Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

March 12, 2003

Closing the Barn Door …

As reported earlier, 55,200 (give or take) names, addresses, and Social Security numbers were stolen from an unprotected database on the UT Administrative system. The “hack,” apparently, was nothing more sophisticated than submitting a query for a Social Security Number and seeing if the database returned a record.

Search warrants were issued, and there were police raids this weekend. But no arrests have followed.

In need of doing something, ITS has been searching through Google for UT web sites with Social Security numbers on them and peremptorily shutting them down. A colleague of mine was in the habit of posting his student grades online. Stupidly (security-consciousness is, alas, not his forté), he left the data file readable, which means that ITS shut his computer off from the 'net for three days.

I’ll come clean here.

I, too, have allowed students to retrieve their grades by entering their student ID number (aka their SSN) in a web form. The database is not retrievable, but the web form could be brute-forced exactly like that UT database. All I can say in my defence is that the effort required to brute-force it would be the same, but the maximum potential yield would be 40-50 SSN’s rather than several million. And the data for any given course is only available for a couple of months. Together, I think it’s fair to say that these make the attack unfeasible. But …

I’d love to key my database to something else. I’m still waiting for the day when student class rosters are keyed to ID numbers other than the students’ Social Security Numbers.
“Hello? ITS … when you can spare the time …”

Posted by distler at March 12, 2003 12:11 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/118

0 Comments & 0 Trackbacks

Post a New Comment