Slashdot Mirror


CSU Chico Identities Compromised

MisterFuRR writes "California State University Chico is the latest victim of identity theft. Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."

12 of 202 comments

  1. Re:unbreakable? by ArsenneLupin · Score: 2, Interesting

    Nope, they use Microsoft SQL Server. That's how they got cracked ;-)

  2. might be giving them too much credit by htmlboy · Score: 4, Interesting

    i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.

    i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targeted at retrieving potentially sensitive data from the exploited machine.

    of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.

  3. Re:No Worries by JohnGrahamCumming · Score: 2, Interesting

    :-)

    But I just checked her dietary habits in the hacked database and she looks more like tubgirl now.

    Can anyone explain why the parent directory: http://www.csuchico.edu/inf/new/ is browsable?

    John.

  4. Re:Proof, yet again, that SSNs should not be used! by Anonymous Coward · Score: 1, Interesting

    Even if you make a stink about it your SSN will often "sneak" into your records. I went to the trouble of getting an ID number rather than using SSN (and put up with all the exasperated sighing and angry looks that come with taking such a stance), but had to give it for work study - and sure enough the number found its way into school records.

  5. And people think this is rare? by Anonymous Coward · Score: 1, Interesting

    I worked for a state agency twice a while back. First as a consultant, then later as a dual LTE. As a consultant, I pointed out the issues with their state supported network, the lack of security, and the extremely poor services they were being provided. Unfortunately, no one listened, and the few skilled network techs at the state IS dept were bailing left and right due to budget cuts.

    Skip ahead about a year, I come back on deck, but find out that we lost one of the primary servers. I ask what happened to it, after a lot of asking around I finally got the story. The server in question, a decent sized storage server, had been hacked (more likely walked into) by someone looking for a warez/kiddie porn storage site on IRC. Turns out that it had been running as a kiddie porn distribution server for 6 months before the FBI came.

    The issue is that many IT management groups do not take security seriously enough. I'm not saying everyone needs a Norlight securi-bunker. But hell, even my current employer's network staff haven't patched the workstations since XP SP1!

    -Rick

  6. Pr0n by bcmm · Score: 2, Interesting

    and used to distribute "games, files, and other media".

    Briefly disregarding the fact that "files" probably covers everything that they were distributing, anyone worked out what the "other media" could be a euphemism for?

    --

    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.

  7. Pluto Data Inc by djirk · Score: 3, Interesting

    My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 I wonder if they are somehow connected? She has only used her credit card online a few times.

  8. Predictable response by Anonymous Coward · Score: 0, Interesting

    Ah, yes. Of course it JUST HAD TO BE a Microsoft product. You present no evidence, just hearsay and you get moderated up for bashing MS.

    Long live the groupthink!

  9. Re:No, the real problem by Monkelectric · Score: 2, Interesting

    The other half of the problem is illegal immigrants. My SSN has been used to buy a bunch of property in California, all under Mexican surnames. However the privacy laws protect the fraudsters, I can't even find out who it is or where this property is. Only reason I found out was because I went to open an account at the bank and all these property transactions came up under my SSN -- the lady messed up and told me one of the names.

    --

    Religion is a gateway psychosis. -- Dave Foley

  10. Happens all the time by KidHash · Score: 4, Interesting

    This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be surprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time.

  11. Clerks always get their revenge.... by Thud457 · Score: 1, Interesting

    If I was a petty bureaucrat and some tinfoil hat wearing, snotnosed teenager whined at our using SSNs for IDs and insisted that we provide an alternate number, I'd be sure to put in their records - "Alternate ID # 3423-233-222 assigned in lieu of SSN # 773-39-9037"

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  12. CSU, Chico -- the good computer school by ChicoLance · Score: 4, Interesting

    I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.

    I try to claim that they know computers -- but then they do this! :)

    (It really is a very nice school, with an attractive campus and social life included).

    --Lance, CSUC Computer Engineering '93