CSU Chico Identities Compromised
MisterFuRR writes "California State University Chico is the latest victim of identity theft. Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."
CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.
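A sketch of the re-keying measure mentioned above, as an added example that is not CSUC's code or part of the original thread: records keyed on SSN are moved to randomly assigned nine-digit IDs drawn from the OS CSPRNG. The table names, the `needs_ssn` flag and the sample rows are assumptions constructed for illustration.

```python
import secrets
import sqlite3

def build_legacy_db():
    """Constructed sample data: a legacy table keyed on SSN (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy (ssn TEXT PRIMARY KEY, name TEXT, needs_ssn INTEGER)")
    conn.executemany("INSERT INTO legacy VALUES (?, ?, ?)", [
        ("900000001", "Student A", 1),   # constructed values, not real SSNs
        ("900000002", "Student B", 0),
        ("900000003", "Staff C", 0),
    ])
    return conn

def new_campus_id(taken):
    """Random nine-digit ID that never reuses an issued ID or a known SSN."""
    while True:
        cid = f"{secrets.randbelow(10**9):09d}"   # CSPRNG, not derived from the SSN
        if cid not in taken:
            taken.add(cid)
            return cid

def migrate(conn):
    """Re-key every record on a random ID; keep the SSN only where flagged."""
    conn.execute("CREATE TABLE person (campus_id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE tax_identity ("
                 "campus_id TEXT PRIMARY KEY REFERENCES person(campus_id), ssn TEXT)")
    rows = conn.execute("SELECT ssn, name, needs_ssn FROM legacy").fetchall()
    # Both values are nine digits, so an ID must not collide with anyone's SSN.
    taken = {ssn for ssn, _, _ in rows}
    for ssn, name, needs_ssn in rows:
        cid = new_campus_id(taken)
        conn.execute("INSERT INTO person VALUES (?, ?)", (cid, name))
        if needs_ssn:
            # Assumption: only flagged records still need the SSN stored at all.
            conn.execute("INSERT INTO tax_identity VALUES (?, ?)", (cid, ssn))
    conn.execute("DROP TABLE legacy")   # the SSN-keyed copy must not linger
    conn.commit()
    return len(rows)

if __name__ == "__main__":
    db = build_legacy_db()
    print(migrate(db), "records re-keyed")
    print(db.execute("SELECT campus_id, name FROM person").fetchall())
```

After migration, a server that only needs to identify people (such as a housing or food service system) can hold the `person` table alone, with `tax_identity` kept on a separate, more tightly controlled system.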
The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.
$#!^ happens, but why does it always have to happen to me???
How about that thing called encryption?
I remember when a database got hacked and all of the usernames and passwords were in plaintext, which has of course been fixed. More about that break-in here.
The link is not very titillating to be honest. Just a tiny PR image of a girl on a bench with a laptop, an open notebook next to her legs is obscuring what is probably a pair of shorts. So, it's quite safe for work. And it will do you no good in bed. I tried hard enough sitting in my cube looking at it and nothing comes up.
The SSN is required if you receive most types of financial aid, if you are getting reimbursed in some way where taxation is involved, and a couple other legitimate instances.
Part of the SSN is required to validate data for alumni against lists provided by subsidiaries of child companies owned or operated by larger companies like Seisint (LexisNexis).
-Phil
Shoot questions, first ask later...
No no no. Chico students are drunks. The stoners go upstate to CSU Humboldt.
I've seen it many times. Someone leaves an IIS default install exposed to the world without sufficient patches. A script kiddie opens them up with an FTP exploit. They then create a directory that is invisible to all, including the administrator, and is impossible to remove with the OS (I thought that was interesting when I first saw it). They then start uploading warez and posting the IP on warez web sites.
They haven't rooted the box, they just fill up the disk with warez because of unpatched holes in IIS FTP service. The disk space and bandwidth are owned, but nothing else.
I pointed this out to someone else when they asked why my application database wasn't encrypted.
If someone had access to the application database, they'd also have access to the application, which would (surprise surprise) have access to any encryption keys, making the whole thing pointless AND a waste of CPU cycles.
So yeah, we could make the server twice as slow and encrypt all your data so that if someone breaks in to the application server to get that data they'll just grep the application for the key and decrypt it and steal it. Or we could just focus on keeping people out of the application server who shouldn't be there, and if they do arrive there, keeping them from getting permissions required to access the database.