back to article Uni of Maryland hacked: 300,000 SSNs of staff, students, alumni swiped

Former and current staff and students at the University of Maryland are going to be getting a free year of credit score protection after hackers slurped the names, social security numbers, dates of birth, and university identification numbers for 309,079 people. "The University of Maryland was the victim of a sophisticated …

COMMENTS

This topic is closed for new posts.
Facepalm

Sophisticated computer security attack?

"The University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information"

You mean someone opened an executable attachment ..

10
0
Anonymous Coward

Re: Sophisticated computer security attack?

nah. Its more likely to have been "select * from users;" after getting onto a MySQL DB as root user with no password. 'sophisticated'...they say...

3
0

Re: Sophisticated computer security attack?

My bet is on a usb-stick plugged into the back because the front slots were taped over to prevent unauthorised plug-ins.

1
0

Re: Sophisticated computer security attack?

By "Sophisticated" what they actually mean is something along the lines of

union+select+1,2,

(FOR(SELECT

user.data

FROM(

info_Agent

)WHERE x = 0 : list(information_schema.size()) & DROP table_name[x]

)x+1),4,5,6

--

On a cfm page since university of maryland horribly sanitized their parameters for cfm pages. Let me correct horribly, I meant "they DIDNT EVEN TOUCH sanitization of params", thats quite said infact since coldfusion literally provides a security library for sanitization of parameter functions...

1
0

Perhaps it's time to think about security?

It's not just bored teenagers anymore, we're in a world where Billions of people in countries of low income have access to the internet and very little chance of being caught or punished. We, as an industry, need to put our quest for speed and cost reduction and bells and whistles on hold for a little while, and put some serious effort into security.

I think we should do it soon.

2
0
Silver badge
Holmes

Re: Perhaps it's time to think about security?

Pretty sure I have heard that speech back before the "Global Wars On Stuff" and possibly even the delicious Greenspan-fuelled dotcom bubble. Maybe back in President Clingon's times.

Been rummaging in old ASCII texts, have you?

0
0
Bronze badge
Joke

Re: ... and put some serious effort into security.

Didn't you get the memo???????

Security costs money, which can be better used to pad the executive bonus account, or give to the stockholders. Why should we pay out for security????

</sarcasm>

But, you do know that is the line of thinking of damagement.

1
1
Anonymous Coward

Are they sure it wasn't a training exercise for the lads and lasses up the road? Would they admit to the Feds that they were just trying out ideas/theories against local targets? Or would that information be classified as beyond the level the FBI are cleared for?

2
1
Bronze badge

Stupid

It's stupid that the U.S. government doesn't take the most obvious precaution against identity theft: routinely issuing replacement Social Security Numbers whenever something like this happens, so that the old number that was obtained becomes totally useless.

3
0

Re: Stupid

What is really stupid is anyone that treats the Social Security number as a secret and uses it as an authenticator rather than just as an identifier.

Also it isn't "identity theft" it is bank fraud. The whole identity theft meme is a victim and blame shifting exercise.

5
0
Silver badge
Holmes

Re: Stupid

This discussion has been had in the early 90's.

Nothing happened.

0
0
Silver badge

Re: Stupid

There are several mechanisms for replacing SSN's if the person it is assigned to, or people they associate with, is placed in danger by the number.

The problem is that, more on this in the next paragraph, when you start fiddling with SSN's it causes ripples and unseen consequences far, far away from the person who got a new number.

Those consequences are so far reaching because it is not only the governments primary method of identifying you, it is the primary method every company in the country uses to identify you. Obviously your employers, but also doctors, insurance companies, casinos, pharmacies, shopping 'clubs', golf courses, private clubs, stables, freight companies, trade unions, tax perpetration firms, schools, payroll companies, retirement funds managers, lawyers, political action committees, law enforcement, property management companies, commercial contractors, landlords, state voting authorities, movie rental places (are those still a thing) extended stay hotels, anyplace where you send your kids, your fucking veterinarian.

The list is fairly endless. People and places that you know don't need that info require it anyway. It's that last sentence that really screws everything up. It is illegal for anyone outside the government to force you to give them your SSN, but it is also legal for them to deny you service if you refuse to comply. No SSN, no glasses for your kid. No SSN, no emergency medical treatment for your dog.

All that's required is that someone requesting your SSN have a publicly available privacy notice. In accordance the rules that notice must be posted in a conspicuous place which is almost always behind the 7,300 pound yak they've somehow trained to sit in a chair and repeat a selection of absolutely meaningless statements while very preoccupied with People magazine from October, 1998.

Some states have laws that allow you to refuse putting your SSN on a paper form and have it manually entered into the computer. That's not a bad idea, it's rather a good idea actually. But those laws don't prevent them from putting the number on the form themselves. Which is exactly what they do. It's a service provided by whoever deals with your archives. They print labels with your SSN and stick them on the forms before moving the documents to long term archives.

It's all really dumb. The disconnects between any two entities has always provided a bit of a safety margin. But that's being broken as we speak as data centralization continues to expand. I expect a bunch more shit will happen before somebody steps in to correct the system.

1
0
Silver badge

Re: Stupid

The whole SSN regime needs to be redone. Part of the reason they probably don't issue new ones is that they already have to recycle numbers. You'd think with that many digits there's be more than enough not to worry about that. But they include some geographic identifiers in the number, so there aren't as many as you think there are.

After that, they were ONLY supposed to be used for purposes of tracking income tax, not as a replacement for a national id card. There's no good reason for any university to have your SSN number if you are only a student. And if you work for them, that information should be in a completely separate system with limited internet access. And I say that as someone who attended a university where my student number WAS my SSN. Of course given that was more than 20 years ago, I don't expect it will change.

0
0
Silver badge

"300,000 SSNs swiped "

Nope - the SSN's have not been stolen - I still have mine.

Identity can not be stolen, merely forged or copied. The solution to this problem is not to penalize the "victims" of this data copying but instead to make the banks and other organizations liable when they either hand out the data entrusted to them or sell services/make loans based of the information and then blame the "victim" - Identity Theft is a scam perpetrated the Banks to avoid admitting that they gave away money/goods without bothering to check.

5
1

Re: "300,000 SSNs swiped "

Actually, yes it can be "Stolen".

Take note, it's impossible to provoke the inevitable, and in our generation, this would be social engineering. Remember - "There's no patch for human stupidity" - Social society can easily be cloaked by some other identity, just as you use it online, except in this case it would be through

communications. A.K.A present day Nigerian scams - picture the same scenario, except in this

case they have all the information about you.

@_BugTracK

0
0
Silver badge

Re: Actually, yes it can be "Stolen".

Really? I woke up this morning and, after commenting in El Reg last night, I found that my identity had been stolen. I have no name, I don't know who I am and I'm sleeping on a park bench and my head hurts ...

Now, about those fifteen Pan Galactic Gargle Blasters that I drank last night ... I have no memory of them either because my identity has been stolen ... maybe I'll get my identity back when I sober up?

1
1
Silver badge
Trollface

Re: Actually, yes it can be "Stolen".

my head hurts

Luckily no body orifices emit painful signals. That's the good news.

maybe I'll get my identity back when I sober up?

Sure. "We can remember it for you wholesale".

3
0
Silver badge

Re: "300,000 SSNs swiped "

No the problem as Don correctly pointed out is that too many people who have no justifiable reason have the data. The law needs to revert to its original form where the only thing it was used for was tracking income for tax purposes. That leaves it with government, banks (or bank equivalents), investment firms and your employer. Nobody else should ever have need of your SSN.

0
0
This topic is closed for new posts.

Forums