Schneier: Data breach at UCLA barely newsworthy
This week in Security Blog Log: Security luminary Bruce Schneier and others sound off on the UCLA data breach that exposed 800,000 people to identity fraud.
Security bloggers are focusing on another big security breach this week. But some are starting to wonder if it's really worth paying attention to anymore.
UCLA is among the latest in a long list of organizations forced to acknowledge a data security breach affecting those who do business with them.
In this case, a hacker cracked a university database containing the personal information of former students, faculty and staff, exposing 800,000 people to potential identity fraud. The intrusions apparently went on for more than a year before UCLA security staff discovered it last month.
Reaction in the blogosphere ranges from disgust that the hacks were allowed to go on for so long to amusement that the latest victim is an organization that helped create the Internet.
 |
||||
|
|
|||
|
||||
Then there's the virtual yawn coming from the blog of security luminary Bruce Schneier. With security breaches becoming such a routine occurrence, he suggested that there's no longer a reason to make big headlines out of each new case.
"This is barely worth writing about: yet another database attack exposing personal information," Schneier wrote. "My guess is that everyone in the U.S. has been the victim of at least one of these already."
Though it may not be worthy of the coverage it's getting, he did point to one thing about the UCLA case he found troubling.
Jim Davis, UCLA's associate vice chancellor for information technology, told media outlets that the attack was sophisticated and used a program that exploited a flaw in a single software application among the many hundreds used throughout the Westwood campus.
"An attacker found one small vulnerability and was able to exploit it, and then cover their tracks," Davis told The Los Angeles Times.
To that, Schneier said, "It worries me that the associate vice chancellor for information technology doesn't understand that all attacks work like that."
BoingBoing is among the many blogs making mention of the UCLA breach. One of its readers wrote in to describe the email he received from the university. Illustrating how the breach affected more than students and faculty, the reader noted that he has never attended UCLA.
"I applied to their law school three years ago," he said.
Meanwhile, a CISO who frequently contributes to the Emergent Chaos blog under the name Arthur wrote that the breach showed a lack of security controls on UCLA's part.
"It's a real shame they didn't have more effective security controls and monitoring systems in place," he wrote. "Maybe then this incident wouldn't have happened or been detected and stopped much earlier."
The Independent Sources blog noted the irony of the situation, given that UCLA played a big role in the creation of the Internet.
"Think of it as Frankenstein turning on its maker," the blog said. "Years ago, UCLA played an active role in creating the Internet. Then several years later, it is used to steal personal information on 800,000 current and former UCLA students and faculty."
UCLA may be proud of their computer science department, the blog said, but "it'd be nice if the folks running the main computer system did a little better job locking down the database."
Microsoft's massive patch tally
Elsewhere, Microsoft released its December patch load Tuesday, fixing zero-day flaws in Visual Studio and Windows Media Player as well as other glitches in Internet Explorer and Windows.
Unless the software giant rushes an out-of-cycle patch into circulation before the year is out, the company will have addressed 133 critical and important vulnerabilities in 2006, according to a tally kept by McAfee in its Avert Labs blog.
The blog includes two graphics showing the number of critical and important flaw fixed this year compared to 2004 and 2005.
