Major Privacy Breach at UCLA

Hackers have gained access to a database containing personal information on 800,000 current and former UCLA students.

This is barely worth writing about: yet another database attack exposing personal information. My guess is that everyone in the U.S. has been the victim of at least one of these already. But there was a particular section of the article that caught my eye:

Jim Davis, UCLA's associate vice chancellor for information technology, described the attack as sophisticated, saying it used a program designed to exploit a flaw in a single software application among the many hundreds used throughout the Westwood campus.

"An attacker found one small vulnerability and was able to exploit it, and then cover their tracks," Davis said.

It worries me that the associate vice chancellor for information technology doesn't understand that all attacks work like that.

Posted on December 13, 2006 at 6:43 AM • 50 Comments

Comments

Clive Robinson • December 13, 2006 7:25 AM

@Bruce

"It worries me that the associate vice chancellor for information technology doesn't understand that all attacks work like that"

I don't know about the U.S. Universities, but in the U.K. posts at the V.C. level are mainly administrative not teaching or research so, no it does not surprise me that much.

In some cases the V.C.s are actually political appointments which means they are even less likely to understand the subject at "such a low level". But they will be able to put a lot of spin on the subject...

fromHistory • December 13, 2006 7:56 AM

@clive
What you say is true, but is also symptomatic of a culture in decay. In growing cultures, people who know and do rise to the top, otherwise - well, there are many things that float.

Carlo Graziani • December 13, 2006 7:57 AM

He may not be as clueless as he appears. His job, at this point, is to minimize the University's (and his own) legal exposure. Hence public statements lending credence to the view that an unbelievably sophisticated attack was required to get through their duly diligent security.

Admittedly, such statements do little to create an atmosphere of truly diligent security. It wouldn't be the first perverse incentive system induced by fear of lawyers.

Peter • December 13, 2006 8:16 AM

As we said on SecurityMusings, the part that worries me is that according to the CNN article (http://www.cnn.com/2006/TECH/ptech/12/12/ucla.data.theft.ap/index.html), "the attacks in October 2005 and ended November 21 of this year."

They went on for over a year unnoticed. Now that's troubling.

Dossy Shiobara • December 13, 2006 8:23 AM

Peter said: "They went on for over a year unnoticed. Now that's troubling."

No, what's truly troubling is what else is *still* compromised that they have yet to figure out or discover? I'm guessing there's probably some backdoors installed that are no longer detectable through userspace. :-)

Toast.

Duncan • December 13, 2006 8:34 AM

"It worries me that the associate vice chancellor for information technology doesn't understand that all attacks work like that"

I don't think it's really true that all attacks work like that: only attacks against competently maintained databases. But universities are full of incompetently maintained databases, since they are so decentralized: each instructor maintains a grade spreadsheet, etc.

I would guess that the most common security breaches at a university would be from people putting confidential information on their web page, and Google finding it, or having a laptop containing confidential information stolen or lost, or people giving their password to others intentionally or by having it written somewhere that visitors see, etc.

I would guess that 99% of the time that's the sort of issue that a senior security official would have to worry about.

Joe Patterson • December 13, 2006 9:17 AM

That's so funny... It's like saying "There was a sophisticated attack on the dam, where all the water flowed through at *exactly* the one spot where there was a hole.... Curse that clever water!"

jay • December 13, 2006 9:19 AM

There should have been a method for verifying someone's social security number via a secure link to government's database other than storing it in the local databases. Also I see a lot of companies and other institutes taking in DOB and other personal details and that information is redundant these days.

My personal opinion is that during registration the institute or organization should only store the name and a unique ID only. Other details should not be stored locally but be verified using other links. Because most of the data are On-Demand type which aren't used for day to day things but during special circumstances.

As Bruce says "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product."

Miles Baska • December 13, 2006 9:28 AM

"It worries me that the associate vice chancellor for information technology doesn't understand that all attacks work like that"

The man is either a moron or a politician -- but I'm being redundant.

Cos • December 13, 2006 9:31 AM

I wouldn't be so sure it's Jim Davis' view you're seeing represented there. It's just as likely that the reporter thinks of the attack that way, and used an otherwise reasonable-sounding quotation from Davis to illustrate it.

When you see people quoted in a paper, never assume you're getting their story. You're getting the story the reporter wants to tell you. Whether the stories people quoted in the article want to tell happen to match that, is harder to guess at.

James • December 13, 2006 9:34 AM

It sounds like he is just trying to cover their hides. Not that I'm giving him the benefit of the doubt, but sometimes you just have to feed the masses some bs so they think it's over their heads and don't ask any more questions. It could have also been an accepted risk that they couldn't fix for whatever reason.

jayh • December 13, 2006 9:35 AM

I think the lesson from this is to work on the assumption that at least one application will have an unknown vulnerability. It's simply impossible to guarantee that every application will be inviolate.

Security should be concentrated as close as possible to the sensitive information.

Prisoner #2347 • December 13, 2006 10:51 AM

They could have avoided this if they didn't store or use SSN for anything other than what is required by law (financial aid, employment, etc).

Using SSN (in part or whole) for student ID is incredibly stupid. When I attended UCLA last century, every student id was a 9 digit number.

Unfortunately, it is far too common practice to store SSN in databases/tables that do not require it, and then provide _no_ field security. So, if a user has access to the "student record" table, then he has access to the SSN field in the table, whether he needs it or not.

What is really sad is that it is functionally very easy to lock down a SSN column so it cannot be accessed by unauthorized users, and implement a policy where SSN access is only granted to those who can demonstrate a legit need for it. Because it requires effort, though, no one does it at all.
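Added example, not part of the comment above or the original post: one way to lock down an SSN column per role, shown with SQLite's authorizer hook because it runs anywhere. The `student` table, the `registrar` and `ta` roles, and the sample row are assumptions made up for the illustration; a server DBMS would enforce the same policy with column-level privileges instead of an in-process callback.

```python
import os
import sqlite3
import tempfile

# Hypothetical roles; each maps to the sensitive (table, column) pairs it may read.
SENSITIVE = {("student", "ssn")}
ROLE_MAY_READ = {
    "registrar": {("student", "ssn")},  # demonstrated need (financial aid, payroll)
    "ta": set(),                        # works from names and student IDs only
}


def make_authorizer(role, mask):
    """Build a SQLite authorizer callback that enforces ROLE_MAY_READ for one role."""
    allowed = ROLE_MAY_READ[role]

    def authorizer(action, arg1, arg2, dbname, source):
        # For SQLITE_READ, arg1 is the table name and arg2 the column name.
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in SENSITIVE - allowed:
            # IGNORE makes the column read as NULL; DENY rejects the whole statement.
            return sqlite3.SQLITE_IGNORE if mask else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    return authorizer


def connect_as(path, role, mask=False):
    """Open a connection whose statements are checked against the role's policy."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(make_authorizer(role, mask))
    return conn


def try_query(conn, sql, params=()):
    """Return the rows, or a 'refused: ...' string if the statement was rejected."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"refused: {exc}"


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "records.db")
        owner = sqlite3.connect(path)
        owner.execute("CREATE TABLE student (sid TEXT PRIMARY KEY, name TEXT, ssn TEXT)")
        # Constructed row: area number 000 is never issued as a real SSN.
        owner.execute(
            "INSERT INTO student VALUES ('900000001', 'Constructed Student', '000-00-1234')"
        )
        owner.commit()
        owner.close()

        registrar = connect_as(path, "registrar")
        ta_strict = connect_as(path, "ta")
        ta_masked = connect_as(path, "ta", mask=True)
        # Filtering on the column is also a read, so it falls under the same policy.
        probe = ("SELECT name FROM student WHERE ssn = ?", ("000-00-1234",))
        results = {
            "registrar_all": try_query(registrar, "SELECT * FROM student"),
            "ta_needed_columns": try_query(ta_strict, "SELECT sid, name FROM student"),
            "ta_select_star": try_query(ta_strict, "SELECT * FROM student"),
            "ta_where_probe": try_query(ta_strict, *probe),
            "ta_masked_star": try_query(ta_masked, "SELECT * FROM student"),
            "ta_masked_probe": try_query(ta_masked, *probe),
        }
        for conn in (registrar, ta_strict, ta_masked):
            conn.close()
        return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The refusal covers `SELECT *` and `WHERE ssn = ?` as well as a direct read, so a role without a need for the SSN cannot fetch it or test guesses against it.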

Bob Clay • December 13, 2006 11:08 AM

As was done at Ohio State, the Vice Chancellor will now reorganize, fire some peons and get a bonus.

Andrew • December 13, 2006 11:14 AM

As a former insider at UC Irvine, let me assure you that student records are very poorly protected. For one thing, neither student employees nor TAs (or even RAs) are backgrounded and at least two I knew for certain were convicted felons . . . I leave the rest to your imagination.

Where do you think some of this identity theft is coming from?

yehoshua • December 13, 2006 11:15 AM

If you spend enough time in academia, you learn that the old joke that "those who can, do. Those who can't, teach" isn't funny because the administration of many colleges is filled with men and women who could neither do nor teach, so they're going to tell everyone else what to do instead. In those environments, looking good in a suit and having a firm handshake is way more important than having any idea what the hell you're talking about.

Not that I am in any way bitter. Nope. Not me.

Z • December 13, 2006 11:21 AM

@Prisoner
They ask for your SSN when you apply for admissions.
I don't think they use it for your ID number.

@Andrew
So that explains why the student and faculty directory is wide open, right? ;)

Justin • December 13, 2006 12:06 PM

I applied to UCLA along with other UC's in the fall of 2004 and was accepted. However, I didn't attend UCLA (I'm at Berkeley now.)

I received the same e-mail informing students their social security number was in the database. While it's understandable that no one's security is perfect, I can't understand why they'd store non-students' social security numbers or other sensitive information.

Universities can do some monumentally stupid things, all Berkeley Student IDs (I believe all UC Student IDs as well) contain RFIDs. I don't think they broadcast your student ID (they have a separate code system for them) but it still enables the university to track students, should they wish.

James • December 13, 2006 12:08 PM

I don't think their user ID is their SSN, even though it is nine digits long. I believe there are specific laws about this (FERPA). And UCLA students "can" set up an email alias so everyone doesn't know their identification number.

Davi Ottenheimer • December 13, 2006 12:14 PM

Anyone catch the quote in the cited LA Times article:

"They are places we send our children to share ideas, and it's hard to mix the open sharing of ideas with the need to tighten down on security."

Yeah, because preventing SQL injection attacks on a database with SSN will chill the freedom of speech? Give me a break (pun not intended).

A "secure" environment is also one where people feel free because they are safe from harm. Fail to "tighten security" properly and no one will share anything anymore for fear of theft, abuse, etc.

Randle Flagg • December 13, 2006 12:20 PM


Half Cover Will Travel
By Randle Flagg

This opinion article is submitted to be distributed freely and to generate opinions.

When is the government or better yet intelligence agencies going to get serious about cover for its employees? Now I know people might say, before 911 they had not a clue, well I am here to say in my opinion, after 911 they still are not doing enough. That is until someone proves me wrong. The CIA and others have recently told potential applicants not to tell anyone if possible of their intentions of applying as it might make it hard for them to do cover work.


The role of cover as defined is: To protect by contrivance or expedient, to hide from sight or knowledge. Let us take a for instance.

When a Person ( Bob) applies for a job at the National Security Agency or Central Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation or any of the others, that is considered of national security, it is usually done through several ways. First through the agency website. Now if I do not want anyone to know that I am going to apply there, how do I know that my connection is safe. For argument sake, I apply through my home computer, which uses a Internet connection supplied by the wonderfully fast XYZ Inc. Which is a USA owned company. Now I have been surfing, find the agency website and apply. Everything up to the point when I apply is open for my provider, XYZ to see. Unless I use a secure connection or anonymizer, but do we really think the government would let exist such communications without being able to monitor, ya right. For argument sake lets say XYZ is a growing company with billions of dollars, and in need of many people to handle administration to networks , router, switches and customer accounts. I am joe hiring manager and I need 100 service reps to handle customer accounts and phone issues. I need another 100 to handle the telecoms infrastructure and I need another 100 for software programming. XYZ is a consciousness company and is concerned about getting the right people hired and for argument sake they only advertise to hire US citizens. As joe hiring manager I am super busy and rely on my crack Human Resource team to vet all employees. Human Resources, has the best software and does online background checks on theses employees and all 300 pass muster. WOW, Human Resources must be really good and they did a background check, meaning they looked back 5 maybe 10 years on a credit report. Red Flag! 
Also, they did not call references or run names through FBI as they were too busy thinking of their next move to get Human Resources elevated to a boardroom seat and the FBI does not have the people to handle running names for every corporate company, even though it is only 300 people that XYZ has in their entire company. So now as joe hiring manager I have 300 people composed of Asian, Indian, American, Muslim, and other assorted people who are god loving USA loving patriots and I have nothing to worry about, WRONG.

Whats wrong with this picture? The fact is that XYZ has 80,000 employees not 300, is that no where in this chain can a company total guard against the potential wrong insider or foreign intelligence service. Worse yet, lets figure that of the 80,000 only 10 are bad folks and of that 10 only 5 are supplanted by a foreign country to gather Intel. Yes I said supplanted! Do you think for one second that foreign Intel services have not instructed their students going to college here for 10 years or more to assimilate, become one and then suck us dry. The fact is the FBI has said publicly that just china alone has over 3000 front businesses, never mind the tens of thousands of students. Foreign intelligence tells their people to go to the USA and set up a life, get a house, marry, join the local clubs, establish a credit history and perhaps a SS#. Oh did I mentioned that my crack Human Resources department ran social security numbers and none came back as bad. Why, because the system is broke and the social security administration cannot verify a foreign intelligence agent as they have been here for 10 years and got a number the legal way!


Do you think for one second that foreign intelligence services would rather milk our USA companies for intelligence rather then try to plant spies inside the intelligence agencies themselves as it is way to hard and the failure rate would be cost prohibitive, but I am sure they point a few of them that way for yucks. Now back to our bright, well educated person,Bob who has looked up every grain of sand on his next employer, with his XYZ connection -in this case the intelligence agencies and then applied. That might be a nice piece of info combined with their IP address, account on XYZ , where they live, what restaurants they like to research and eat at ( nice for a bump into meeting),who they email, what school they go to or current job, who they write love letters to - behind their spouses back, what porn they surf, what electronics they buy and might have in their house--( don't think for one minute that foreign Intel services are not capable of engineering a micro camera and or recording devices into your house, TV , stereo, alarm system or whatever if they know you are going to work for any Intel outfit or area of interest. Just because USA Intel does it does not mean they are the only game in town. The point is, Bob's cover is blown before he even starts. What about Bob's neighbors, are they hacking him by WiFi??

Let us go one step further; Bob uses a secure connection to surf and apply, he gets a interview and a letter is sent from the agency which he applied to his address at home or at the 600 unit apartment building he rents at and bang, the postal guy accidentally puts Bobs interview letter/ form that the agency sent into his neighbors box. His neighbor, might be someone he knows, does not know, is a blabber mouth, or just happens to be someone who is a collector of information and sees who it is from and it now ends up on the Internet or makes note of it or does not even give the letter to Bob and reads it himself (Numan) so much for Bob's cover. Lets say Bob has made it through the tests for the job and now has to have a background investigation. This now means that Bob, has to has atleasts 8 people he knows, know he is doing something a little out of the ordinary and the background investigator is going to knock on his neighbors doors who might be foreign Intel or blabber mouths or gossip kings and queens at their local country club. red flag. Even if the investigator tells all these people he works for the local consulting company and is just checking references, he still has to ask the questions on the SF86 and others that totally blow any covertness.


Moving on,now lets say Bob has not had a breach of security though the interview and is hired. He has to have direct deposit to his Bank, Bank of The United States and they only have 1000 employees ya right make that 200,000 and operate in several countries and/or share personal information for marketing purposes with companies that are of suspect origin. red flag! forget that last foe pa! Bob is under cover working for a Intel agency, what shows up in his bank statements??? I bet it has something to do with the government, red flag! What about his health insurance he has through the government, surely company XYZ has it under control. What does it look like when half his premium gets paid by a government entity? red flag! What about the life insurance, long term care, errors and emission insurance; which many Intel folks buy to CYA, but who is CYAing them and the company? So all these red flags, and lets say for argument sake he has not been found out. Wait a minute Bob gets sick and goes to the hospital and presents his health insurance card, the admission person see this and says, oh you work for the government, my friend I know has the same insurance and works for the intelligence agencies. red flag! Or one of Bob's family members has to use health ins or other covered service,if Bob had a family, were they given instructions on how to present themselves or will his wife or if it were Alice, her husband, blab about it the work? red flag.

How about this; one day Bob is mowing his lawn and sees his neighbor,our man Flynn,who starts talking to him and asks, hey Bob, what do you do for a living, ( Bob replies ) oh I work for the DOD, wrong answer. red flag. I work for a consulting company,XYZ, wrong answer, red flag,a lie that now must have to be proven true, you see our man Flynn is in the Intel business and knows already that several of the neighbors are consultants but really work for NSA,CIA etc.. You see Bob, was never given a ( Non Official Cover and story ) to aid him or never told not to tell anyone or trained in rehearsing the company line. In addition to Bobs latest foe par, Bob has been going to many meetings in the government sector, and private sector as a scientist and putting down his real name, agency email address and agency address on all the sign-in sheets, Bad Bob. He also was never given a cover name, because, well the agency did not think he needed it or it is to expensive to think up one with a cover story. Bob is FU&*ed throughout this entire process.


OK, I know you might be saying , your crazy , paranoid, ma sugar, bats in the belfry. Reverting back to the XYZ example, lets forget that it was a USA owned Internet company. How about a French owned telecoms or perhaps a china telecoms or how about Print, Herizon, Xtel ( Not there real names but sound like) get the picture. There are many companies both USA owned and foreign owned that have connections / business in the USA that Bob is F*c*ed before he even wakes up. Any company that thinks it can compartmentalize like a intelligence agency and still say they operate like a public business and can assure you that your privacy is safe, can now get up and leave the room single file. Lets take another example, I am a Intel officer of a foreign company outside the USA but surfing with Google. I plug the following inquiry in:XYZ.gov
Damn, that returns Bob's email address and leads right to an Intel agency along with all the other agencies Bob has been emailing, thus the names of people who might have thought they wanted to work under cover at one time but have been compromised and did not even know it. What if I only want Excel spreadsheets, Word docs, PDFs! That brings up meetings with all kinds of folks' emails and affiliations.

How about the other USA Intel domains. What about a search on the Intel agency's name plus Resume. I suspect folks who list their resume online and work histories at the government places mentioned are asking for foreign Intel to make a note so next time they travel on vacation to an overseas location, our man Flynn or one of his brothers will be on your left!


It's time for the applicants and Intel folks to work on a better plan!

PassTheBuck • December 13, 2006 12:20 PM

Why don't we pass a broad law making such hacking illegal? That ought to stop it.

Or better yet, how about one requiring companies to make their software unhackable? That way, when their software does get hacked, we'll have someone to sue.

Anonymous • December 13, 2006 12:22 PM

I see that UCLA recommends that you have each of the credit bureaus put a security freeze on your files. However, they don't offer to pay the $30 fee!

http://www.identityalert.ucla.edu/...

I think the California law requiring notification to victims of a breach should be extended to require that the breachee pay for this credit bureau security freeze.

When companies (and universities and government agencies) are held financially accountable for privacy breaches, they will better appreciate how to prevent them.

When insurance companies start underwriting these risks, I'm pretty sure that some best-practice guidelines will show up fast.

Foxyshadis • December 13, 2006 12:26 PM

Some of you guys don't realize how widespread SSN-as-ID is! For decades, it's been simply the de facto standard ID for lazy uni IT departments (eg, most of them), from what I've gathered from colleagues - who mostly came from the California system, so it may only be accurate there. As far as I know, many will let you use any random ID if you specifically request it. In my case it was actually SSN as password, student ID # as username.

I hope by now they've taken to using real usernames & somewhat random passwords.

Bob • December 13, 2006 12:29 PM

My info was in the DB that was hacked.

At least UCLA is being *very* proactive in their response. They have set up a webpage and phone hotline, with links to the credit agencies.

Davi Ottenheimer • December 13, 2006 12:44 PM

Oh, and I say SQL injection because of this:

"He said the problem was spotted when computer security technicians noticed an unusually high number of suspicious queries to the database. It took several days for investigators to be sure that it was an attack and to learn that Social Security numbers were the target, he said."

I hope they explain at some point why they call this a sophisticated attack, as it seems amazingly common to me. I wouldn't say all attacks happen in this manner, but database injection is not on annual top-ten attack/warning lists (not to mention featured online in howto videos) for nothing.

another_bruce • December 13, 2006 12:44 PM

if it weren't for the unique california law requiring disclosure of breaches (which is threatened by pending federal legislation establishing a watered-down standard) you would never have heard of this.

Andre LePlume • December 13, 2006 12:47 PM

Davi nailed it. Question is whether they needed to p0wn a box in a DMZ to launch the attack, and whether the ability to access the table with the SSNs was truly necessary. I suspect the principle of least privilege was violated here....

Matt • December 13, 2006 1:32 PM

I'm a grad student at UCLA (studying network security, no less). A couple of clarifying points:

* UCLA student ID numbers are 9 apparently-random digits, assigned by a black box when one becomes a student.

* The numbers, and the associated physical cards, are used for many purposes around campus, including web app logins and access to various facilities. (Web apps have recently migrated to a new single point of failure *cough* I mean, single sign-on system.)

* Student ID numbers are not considered to be confidential identifiers; e.g., as a TA I wouldn't be allowed to post a list of grades associated to SIDs.

* The cards have a magstripe and a bar code, but not (so far as I know) an RFID.

bob • December 13, 2006 2:14 PM

@Joe Patterson: lol - I'll use that.

Reminds me of the story about some famous french guy once talking about the superiority of the french language who said "there is nothing inherently inferior about the english language; its just that in english the words are out of order but in french the words come to the tongue exactly as they are needed."

dilbert • December 13, 2006 3:11 PM

Recall the 1988 saying:

Dr. Richard LeBlanc, associate professor of ICS, was quoted in "The Technique,"
Georgia Tech's newspaper, last November (after the computer worm hit the net):

"It turned out that the worm exploited three or four different holes in the
system. From this, and the fact that we were able to capture and examine some
of the source code, we realized that we were dealing with someone very sharp,
probably not someone here on campus."

seen in many places including here:
http://securitydigest.org/zardoz/archive/123

dilbert • December 13, 2006 3:13 PM

Recall this saying from 1988.

Dr. Richard LeBlanc, associate professor of ICS,
was quoted in "The Technique,"
Georgia Tech's newspaper, last November (after the computer worm hit the net):

"It turned out that the worm exploited three or four different holes in the
system. From this, and the fact that we were able to capture and examine some
of the source code, we realized that we were dealing with someone very sharp,
probably not someone here on campus."

quincunx • December 13, 2006 3:20 PM

"if it weren't for the unique california law requiring disclosure of breaches (which is threatened by pending federal legislation establishing a watered-down standard) you would never have heard of this."

Yes, and if it wasn't against the law for a third party to whistleblow, spread rumors, or otherwise get it out to the public without liability, there would be no need for an extra unique california law to do now what was legal before 1940.

So I'm not impressed that a magical law mitigates the problems brought about by other accumulations of ancient statute laws. Better to get rid of them all.

Scott Cantor • December 13, 2006 3:22 PM

"As was done at Ohio State, the Vice Chancellor will now reorganize, fire some peons and get a bonus."

In the interest of accuracy, it was Ohio University, not Ohio State, and FWIW, the people who were fired had nothing to do with the breach and were scapegoated for political reasons.

So you're 100% correct, but wrong university.

erich • December 13, 2006 4:30 PM

Soon after I started at UC San Diego in fall 1988, they switched from non-SSN ID numbers to using SSNs as student IDs. Some time after I graduated (mid-90s maybe) they switched to some other numbering scheme.

As another poster commented, they frequently used the ID as the default password for computer accounts--this is how I know the SSN of one friend, who never changed her password but let me use her account.

Around 1999 or 2000 UCSD had a similar breach and leaked piles of personal information about past and present students. Well, smaller, because UCSD hasn't had as many students since it was founded. :)

sng • December 13, 2006 4:41 PM

"There should have been a method for verifying someone's social security number via a secure link to government's database other than storing it in the local databases."

No. SSNs were never meant to be a form of identification. And we should stop using them as such.

Pat Cahalan • December 13, 2006 7:15 PM

@ Davi

Re: "They are places we send our children to share ideas, and it's hard to mix the open sharing of ideas with the need to tighten down on security."

This is something I hear all the time. It's baloney, yes. However, you can't argue against this with facts and reason -> this is a religious belief, not a reasoned position.

dale • December 13, 2006 9:07 PM

Oh, if only it were only actual UCLA students. I received that e-mail quoted above. I applied (unsuccessfully) to UCLA... almost two years ago. And now I'm supposed to put a fraud alert on my credit report. UCLA is really not looking too good in the public eye lately.

averrosy • December 14, 2006 12:03 AM

Encrypting SSNs stored in databases is stupid and useless (at least if the encrypted field is supposed to be used as a key). The entire space of SSNs (which is 9 digits, or 30 bits) can be exhaustively searched in seconds.

The only right solution for the SSN-based identity theft is to abolish SSNs (preferably together with Social Security).
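Added example, not part of the comment above or the original post: a storage audit that tests the enumeration argument against two deterministic token schemes, an unkeyed SHA-256 and an HMAC whose key is kept outside the database. Both schemes, the function names and the sample number are assumptions for illustration, and the search covers one 5-digit prefix so the check finishes quickly.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

SSN_SPACE = 10 ** 9  # nine decimal digits, just under 2**30
# Constructed value: area number 000 is never issued, so this is no one's SSN.
SAMPLE_SSN = "000001234"


def sha256_token(ssn: str) -> str:
    """Unkeyed deterministic token: anyone holding the table can recompute it."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def hmac_token(ssn: str, key: bytes) -> str:
    """Keyed deterministic token: recomputing it requires the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def recover_from_token(token: str, token_fn: Callable[[str], str],
                       prefix: str = "00000") -> Optional[str]:
    """Recompute tokens for the 10,000 serials under one prefix; return a match."""
    for serial in range(10_000):
        candidate = f"{prefix}{serial:04d}"
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def full_space_estimate_seconds(token_fn: Callable[[str], str],
                                sample: int = 20_000) -> float:
    """Time a sample of tokens and scale to all 10**9 values (single Python thread)."""
    start = time.perf_counter()
    for n in range(sample):
        token_fn(f"{n:09d}")
    return (time.perf_counter() - start) / sample * SSN_SPACE


def audit() -> dict:
    server_key = secrets.token_bytes(32)  # assumption: kept in the app tier, not the DB
    other_key = secrets.token_bytes(32)   # stands in for "has the table, lacks the key"
    unkeyed = sha256_token(SAMPLE_SSN)
    keyed = hmac_token(SAMPLE_SSN, server_key)
    return {
        # Unkeyed: the stored token alone is enough to get the number back.
        "unkeyed_recovered": recover_from_token(unkeyed, sha256_token),
        # Keyed, key not available: recomputation never matches.
        "keyed_without_key": recover_from_token(
            keyed, lambda s: hmac_token(s, other_key)),
        # Keyed, key stored next to the data: no better than unkeyed.
        "keyed_with_key": recover_from_token(
            keyed, lambda s: hmac_token(s, server_key)),
        "est_seconds_full_space": full_space_estimate_seconds(sha256_token),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The estimate is for interpreted Python on one core; what the audit separates is whether the token can be recomputed from the database contents alone or only with a key held elsewhere.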

solaraddict • December 14, 2006 9:13 AM

"There should have been a method for verifying someone's social security number via a secure link to government's database other than storing it in the local databases."
I don't see an increased level of security by saying "of course the data is secure, it's with the government." WHEN the govt. database is cracked, the attacker collects the whole set: 300 000 000 SSNs and associated info, instead of 800 000.

antibozo • December 14, 2006 10:52 AM

averrosy> The only right solution for the SSN-based identity theft is to abolish SSNs (preferably together with Social Security).

No, the right solution is to publish all of them. That eliminates them as authenticators so people in the finance industry have to actually solve the authentication problem instead of relying on an authenticator that everyone knows is not secret.

fubar • December 14, 2006 12:01 PM

| Re: "They are places we send our
| children to share ideas, and it's hard
| to mix the open sharing of ideas with
| the need to tighten down on security."

Pat Cahalan:
| This is something I hear all the time.
| It's baloney, yes. However, you can't
| argue against this with facts and
| reason -> this is a religious belief, not
| a reasoned position.

I'm a database person at a california university. Bias disclosure: my background is in the humanities and biology. I'm an advocate of integral paradigms (Ken Wilber).

The conflict between "sharing ideas" and "tight security" isn't a "religious belief" as much as it is a sociological reality that is wired into culture and human consciousness.

Techies (pure rationalists) do not, and will never, run the world, and for good reason. (see Habermas on the "colonization of lifeworld by systems", Ken Wilber on "I/We/It/Its", etc.). Rational thought does not explain the entire universe, it only explains the scientifically observable "physical" universe.

In case anyone hasn't noticed, there is no good "scientific" theory of politics at this point in human history, at least not one that has attained mainstream acceptance.

From a historical perspective, the organizational culture of academia is not rooted in a "systems" paradigm.

Attempting to force a highly "systems-centric" paradigm on academia is always going to be politically disruptive. I would say from my personal perspective that it would also create a psychic problem given that academia is already mired in intractable, futile conflicts between traditionalists, bureaucrats, post-modernists, pluralists, multi-culturalists, etc., conflicts that have created a considerable form of overall political instability and chaos that makes centrally "managing" the politics of IT security very challenging.

In other words, academics are suspicious of the arrogance and hubris of systems people, in my opinion, probably rightly so most of the time. Any negative intrusion by IT ("systems") into the day-to-day life of academics will raise hackles.

So, the "organizational culture" of universities is typically such that the kind of paradigm that is required to have a highly effective information security framework is going to be seen as a political threat by other important political constituencies within academia.

The "imposition" of "tight security", which requires the exercise of power in order to change the ingrained bureaucracy of academia, has *considerable symbolism* as an "act of political will".

In a sense, the issue is similar to the general case of policing. If a university wanted to make sure that all of its members complied with any given (non-IT-related) law 100% of the time, you would need to have a pervasive fascistic mentality that is inconsistent with the tradition of intellectual openness, freedom, liberty, pursuit of happiness, etc. in the Anglo-American (whig/libertarian) tradition.

(The fact that post-modernists have hijacked "liberty" is another issue.)

One "solution" to the mess is to place academics into IT management. The problem of course is that such "managers" are not going to be well trusted by hard core IT folk who tend to have disdain for non-techie academics.

Another solution is to "decentralize" campus IT, and thereby dilute the power of the IT community. That of course is seen (rightly) by IT "systems purists" as an invitation to all sorts of problems with IT standards enforcement (including security standards).

A more pragmatic issue is cost of converting "legacy" applications that rely on SSN. It is one thing for the state of California to create laws about information security, it is another for it to pay for the conversion to systems that store SSN as minimally and securely as possible.

Universities have to interface with many outside systems, including the federal government's massive financial aid systems (and numerous other funding sources that want student data by SSN because it is the only current "universal" identifier within American society). So, guess what? SSN is needed in order to get huge blocks of education money from the feds.

Even if the money was available to convert legacy systems that use SSN "too liberally", there is the issue of management competency.

For the reasons stated further above, the management paradigm of academia is rooted in paradigms that are not particularly suited to a pure "systems" perspective. In other words, managers in academia are, by their "political DNA", usually not going to be really good at IT.

I have not proposed any solutions, but hopefully by identifying some of the underlying structural problems in the sociology of academia, a solution will eventually develop by concensus.

Bye!

TimH • December 14, 2006 12:32 PM

@fubar: Any examples in history supporting your assertion: "...a solution will eventually develop by concensus"?

aeschylus • December 14, 2006 12:42 PM

fubar> I have not proposed any solutions, but hopefully by identifying some of the underlying structural problems in the sociology of academia, a solution will eventually develop by concensus.

Not bad, a misattached participle, a misspelling, and irony all in the same sentence. :^)

Otherwise interesting post though.

Andrew • December 14, 2006 5:56 PM

@fubar

Centralized authorities are all that keep certain university departments from getting into very hot water. A strong central IT shop is vital to keeping the university network running. Good oversight by ethical people, and the campus community if such are lacking in administration, is essential.

In my limited experience at two UC campuses, I saw: a university hospital employee selling donated body parts; a fertility clinic mixing in a tech's sperm to get award-winning successes for infertile couples; blatant grade fixing; two sex-for-grades scandals; a statistician analyzing criminal justice data for prosecutors to sort the (minority) gang members out so they could get longer prison sentences; and last but certainly not least, corruption and diversion of public funds involving both the construction industry and student-run businesses. I gave up my quixotic quest to report some of this when it became apparent that the university administration and ombudsman's shop was in on most of it, up to and including certain Regents.

The academic environment is particularly prone to corruption and needs strong controls. Mostly by keeping talented academics out of positions of power which they are neither trained nor suited for -- and kicking untalented academics out of the university system.

Qualified public officials are not made from twenty years of publishing questionable science and defrauding Federal agencies out of grant money. The kind of IT systems they create are intended to identify and publish offenders, not create strong security for the "population."

Just my biased 0.02

quincunx • December 14, 2006 7:30 PM

'In case anyone hasn't noticed, there is no good "scientific" theory of politics at this point in human history, at least not one that has attained mainstream acceptance.'

There aren't any, or you haven't found them? I understand you studied the humanities, but there is a whole field of study called political economy that suggests that there are quite a good amount of theories on politics, some of them rational.

Suffice it to say that the theories will never be recognized by the mainstream, because that would simply spell the death for politics.

Politics exists for the sole reason that it is not understood by many, and politics continues to educate the masses.

"a solution will eventually develop by concensus."

No, a conspiracy will eventually develop by concensus.

Science is not about building concensus. Never has been.

Pat Cahalan • December 14, 2006 7:45 PM

@ fubar

Well, lots to reply to here...

> The conflict between "sharing ideas" and "tight security" isn't a
> "religious belief" as much as it is a sociological reality that is
> wired into culture and human consciousness.

I agree that many people believe that "sharing ideas" and "tight security" are in conflict, if that is what you are trying to say.

Let me rephrase what I was saying:

Those who stand by the position that "an open sharing of ideas" is in conflict with "tightening down security" are usually equating "an open sharing of ideas" with "running systems any way I please" and "tightening down security" with "preventing me from running systems any way I please", or perhaps, "I want the ability to shoot myself in the foot". That's fine, up to a point, but far too often nowadays you can't just shoot yourself in the foot, because everyone's carrying the technological equivalent of a bazooka and there's lots of bystanders.

Practically speaking, in a university environment, "tightening down security" has absolutely no impact whatsoever on the open sharing of ideas, it only has an impact on particular processes and technical implementations of how you share those ideas. That's not telling people how to think, it's telling people how to work.

> Attempting to force a highly "systems-centric" paradigm on
> academia is always going to be politically disruptive.

I disagree with this statement. I believe it is historically true, however, I do not believe that academia can continue to ignore the outside world. It's one thing to foster an ivory tower environment when the barbarians aren't in the country, let alone at the city gates or the university walls. Unfortunately, the current state of electronic communication means that the university network is topologically congruent to the bad guys.

> Any negative intrusion by IT ("systems") into the day-to-day life of
> academics will raise hackles.

I agree this is true. The severity of the hackle-raising is slightly astonishing.

People don't complain when the HR department tells them they have to fill out forms in triplicate to get their leave approved, or when Accounting tells them they have to file their expense report by such and so date after their return to be reimbursed, or when Security tells them they can't have a bbq indoors (well, they complain, but they don't presume to try and change it), or when their mechanic says they need new brakes, or their CPA tells them they can't file that deduction, or when the police officer hands them a ticket for running a red light. And yet they'll fight to the death against IT staff. Why is this? They've certainly got as much historical reason to distrust all of those examples as their IT guy, no?

> One "solution" to the mess is to place academics into IT management.
> The problem of course is that such "managers" are not going to be
> well trusted by hard core IT folk who tend to have disdain for non-techie academics.

Actually, the right solution (IMO) is to have an IT steering committee that contains academic, staff, and IT people.

> Another solution is to "decentralize" campus IT, and thereby dilute the
> power of the IT community. That of course is seen (rightly) by IT "systems
> purists" as an invitation to all sorts of problems with IT standards
> enforcement (including security standards).

Decentralized (feudal) IT arrangements are pretty common in university settings. This isn't a solution, this is the current state of affairs, and it's demonstrably broken.

> A more pragmatic issue is cost of converting "legacy"
> applications that rely on SSN. It is one thing for the state of California to
> create laws about information security, it is another for it to pay for the
> conversion to systems that store SSN as minimally and securely as possible.

You're confused about SB 1386. There is no funded enforcement arm of 1386 (nobody audits you to see if you comply) and more to the point you aren't required to *change* anything. You can store SSNs in plaintext on a university web site if you want, and you're not in violation of SB 1386... you just have to make sure that anytime someone looks at that web page who is not authorized, you inform everyone who is on the list.

> Universities have to interface with many outside systems, including
> the federal government's massive financial aid systems (and numerous
> other funding sources that want student data by SSN because it is the
> only current "universal" identifier within American society). So, guess
> what? SSN is needed in order to get huge blocks of education money from the feds.

True.

> Even if the money was available to convert legacy systems that use
> SSN "too liberally", there is the issue of management competency.

The money *is* available to convert legacy systems. The conversion is not a priority.

> In other words, managers in academia are, by their "political DNA", usually
> not going to be really good at IT.

the other Greg • December 14, 2006 11:11 PM

One fundamental problem is that the metaphor of the Agora is used to justify university policies or their lack, while real universities are more similar to factories and prisons.

fubar • April 5, 2007 6:21 PM

re: http://pub.ucsf.edu/today/cache/news/...


For your edification and/or grim amusement, see the below post from 2005 about another breach at UCSF.

| "management was unwilling to accord
| IT security any real support.
| Information management in a university
| environment is chaotically crazy by
| nature, but decisions were also made
| that demanding that we conform to
| our own IT management policies was
| impermissibly "rocking the boat.")

http://www.interesting-people.org/archives/...

Excerpt:

Subject: [IP] Yet another university data breach; Feinstein to demand encryption

From: David Farber
To: Ip
Date: Wed, 06 Apr 2005 16:13:54 -0400

---------------------------------------

------ Forwarded Message
From: Ross Stapleton-Gray
Date: Wed, 06 Apr 2005 10:57:18 -0700
To: , johnmac's living room
Subject: Yet another university data breach; Feinstein to demand encryption

The SF Chronicle's David Lazarus writes on yet another university data
breach, this time at UC San Francisco:
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/...

(Disclaimer: I was the first and only IT Security Officer (a policy
position) in the UC Office of the President; I was hired by a CIO who'd
been recruited away from the Pentagon, but who left UC shortly after I was
hired... my position was eliminated after about a year. I do not think I
was effective, largely because management was unwilling to accord IT
security any real support. Information management in a university
environment is chaotically crazy by nature, but decisions were also made
that demanding that we conform to our own IT management policies was
impermissibly "rocking the boat.")

The new wrinkle in the Lazarus article is the news that California Senator
Dianne Feinstein will "introduce federal legislation within the next few
days requiring encryption of all data stored for commercial
purposes. "What this shows is that there is enormous sloppy handling of
personal data," Feinstein said."

It may be that UCSF is the final straw, but it feels like this is the
ChoicePoint breach talking. Hopefully any (useful) requirements in a
Feinstein bill aren't confined to "data stored for commercial purposes,"
unless she's willing to define that to include such things as university
admissions data (a la the previous UC Berkeley breach).

But I say "useful"... merely mandating, "data must be encrypted," is like
finding spoiled food in the 'fridge, and mandating that all foods will be
in containers, without an acknowledgement that corrugated cardboard is
different from plastic, that foods have shelf lives, and that some require
special handling, e.g., child-proof tops on some pharmaceuticals. And
goodness knows a poor implementation of encryption can be worse than none
at all.

At the root of this, really, is more a problem of records management than
one of IT security. What I saw in my year at UC was local IT security
administrators fighting fires (e.g., installing anti-viral software,
tending to IDSes) in an abandoned and decrepit building: records management
was so woefully neglected that one couldn't identify all of the sensitive
information holdings, let alone who was responsible for them; awareness of
responsibilities of those who owned sensitive records was minimal; tools
for protecting sensitive information, e.g., deidentifying personal
information (there's far less of a problem in losing 100,000 records, if
each record is tagged with a pseudonymous serial, instead of a name and
SSN, say), absent; etc., etc.

The Chancellor of UC Berkeley has announced that he'll "engage one of the
nation's leading data-security management firms to conduct an immediate
external audit of how the campus handles all personal information," this in
response to their own March 11th breach (when a laptop with 100,000
personal records was stolen):
http://idalert.berkeley.edu/chancellorletter.html
I think the scope of what's found will surprise him.

As another marker, I was intrigued while at UC to see a marked difference
in paper vs. electronic, in the area of forms soliciting personal
information. By California law, such forms are required to include
something like eight different information elements, describing what the
information collected is to be used for, etc. If you find *paper* forms
reproduced on the Web in PDF, on various UC campus sites, they do bear
those required elements. If you find forms created for the Web, they often
do not. Why? Almost certainly because the former have passed through
well-worn, formal channels to publish administrative forms; the latter were
thrown up by anyone with a bright idea, a need and access to a Web server.

Ross

-----

Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com


------ End of Forwarded Message
