You probably heard the news last week that hackers have infiltrated restricted computer databases at Cal Berkeley. The personal information of 160,000 current and former students and alumni “may” have been stolen. The University says Social Security Numbers, health insurance information and non-treatment medical records dating back to 1999 were stolen. Within that data set were 97,000 Social Security Numbers, from both Berkeley and Mills College students who were eligible for medical treatment. I am going to make an educated guess that this was a database either for or located at Cowell Hospital, but there are very few other details available. Not unusual in data breach cases, but annoyingly understandable, and the reason I do not post comments on most data breaches.
This one is different. This is an offer to help UC Berkeley with their data security challenge. As a security professional and Berkeley alumnus, I want to offer my services to assist with security and product strategy to ensure this does not happen again. Free of charge. I am willing to help. This is a service Securosis provides: free strategic consultation services to end users. Within reason, of course, but we do. So I am extending an open offer of assistance to the University.
In 2008, when I was still with my previous employer, we had a couple of meetings with IT staff members at UC Berkeley about some of their security challenges and to see if our products were of interest to them. As most initial conversations go, we covered as much background about the environment and goals as we could. While the people we were speaking with were smart and highly educated, the questions they asked and the order of their priorities suggested that they were naive about security. I do not want to provide too many details on this out of respect for confidentiality, but the types of products they were reviewing I would have assumed were already in place, and policies and procedures would have been more evolved. I can even hear Adam Dodge in the back of my head saying “Well … education is a lot different than the private sector”. He’s right, and I get that, but for an organization that has already had a data breach through a lost laptop in March 2005, I expected that they would have gotten ahead of the curve. The liability here goes all the way up to the UC Regents, and this is a problem that needs to be addressed.
My goal is not to insult the IT staff at UC Berkeley. Just look at the Privacy Rights web site, or the Open Security Foundation, and you will see that they are no better and no worse than any other university in the country. What pisses me off is that my alma mater, one of the best computer schools in the world, is below average in their data security! Come on!!! This is Berkeley we are talking about. UCLA, OK, I could understand that. But Berkeley? They should be leading the nation in IT security, not the new poster child for University data breaches.
Berkeley has among its student body some of the smartest people in computer science, who gather there from all over the world to learn. When I was there, if you wanted to know about the inner details of the UNIX kernel, say at 2:30 in the morning, there was someone in the lab who could answer your question. Want to know the smallest of details on network architecture? The ‘finger’ daemon could point you to the guys who had all the answers. You might need to pull them away from Larn for a couple of minutes, but they knew scary levels of detail on every piece of software and hardware on the campus. It is no different today, and they are clearly not leveraging the talent they have effectively.
So go ahead. Ask for help. The university needs assistance in strategy and product suitability analysis, Securosis can help, and we will do it for free.
Now I am going to have the Cal fight song in my head for the rest of the day.
5 Replies to “Open Invitation to the University of California at Berkeley IT Dept.”
When I was at University all those years ago there were two networks. One was pretty open and easy to get around the controls in place (or so I hear) and the other was tightly controlled (or so I hear). They were totally separate and only the “easy, open-ish” one was connected to the Internet.
Why not have two networks connected by a Firewall? If cost is an issue then consider using a BSD box.
All companies have financial information and HR information which need to be protected. They also have information flowing that runs the business – how they protect this information should be considered separate from the other information.
In a University most of this information may not need to be heavily protected.
The problem is that many students, at least a few years ago, probably assumed that their private info was being safeguarded by some decent protective measures. Students, like most people, are probably more aware today about the risks, but retain the desire to behave in the way you describe.
The administration is probably more naive about the need for security than mainstream business executives are, but they may be more aware after a few admins at some universities were canned. I once asked Gene Spafford if the admins at Purdue listened to him, and he said no. So is it really a case of protecting academic freedom, or some elitists in a gilded cage that think that acting responsibly for their staff, student and alumni data is a low priority?
I was surprised to hear a parallel example in DOD last year. Younger recruits are interested in the latest technologies and social networking etc., and the military restrictions on their use were affecting staff retention adversely, so this was seen as a big problem. Our answer (of course) is that scalable MLS across the network protects the important data, while still allowing open access to everything else without the adverse risk exposure that would result without it.
@ Rob
No, that was not the intention of the sentiment. Cost is not the primary issue. The thought, and often the practice, is that security should not get in the way of research, openness and encouragement for sharing ideas that promotes learning. Whether the motives are pure or simply they do not want to think about security or deal with security hassles needs to be taken on a case by case basis, but faculty are as resistant to security as the student body. Security is treated somewhat like a burden that does not support the primary mission of the University. It’s similar in many respects to the discussion of security vs. privacy, where these two are not orthogonal at all, but form a convenient cover for the desire of controlling behavior.
And to touch on your [rhetorical] question; nothing. But it is the wrong question for the audience we are talking about. I am willing to bet a student cares more about sharing music and being able to surf the web for any freaking content that is of interest than their privacy or credit score. WAY more.
-Adrian
Huh. I just thought that statements like “Well … education is a lot different than the private sector” was just codespeak for not wanting to spend any money.
What exactly is the difference in protecting students’ private and credit information in education as opposed to the private sector, or protecting academic research from protecting intellectual property elsewhere?
You’d have thought they would have already learned their lesson. 🙂
http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)
(Brilliant book, that I am reading once again.)