Stanford Hack Exposes 10,000

Daniel Golding dgolding at burtongroup.com
Thu May 26 17:01:24 UTC 2005



People are missing the point a bit. Most schools HAVE switched over to new
numbering systems. Most student IDs have school-specific ID numbers. The
problems are:

1) Older student records are indexed by SSN and they must be retained.
2) Some information is still indexed by SSN out of necessity - student
financial aid for example

That means you have a translation database somewhere, with all those SSNs
and the new student index numbers.

SSNs are already forbidden going forward at pretty much all schools. For
example, they can't be used to post grades. However, the need to retain them
for backwards compatibility remains. Education institutions need a clear set
of guidelines for handling sensitive data like that. A good start would be
that such data can only be stored in an encrypted format in a physically
secure facility. 

Yes, that seems obvious, but it doesn't happen. Considering the sort of
freewheeling environment prevalent in University networks, you would think they
would be a bastion of high security. Sadly, this isn't the case.

- Dan

On 5/26/05 6:10 AM, "Michael.Dillon at radianz.com"
<Michael.Dillon at radianz.com> wrote:

> 
>>> Around about whenever the US Federal Government gets the hint and
>>> passes a bill which makes it illegal to use social security numbers
>>> for any purpose other than the administration of social security.
> 
> Wrong answer. Federal laws do not stop people from doing stupid
> things and they do not stop people from doing illegal things.
> 
> What we need is a Hollywood blockbuster in which some high school
> hackers wreak havoc by acquiring SSNs from gradesheets and using
> mother's maiden names to steal lots of money and identities.
> Then, pointy-haired bosses will ask their sysadmins to make sure
> that it can't happen in their department.
> 
> Hollywood movies change people's behavior. Federal laws do not.
> 
> --Michael Dillon
> 

-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group




