What The Hell Was He Thinking?

Fri Jul 20 17:40:29 EST 2007

Lyger and Jericho

For those who haven't heard, a data loss incident involving the Louisiana Board of Regents was recently disclosed to the media. In short, about 80,000 Social Security numbers were inadvertently exposed over the internet, and the media seemed to be very quick in picking up on the story. An independent researcher by the name of Aaron Titus made this discovery, contacted a media source and made the disclosure. Fairly interesting.

Here's the problem: Aaron Titus made a mistake. He asked for advice regarding responsible disclosure of a known vulnerability (i.e. an exposure of personal information in a public location), and then proceeded to ignore almost every bit of rational advice given to him.

-----Original Message-----
From: lyger [mailto:lyger@attrition.org]
Sent: Monday, June 18, 2007 5:44 PM
To: Aaron Titus
Subject: RE: Arkansas Psychology Board Data Breach

On Mon, 18 Jun 2007, Aaron Titus wrote:

: Lyger,
: I'm sorry also for the late reply.  Got sent out of town on business, so I'm
: coming up for air.  Yes, please include the Arkansas Psychology Board Data
: Breach on the data loss mail.

I'll try to look it over tonight.

: Also, I'd appreciate some advice- I just discovered that the Louisiana State
: Board of Regents has compromised almost 91,000 (yes, thousand) names, SSNs,
: DOBs, old addresses, race & gender indications, etc.  They are mostly former
: high school students and staff in Louisiana, born between 1982-1985. They
: appear to have been online since around 2001.
:
: I am trying to decide the best course of action that will meet two goals: 1.
: Most effectively notify the individuals at risk. 2. Cause change and action.
:
: My inclination is to put a sanitized version of the data in an online
: searchable database, so that individuals could search for their name and
: find out whether their information was compromised (but not find out what
: the information is).
:
: I'd appreciate your thoughts.

My initial reaction is to treat this like most of the security community
tends to treat vulnerability disclosures:  contact the vendor (or in this
case, the Louisiana State Board of Regents) FIRST.  Make them aware of the
problem.  If they're unwilling to respond or do the right thing and
"provide a patch" (or remove the data), then contact the community (or in
this case, the media).  Taking the data and posting it on your own could
lead to misuse of the data, much like 0-day exploits end up being used by
hackers (or in this case, identity thieves).  Even sanitized, you would be
providing information better left private, which, despite your good
intentions, could be against the best interests of those affected.

Let the Board take the measure of handling the situation, including
notification, after they've been contacted.  Just my opinion, but the
change and action you hope for will hopefully happen after you contact
them and the media gets wind of what will likely be a big story.

Note that we redacted Aaron's email address in the email above. It is worth mentioning that we also redacted his work telephone number from the same email. We would really hate to invade his personal privacy since he values it so much, but with that said, why would a "privacy advocate" ask for advice regarding responsible disclosure, email us at attrition.org, receive our advice, and then do this:


Why, after the suggestions above, did Aaron Titus set up a web page that would allow anyone to search for a potential breach of their personal information? Setting up a web site that allows people to randomly search for ANY type of personal information on other people is a definite security and privacy risk. If you care to visit the site and run a search (which I don't), plug in a random common last name like Smith, Jones, or Johnson. You won't get a Social Security number or a date of birth, but exactly how ethical is it for a "privacy advocate" to make ANY of this information publicly available? Before this database, we only knew that X people were affected. Now we know that Maximilian Smith, Dustin C Smith and Juketrica Goldsmith were affected by the breach that prompted him to create the site. Thanks for the information there Aaron, that is definitely serving the victims well.

More Problems with ssnbreach.org

At the top of the page they proudly declare "Currently Documenting 25,631 Data Breaches", which is confusing. Since attrition.org has been tracking data breaches for years and only has an archive of about 725, and other sites such as PRC have similar numbers, where does 25,619 come from? The breach that prompted this web site had roughly 80,000 records compromised, so 'data breaches' isn't erroneously being used in place of 'records'. What does it mean?

When you input information into the search box, what does ssnbreach.org do with it? Checking their privacy policy we only see "Check back soon for a complete Privacy Policy". So it was more important to get all of those names up and available, which they weren't previously to most people, than to establish a privacy policy covering their own use of your data.

While their intention is for you to plug in your name to determine if you were affected, the search mechanism is very weak. Searching for the last name "Smith" yields a lot of results, and the display only gives you 100 names. In fact, searching for the letter "a" yields 100 names containing the letter "a". With fifteen minutes and a simple script, it would be fairly trivial to harvest the entire database of names.

While we can appreciate the disclaimer at the bottom, "The information given by this website is presented "AS-IS," without any warranty as to its accuracy or fitness for a particular purpose.", it is worth noting that searching for "Aaron Titus" yields no results. Wasn't he impacted by this breach, and wasn't that what led to him getting all fired up? Nice that he may have removed his own information, but what else may he have removed and why?

Protecting us from criminals?

Titus was quoted in mainstream media as saying "I'd be shaking in my boots. I'd be really, really freaked out. All of my information is available to anyone who wants it right now", but then makes certain aspects of people's private information available on the Internet?

Regardless of the intentions of Titus or the Liberty Coalition, the information they are using was taken from the Louisiana Board of Regents, a government web server. They are now using this information to "help the public" and promote the Liberty Coalition organization. The site and its owner have ZERO rights to that information, ZERO rights for making any of it available and their actions could easily be considered criminal.

If nothing else, the site should be taken down out of respect for "privacy". Isn't that what you care about, Aaron?
