Speaking of Back Ends
“No, I don’t want my payroll data available online.”
“No, I don’t want the PIN for my online Annual Benefits Enrollment emailed to me in cleartext (with a new PIN emailed to me every time I go to the web site to change the old ‘exposed’ one).”
(Perhaps the ’bot I wrote to automatically change my PIN the instant the email containing the old one arrives was what convinced them to modify their software to allow people to “opt out” of having their PIN sent via email. Probably, I flatter myself.)
“No, I don’t want a ‘high assurance’ UTEID to use on your JavaScript-based UTDirect site (where we’re just one Cross-Site Scripting vulnerability away from disaster).”
I should not have worried. Why bother hacking the front-end when the University leaves a back-end database wide open to anyone on the internet? (For some reason, ITS has an aversion to firewalls.)
So, over the weekend, someone stole 55,000 names, addresses, and Social Security numbers. They hit the database server so hard that it crashed under the load (which is how the crack was discovered).
Now the University’s set up a web site for the victims and is working closely with law enforcement to recover the stolen data. According to the Austin American Statesman, they’ve traced the attacks to computers in Austin and Houston. But, it seems to me that unless the hackers were incredibly stupid, those machines were just launchpads, and their innocent owners are about to get a rude awakening when the cops come busting through their front doors in the middle of the night.
But what do I know?
Hackers steal vital data about UT students, staff
Officials say they are closing in on thieves; university will begin telling those affected
By Ralph K.M. Haurwitz
American-Statesman Staff
Thursday, March 6, 2003
Computer hackers have obtained the names and Social Security numbers of about 59,000 current and former students, faculty members and staff at the University of Texas at Austin in one of the largest cases of potential identity theft ever reported.
Authorities do not know whether the information has been put to illegal uses such as obtaining credit cards or withdrawing money from financial accounts.
Law enforcement officials were expected to obtain and execute search warrants late Wednesday in Austin and Houston at homes where computers are thought to have been used in the cyberspace break-in.
UT officials suspect the attack was carried out by a student or students, or by people living with students. They said the computer breach could easily have been prevented with basic precautions, adding that the incident will prompt them to redouble security measures and to accelerate a plan to phase out most uses of Social Security numbers on campus.
“We flat out messed up on this one,” said Dan Updegrove, the university’s vice president for information technology. “Shame on us for leaving the door open, and shame on them for exploiting it. Our number one goal is to get those data back before they get misused.”
The incident comes at a time of growing concern about identity theft on college campuses. Many universities, including UT, use Social Security numbers as student identifiers, and the numbers are therefore found in many records. UT students have complained about the practice.
The ranks of current and former UT students, faculty and staff include hundreds of thousands of people.
University officials scrambled Wednesday to figure out how to advise those whose information was stolen. Some who are no longer affiliated with the university might not be reachable at the phone numbers and addresses on file.
The university has set up a Web site where it plans to post information. A telephone hot line will also be established, possibly staffed round the clock seven days a week, said Don Hale, vice president for public affairs.
The theft was discovered Sunday evening by administrators of university computer systems conducting routine checks, Updegrove said. They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.
Besides names and Social Security numbers, the hackers obtained e-mail addresses and, for some current faculty and staff members, office addresses and phone numbers. No grade, health or benefit records were obtained, Updegrove said.
Computer system logs indicate the information was seized by a computer in Austin on Feb. 26, Feb. 27 and Friday, and by a computer in Houston on Saturday and Sunday, he said. It’s likely that the intrusions from Austin and Houston were done by the same person or people, he added.
The compromised database contains training records on UT staff. However, it has a connection with a broader list of current and former UT students, faculty and staff.
The thief or thieves used a computer program to query the UT database with 3 million potential Social Security numbers, resulting in about 59,000 successful matches, Updegrove said.
“It was just a brute force attack on the system,” he said.
Updegrove said the UT records should never have been accessible to anyone off campus or to anyone who is not an employee supervisor. He said he did not know how such a serious violation of security procedures occurred, or why it was not discovered in periodic systems checks. He did not know how many years the database has existed.
“There are six to 12 ways we could have reduced the risk to the database,” Updegrove said. “The sad thing is, we didn’t do any of them.”
Those shortcomings will be examined in depth, but the more urgent task is to track down the perpetrators and recover the data, Updegrove said. To that end, the university has reported the theft to the FBI, the Austin Police Department, the Travis County district attorney’s office and other authorities.
“This could have grave consequences, so fast action is important to prevent further harm,” said District Attorney Ronnie Earle. “The public integrity unit with the district attorney’s office is working in partnership with the U.S. attorney’s office on this case.”
Updegrove defended the university’s decision not to announce the theft right away, thereby leaving the 59,000 people unaware that their information was compromised. It took time to understand the dimensions of the theft, he said.
In addition, when it became apparent that the theft originated from two locations, university officials focused on lining up law enforcement help in trying to seize the rogue computers, in hopes that any dissemination of data by the thieves could be prevented. Disclosing the theft widely at the outset might have put that plan at risk, he said.
Identity theft is a rapidly growing crime in which someone obtains key pieces of information such as Social Security and driver’s license numbers to obtain credit, merchandise and services in the name of the victim, according to the Identity Theft Resource Center, a nonprofit group based in San Diego.
“The victim is left with a ruined credit history and the time-consuming and complicated task of regaining financial health,” the center reports on its Web site.
© 2003, The Austin American Statesman.