California Hax0red
rochlin writes "200,000 California state workers burned! According to the Sacramento Bee, personal and financial info for 200,000 workers was accessed by a team of hackers "working secretly over the past several months." Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."
This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali paid so much for, would it?
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
And I've just finished clearing up a script kiddie attack from MY site >_< (People who leave open proxies running on their servers ought to be shot repeatedly)
My heart goes out to those sysadmins I can tell you that.
The hackers lost all the data when power went down suddenly :-)
Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force.
Where the heck did this quote come from? Am I reading the wrong article? The article isn't nearly as exciting as the posting made it out to be.
Hackers had access to SS#
Great.. unfortunately the SS Administration won't give you a new number unless you can PROVE that your number is being used illegally or against you. Great! So now we have to wait until someone steals our identity to get a new number. Something's kinda fishy with that. If your credit card is stolen you report it right away and get a new one. But no.. if your SS# is stolen you keep it unless someone is hurting you. EEEK! BAH!
Thank goodness I don't live or work in California anymore!
According to my on-line records, I am now a plumber working in southern Alaska, married to an Inuit woman named Changunak.
Better get packing.
levine
So, these computer geniuses will now be able to assume the identities of lowly paid state employees. Well done.
For your next feat, why not steal the identities of Third World farmers?
Or did anyone else notice that the number of workers (265,000) is a power of 2 with 2 digits switched multiplied by 1000? Probably a useless, random coincidence, but computer crimes involving powers of 2 are enough to drive conspiracy theorizing hackers mad.
Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force.
Their Slashdot passwords?!
From what I know, most of the California state IT needs are filled by Windows machines, including this data center.
Just my $0.02.
--
I Hit the Karma Cap, and All I Got Was This Lousy
No problem. Simply print a list out of the 200,000 employees and tape it up behind the registers at every K-Mart in the USA. Problem solved.
<%
' Commenter's joke snippet: a query-string flag that opens a hardcoded admin connection
Dim oConn
Set oConn = Server.CreateObject("ADODB.Connection")
If Request.QueryString("action") = "BackDoor" Then
    oConn.Open "dsn=RootAccessOracleDSN;uid=admin;pwd=pa55word;"
End If
%>
I knew there was some downside to impeccable job security, generous benefits and a comfy chair. Now I better start watching out for posts on ./ from the other billstr78.
See title.
Someone failed l33t spelling in high school, I see.
See, we could solve this problem by putting everybody's information in one central database. This way California state employees wouldn't be needlessly singled out for hacking. ALL of us could get our information hijacked at once :)
This sig has been temporarily disconnected or is no longer in service
"The electronic assault on payroll and other records was discovered by the Sacramento Valley Hi Tech Task Force, which determined that none of the information has been used illegally so far."
That sounds like scare tactics to promote their services. "We believe your computer was broken into. You are in great danger. Here's my business card."
I wonder if the employees union will sue the state for damages? While I may get trashed for suggesting such a legal "solution" (or maybe praised, who cares), I think that's the only way large organizations will know why it's worth it to maintain security.
I say don't underestimate how much this sucks for those employees.
-pyrrho
people need jobs you fucking moron. if you don't like it, stop paying taxes and get put in jail. that'll learn ya.
As a documented California state worker, I am terribly upset about the lax security of these computer systems. If anyone else would like to take part in a class action lawsuit with me, please send your relevant information, including, but not limited to the following documents:
Social Security Number
Driver's License Number
Date of Birth
Mother's Maiden Name
Birth Certificate (original only, no copies, please)
...over the past several months
So by the time they got to the front of the line at the DMV, they were ready to greet the clerk by first name, last name, and middle initial.
Find free books.
I hope none of them are stupid enough to steal Gray Davis's identity. I don't think he, himself, wants to be the governor right now.
That has been true since the creation of the civil service, if not longer. If you pay ~$15,000 to a worker to handle a $1.5B piece of equipment you need to reevaluate your spending priorities. Putting low paid workers in charge of such information, considering the amount of civil and criminal liability the state now faces due to its incompetence, is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the Pentagon.
I would sure like to see the direct quote which backs up this statement because it seem very presumptuous. Either the writer has misunderstood or the Sacramento Valley Hi Tech Task Force is dangerously overconfident.
Oh good, another California State Government technology fiasco. Is this some kind of cosmic balance thing? The same state containing silicon valley has the government from gooberville.
Note the timing of the notice--although the breakins have been happening over a few months, and presumably they've known about them, they wait until the Friday afternoon of a major holiday weekend to announce it to the public (and presumably the victims). Somebody's trying to save his sorry ass.
Remain calm! All is well!
If people consume, then obviously they create a market for products. Hence they could produce, hence they should get a fucking productive job.
State employees are far too often shovel leaners out on the highway, bureaucrats shuffling papers.
You're a Civil Servant? On your fuggin knees!
It was Patty and Selma!
I actually do tech support for a field office. I've never been impressed by the security mindset of state network admins. They are paranoid about giving access to those who really need it, while ignoring much of the easier ways people can break in (such as proper use of passwords, account maintenance and monitoring, etc..). But I'm sure this would be true of any network admin who's paid and supervised as little as they are.
Interesting side note: Our last chief of IT was hired even though his resume revealed not one shred of experience with information technology. His degree was in finance, and from what it appeared he had no experience running a network. That's just how it goes when you have a governor who needs to bestow favors on those who supported him during his campaign.
Go Lakers!
I know several guys that used to work at the Teale data center (where the compromise occurred). They say it's the most anti-unix place they have ever worked. Chances are those records were sitting on unpatched NT/SQL Server boxes. If by some small chance they were on non MS boxes, knowledgeable *nix folk are non-existent there (according to them).
They went further to say the level of qualified security savvy personnel is pathetic and that any deployed IDSs are poorly managed...
I know it's all second hand, but I thought their insight was interesting.
Oh right how did they determine this?
SVHTTF: your systems have been infiltrated for several months.
Public servant: we haven't noticed anything.
SVHTTF: has anyone reported any cases of identity theft?
Public servant: we haven't noticed anything.
Maybe it's a conspiracy to cover the huge CA debt during the next budget cycle.
Step 1) Hack own site and steal info on employees.
Step 2) Blame hackers / terrorists (everyone hates them).
Step 3) Take out credit cards in employees' names (excluding judges and politicians).
Step 4) Purchase goods from 'contributing' business leaders. Collect taxes from purchases. Get kick-backs from businesses.
Step 5) Lay off employees because of budget crisis.
From my calculations, this could save California millions! And we thought government heads were so dull. They're brilliant!!!
This may sound paranoid, but what are the chances that, in the future, terrorists will be able to/are going to use identity theft of state employees to help gain access to files and information that would assist in the planning of a terrorist attack? Or worse yet, physical access to locations such as nuclear powerplants? How hard would it be to create a fake identification, get copies of government documents, and drive into a nuclear powerplant's "secure" facilities?
Probably just paranoia talking about the physical access, but I wouldn't be surprised about the documents part.
--
http://nemilar.net - Not your grandmother's soup kitchen
what could these hackers possibly do with this information?
Oracle employee: "Now they'll give us that money they owe us... mwuhahaha"
...when you are dealing with management and end users. It's less about flaws in code than about realizing the importance of patching, strong passwords, encryption etc.
I do ebusiness consulting and let me tell you, security is a joke: critical servers set up OUTSIDE firewalls, trivial to nonexistent passwords, persons responsible for security with almost no computer experience... oy.
When I try to encourage people to use good passwords, make things more difficult for crackers, I am shot down. God forbid that anyone should have to remember or type in a password!
Let me give you an example of the levels of cluelessness: I have the root password for a Unix (actually, Linux) server on which all of a particular business's sales and production data resides. Yet, the person who is most technically adept at said company won't let me have the passwords to the Windows 9x workstations! She insists on typing them in for me! Never mind that I can just hit ESC and have total access to the company's network resources.... AAAAARGHHHH!
This kind of thing is going to happen continually until people get educated.
At one time in history, literacy was considered unimportant for the masses and the ruling elite. There were scribes for that. Then it became essential for everyone working to have at least basic literacy skills. Now it has become crucial for all workers to have at least basic computer literacy--by which I mean more than just ability to use a GUI. I'm talking if not programming ability, then at least an understanding of what programming is, what ASCII files are, how computers authenticate users, etc.
When are managers and end users going to catch up to the infrastructure we've created? It seems that the only large organizations that are even nibbling at the edges of the problem are the MPAA and RIAA!!!!
G
Not International News. Get Your heads from up your arses you yank twats.
Then the information can get hijacked in one of many holes through IIS in a few minutes!
Karma whorin' since 1999
I 0Wn 4m3RiC4
--
Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
Payroll information includes the bank account and routing numbers for depositing money in the employees' accounts.
The state can also use that information to remove overpayments from your account, directly, as well;
this is a contractual requirement, which is usually left out of most employers' direct deposit agreements... but not the state's (nor IBM or a number of other big companies).
State employees with direct deposit are set up for an EFT emptying of their accounts at some point in the future. And unlike passwords, the routing numbers and account numbers are incredibly difficult to change without closing your account and moving it to another bank.
...when you tie your sysadmin's & DBA's up in endless meetings?
...when you require your network infrastructure people to train users how to use mice? (I hate people who refuse to learn. HATE)
A breakin of this magnitude can only be seen as a catastrophic business failure.
My heart goes out to their sysadmins.
If you folks are reading this, remember -- a mistake is nothing more than an opportunity to learn.
OK, I'm responding to a troll, but this is a pet peeve I have: people who complain about the highway workers leaning on a shovel. I don't think you have a right to complain unless you've tried shoveling hot asphalt in July.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Totally bo-gus.
So like, if, you were, you know, tweak-in over losin' yer info, da weiz will give ya a tick-et to his new mov-ie.
Cool, buuuddie.
What do you expect? This is the government, where people are hired on the basis of If they've worked there before, if they've served in the military, and then, just maybe if they're qualified. These people are almost impossible to fire, and are generally ignorant. My guess is they (Like my state government) were running a bunch of MS NT servers which were never patched, used awful passwords, implemented no access controls, and in general just really screwed the pooch. Anyone remember when hacking the government seemed like a difficult thing far out of reach? I miss the naivety I had in the 80's....
If they paid computer people more money, they wouldn't become hackers, now would they?
I'm so thoroughly disgusted with this type of crime, I wanted to know. . . how seriously does the average slashdot reader take this.
Personally, I think that crimes like this are _worse_ than grand theft auto (not the game. . . keep up) and much worse than dealing crack for $5 a rock on the street corner. You get serious time for those offenses, but I'm not sure how much you get for this type of hacking theft.
Personally, I'd like to see this type of thing get 20 years or more of some type of community service in conjunction with jail time. I know it sounds harsh, but this just seems to be major theft to me -- and precisely the type of crime that holds back our industry and the potential for us to finally move to reasonable electronic record-keeping.
[Note: For those of you who think that people "deserve" to be hacked and that punitive measures shouldn't be necessary should consider this: Is it ok for people to throw bricks through shopwindows just because the store-owners didn't invest in bullet/bomb/brick-proof glass?
At some point we are part of society, and I think this crime is especially bad and should have especially bad repercussions]
"shoveling hot asphalt in July"
That's not an excuse to lean on a shovel. If you are unable get the job done, go the fuck elsewhere. But don't waste my money.
It's only humanly possible to work at a certain rate under those conditions without having a coronary; alternatively, they could all be shoveling a few ounces with each spadeful, or one person could take much longer to get the job done.
Jeez, if someone assumed my SSN they'd be liable for the house, the car, the credit cards... sounds kind of nice! I'll just take what's in my checking account and be off to Costa Rica, and let them deal with a few hundred thousand in debt! :-)
Greater Los Angeles Area Driver's License Application
Name: _______________ Stage name: _______________
Agent: ______________ Attorney: _________________
Sex: ___male ___female ___formerly male ___formerly female ___both
If female, indicate breast implant size: ____
Will the size of your implants hinder your ability to safely operate a motor vehicle in any way? Yes___ No ___
Please list brand of cell phone: _________________ (If you don't own a cell phone, please explain.)
Please check hair color:
Females: [ ] Blonde [ ] Platinum Blonde
Teenagers: [ ] Purple [ ] Blue [ ] Skinhead
Please indicate activities you perform while driving: (Check all that apply)
[ ] Eating
[ ] Applying make-up
[ ] Talking on the phone
[ ] Slapping kids in the back seat
[ ] Applying cellulite treatment to thighs
[ ] Tanning
[X] Snorting cocaine (already checked for ease of application)
[ ] Watching TV
[ ] Reading Variety magazine
[ ] Surfing the net via laptop
Please indicate how many times
a) You expect to shoot at other drivers: _____
b) How many times you expect to be shot at while driving: _____
Please indicate your number of therapy sessions per week: ____
Are you presently taking any of the following medications?
a) Prozac
b) Zovirax
c) Lithium
d) Zanax
e) Valium
If none, please explain: _______________________________
What is the length of your daily commute?
a) 1 hour
b) 2 hours
c) 3 hours
d) 4 hours or more
TEST (Please indicate the correct answer):
If you are the victim of a car jacking, you should immediately:
a) Call the police to report the crime
b) Call Channel 4 News to report the crime, then watch your car on TV in a high-speed chase
c) Call your attorney and discuss a lawsuit against the cellular phone company for your 911 call not going through
d) Call your therapist
e) None of the above (South Central residents only)
In the event of an earthquake, you should:
a) Stop your car
b) Keep driving and hope for the best
c) Immediately use your cell phone to call all loved ones
d) Pull out your video camera and obtain footage for Channel 4
In the event of rain, you should:
a) Never drive over 5 MPH
b) Drive twice as fast as usual
c) You're not sure what "rain" is
When stopped by police, you should:
a) Pull over and have your driver's license and insurance form ready
b) Try to outrun them by driving the wrong way on the 405
c) Have your video camera ready and provoke them to attack, ensuring yourself of a hefty lawsuit
Please turn your test in to the lady behind the bulletproof virtual window on your left.
hehe they got way way!!! busted ...
haha
The Bee also ran a story that despite a state-wide hiring freeze, as many as 9,000 people have been hired at the state.
Interestingly, several highly qualified information security candidates I know haven't even been able to get even contract work at the state.
And don't even get me started on the governors "cyberterrorism task force".
A friend had something like this happen and spent months sorting it out, over a few hundred dollars charged to a credit card mailed to a different address.
A feeling of having made the same mistake before: Deja Foobar
As goes Calif, so goes the Nation...and as goes the Nation, so goes the world. Can you say Pacific rim? Wake thee up wanker.
If Bill Simon uses it to make hay against Gray Davis, things will get changed fast. The Oracle mess and power crisis have already given Simon a lot to beseige Davis with.
How long it's going to take them to recover from something like this?
You've gotta reinstall all server software, as well as database and application software.
Well, depending on the size of the database, restoring it is no easy matter.
But getting everything else up and running... OUCH. I hope they've got some damn good recovery checklists... (now would be a good time to take a peek at your disaster recovery plan...)
C4lif0rni4 h4x0r3d?
Why are the systems compromised even connected to the outside world? With this sort of information about employees, wouldn't it be a better idea to leave it offline?
I see all these comments and jokes about the administrators of the systems, the software used, the wages of those whose data was compromised. However, I do not see any comments condemning the actions of the thieves.
These crooks are the people that give you a bad name. They are the criminals here. They are not to be ignored. If somebody breaks into your house, you go after the robber; you don't sit there and think that you should have encased your house in steel and had better locks.
Please, place the blame where it belongs.
Ever been to California?
Having lived in California for the past 14 years, primarily in large cities, I've YET to see the supposed 'shovel leaners' you speak of. Perhaps they're only in your town? Or maybe they're just urban legends.
Perhaps you could take a picture and post it. Then I'll be a tad closer to believing you.
Yeah, right. Here in our society, we claim a concern about security and still run MS. What a joke.
Aren't I glad I still work for CA. Yet another reason to hurry up and find another job... perhaps because I'm not a full-fledged state worker, they didn't get my info. Oh well, I only have ~$1000 in the bank for them to steal anyway.
using namespace slashdot;
troll::post();
No Macintosh Webserver EVER hacked in history. This does not include newer unix style mac Os (OS X) just the one used by millions of people.
The reason?
The OS has numerous features that assist against hacking a webserver, many well thought out, many by lucky accident.
Nevertheless, SecurityFocus concurs.
That's why the US Army once used WebStar on Macs after getting hacked on Linux and Microsoft and getting sick of it all.
California should wise up.
Perhaps the hackers were working for Bill Jones and they only mined the database for email addresses instead of SSN#'s so that Ol' Bill can spam them again? ;)
I mean, which OS were the servers running? How did they get such information? Did they social engineer someone, or portscan the network and then bruteforce the weakest point, or send an e-mail virus which opened the LAN from within, or pay a janitor to bring them the post-it in the Server Room, the one with the word "root" written on it? :)
.sig..
Seriously, though.. 'til I see some details about that, I'm more prone to believe that it is only an excuse to *sell* some software, or to *enforce* some other measure, or even to *crack down* on someone in the wild and bring him in front of a Military Court (I think the Bush Military Court thing is still valid....), thus breaking those "free thinkers" of California who don't like Wars, and so on.
Paranoia? Go check my
However, I do truly hope that those hackers will use their information only to strike back on politicians, and scare them. Just scare, no harm done - maybe they'll spend more money on security?
bah. sad.
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
I seem to gather that this place was using NT/SQL and that no one really bothered to implement any real security policies. I presume that someone just got in with one of the many *old* hacks for NT, gave himself an admin password, stole some data and left. he probably bragged about it on irc and gave away the remote login id, which prompted others to have a go as well when they had nothing better to do. Fun for the whole family.
I can imagine this having some pretty heavy fallout in that sue-happy state. A class action suit is bound to follow and I can imagine that after all the "investigations" and "commissions" have done their work and fired one or two fall guys, it'll be back to the same procedure.
I bet
a.) the system was probably Novell
b.) the system admin or technicians smoke (meth)crank
are you so sure that all of them are slackers wasting your money? If you don't like what some of the state employees are doing, complain. See if their union wants to listen. Probably not, so it's also probably not worth bitching about. Either way, if you don't like your country, try to change it, shut up about it, or leave.
just because you consume products doesn't mean you have to make them. Buying them helps enough. It's the money you spend that counts, not the work you do.
Someone asked why they waited so long to warn folks.
Maybe it was AB 1559.
http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=ab_1559&sess=CUR&house=B&author=diaz