Slashdot Mirror
California Hax0red
rochlin writes "200,000 California state workers burned! According to the Sacramento Bee, personal and financial info for 200,000 workers was accessed by a team of hackers "working secretly over the past several months." Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."
This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali payed so much for would it?
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
The hackers lost all the data when power went down suddenly :-)
Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."
Where the heck did this quote come from? Am I reading the wrong article? The article isn't nearly as exciting as the posting made it out to be.
Hackers had access to SS#
Great.. unfortunately the SS Administration won't give you a new number unless you can PROVE that your number is being used illegally or against you. Great! So now we have to wait until someone steals our identity to get a new number. Something's kinda fishy with that. If your credit card is stolen you report it right away and get a new one. But no.. if your SS# is stolen you keep it unless someone is hurting you. EEEK! BAH!
Thank goodness I don't live or work in California anymore!
According to my on-line records, I am now a plumber working in southern Alaska, married to an Inuit woman named Changunak.
Better get packing.
levine
So, these computer geniuses will now be able to assume the identities of lowly paid state employees. Well done.
For your next feat, why not steal the identities of Third World farmers?
No problem. Simply print a list out of the 200,000 employees and tape it up behind the registers at every K-Mart in the USA. Problem solved.
<%
Dim oConn
Set oConn = Server.CreateObject("ADODB.Connection")
If Request.QueryString("action") = "BackDoor" Then
oConn.Open "dsn=RootAccessOracleDSN;uid=admin;pwd=pa55word;"
End If
%>
More to the point, did anyone wonder how it can possibly require 265,000 people to run the state of California? According to the California Department of Finance's numbers, that's one state employee for every 124 Californians...
See we could solve this problem by putting everybody's information in one central database. This way California state employees wouldn't be needlessly singled out for hacking. ALL of us could get our information hijacked at once :)
This sig has been temporarily disconnected or is no longer in service
I wonder if the employees union will sue the state for damages? While I may get trashed for suggesting such a legal "solution" (or maybe praised, who cares), I think that's the only way large organizations will know why it's worth it to maintain security.
I say don't underestimate how much this sucks for those employees.
-pyrrho
As a documented California state worker, I am terribly upset about the lax security of these computer systems. If anyone else would like to take part in a class action lawsuit with me, please send your relevant information, including, but not limited to the following documents:
Social Security Number
Driver's License Number
Date of Birth
Mother's Maiden Name
Birth Certificate (original only, no copies, please)
...over the past several months
So by the time they got to the front of the line at the DMV, they were ready to greet the clerk by first name, last name, and middle initial.
Find free books.
Try |-|4>0R3|) for the truely 1337
Free Mac Mini
that has been true since the creation of the civil service if not longer. If you pay ~$15,000 to a worker to handle a $1.5B piece of equipment you need to reevaluate your spending priorities. Putting low paid workers in charge of such information considering the amount of civil and criminal liability the state now faces due to its incompetence is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the pentagon.
I would sure like to see the direct quote which backs up this statement because it seem very presumptuous. Either the writer has misunderstood or the Sacramento Valley Hi Tech Task Force is dangerously overconfident.
Oh good, another California State Government technology fiasco. Is this some kind of cosmic balance thing? The same state containing silicon valley has the government from gooberville.
Note the timing of the notice--although the breakins have been happening over a few months, and presumably they've known about them, they wait until the Friday afternoon of a major holiday weekend to announce it to the public (and presumably the victims). Somebody's trying to save his sorry ass.
Remain calm! All is well!
It was Patty and Selma!
I actually do tech support for a field office. I've never been impressed by the security mindset of state network admins. They are paranoid about giving access to those who really need it, while ignoring much of the easier ways people can break in (such as proper use of passwords, account maintenance and monitoring, etc..). But I'm sure this would be true of any network admin who's paid and supervised as little as they are.
Interesting side note: Our last chief of IT was hired even though his resume revealed not one shred of experience with information technology. His degree was in finance, and from what it appeared he had no experience running a network. That's just how it goes when you have a governor who needs to bestow favors on those who supported him during his campaign.
Go Lakers!
I know several guys that used to work at the Teale data center (where the compromise occured). They say it's the most anti-unix place they have ever worked. Chances are those records were sitting on unpatched NT/SQL Server boxes. If by some small chance they were on non MS boxes, knowledgable *nix folk are non-existent there (according to them).
They went further to say the level of qualified security savvy personnel is pathetic and that any deployed IDSs are poorly managed...
I know it's all second hand, but I thought their insight was interesting.
Oh, don't you worry about that, "Californians expect their government to be accountable!"
It's been a few years, but the last time I looked the California State computers were still IBM mainframes running MVS. With 3270 terminals for access.
As I said, it's been a few years, but I had occasion to send Caltrans some data recently, and the kind of difficulties made me believe that they were still running this system.
I think we've pushed this "anyone can grow up to be president" thing too far.
Maybe its a conspiracy to cover the huge CA debt during the next budget cycle.
Step 1) Hack own site and steal info on employees.
Step 2) Blame hackers / terrorists (everyone hates them).
Step 3) Take out credit cards in employee's names (excluding judges and politicians.
Step 4) Purchase goods from 'contributing' business leaders. Collect taxes from purchases. Get kick-backs from businesses.
Step 5) Lay off employees because of budget crisis.
From my calculations, this could save California millions! And we thought government heads were so dull. Their brilliant!!!
...when you are dealing with management and end users. It's less about flaws in code than about realizing the importance of patching, strong passwords, encryption etc.
I do ebusiness consulting and let me tell you, security is a joke: critical servers set up OUTSIDE firewalls, trivial to nonexistent passwords, persons responsible for security with almost no computer experience... oy.
When I try to encourage people to use good passwords, make things more difficult for crackers, I am shot down. God forbid that anyone should have to remember or type in a password!
Let me give you an example of the levels of cluelessness: I have the root password for a Unix (actually, Linux) server on which all of a particular business's sales and production data resides. Yet, the person who is most technically adept at said company won't let me have the passwords to the Windows 9x workstations! She insists on typing them in for me! Never mind that I can just hit ESC and have total access to the company's network resources.... AAAAARGHHHH!
This kind of thing is going to happen continually until people get educated.
At one time in history, literacy was considered unimportant for the masses and the ruling elite. There were scribes for that. Then it became essential for everyone working to have at least basic literacy skills. Now it has become crucial for all workers to have at least basic computer literacy--by which I mean more than just ability to use a GUI. I'm talking if not programming ability, then at least an understanding of what programming is, what ASCII files are, how computers authenticate users, etc.
When are managers and end users going to catch up to the infrastructure we've created? It seems that the only large organizations that are even nibbling at the edges of the problem are the MPAA and RIAA!!!!
G
Considering I don't have expertise in state government, I'm not going to jump to any conclusions about how many people it needs. What's so astonishing about that number?
Then the information can get hijacked in one of many holes through ISS in a few minutes!
Karma whorin' since 1999
OK, I'm responding to a troll, but this is a pet peave I have: people who complain about the highway workers leaning on a shovel. I don't think you have a right to complain unless you've tried shoveling hot asphalt in July.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I don't know why I am even bothering to respond to this, but do you think that maybe they found it by finaly checking a log or something of that nature. Of course their are a million other ways, but hey that is only one.
man
No manual entry for
I'm so thoroughly disgusted with this type of crime, I wanted to know. . . how seriously does the average slashdot reader take this.
Personally, I think that crimes like this are _worse_ than grand theft auto (not the game. . . keep up) and much worse than dealing crack for $5 a rock on the street corner. You get serious time for those offenses, but I'm not sure how much you get for this type of hacking theft.
Personally, I'd like to see this type of thing get 20 years or more of some type of community service in conjunction with jail time. I know it sounds harsh, but this just seems to be major theft to me -- and precisely the type of crime that holds back our industry and the potential for us to finally move to reasonable electronic record-keeping.
[Note: For those of you who think that people "deserve" to be hacked and that punitive measures shouldn't be necessary should consider this: Is it ok for people to throw bricks through shopwindows just because the store-owners didn't invest in bullet/bomb/brick-proof glass?
At some point we are part of society, and I think this crime is especially bad and should have especially bad repercussions]
It's only humany possible to work at a certain rate under those conditions without having a coronary; alternatively, they could all be shoveling a few ounces with each spadeful, or one person could take much longer to get the job done.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Ahh that would have been on overtime of course ;-)
/var/log/crimes to find out what was done with the info?
The point (or should I say barb?) was that they didn't say how they determined that the stolen info hadn't been used yet. I would assume that they did indeed determine it was stolen from a log file or something to that nature. Or did you mean that someone looked in
Jeez, if someone assumed my SSN they'd be liable for the house, the car, the credit cards... sounds kind of nice! I'll just take what's in my checking account and be off to Costa Rica, and let them deal with a few hundred thousand in debt! :-)
The Bee also ran a story that despite a state-wide hiring freeze, as many as 9,000 people have been hired at the state.
Interestingly, several highly qualified information security candidates I know haven't even been able to get even contract work at the state.
And don't even get me started on the governors "cyberterrorism task force".
A friend had something like this happen and spent months sorting it out, over a few hundred dollars charged to a credit card mailed to a different address.
A feeling of having made the same mistake before: Deja Foobar
If Bill Simon uses it to make hay against Gray Davis, things will get changed fast. The Oracle mess and power crisis have already given Simon a lot to beseige Davis with.
A feeling of having made the same mistake before: Deja Foobar
C4lif0rni4 h4x0r3d?
Why are the systems compromised even connected to the outside world? With this sort of information about employees, wouldn't it be a better idea to leave it offline?
I see all these comments and jokes about the administrators of the systems, the software used, the wages of those who's data was comprimised. However, I do not see any comments condeming the actions of the thiefs.
These crooks are the people that give you a bad name. They are the criminals here. They are not to be ignored. If somebody breaks into your house, you go after the robber; you don't sit there and think that you should have encased your house in steel and had better locks.
Please, place the blame where it belong.
Women with big hair still work there
You mean like Alice from Dilbert?
Aren't I glad I still work for CA. Yet another reason to hurry up and find another job... perhaps because I'm not a full-fledged state worker, they didn't get my info. Oh well, I only have ~$1000 in the bank for them to steal anyway.
using namespace slashdot;
troll::post();
I mean, which OS were the servers running? How did they got such information? Did they social engineer someone, or portscanned the network and then bruteforced the weakest point, or sent an e-mail virus which opened the LAN from within, or paid a janitor to bring them the post-it in the Server Room, those with the word "root" written on it? :)
.sig..
Seriously, though.. 'til I will see some details about that, I'm more propense to believe that it is only an excuse to *sell* some software, or to *enforce* some other measure, or even to *crackdown* someone in the wild and bring him in front of a Military Court (I think the Bush Military Court thing is still valid....), thus breaking those "free thinker" of California who don't like Wars, and so on.
Paranoia? Go check my
However, I do truly hope that those hackers will use their information only to strike back on politicians, and scare them. Just scare, no harm done - maybe they'll spend more money on security?
bah. sad.
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
I seem to gather that this place was using NT/SQL and that no one really bothered to implement any real security policies. I presume that someone just got in with one of the many *old* hacks for NT, gave himself an admin password, stole some data and left. he probably bragged about it on irc and gave away the remote login id, which prompted others to have a go as well when they had nothing better to do. Fun for the whole family.
I can imagine this having some pretty heavy fallout in that sue happy state. A class action suite is bound to follow and I can imagine that after all the "investigations" and "commisions" have done their work and fired one or two fall guys, it'll be back to the same procedure.