Security bloggers are focusing on another big security breach this
week. But some are starting to wonder if it's really worth paying
attention to anymore.
UCLA is among the latest in a long list of organizations forced
to acknowledge a data security breach affecting those who do
business with them.
In this case, a hacker cracked a university database containing
the personal information of current and former students, faculty
and staff, exposing 800,000 people to potential identity fraud. The
intrusions apparently went on for more than a year before UCLA
security staff discovered them last month.
Reaction in the blogosphere ranges from disgust that the hacks
were allowed to go on for so long to amusement that the latest
victim is an organization that helped create the Internet.
Then there's the virtual yawn coming from the blog of security
luminary Bruce Schneier. With security breaches becoming such a
routine occurrence, he suggested that there's no longer a reason to
make big headlines out of each new case.
"This is barely worth writing about: yet another database attack
exposing personal information," Schneier wrote. "My guess is that
everyone in the U.S. has been the victim of at least one of these
already."
Though it may not be worthy of the coverage it's getting, he did
point to one thing about the UCLA case he found troubling.
Jim Davis, UCLA's associate vice chancellor for information
technology, told media outlets that the attack was sophisticated
and used a program that exploited a flaw in a single software
application among the many hundreds used throughout the Westwood
campus.
"An attacker found one small vulnerability and was able to
exploit it, and then cover their tracks," Davis told The Los
Angeles Times.
To that, Schneier said, "It worries me that the associate vice
chancellor for information technology doesn't understand that all
attacks work like that."
BoingBoing is among the many blogs making mention of the UCLA
breach. One of its readers wrote in to describe the email he
received from the university. Illustrating how the breach affected
more than students and faculty, the reader noted that he has never
attended UCLA.
"I applied to their law school three years ago," he said.
Meanwhile, a CISO who frequently contributes to the Emergent Chaos
blog under the name Arthur wrote that the breach showed a lack of
security controls on UCLA's part.
"It's a real shame they didn't have more effective security
controls and monitoring systems in place," he wrote. "Maybe then
this incident wouldn't have happened or been detected and stopped
much earlier."
The Independent Sources blog noted the irony of the situation,
given that UCLA played a big role in the creation of the Internet.
"Think of it as Frankenstein turning on its maker," the blog
said. "Years ago, UCLA played an active role in creating the
Internet. Then several years later, it is used to steal personal
information on 800,000 current and former UCLA students and
faculty."
UCLA may be proud of their computer science department, the blog
said, but "it'd be nice if the folks running the main computer
system did a little better job locking down the database."
Microsoft's massive patch tally
Elsewhere, Microsoft released its December patch load Tuesday,
fixing zero-day flaws in Visual Studio and Windows Media Player as
well as other glitches in Internet Explorer and Windows.
Unless the software giant rushes an out-of-cycle patch into
circulation before the year is out, the company will have addressed
133 critical and important vulnerabilities in 2006, according to a
tally kept by McAfee in its Avert Labs blog.
The blog includes two graphics showing the number of critical and
important flaws fixed this year compared to 2004 and 2005.