csua.org/u/9ki -> it.slashdot.org/it/04/10/20/1329217.shtml?tid=172&tid=158&tid=146&tid=17
timothy on Wednesday October 20, @09:37AM from the what-pleasant-fellows dept. aceta writes "An intruder penetrated a research computer at UC Berkeley in August and had access to names, social security numbers and other da ta for 14 million Californians participating in a state social program.
SecurityFocus additional details: the hacker used a known vulnerabilit y, and state officials have yanked the university's research access to t he data because of the breach.
This is just the sort of incident t hat can force the adoption of stringent laws. The thing is, the machine at Berkeley were the ones victimised but it seems to me that this type o f information will be sought after regardless of where it is. What I mea n is, although Berkeley should have hardened the machine against an intr ustion they were victimised because of the info they had, not who they w ere.
This is just the sort of incident t hat can force the adoption of stringent laws. As you all probably know I'm the last person that thinks that we should c reate laws due to overreaction but in this case I have to say that we do need more stringent laws against protecting SSNs. There is absolutely no reason that a researcher needed access to SSNs. Th ey should have all been assigned a random ID number and that should have been linked back to the SSNs and stored in the STATE OFFICES ONLY for l ater cross referencing. We have all these demands for SSNs and we are supposed to be protecting t hem as our entire history is linked to them yet we don't have any real p rotections when they are.
org/) The problem is nobody actually cares about that minor little legal detail . I wish the government would crack down on this and take care of identi ty theft once and for all. When I told her it was illegal to use them as an ID number she told me it wasn't illegal to refuse me service. As long as there's no way to enforce the rules the rules are worthless. Now, in this case SSNs were likely necessary in the first place but they are probably unnecessary for research and thus my suggestion that the re cords should have been linked to a random ID number that was only able t o be cross-referenced later at the State office.
They're saying you can refuse to give it b ut that may mean you have to go without the service requesting it and th en they mention a utility as an example and say "the choice is yours". S o if you want to keep your SSN as private as possible you may have to li ve without electricity and water?
Friday September 17, @09:36AM) I still have my SS card issued in the 1960s. It says, and I quote: "FOR SOCIAL SECURITY AND TAX PURPOSES -- NOT FOR IDENTIFICATION." Expanding government, when you lie to do it (and the lie was that the SSN was/is not gonna be used as a de-facto National ID card/number) is mora lly-wrong. Various events/excuses (I can see a 9/11 thread looming, so I 'm trying to pre-squelch that now) don't make the moral-wrong of lying t o expand government suddenly become right.
org/) The data, which included home addresses, telephone numbers and dates of b irth, was being used at the state's authorization but without the consen t of the individuals whose information was being used in the study. The title says it included SSNs but the article doesnt mention them. What the hell does a researcher need to have SSN s for anyway? The university detected its computer system had been broken into at the e nd of August, but did not notify the state until Sept.
I wonder if the people that were included in that database (that should have been kept on a c ompletely secluded network IMHO) were contacted September 28th or if th ey had to wait until three bureaucratic agencies had done their own inv estigations Both my wife and my mother-in-law are most likely contained in that datab ase (my wife as a former IHSS caregiver, my mother-in-law as a current I HSS care-receiver), and this is the first I've heard of this break-in. T o be honest, I feel betrayed the state of California's apparent lackadai sical approach to guarding these social security numbers. Why would thes e numbers be shared with a university for research purposes anyways? It really doesn't make sense anyways, and I don't recall my wife signing an y type of release to allow this personal information being used for rese arch purposes.
Wednesday Sept ember 29, @10:22PM) It makes you wonder... Why does a research program need access to social security numbers, phone numbers, and the like? I think the real story is the State of California sharing too much person al information, regardless of how the hacker got access to it.
They typical ly don't have sufficient staff to maintain such tight control over netwo rk access. Why would such sensitive information be kept on inherently vu lnerable networks in the first place?
My 27,000 student body university weathers most of the worms better than most large businesses, despite having little control over the computers on the network. Assuming a lack of zer o day exploits (as is true in this case), there's no reason an important server is any less safe in an accademic environment than a corporate on e Someone was asleep at the wheel, and you'll find that anywhere.
It took years for my ex-school to switch to ssh and ban outside t elnet-ing. At the conclusion of one discussion, the head admin said, tha t she is still not convinced, they need ssh, but that she might consider disabling rsh... May be, because it is a government-run school, I don't know. To protect my accoun t, I have to ssh in and create a tunnel -- this way I am only exposed to a hacker already on the department net... The only real admin I know there seems quite competent, but either he is overloaded by work or the security just is not a high priority, I guess. They have a nice policy, of keeping accounts of alumnis alive for as long as they are active, though.
The purpose of the study was to study the impact of wages on in-home care. The agency that provided the data should have eliminated the names and SSN's and replaced them with a unique identifier. This smacks of laziness on the part of the data provider and the research er.
Since it is sensitive data we figured it would be best to get word out to people so they can t ake preventive measures just in case." Preventive measures like changing their name, address, SSN and date of bi rth?
org/) The thing that worries me about these sorts of news articles is the fact that there are probably 10x as many similar intrusions which go undetect ed. I imagine that most crackers worth their salt would be concerned wit h covering their tracks! Which is why I always say "NO" when asked by online stores, "Would you li ke us to remember your credit card number for future transactions?"
net/) Oddly enough, the large University I work for has been discussing making two or three seperate networks inside the univesrity to keep something l ike this from happening. Presently, the Hospital has their own private n etwork interconnected to our network via a firewall. We have been toying with the idea of making a private network for sensitive university mach ines an faculty networks. Thus then leaving the students and other netwo rk users on a more normal public network, behind the border firewall of course. The discussion of data security has come more than once and now I'm just waiting for that email saying, 'it's on'.
or some other ubber-c onservative school, we'd never hear the end of conspiracy theories viz. rights-trampling and spying on fellow citizens (not that there was anyth ing in there unknown to the government yet). Let's see, how it plays out for this ubber-liberal establishment.
Payroll includes the information supposedly stolen from this database, Social security numbers, home addresses, age, date of bi rth as well as a lot of financial information giving access to the earni ngs of many for many years. I'm wondering when the Indian company (or some person within that company ) decides to legally sell that information to some Moldavian Mafiosi. I' ll bet there are no Indian laws regarding the release of Social Security numbers and financial information of Americans.
When we pass...
|
http://csua.com/feed/