CSU Chico Identities Compromised
MisterFuRR writes "California State University Chico is the latest victim of Identity theft. Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."
I wonder if CSU Chico was using the Oracle Database system to house all the students, staff, and faculty's information.
Anyone else know?
sounds to me like someone got the munchies...
It's still a good place for education as long as there are enough of chicks with no pants
Rock that crushes, Paper & Scissors that don't matter.
Right on, chico state.
Anonymous 2:00 AM phone call: "Hello. This is Captain Nightbyte of the `0Hack L33T Legion`. It has come to my attention that you actually ordered a spam sandwich with Cheez Whiz, not once, but 18 times back in 2002."
Don't blame Durga. I voted for Centauri.
Are they running databases on their vending machines now?
Shouldn't that read "latest victim of their own stupidity"?
Well with a name as stupid as "Chico", it's no wonder some agitated cracker took action.
Why oh why do people give out their SSNs even when registering for college courses? I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.
Colleges shouldn't even ask applicants for their SSN. Yeah, it's a real pain in the ass 12 years from now when you try and get your transcripts and you can't remember your student ID. I graduated in 2001 and I remember mine... Maybe I won't in 10 more years but I will know that I can be searched for by name and graduation date.
DO NOT GIVE OUT YOUR SSN TO ANYONE. If they ask then politely decline and ask if they will allow another ID number. Every college I know of has a student ID field.
Here we are pushing students to use their student ID instead of their SSNs (a good majority of students give us the wrong SSN anyway).
i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.
i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targeted at retrieving potentially sensitive data from the exploited machine.
of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.
Have any of these people ever heard of data segregation?
Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?
Am I the only one with visions of a vending machine stuffed with warez instead of Kit-Kat bars?
What the hell are these databases doing on machines connected to the internet?
You betcha. Would you like me to send you the database that has all 1,087 JPG files of everyone who purchased a Mountain Dew from 2002 to 2004? It was pretty easy for them to gather the information. They had a tiny camera that took a picture every time someone dropped money into the machine. The camera was hidden on the front of the "Diet Blue Dr Pepper" can, which ensured that it would never be disturbed by a purchase.
Don't blame Durga. I voted for Centauri.
CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.
500GB of disk, 5TB of transfer, $5.95/mo
The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.
$#!^ happens, but why does it always have to happen to me???
Disreputable people might contact affected individuals to "help," falsely identifying themselves as affiliated with the University. CSU, Chico will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from individuals. Do not release any private information in response to contacts of this nature.
4 5220&tid=172&tid=218
IRS Employees Fall For Hackers
Perhaps a lot of IRS workers graduated from here...
http://it.slashdot.org/article.pl?sid=05/03/17/01
#include bier;
If this keeps up, pretty soon we're all going to have the same identity!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Chico State, man (heh heh) man, hope they don't get my weed, maaaannn...
Is this where I can get the latest warez of BurgerTime?
They stole my social security number? That's totally lame. Pass the bong.
(gurgling sounds)
What's a social security number?
Students at CSU Harpo and CSU Groucho breathed a sigh of relief on finding their campuses were not affected. No word at this time on CSU The Man.
Is why we've set up a system where it's a problem that your SSN is known?
Your SSN is your taxpayer identification number. Giving you my SSN should enable you to pay my taxes.
Why have we set up a system where a nonsecure number has so much of a strangle hold over our financial lives?
Never confuse volume with power.
Little Johnny suspected something might have been up when the lunch menu started to refer to today's special as 0-d4y meatloaf
I remember back in high school filling out college applications, and seeing spaces for my SS#. I didn't give it out, of course. I wonder how many people who applied to CSU Chico now regret filling in that space...
If you had super powers, would you use them for good, or for awesome?
I worked for a state agency twice a while back. First as a consultant, then later as a dual LTE. As a consultant, I pointed out the issues with their state supported network, the lack of security, and the extremely poor services they were being provided. Unfortunately, no one listened, and the few skilled network techs at the state IS dept were bailing left and right due to budget cuts.
Skip ahead about a year, I come back on deck, but find out that we lost one of the primary servers. I ask what happened to it, after a lot of asking around I finally got the story. The server in question, a decent sized storage server had been hacked (more likely walked into) by someone looking for a warez/kiddie porn storage site on IRC. Turns out that it had been running as a kiddie porn distribution server for 6 months before the FBI came.
The issue is that many IT management groups do not take security seriously enough. I'm not saying everyone needs a Norlight securi-bunker. But hell, even my current employer's network staff haven't patched the workstations since XP SP1!
-Rick
Unless you want to steal some random frat dude who's incurred a few grand worth of debt in beer bongs and kegs
For some reason I misread that as beer borgs. *logs off*
You can hold down the "B" button for continuous firing.
Perhaps it's because they don't have anything under /inf/new/security/
It's just a guess though
It held that information to perform a check against data on food cards. Not in the database? You have to pay for the food instead of it being debited to your account.
This is how it was done at Purdue and Indiana University; albeit at Purdue and IU the card swipe was a dumb terminal and the data was stored on the school network, it is still a similar problem.
Stupid, but that seems to be the way things are done at most state universities.
Then again, I have been known to be wrong.
It wasn't anonymous. It was Captain Nightbyte.
Let's not forget the battle-cry of the Chico State Fighting Keggers:
Woooooooooo0000000000OOOOOOOOOOOOOOOooooo!!!!
(ladies, groggily add "I'm so wasted" towards the end).
...a few grand worth of debt in beer bongs and...
beer bongs?
Is this an accessory for smoking or a new way to consume potent potables more expediently?
# cat
Damn, my RAM is full of llamas.
Perhaps you would have been taken more seriously if you knew how to fucking spell!!!
And people think this is rair?
WTF is that???
My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 I wonder if they are somehow connected? She has only used her credit card online a few times.
You're a bit too sheltered. Here's a remedial homework assignment to make up for your lack of education:
Go to the store and buy
-A 12 pack of pabst blue ribbon or equivalent
-A funnel
-four feet of plastic hose
Your assignment is to find the fastest way to get the most beer into your stomach. Bonus points for finishing the 12 pack before you puke (with partial credit for finishing the 12 pack even after you puke)
That's it! I don't care how many bells and whistles the thing has. I'm never going to give my social security number or bank account number to the soft drink machine again!
"Prepare for the worst - hope for the best."
...wow
time to come out from under your rock
-Is this where I can get the latest warez of BurgerTime?-
That, or Burglar Time.
The sooner somebody steals my ID the better! They are welcome to my debt and TAXES I pay.
:-/
I never was a student... dipped out AGAIN
You laugh, but one of these days people are going to realize that piracy isn't a "victumless" crime.
The latter.
As seen being used by Frank "The Tank" in old school.
Long live the groupthink!
Ah, the Redneck beer dispenser. These were just starting to be sold in places like Spencers when I was in college. Hadn't heard the "bong" moniker applied to them before. I honestly thought you just left out a comma.
All Your Lays Are Belong To Us
I'm sorry, I'm not as smart as you, cloudkj. We didn't all go to Gudger College
I went to Chico from '84 to '89, and it's true it's a party school (ranked number 2 under Fort Lauderdale).
Keep in mind, however, that its "party" status made it the target of a wide variety of recruitment for business interested in employees with robust "people" skills and experiences gained from the hyper-active social life while attending Chico.
Is this an accessory for smoking or a new way to consume potent potables
Dude, you must be using WAY too much of the other kind of bong if you couldn't even do a simple google (and for a few seconds more, the image search).
And just to make sure this isn't Offtopic, here's some Chico info
What school cafeteria has 0-d4y meatloaf? Everyone knows that there is no such thing.
The very implication that the meatloaf was fresh should have been enough to tip off anyone.
Chico State has one of the highest per capita of parents per student than other CSUs and UCs. You can tell, when you see the BMWs, Mercedes', and to a lesser extent '05 Mustangs parked in the freshmen lots. This isn't the first time either something like this has happened. A couple of years ago a former employee for the staff/faculty tech support organization stole all the information he could get his hands on, got caught trying to sell it.
Chicken fried butter sticks? Do
Indeed, in my day (said the old timer) it was just "funnels"
Not to be confused with funnel cake! Or ingested with funnel cake (eww, what a mess)
-- There is no sig line, only Zuul.
Press 1 + A + COIN RETURN for more options, including misc keygens and ketchup.
It was a computer in the Housing and Food Services department. Not a vending machine.
Chicken fried butter sticks? Do
Dude, you must be using WAY too much of the other kind of bong
Not at all, I'm just old. (Graduated college in '86.)
This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be surprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time
The DEA is going to be busy for a while, given, you know, that it's CSU Chico.
I recall vaguely having beer bongs at my 21st birthday party in `87...
"We're gonna need a bigger boat"
All of your students may have had their personal information compromised? Damn, bad PR. Oh, wait a minute, they are all from California, double damn.
There's nothing quite like being required by law to notify every single student that their information may have been compromised to help an organization take security a bit more seriously.
Nobody's identity was stolen!
The definition of theft is a very concrete and solid definition.
No physical property was taken, nor anyone deprived access to their property.
Ridiculous.
I notice people love to moderate -1 anyone that mentions legal definitions or post facts to counteract inaccurate stories.
If I was a petty bureaucrat and some tinfoil hat wearing, snotnosed teenager whined at our using SSNs for IDs and insisted that we provide an alternate number, I'd be sure to put in their records - "Alternate ID # 3423-233-222 assigned in lieu of SSN # 773-39-9037"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
"But we're an agency of the state, we aren't bound by the laws the legislature passes for the hoi polloi!"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Considering it may have been a scenario like above, there's a good chance no sensitive data wandered elsewhere. But did it, or not? That would be important to know. Simply because it... matters.
From the official response linked in the summary, I couldn't find anything on that. I assume they just can tell for sure either way. For that reason, they informed the victims on how to spot/prevent identity theft. Sounds good, but maybe they should also invite some feedback from same victims, to determine if any misuse of compromised data actually occurs?
As for the compromised machine, that's easy. Compromised: take it offline, inspect the sorry remains for evidence on what/how it happened, and hookup a machine with software rebuilt from clean install discs/backups (as any admin should know, and from what I read, that was already done).
Dude it's a tool that "The Man" uses to keep dibbs on you...
(gurgling sounds)
*COUGH* *COUGH*
P.S. I was a CSUC CSCI student. And if I remember right that conversation actually did happen.
"It takes many nails to build a crib, but one screw to fill it."
I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.
:)
I try to claim that they know computers -- but then they do this!
(It really is a very nice school, with an attractive campus and social life included).
--Lance, CSUC Computer Engineering '93
You are mistaken, since person(s?) unknown seem to have robbed your identity from you, pal.
Sorry dude, shit happens. You think it won't happen to you, but before you know it, you're an Anonymous Cow.
So out of all the compromised machines where people are able to get "customer or student" data. Which OS ran which database... I'm not talking about the idiots at ChoicePoint giving criminals access.
Revenge of the proles and all that.
Start here.
And note:
...which looks to me like a way through that "privacy law" barrier. Just go to alturacu.com and apply as a client business. Cough up the $$$, review your records, sell the rest!
Given all of these security breaks, why do we still consider a person's SSN as "password" type data? Why don't we just assume that a SSN is known just like your name, and go from there. Find some other way to secure the call to your bank besides using the last four digits of your SSN.
I know the history here. SSNs are supposed to be used for tax purposes only, and early cards even said so. But it is a handy ID number in the computer age, and it's the only number that is unique to all US residents. Just because you know my ID number shouldn't mean you assume anything else about me. Nobody gives out sensitive info just because they know my phone number.
--Lance
Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media".
You can do that with soda and candy machines?
Taco?
"Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". "
Hey, I ordered a ham sandwich and I got this copy of Doom III!
The race isn't always to the swift... but that's the way to bet!
Logging into the student Unix accounts, I see that the school runs Sun4 on their servers. The system is obviously outdated and probably a prime target for exploits. It's no surprise to me that this happened.
Funny, I worked for Chico State and students HAD to use their SSN in order to get their student ID.
"Honest, your honor, I just set up a Windows box as a FTP server for my stamp club, I have no idea where these movies came from!!!"
or the I Tappa Keg fraternal initiation rites, where you must down a 6-pack in one bongload and just when you get to the finish they start adding tequila.
Guaranteed puke-fest. Be sure to keep the poison control center on speed-dial, because someone is guaranteed to see
I have something in common with Stephen Hawking...
Better yet, get 8 feet of hose so you can stand on the ground while your friends pour beer into the funnel while standing on the balcony of the apartment above you.
Ahh, good times. CSUC, class of '95.
Because your mother decided to have a child, and here you are a part of the alimentary canal is the largest gland in the name of him who sat on it was death, and hell followed with him. And power was given to them that security is something that does affect them directly.
A katana was a scottish inventor. He invented the telephone whilst working at a school for teachers of the body with the instigators victimized. The means to quench a selfish lust brings eden's demise. Mass-murder, demonic cruelty. Absolute fascism.
You really are the least interesting person i've talked to today.
The acorn is the acceptance of those obligations.
Socrates was a scottish inventor. He invented the telephone whilst working at a pathetically small number.
You are the computer program, and i want to eat them and chew them and suck on them.
I'm afraid that when Congress finally acts to protect our identities, all these thefts will have gone so far that when they say the only way is a national ID card, crossref'd to every authentication in our lives, their ultimatum will be well received. And, in fact, perhaps the only way. We're doomed.
--
make install -not war
Now you would think with the millions of bucks they are pouring into these PeopleSoft / Oracle CMS products that they could actually protect their users.
You would also think they would stop using SSN's but since no one is riding them to comply, most CSU's actually still use em.
Hopefully this will be a wakeup call for administration to stop talking IT and start implementing it. Prehistoric policies and guidelines only hinder the folks trying to do the tech work. Those old geezers working up in the Chancellor's office need to get their head out their ass and do something!
One pissed off Wildcat! (our mascot for the layman)
When I was going to school in Chico, we knew for a fact that they update the student's info from library to the main servers in another building including SSNs without any kind of encryption, in plain text. Hope this incident will force them to make an overhaul of the whole system.
And just why in the *F*S*C*K* were records on current, past, prospective, and future students kept on a FOOD SERVICE MACHINE?!?!?! ???
When a school is so stupid that it stores information like that on a food service machine, it should be the responsibility of the school to compensate each person whose records were stored thereon with at least $1,000,000,000 dollars. If the school cannot pay, then it should be put out of business, and all of its ex-assets distributed to these people.
I get free credit reports. Gee, all I had to do was give up my SSN to some unknown script kiddie.
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
Remember the Slashbot mantra: "Information wants to be free."
Information, correction, FACTS, were copied. No unique digital bits were moved anywhere. One's "identity" cannot be stolen, last I checked about these crying "identity theft" victims, they were still who they said they were.
So get over this. All that happened is some facts were duplicated.
crap now they have the list of all the good weed dealers, now he's going to jack up the price
How can the first post be redundant? Isn't that pretty much impossible?
Everything I need to know about copyrights I learned from Slashdot.
Hey asshole, I happen to go to Chico. We're no more of a party school than most colleges. We aren't on any of the main "party school" lists out there, so shut your hole. Most of us are real students just trying to learn.
Chico was also named a while back (I believe it was by Newsweek or another magazine of the same type) as one of the best value schools. Chico isn't much of a party town since they cracked down on it over 15 years ago. In fact, the place is more locked down than most, as Halloween is strictly clamped down on by the police. Radio, TV and print ads tell people not to invite others to town. I tried to take my girlfriend out for dinner and we saw no less than 15 cops on foot, half a dozen mounted police officers, and 3 different car checkpoints. St. Patty's day happens during spring break when almost no one is here.
So pretty please with sugar on top, keep your jackass, uneducated opinions to yourself.
"They told me it was impossible. I replied with maniacal laughter." http://www.mydailyrant.com/
Notice Regarding Possible Exposure of Personal Information
so it is a party school. they have to plan things so people don't get wild.
they have to have police out in force otherwise all hell would break loose.
and you just sound like a cocksucking loser.(girlfriend aka tranny you picked up a few mins before)
For several years, Hewlett-Packard has hired more graduates from CSU, Chico's Computer Science Department than from any other CS department in the country. In US News and World Report, CSU, Chico continues to rank in the top 5 public regional universities in the West.
I had recently graduated from Chico state 2002 with a degree in computer science option math/physics and minor in math. I have since gone on to complete my master's degree in computer science and was duly prepared from my CSU Chico education. i.e. my gpa for master program is 3.9 and I have had to study very little as my undergrad work has prepared me for both work and future study. I often have found my UC master classes are recovering topics that were detailed in my CSU undergrad classes
While Chico State is known for its parties and good times it also has some of the finest professors and staff in the California state university system. Many professional educators are attracted to chico as it offers a slower pace of life and a focus on education that is not found in other settings. Personally I was able to communicate with each of my professors on a daily basis. I could visit their office hours or they would be more than willing to answer my questions after lecture. I know you don't get this attention at a larger more prestigious university.
As for the Food service computer exploit. This goes to show that the computer science students at Chico are some of the brightest and most intelligent around. I actually worked for the computer service department at Chico state and was impressed by the ingenuity and aptitude of the students to find holes/exploits in campus system. During my short time I had witnessed several attacks on system, most of which were successful. I was also impressed by the amount of technology that csu Chico presents to its students.
As for the food service and housing computer being hijacked this is obviously a student who lived in the dorm and figured out how to distribute software to his fellow students. I do not believe that his/her intentions were negative other than gaining free access to high speed connections which existed on the university network.
I received my letter from csu, chico yesterday informing me of the exploit. You can also view this site if you wish to read more into the problem and what csu, chico is doing to prevent further attacks.
Link to information resources computer security incident
CSU CHICO Computer Administration Offices
CSU CHICO IS AN AWESOME SCHOOL AND I WOULD NOT HAVE CHOSEN TO GO ANYWHERE ELSE AS I HAD MANY OTHER OPTIONS
IF YOU CAN MAKE IT IN CHICO YOU CAN MAKE IT ANYWHERE WE STUDY HARD AND KNOW HOW TO HAVE FUN..
I think people are jealous of what they missed out on when you hear negative comments about chico...
Walk around the campus and you will understand that CSU CHICO is by far one of the finest universities on the west coast!
Speaking as a current student of CSU, Chico: I gave the school my SSN because if I didn't, I wouldn't be able to: apply for financial aid or work study, utilize the school's clerical services, or set up online accounts to register for classes.
I only gave the school my SSN once when I initially registered to attend. Guess what was breached? The server that had that one instance of my SSN.
I agree that it's too bad that SSNs have to be used, but the blame here doesn't fall on students. It's not an issue of "you should give us your SSN because we would like it over a student ID;" it's an issue of "you should give us your SSN because we won't enroll you otherwise." I think the real issue here is the failure of those in charge of data. For those of you who don't know how it works, CSU Chico has one department, called User Services, that is in charge of essentially every network and system on campus. User Services screwed up, bad, and not a single student on campus could do anything about it, regardless of how loose they may be with their SSN.
damn, the chicks at parties here don't look as good as the ones in those photos (havasu and katie) even after beer goggles. this college sucks.