Uni of Maryland hacked: 300,000 SSNs of staff, students, alumni swiped

Former and current staff and students at the University of Maryland are going to be getting a free year of credit score protection after hackers slurped the names, social security numbers, dates of birth, and university identification numbers for 309,079 people. "The University of Maryland was the victim of a sophisticated …

COMMENTS

This topic is closed for new posts.
  1. pacman7de

    Sophisticated computer security attack?

    "The University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information"

    You mean someone opened an executable attachment ..

    1. Anonymous Coward

      Re: Sophisticated computer security attack?

      nah. It's more likely to have been "select * from users;" after getting onto a MySQL DB as root user with no password. 'sophisticated'...they say...

      1. HW de Haan

        Re: Sophisticated computer security attack?

        My bet is on a usb-stick plugged into the back because the front slots were taped over to prevent unauthorised plug-ins.

    2. _BugTracK

      Re: Sophisticated computer security attack?

      By "Sophisticated" what they actually mean is something along the lines of

      union+select+1,2,
      (FOR(SELECT
      user.data
      FROM(
      info_Agent
      )WHERE x = 0 : list(information_schema.size()) & DROP table_name[x]
      )x+1),4,5,6
      --

      On a cfm page, since the University of Maryland horribly sanitized their parameters for cfm pages. Let me correct "horribly", I meant "they DIDN'T EVEN TOUCH sanitization of params"; that's quite sad in fact, since ColdFusion literally provides a security library for sanitization of parameter functions...

  2. Chris T Almighty

    Perhaps it's time to think about security?

    It's not just bored teenagers anymore, we're in a world where Billions of people in countries of low income have access to the internet and very little chance of being caught or punished. We, as an industry, need to put our quest for speed and cost reduction and bells and whistles on hold for a little while, and put some serious effort into security.

    I think we should do it soon.

    1. Destroy All Monsters Silver badge

      Re: Perhaps it's time to think about security?

      Pretty sure I have heard that speech back before the "Global Wars On Stuff" and possibly even the delicious Greenspan-fuelled dotcom bubble. Maybe back in President Clingon's times.

      Been rummaging in old ASCII texts, have you?

    2. Fatman

      Re: ... and put some serious effort into security.

      Didn't you get the memo???????

      Security costs money, which can be better used to pad the executive bonus account, or give to the stockholders. Why should we pay out for security????

      </sarcasm>

      But, you do know that is the line of thinking of damagement.

  3. Anonymous Coward

    Are they sure it wasn't a training exercise for the lads and lasses up the road? Would they admit to the Feds that they were just trying out ideas/theories against local targets? Or would that information be classified as beyond the level the FBI are cleared for?

  4. John Savard

    Stupid

    It's stupid that the U.S. government doesn't take the most obvious precaution against identity theft: routinely issuing replacement Social Security Numbers whenever something like this happens, so that the old number that was obtained becomes totally useless.

    1. Joseph Lord

      Re: Stupid

      What is really stupid is anyone that treats the Social Security number as a secret and uses it as an authenticator rather than just as an identifier.

      Also it isn't "identity theft" it is bank fraud. The whole identity theft meme is a victim and blame shifting exercise.

      1. Destroy All Monsters Silver badge

        Re: Stupid

        This discussion has been had in the early 90's.

        Nothing happened.

    2. Don Jefe

      Re: Stupid

      There are several mechanisms for replacing SSNs if the person it is assigned to, or people they associate with, is placed in danger by the number.

      The problem is that (more on this in the next paragraph) when you start fiddling with SSNs it causes ripples and unseen consequences far, far away from the person who got a new number.

      Those consequences are so far reaching because it is not only the government's primary method of identifying you, it is the primary method every company in the country uses to identify you. Obviously your employers, but also doctors, insurance companies, casinos, pharmacies, shopping 'clubs', golf courses, private clubs, stables, freight companies, trade unions, tax perpetration firms, schools, payroll companies, retirement funds managers, lawyers, political action committees, law enforcement, property management companies, commercial contractors, landlords, state voting authorities, movie rental places (are those still a thing), extended stay hotels, anyplace where you send your kids, your fucking veterinarian.

      The list is fairly endless. People and places that you know don't need that info require it anyway. It's that last sentence that really screws everything up. It is illegal for anyone outside the government to force you to give them your SSN, but it is also legal for them to deny you service if you refuse to comply. No SSN, no glasses for your kid. No SSN, no emergency medical treatment for your dog.

      All that's required is that someone requesting your SSN have a publicly available privacy notice. In accordance with the rules, that notice must be posted in a conspicuous place, which is almost always behind the 7,300 pound yak they've somehow trained to sit in a chair and repeat a selection of absolutely meaningless statements while very preoccupied with People magazine from October, 1998.

      Some states have laws that allow you to refuse putting your SSN on a paper form and have it manually entered into the computer. That's not a bad idea, it's rather a good idea actually. But those laws don't prevent them from putting the number on the form themselves. Which is exactly what they do. It's a service provided by whoever deals with your archives. They print labels with your SSN and stick them on the forms before moving the documents to long term archives.

      It's all really dumb. The disconnects between any two entities have always provided a bit of a safety margin. But that's being broken as we speak as data centralization continues to expand. I expect a bunch more shit will happen before somebody steps in to correct the system.

    3. Tom 13

      Re: Stupid

      The whole SSN regime needs to be redone. Part of the reason they probably don't issue new ones is that they already have to recycle numbers. You'd think with that many digits there'd be more than enough not to worry about that. But they include some geographic identifiers in the number, so there aren't as many as you think there are.

      After that, they were ONLY supposed to be used for purposes of tracking income tax, not as a replacement for a national id card. There's no good reason for any university to have your SSN number if you are only a student. And if you work for them, that information should be in a completely separate system with limited internet access. And I say that as someone who attended a university where my student number WAS my SSN. Of course given that was more than 20 years ago, I don't expect it will change.

  5. Version 1.0 Silver badge

    "300,000 SSNs swiped "

    Nope - the SSNs have not been stolen - I still have mine.

    Identity cannot be stolen, merely forged or copied. The solution to this problem is not to penalize the "victims" of this data copying but instead to make the banks and other organizations liable when they either hand out the data entrusted to them or sell services/make loans based on the information and then blame the "victim" - Identity Theft is a scam perpetrated by the Banks to avoid admitting that they gave away money/goods without bothering to check.

    1. _BugTracK

      Re: "300,000 SSNs swiped "

      Actually, yes it can be "Stolen".

      Take note, it's impossible to provoke the inevitable, and in our generation, this would be social engineering. Remember - "There's no patch for human stupidity" - Social society can easily be cloaked by some other identity, just as you use it online, except in this case it would be through communications. A.K.A present day Nigerian scams - picture the same scenario, except in this case they have all the information about you.

      @_BugTracK

      1. Version 1.0 Silver badge

        Re: Actually, yes it can be "Stolen".

        Really? I woke up this morning and, after commenting in El Reg last night, I found that my identity had been stolen. I have no name, I don't know who I am and I'm sleeping on a park bench and my head hurts ...

        Now, about those fifteen Pan Galactic Gargle Blasters that I drank last night ... I have no memory of them either because my identity has been stolen ... maybe I'll get my identity back when I sober up?

        1. Destroy All Monsters Silver badge

          Re: Actually, yes it can be "Stolen".

          my head hurts

          Luckily no body orifices emit painful signals. That's the good news.

          maybe I'll get my identity back when I sober up?

          Sure. "We can remember it for you wholesale".

    2. Tom 13

      Re: "300,000 SSNs swiped "

      No, the problem, as Don correctly pointed out, is that too many people who have no justifiable reason have the data. The law needs to revert to its original form where the only thing it was used for was tracking income for tax purposes. That leaves it with government, banks (or bank equivalents), investment firms and your employer. Nobody else should ever have need of your SSN.
