a time on their old dirt indoor track (they used to hold indoor marathons on that beast) as well as in their 'new' fieldhouse (well, it was new in the later '70s). Spent many a summer at the productions of the Court Theatre when it was held outdoors on campus. One of my favorite bars in the world is Jimmy's (God rest his soul), dive that it is. A couple of friends have taken advanced degrees from there. As a result, e
Hey, you know what... (Score:3, Funny)
Bigger Problem (Score:2)
Re:Bigger Problem (Score:2)
I'll make the disclaimer now: I'm a UC employee and I work in IT. I'm not affiliated with NSIT, the group under whose watch this problem occurred.
First off, there are plenty of very smart people working at UC. The quality and the size of the central IT staff is superior, imho, to that of my previous employer, a State University that was actually larger (plenty of friends on staff at that State university and they are good sma
Re:Bigger Problem (Score:2)
So, some organization within the University (who I won't name) basically put up world-readable files with sensitive information on Krypton and, surprise, other pe
Re:Bigger Problem (Score:2)
In the post you replied to, I was specifically trying to quell the absolutism and idiocy that is too common on slashdot (by a minority, I like to believe).
I primarily wanted to point out that lower pay than the industry doesn't mean there aren't talented people. There are a lot of talented people in NSIT, on campus, and at most if not all Universities. I know plenty of people who are more than smar
Re:Bigger Problem (Score:2)
I went and reread my initial post and I can easily see that it appears to let NSIT off the hook too easily. I really intended to say 'don't crucify them yet till you know the facts' but it did come out as 'this isn't their fault, it's the outside web developers'.
I didn't intend that; I only meant to demonstrate that it's a more complex issue than "NSIT must have done it".
That's what I get for posting just before bed.
Re:Bigger Problem (Score:2)
Well, sometimes you DON'T get what you pay for. An IT administrator with no clue can be devastating to an organization regardless of what he's paid.
Case in point: City College bought the SCT Banner MIS system for over a million clams, along with $150K or so a year for "support".
Then, to get REAL support, they hire a consultancy called SIG, and pay THEM $115K/year - just a couple weeks ago raised by another $85K to $195K just to "finish the conversion to Banner 6".
As I've said before, if the College spen
Google Search!! (Score:4, Informative)
They practically bleed information.
http://www.google.com/search?q=site:edu
You can dig up SSNs, passwords, and various other juicy tidbits.
College mailing lists are also a nice treasure trove. They tend to be publicly archived, but the people mailing stuff out don't seem to be aware of the fact.
They're also a good read just for the intra-office drama.
Focus is on the wrong problem. (Score:5, Insightful)
That is completely the wrong problem to solve.
The true problem is that we have developed a system where knowing somebody's identifying information (name, address, SSN, DOB, etc) gives you power. Instead of approaching the impossible task of keeping this information secure, we should instead approach the solvable task of dismantling the system that gives this information so much power.
Imagine that the "master tape" of SSNs for every citizen in the United States had been publicly leaked, and that it was being openly shared on P2P networks. How would we put the cat back in the bag? If you can solve that question, then you are on the right path.
One idea: pass a law prohibiting anyone, governmental or non-governmental, from using the SSN for any purpose other than administrating social security taxes. Take the power away from that number. Since nobody would ask for it, or care what it was, for anything except your social security taxes, no harm could come from sharing it.
Re:Focus is on the wrong problem. (Score:2)
Re:Focus is on the wrong problem. (Score:2)
When applying for a credit card, what would we use as personal identification if the SSN was omitted? Wouldn't that then mean that anyone who knows my address, name and phone number, i.e. anyone who has access to the white pages, would be able to take out a credit card in my name? Short of biometrics I don't see an alternative. Maybe I'm not creative enough.
Re:Focus is on the wrong problem. (Score:2)
And how exactly is that different from the current situation?
Re:Focus is on the wrong problem. (Score:2)
Re:Focus is on the wrong problem. (Score:1)
Re:Focus is on the wrong problem. (Score:1)
Wow... (Score:1)
I am not as concerned about identity theft as others, but it is happening so often that maybe these companies should be held accountable.
I mean, just last week alone 600,000 people had their identities sold from 6 separate banks
@#$@#$ NSIT (Score:1, Informative)
Alumna reaction (Score:1)
Re:Alumna reaction (Score:1)
Re:Alumna reaction (Score:1)
Same thing for Purdue University (Score:2, Informative)
Only affected about 11,360 current and former employees...joy. They have switched over to a new numbering system, but only a few of the computer systems can handle the new numbers. They tell us to not use the new numbers just yet. Hehe...looks like by the _end_ of 2006 they'll have switched over...
Ignorance is Strength (Score:2, Interesting)
Re:Ignorance is Strength (Score:1, Offtopic)
100% Offtopic
The trend in SSN theft and SS destruction is "Offtopic" to the topic of U of C SSNs being published? TrollMods are antisocial and insecure.
Re:Ignorance is Strength (Score:2)
You blame some imaginary Social Security threat to the Constitution on FDR, though it's been 50 years, and we've become much more fascist, not Communist, ever since. With even the "Number of the Beast" remaining merely a bureaucratic metho
Question? (Score:1)
Re:Question? (Score:1)
It's not your information. It's information about you.
-- John Ford, Vice President, Equifax
365/24 SPAM (Score:2)
Just a quick FYI (Score:3, Informative)
That doesn't excuse the networking staff from allowing this breach to occur, but I thought I would set the record straight.
Re:Just a quick FYI (Score:2)
None of these files were ever, as far as I know, available directly from the internet. You had to have access to Krypton, at the least.
Re:Just a quick FYI (Score:2)
Second, Chicago does not use SSNs as student IDs.
Re:Just a quick FYI (Score:2)
Re:Just a quick FYI (Score:2)
I don't think you understand the size of Krypton and just how many files and users of various levels of access there are.
Google (Score:1, Troll)
Mod parent up (Score:2)
Not that it matters anyway - Google is merely the tool, and as anyone who has read a file swapping discussion on
big school ... (Score:1)
Wow. 656000+ people at that school. No wonder they can only put up one file apiece, and that the admins can't educate all of their people to not use that one file to post sensitive data.
if you are expecting... (Score:2, Interesting)
Why?
The U.S. could not avoid the hijacking of airplanes in front of everybody and you want your personal info to be safe? HA!!
Seriously, this country, the people, have no real respect for one's job. Why? Well, it was even on the Simpsons show. Homer even said "do it the American way, do it half ass!" or something like that.
It is that simple, many Americans do it HALF ASS. And people wonder why other countries hate the US. The U.S. has
It happened at Purdue University just last week! (Score:2, Informative)
Yes, I'm one of the disgruntled staff who must watch his credit for the rest of my life, and I'm pissed off.
Re:It happened at Purdue University just last week (Score:2)
There needs to be an appropriate penalty for this. (Score:2)
Eye-for-eye. If an organization loses security on CC#, SSN, etc. of customers, they must publicly post the SSNs and CC#s of all their executives on the default page of a special web site run by the FTC for that purpose.
don crabb would have secured this (Score:1)
From someone who works with this data. (Score:1)
Re:From someone who works with this data. (Score:2)
Email errors do happen, you're right.
The Registration Center at CCSF sent out emails about completed registration to everybody in the campus GroupWise address book last week. Fortunately Groupwise lets you delete emails from other people's mailboxes that you have sent.
I've told them to stop using GroupWise to send out emails, and use the freakin' email list manager they have on the server! That's what list managers are FOR!
Flat files? (Score:2)
Technical solution (Score:3, Funny)
Re:Technical solution (Score:2)
When I went to U of C they did not use SSN! (Score:2)
This was in the mid-70s.
Sad that it changed.
Re:Meanwhile (Score:2)
Re:who actually needs to get your SSN# anyway? (Score:2)
Re:who actually needs to get your SSN# anyway? (Score:2)
Check your bank on that login ID.
I thought Wells Fargo needed that, too, until they informed me I could use any login name I want (which, however, is NOT tested for strength apparently). Check whatever account maintenance screen they give you, maybe you can give yourself a strong login name.