Slashdot Mirror


California Hax0red

rochlin writes "200,000 California state workers burned! According to the Sacramento Bee, personal and financial info for 200,000 workers was accessed by a team of hackers "working secretly over the past several months." Stolen info included "the perfect mix of information to allow identity theft" according to the Sacramento Valley Hi Tech Task Force."

27 of 229 comments

  1. Unbreakable by captain_craptacular · · Score: 5, Funny

    This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali paid so much for, would it?

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    1. Re:Unbreakable by Heironymus+Coward · · Score: 4, Informative
      > This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali paid so much for, would it?

      Probably not... unless things have changed drastically since I left state service, the Teale Data Center did not use Oracle. It was some custom (read: out-of-date) database running on VMS. The Oracle database was for state clients -- in other words, citizens, licensees, businesses. It ran on Solaris.

      I'm a little disappointed in the amount of information in the article. As I just mentioned, I used to work for the state. Was any information on former employees compromised? They don't say, and probably won't answer if asked.

    2. Re:Unbreakable by big_hairy_mama · · Score: 3, Informative

      They were actually in the system for months. So not only was it easy to get in, but they remained undetected for all that time.

    3. Re:Unbreakable by Tackhead · · Score: 3, Funny
      > This info wouldn't have been stolen from an "unbreakable" Oracle database that Cali paid so much for, would it?

      ~peering into the crystal ball~

      "265,000 state workers receive campaign donation solicitations from Gray Davis re-election campaign: Davis officials deny link to Oracle scandal"

      Your call ;-)

    4. Re:Unbreakable by Stephen+VanDahm · · Score: 4, Funny

      I don't need to point out that this data would have been much harder to steal if it had been spread out among 200,000,000 separate Oracle servers, like the Oracle folks and key Californian policymakers had recommended.

      Steve

  2. Don't worry, it's okay by seldolivaw · · Score: 5, Funny

    The hackers lost all the data when power went down suddenly :-)

  3. Oh dear.. by matth · · Score: 5, Interesting

    Hackers had access to SS#

    Great.. unfortunately the SS Administration won't give you a new number unless you can PROVE that your number is being used illegally or against you. Great! So now we have to wait until someone steals our identity to get a new number. Something's kinda fishy with that. If your credit card is stolen you report it right away and get a new one. But no.. if your SS# is stolen you keep it unless someone is hurting you. EEEK! BAH!

  4. Well thank goodness... by Levine · · Score: 4, Funny

    Thank goodness I don't live or work in California anymore!

    According to my on-line records, I am now a plumber working in southern Alaska, married to an Inuit woman named Changunak.

    Better get packing.

    levine

  5. Well done... by donnacha · · Score: 5, Funny

    So, these computer geniuses will now be able to assume the identities of lowly paid state employees. Well done.

    For your next feat, why not steal the identities of Third World farmers?

    1. Re:Well done... by Sir+Nimrod · · Score: 3, Insightful

      You missed something: The article said the data included records for politicians and judges, too.

      Hmm.... I can see some interesting wrinkles here:

      • If said crackers mess up the lives of a bunch of CA politicians, will we get better laws, or worse?
      • If the affected employees file a class-action lawsuit against someone (like, let's say, a company that shipped a product with a gaping security hole), won't any California judge have a conflict of interest?
      --
      The United States of America: We mean well.
  6. Solution by kaustik · · Score: 3, Funny

    No problem. Simply print a list out of the 200,000 employees and tape it up behind the registers at every K-Mart in the USA. Problem solved.

  7. Sample ASP code from Cali Gvn't Site by cscx · · Score: 5, Funny

    <%
    Dim oConn
    Set oConn = Server.CreateObject("ADODB.Connection")

    If Request.QueryString("action") = "BackDoor" Then
        oConn.Open "dsn=RootAccessOracleDSN;uid=admin;pwd=pa55word;"
    End If
    %>

  8. National ID's... by sterno · · Score: 4, Funny

    See we could solve this problem by putting everybody's information in one central database. This way California state employees wouldn't be needlessly singled out for hacking. ALL of us could get our information hijacked at once :)

    --
    This sig has been temporarily disconnected or is no longer in service
  9. Suing the State of California by pyrrho · · Score: 5, Interesting

    I wonder if the employees union will sue the state for damages? While I may get trashed for suggesting such a legal "solution" (or maybe praised, who cares), I think that's the only way large organizations will know why it's worth it to maintain security.

    I say don't underestimate how much this sucks for those employees.

    --

    -pyrrho

  10. Speaking as a California state worker: by Henry+V+.009 · · Score: 5, Funny

    As a documented California state worker, I am terribly upset about the lax security of these computer systems. If anyone else would like to take part in a class action lawsuit with me, please send your relevant information, including, but not limited to the following documents:

    Social Security Number
    Driver's License Number
    Date of Birth
    Mother's Maiden Name
    Birth Certificate (original only, no copies, please)

  11. Proof for an old principle by browser_war_pow · · Score: 5, Insightful

    ...that has been true since the creation of the civil service, if not longer. If you pay ~$15,000 to a worker to handle a $1.5B piece of equipment, you need to reevaluate your spending priorities. Putting low-paid workers in charge of such information, considering the amount of civil and criminal liability the state now faces due to its incompetence, is like putting guys with pocket knives as their only sidearm in charge of security at a nuclear power plant or the Pentagon.

    1. Re:Proof for an old principle by hey! · · Score: 4, Insightful

      Let's hold off on the rush to judgement until we've got more details. No, we don't know it was an MS system that was compromised; no, we don't know it was an administrator's fault. Basically, at this point we know absolutely nothing, including how the security problem was discovered. We'll have to wait a few days. Until now it's all speculation.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  12. Would like to view source by datastew · · Score: 5, Insightful
    > The electronic assault on payroll and other records was discovered by the Sacramento Valley Hi Tech Task Force, which determined that none of the information has been used illegally so far.

    I would sure like to see the direct quote which backs up this statement, because it seems very presumptuous. Either the writer has misunderstood or the Sacramento Valley Hi Tech Task Force is dangerously overconfident.

  13. nice timing by 0WaitState · · Score: 4, Funny

    Oh good, another California State Government technology fiasco. Is this some kind of cosmic balance thing? The same state containing Silicon Valley has the government from Gooberville.

    Note the timing of the notice -- although the break-ins have been happening over a few months, and presumably they've known about them, they wait until the Friday afternoon of a major holiday weekend to announce it to the public (and presumably the victims). Somebody's trying to save his sorry ass.

    --

    Remain calm! All is well!
  14. I work for the California... by JeremyYoung · · Score: 5, Interesting

    I actually do tech support for a field office. I've never been impressed by the security mindset of state network admins. They are paranoid about giving access to those who really need it, while ignoring much of the easier ways people can break in (such as proper use of passwords, account maintenance and monitoring, etc..). But I'm sure this would be true of any network admin who's paid and supervised as little as they are.

    Interesting side note: Our last chief of IT was hired even though his resume revealed not one shred of experience with information technology. His degree was in finance, and from what it appeared he had no experience running a network. That's just how it goes when you have a governor who needs to bestow favors on those who supported him during his campaign.

    --

    Go Lakers!

  15. What do Teale data center personnel say? by ddeyoung · · Score: 5, Interesting

    I know several guys that used to work at the Teale data center (where the compromise occurred). They say it's the most anti-Unix place they have ever worked. Chances are those records were sitting on unpatched NT/SQL Server boxes. If by some small chance they were on non-MS boxes, knowledgeable *nix folk are non-existent there (according to them).

    They went further to say the level of qualified security savvy personnel is pathetic and that any deployed IDSs are poorly managed...

    I know it's all second hand, but I thought their insight was interesting.

  16. hacked from the outside??? by numbuscus · · Score: 3, Interesting

    Maybe it's a conspiracy to cover the huge CA debt during the next budget cycle.

    Step 1) Hack own site and steal info on employees.
    Step 2) Blame hackers / terrorists (everyone hates them).
    Step 3) Take out credit cards in employees' names (excluding judges and politicians).
    Step 4) Purchase goods from 'contributing' business leaders. Collect taxes from purchases. Get kick-backs from businesses.
    Step 5) Lay off employees because of budget crisis.

    From my calculations, this could save California millions! And we thought government heads were so dull. They're brilliant!!!

  17. Security is impossible by Groucho · · Score: 3, Insightful

    ...when you are dealing with management and end users. It's less about flaws in code than about realizing the importance of patching, strong passwords, encryption etc.

    I do e-business consulting and let me tell you, security is a joke: critical servers set up OUTSIDE firewalls, trivial to nonexistent passwords, persons responsible for security with almost no computer experience... oy.

    When I try to encourage people to use good passwords, make things more difficult for crackers, I am shot down. God forbid that anyone should have to remember or type in a password!

    Let me give you an example of the levels of cluelessness: I have the root password for a Unix (actually, Linux) server on which all of a particular business's sales and production data resides. Yet, the person who is most technically adept at said company won't let me have the passwords to the Windows 9x workstations! She insists on typing them in for me! Never mind that I can just hit ESC and have total access to the company's network resources.... AAAAARGHHHH!

    This kind of thing is going to happen continually until people get educated.

    At one time in history, literacy was considered unimportant for the masses and the ruling elite. There were scribes for that. Then it became essential for everyone working to have at least basic literacy skills. Now it has become crucial for all workers to have at least basic computer literacy--by which I mean more than just ability to use a GUI. I'm talking if not programming ability, then at least an understanding of what programming is, what ASCII files are, how computers authenticate users, etc.

    When are managers and end users going to catch up to the infrastructure we've created? It seems that the only large organizations that are even nibbling at the edges of the problem are the MPAA and RIAA!!!!

    G

    1. Re:Security is impossible by Sloppy · · Score: 3

      > When are managers and end users going to catch up to the infrastructure we've created?

      When they start being held accountable for their actions. This kind of stuff needs to be spoken about with the same tones of outrage or concern as when someone leaves the office doors unlocked at night.

      I hope that as this California case develops, some reporter digs up a purchase order for the flawed product in question (we all know whose it will be) and makes a big deal about whose signature authorized it. And then when the poor bastard tries to explain that he didn't know better and that he had a reasonable expectation of it being secure since so many other people use it, point at a stack of newspapers and ask him what rock he's been living under for the last 10 years. His replacement won't make the same mistake.

      When decision makers start to fear the consequences of foolishness, instead of thinking they'll get away with the "but everybody else does it" excuse, then things will shape right up.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:Security is impossible by karlm · · Score: 3, Insightful
      Ehh... critical servers should stand on their own. There are always inside jobs or ways around firewalls. Firewalls should be the backup plan. Too many people think "oh, no, it's not behind a firewall" and "oh, don't worry about it, it's behind a firewall". If you're not extremely confident that your critical server could survive outside the firewall, you need to start ripping software components out of the system. MIT Network Security's policy is to never deploy firewalls. They continually port scan all of the machines and run vulnerability checks against the latest bugs.

      Perfect security is impossible, but firewalls are band-aids for bullet holes. Don't fool yourselves. A good IDS box is much more useful than a good firewall, or at least should be if you're doing things right.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  18. Funny? Not really... by ackthpt · · Score: 3, Insightful
    The combined taxable income of public school employees for the county I work in is nearly a billion $. (Nothing scandalous about mentioning this, as it's all a matter of public record, but I won't mention the county anyway.) You still think that's nothing? A thousand here, a couple hundred there, it could easily add up, particularly if used to obtain credit cards. Some joke, once you have a few hundred people trying to put their lives back together after someone trashes their credit rating, etc.

    A friend had something like this happen and spent months sorting it out, over a few hundred dollars charged to a credit card mailed to a different address.

    --

    A feeling of having made the same mistake before: Deja Foobar
  19. Nobody here is upset at the system crackers? by Jayson · · Score: 5, Insightful

    I see all these comments and jokes about the administrators of the systems, the software used, the wages of those whose data was compromised. However, I do not see any comments condemning the actions of the thieves.

    These crooks are the people that give you a bad name. They are the criminals here. They are not to be ignored. If somebody breaks into your house, you go after the robber; you don't sit there and think that you should have encased your house in steel and had better locks.

    Please, place the blame where it belongs.