
University of Maryland Data Breach - mahmoudimus
http://www.umd.edu/datasecurity/
======
jaydub
As an alum of UMD I'm really annoyed by this whole situation.

While I was an undergrad there, there was an incident with social security
numbers being revealed on parking mailers that were sent out
([http://marylandrha.blogspot.com/2008/07/social-security-number-on-parking.html](http://marylandrha.blogspot.com/2008/07/social-security-number-on-parking.html))

At the time I was wondering why the heck do people sending out parking mailers
have access to my SSN?

After seeing this article I'm again wondering why the heck does the university
retain SSN for alumni?

edit: the reason I mention this is because I think having reasonable data
policies in place can help mitigate the severity of such events

~~~
freshyill
Oh that's nothing. At Penn State, Social Security Numbers were your student ID
numbers. I think this has been changed. I hope, anyway.

~~~
zacinbusiness
Same goes for my alma mater. They changed it in 2007 or so and it was a
GIGANTIC pain in the ass. Of course it's worth it to not have your photo, full
name, and SSN on your student ID card.

------
purephase
Having worked in higher ed for a number of years, I'm frankly surprised that
this doesn't happen more often. At least, to the level of being reported like
this.

Faculties regularly operate independently and have their own ideas about the
proper way to secure the information they have access to (which, in some
cases, is not at all). As a security representative in the central IT
department, I was often tasked with finding, reporting and attempting to work
with the various faculties that did not follow posted data access and privacy
policies but, almost every time my efforts were superseded by "academic
freedom".

Incredibly frustrating experience.

~~~
ef47d35620c1
I call this the "PhD from MIT Syndrome". A few of them actually _think_ that
they know everything about everything no matter their field of study. They are
polymaths (in their own minds at least).

Years ago, a physics professor scoffed at me when I cautioned him about
storing 64-bit ints in 64-bit doubles. He said, "who is this that speaks to me
as though I needed advice?" He could not understand why his program failed
sporadically. Must be a bug in the compiler. It certainly wasn't _his_ code.

~~~
existencebox
You know, I once sat in on a discussion between one of the sysadmins on my
team and a researcher; that went something like (barely paraphrased, only
insofar as my memory is bad) "Did your code run in test? What is test? Do you
deploy your code to the test environment before steamrolling a running
production instance. No no, why would I ever do that." (after literally
cursing out one of our sysadmins for not fixing why his code was no longer
running for him.)

Things like this are why I left academia back to industry, unfortunately for
how many fantastic opportunities academia has to offer :/

------
Spooky23
Sounds like a strategic place to breach for identity theft purposes. Lots of
military and other folks get degrees from there.

------
joe_the_user
The scary thing about this is that it's happening when network security is no
longer a secondary thing to physical security but rather network security is
the most crucial security out there.

And networks still have an inherent weakness compared to physical sites.
Physical sites don't have the problem that once one site is breached, another
thousands of miles away can fall almost instantly.

Interlocking networks, id's, passwords, credentials and so-forth create a
situation where there isn't really an inside or outside for the enterprising
criminal. I can't see any way that this isn't going to get worse and worse for
a while.

------
xjtian
I'm a student at UMD right now, and pretty frustrated to find out about this.
IMO, the university should do a lot more than just providing a year's worth of
credit monitoring, because once that year is up and people forget/choose
not/can't afford to renew, chances are 90% of those records are going to be
easy pickings for identity thieves.

300,000 SSN's, names, and DoB's is one helluva haul though. At least no
academic records were compromised, god forbid anybody takes a look at my
grades before making off with my identity! \s

------
eliteraspberrie
The blind leading the blind:

 _NSA designated the University of Maryland as a National Center of Academic
Excellence in Information Assurance Research. The University of Maryland was
also named an Intelligence Community "Center of Academic Excellence" by the
Department of Homeland Security. ... MC2 takes a unique approach in educating
the future cybersecurity workforce to serve industry and government needs in
Maryland and the Washington, DC metropolitan area._

[http://cyber.umd.edu/about](http://cyber.umd.edu/about)

~~~
adamio
The university IT is a separate entity from the comp sci dept at umd

------
zaroth
I wonder how they discovered they were hacked, and how they arrived at the
309,079 records number.

What logs are typically 'left behind' for forensics to analyze after the fact?
It's not like they have packet captures of all network communications they can
analyze, or a list of every SQL query that was run after the attacker found a
way to inject...

~~~
dmethvin
Something like they found a SQL dump file that shouldn't exist, looked at its
creation date, inspected the log files (e.g., web server logs) and found
network activity indicating it had been sent somewhere bad. Or they saw some
unusual activity when doing a monthly analysis of web log activity, dug into
it, and realized the whole DB had been sucked out through a SQL injection
exploit. Or...the possibilities are endless.

Since web servers are most reliably logged even on poorly maintained systems,
I'm guessing at least part of the attack hinged on that. It's really common to
have servers that end up with no disk space because web logs aren't being
rotated and archived/pruned properly.
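
An added example, not part of the comment above or of any code from the thread: a small triage pass over web server access logs of the kind the comment describes, flagging clients whose query strings carry SQL-like tokens or whose total response bytes are unusually large. The function name `triage`, the byte threshold, the token patterns and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} (?P<bytes>\d+|-)'
)
# Heuristic SQL tokens looked for in the decoded query string only.
# These will produce false positives and must be tuned per application.
SQLI_RE = re.compile(
    r"\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|information_schema|--|/\*",
    re.IGNORECASE,
)

def triage(lines, bytes_threshold=1_000_000):
    """Return {ip: {"sqli_hits", "bytes", "flags"}} for clients worth a closer look."""
    stats = defaultdict(lambda: {"sqli_hits": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than guess
        rec = stats[m["ip"]]
        rec["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        _, _, query = m["path"].partition("?")
        if query and SQLI_RE.search(unquote_plus(query)):
            rec["sqli_hits"] += 1
    report = {}
    for ip, rec in stats.items():
        flags = set()
        if rec["sqli_hits"]:
            flags.add("sqli-pattern")
        if rec["bytes"] >= bytes_threshold:
            flags.add("large-transfer")
        if flags:
            report[ip] = {**rec, "flags": flags}
    return report

# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:03:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2014:03:12:05 -0500] "GET /lookup?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 2400000 "-" "curl/7.30"',
    '203.0.113.7 - - [01/Jan/2014:03:12:09 -0500] "GET /lookup?id=7%20UNION%20SELECT%20a%20FROM%20b HTTP/1.1" 200 900000 "-" "curl/7.30"',
    '198.51.100.4 - - [01/Jan/2014:03:13:00 -0500] "GET /downloads/catalog.pdf HTTP/1.1" 200 1500000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2014:03:14:00 -0500] "GET /search?q=maryland+or+virginia HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

A client flagged for both reasons is the one to correlate first with file creation times and outbound traffic; the large-transfer flag alone is often just a legitimate download.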

------
jrochkind1
> our sophisticated, multi-layered security defenses

Is there anyone that has worked in higher ed IT who believes this?

~~~
btgeekboy
As someone who works for a vendor to higher education, I can say that it
_highly_ varies from institution to institution. I've noticed that size and
prestige do not seem to be correlated to the level of security they actually
have (or pretend to have).

~~~
pionar
I concur, as someone who also works for a vendor to higher ed.

I know of small universities that demand an independent audit of all vendor
code, to the large universities that are ok with having a four-character
password for database access.

It also seems that Canadian universities are far more serious about security
than American counterparts.

------
ihuman
You'd think the operators of one of the root DNS servers[1] would also have
the security to prevent this sort of breach.

[1] [http://d.root-servers.org/](http://d.root-servers.org/)

~~~
skennedy
Having gone to UMD for computer science I can say that the DNS servers are not
on the main campus. And certainly a completely separate group of people
managing them than basic infrastructure of the Registrar. That said,
collaboration would probably be a good thing if it does not already happen.
But who's to say any system is infallible?

------
kabdib
My alma mater. Fortunately, since I dropped out in 1982, I don't have to worry
about this breach :-)

