Slashdot Mirror
CSU Chico Identities Compromised
MisterFuRR writes "California State University Chico is the latest victim of Identity theft. Aparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."
I wonder if CSU Chico was using the Oracle Datbase system to house all the students, staff, and faculty's information.
Anyone else know?
sounds to me like someone got the munchies...
It's still a good place for education as long as there are enough of chicks with no pants
Rock that crushes, Paper & Scissors that don't matter.
Anonymous 2:00 AM phone call: "Hello. This is Captain Nightbyte of the `0Hack L33T Legion`. It has come to my attention that you actually ordered a spam sandwich with Cheez Whiz, not once, but 18 times back in 2002."
Don't blame Durga. I voted for Centauri.
Are they running databases on their vending machines now?
Comment removed based on user account deletion
Why oh why do people give out their SSNs even when registering for college courses? I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.
Colleges shouldn't even ask applicants for their SSN. Yeah, it's a real pain in the ass 12 years from now when you try and get your transcripts and you can't remember your student ID. I graduated in 2001 and I remember mine... Maybe I won't in 10 more years but I will know that I can be searched for by name and graduation date.
DO NOT GIVE OUT YOUR SSN TO ANYONE. If they ask then politely decline and ask if they will allow another ID number. Every college I know of has a student ID field.
Here we are pushing students to use their student ID instead of their SSNs (a good majority of students give us the wrong SSN anyway).
i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.
i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targetted at retrieving potentially sensitive data from the exploited machine.
of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.
Have any of these people ever heard of data segregation?
Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?
I am the only one with visions of a vending machine stuffed with warez instead of Kit-Kat bars?
What the hell are these databases doing on machines connected to the internet?
You betcha. Would you like me to send you the database that has all 1,087 JPG files of everyone who purchased a Mountain Dew from 2002 to 2004? It was pretty easy for them to gather the information. They had a tiny camera that took a picture every time someone dropped money into the machine. The camera was hidden on the front of the "Diet Blue Dr Pepper" can, which ensured that it would never be disturbed by a purchase.
Don't blame Durga. I voted for Centauri.
CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.
500GB of disk, 5TB of transfer, $5.95/mo
The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.
$#!^ happens, but why does it always have to happen to me???
Disreputable people might contact affected individuals to "help," falsely identifying themselves as affiliated with the University. CSU, Chico will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from individuals. Do not release any private information in response to contacts of this nature.
4 5220&tid=172&tid=218
IRS Employees Fall For Hackers
Perhaps a lot of IRS workers graduated from here...
http://it.slashdot.org/article.pl?sid=05/03/17/01
#include bier;
If this keeps up, pretty soon we're all going to have the same identity!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Is this where I can get the latest warez of BurgerTime?
They stole my social security number? That's totally lame. Pass the bong.
(gurgling sounds)
What's a social security number?
Students at CSU Harpo and CSU Groucho breathed a sigh of relief on finding their campuses were not affected. No word at this time on CSU The Man.
Is why we've set up a system where it's a problem that you SSN is known?
Your SSN is your taxpayer identification number. Giving you my SSN should enable you to pay my taxes.
Why have we set up a system where a nonsecure number has so much of a strangle hold over our financial lives?
Never confuse volume with power.
Little Johnny suspected something might have been up when the lunch menu started to refer to today's special as 0-d4y meatloaf
I remember back in high school filling out college applications, and seeing spaces for my SS#. I didn't give it out, of course. I wonder how many people who applied to CSU Chico now regret filling in that space...
If you had super powers, would you use them for good, or for awesome?
I worked for a state agency twice a while back. First as a consultant, then later as a dual LTE. As a consultant, I pointed out the issues with their state supported network, the lack of security, and the extremely poor services they were being provided. Unfortunatly, no one listened, and the few skilled network techs at the state IS dept were bailing left and right due to budget cuts.
Skip ahead about a year, I come back on deck, but find out that we lost one of the primary servers. I ask what happened to it, after a lot of asking arround I finally got the story. The server in question, a decent sized storage server had been hacked (more likily walked into) by someone looking for a warez/kiddie porn storage site on IRC. Turns out that it had been running as a kiddie porn distribution server for 6 months before the FBI came.
The issue is that many IT management groups do not take security seriously enough. I'm not saying everyone needs a Norlight securi-bunker. But hell, even my current employer's network staff haven't patched the workstations since XP SP1!
-Rick
Unless you want to steal some random frat dude who's incurred a few grand worth of debt in beer bongs and kegs
For some reason I misread that as beer borgs. *logs off*
You can hold down the "B" button for continuous firing.
Perhaps it's because they don't have anything under /inf/new/security/
It's just a guess though
It held that information to preform a check against data on food cards. Not in the database? You have to pay for the food instead of it being debted to your account.
This is how it was done at Purdue and Indiana University; albiet at Purdue and IU the card swipe was a dumb terminal and the data was stored on the school network, it is still a similar problem.
Stupid, but that seems to be the way things are done at most state universities.
Then again, I have been known to be wrong.
It wasn't anonymous. It was Captain Nightbyte.
No the victems are those in the database, the student and teachers.
The idiots are the IT departments.
Freedom or George Bush
Let's not forget the battle-cry of the Chico State Fighting Keggers:
Woooooooooo0000000000OOOOOOOOOOOOOOOooooo!!!!
(ladies, groggily add "I'm so wasted" towards the end).
...a few grand worth of debt in beer bongs and...
beer bongs?
Is this an accessory for smoking or a new way to consume potent potables more expediantly?
# cat
Damn, my RAM is full of llamas.
My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 I wonder if they are somehow connected? She has only used her credit card online a few times.
You're a bit too sheltered. Here's a remedial homework assignment to make up for your lack of education:
Go to the store and buy
-A 12 pack of pabst blue ribbon or equivalent
-A funnel
-four feet of plastic hose
Your assigment is to find the fastest way to get the most beer into your stomach. Bonus points for finishing the 12 pack before you puke (with partial credit for fininshing the 12 pack even after you puke)
That's it! I don't care how many bells and whistles the thing has. I'm never going to give my social security number or bank account number to the soft drink machine again!
"Prepare for the worst - hope for the best."
-Is this where I can get the latest warez of BurgerTime?-
That, or Burglar Time.
The sooner somebody steals my ID the better! They are welcome to my debt and TAXES I pay.
:-/
I never was a student... dipped out AGAIN
The latter.
As seen being used by Frank "The Tank" in old school.
Ah, the Redneck beer dispenser. These were just starting to be sold in places likes Spencers when I was in college. Hadn't heard the "bong" moniker applied to them before. I honestly thought you just left out a comma.
Is this an accessory for smoking or a new way to consume potent potables
Dude, you must be using WAY too much of the other kind of bong if you couldn't even do a simple google (and for a few seconds more, the image search).
And just to make sure this isn't Offtopic, here's some Chico info
Chico State has one of the highest per capita of parents per student than other CSUs and UCs. You can tell, when you see the BMWs, Mercedes', and to a lesser extent '05 Mustangs parked in the freshmen lots. This isn't the first time either something like this has happened. A couple of years ago a former employee for the staff/faculty tech support organization stole all the information he could get his hands on, got caught trying to sell it.
Chicken fried butter sticks? Do
Indeed, in my day (said the old timer) it was just "funnels"
Not to be confused with funnel cake! Or ingested with funnel cake (eww, what a mess)
-- There is no sig line, only Zuul.
Press 1 + A + COIN RETURN for more options, including misc keygens and ketchup.
It was a computer in the Housing and Food Services department. Not a vending machine.
Chicken fried butter sticks? Do
Dude, you must be using WAY too much of the other kind of bong
Not at all, I'm just old. (Graduated college in '86.)
This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be suprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time
The DEA is going to be busy for a while, given, you know, that its CSU Chico.
All of your students may have had their personal information compromised? Damn, bad PR. Oh, wait a minute, they are all from California, double damn.
There's nothing quite like being required by law to notify every single student that their information may have been compromised to help an organization take security a bit more seriously.
No, the IT department doesn't consist of idiots. It probably represents the best talent available for the salary offered. Nobody wants to pay programmers what they're worth nowadays, and obviously security breaches won't change this.
If I was a petty bureaucrat and some tinfoil hat wearing, snotnosed teenager whined at our using SSNs for IDs and insisted that we provide an alternate number, I'd be sure to put in their records - "Alternate ID # 3423-233-222 assigned in lieu of SSN # 773-39-9037"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
"But we're a agency of the state, we aren't bound by the laws the legislature passes for the hoi-poli!"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Considering it may have been a scenario like above, there's a good chance no sensitive data wandered elsewhere. But did it, or not? That would be important to know. Simply because it... matters.
From the official response linked in the summary, I couldn't find anything on that. I assume they just can tell for sure either way. For that reason, they informed the victims on how to spot/prevent identity theft. Sounds good, but maybe they should also invite some feedback from same victims, to determine if any misuse of compromised data actually occurs?
As for the compromised machine, that's easy. Compromised: take it offline, inspect the sorry remains for evidence on what/how it happened, and hookup a machine with software rebuilt from clean install discs/backups (as any admin should know, and from what I read, that was already done).
Dude it's a tool that "The Man" uses to keep dibbs on you...
(gurgling sounds)
*COUGH* *COUGH*
P.S. I was a CSUC CSCI student. And If I remember right that conversation actually did happen.
"It takes many nails to build a crib, but one screw to fill it."
I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.
:)
I try to claim that they know computers -- but then they do this!
(It really is a very nice school, with an attractive campus and social life included).
--Lance, CSUC Computer Engineering '93
You are mistaken, since person(s?) unknown seem to have robbed your identity from you, pal.
Sorry dude, shit happens. You think it won't happen to you, but before you know it, you're an Anonymous Cow.
So out of all the comprimised machines were people are able to get "customer or student" data. Which OS ran which database... I'm not talking about the idiots at choicepoint giving criminals access.
Given all of these security breaks, why do we still consider a persons SSN as "password" type data? Why don't we just assume that a SSN is know just like your name, and go from there. Find some other way to secure the call to you bank besides using the last four digits of your SSN.
I know the history here. SSNs are supposed to be used for tax purposes only, and early cards even said so. But it is a handy ID number in the computer age, and it's the only number that is unique to all US residents. Just because you know my ID number shouldn't mean you assume anything else about me. Nobody gives out senstive info just because they know my phone number.
--Lance
Aparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media".
You can do that with soda and candy machines?
Taco?
The parent comment to this was alot funnier than it got modded. That being said "leech off every zig".
"Aparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". "
Hey, I ordered a ham sandwich and I got this copy of Doom III!
The race isn't always to the swift... but that's the way to bet!
Login into the student Unix accounts, I see that the school runs Sun4 on their servers. The system is obviously oudated and probly a prime target for exploits. Its no surprise to me that this happened.
or the I Tappa Keg fraternal initiation rites, where you must down a 6-pack in one bongload and just when you get to the finish they start adding tequila.
Guaranteed puke-fest. Be sure to keep the poison control center on speed-dial, because someone is guaranteed to see
I have something in common with Stephen Hawking...
I'm afraid that when Congress finally acts to protect our identities, all these thefts will have gone so far that when they say the only way is a national ID card, crossref'd to every authentication in our lives, their ultimatum will be well received. And, in fact, perhaps the only way. We're doomed.
--
make install -not war
Ah, yes. Of course it JUST HAD TO BE a Microsoft product. You present no evidence, just hear-say and you get moderated up for bashing MS.
That little winkie thing on the end of his comment indicates that it was likely a joke. It's still working hours on the west coast. Shouldn't you be trying to get tabbed browsing working in IE instead of surfing Slashdot? :)
And just why in the *F*S*C*K* were records on current, past, prospective, and future students kept on a FOOD SERVICE MACHINE?!?!?! ???!p>When a school is so stupid that it stores information like that on a food service machine, it should be the responsibility of the school to compensate each person whose records were stored thereon with at least $1,000,000,000 dollars. If the school cannot pay, then it should be put out of business, and all of its ex-assets distributed to these people.
I get free credit reports. Gee, all I had to do was give up my SSN to some unknown script kiddie.
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
No, but we all know that the MPAA/RIAA/BSA isn't going to kick down doors over half a copy of Diablo II, and you'd pretty much have to prove your cluelessness if there's 50gigs of warez on your otherwise empty 60gig FTP server. Really, the law isn't as stupid as you people seem to think. For the most part, you'll never be able to get away with egregious violations by pleading ignorance. The law sets the rules, but it allows for a lot of latitude in judging culpability within those rules. You really can't exploit "technicalities" like that. If you're obviously guilty as fuck, but say "I didn't know", the (judge/jury) isn't going to snap their fingers and say "damn, now we can't find you guilty"; no, they're going to say "lying sack of shit, get thee to the state pen".
"Honest, your honor, I just set up a Windows box as a FTP server for my stamp club, I have no idea where these movies came from!!!"
For what it's worth, it was an old UMAX Mac clone running Linux.
If a job's not worth doing, it's not worth doing right.
Hey asshole, I happen to go to Chico. We're no more of a party school than most colleges. We aren't on any of the main "party school" lists out there, so shut your hole. Most of us are real students just trying to learn.
Chico was also named a while back (I believe it was by Newsweek or another magazine of the same type) as one of the best value schools. Chico isn't much of a party town since they cracked down on it over 15 years ago. In fact, the place is more locked down than most, as Halloween is strictly clamped down on by the police. Radio, TV and print ads tell people not to invite others to town. I tried to take my girlfriend out for dinner and we saw no less than 15 cops on foot, half a dozen mounted police officers, and 3 different car checkpoints. St. Patty's day happens during spring break when almost no one is here.
So pretty please with sugar on top, keep your jackass, uneducated opinions to yourself.
"They told me it was impossible. I replied with maniacal laughter." http://www.mydailyrant.com/
For several years, Hewlett-Packard has hired more graduates from CSU, Chico's Computer Science Department than from any other CS department in the country. In US News and World Report, CSU, Chico continues to rank in the top 5 public regional universities in the West.
I had recently graduated from Chico state 2002 with a degree in computer science option math/physics and minor in math. I have since go on to complete my master's degree in computer science and was duely prepared from my CSU Chico education. i.e. my gpa for master program is 3.9 and I have had to study very little as my undergrad work has prepared me for both work and future study. I often have found my UC master classes are recovering topics that were detailed in my CSU undergrad classes
While Chico State is know for its parties and good times it also has some of the finest professors and staff in the California state university system. Many professionals educators are attracted to chico as it offers a slower pace of live and a focus on education that is not found in other settings. Personally I was able to communicate with each of my professor an a daily basis. I could visit their office hours or they would be more than willing to answer my questions after lecture. I know you don't get this attention at a larger more prestigous universtity..
As for the Food service computer exploit. This goes to show that the computer science students at Chico are some of the brightest and most intelligent around. I actully worked for the computer service department at Chico state and was impressed by the ingenuity and aptitude of the students to find holes/exploits in campus system. During my short time I had witnessed several attacks on system, most of which were successful. I was also impressed by the amount of technology that csu Chico presents to it students.
As for the food service and housing computer being hijacked this is obviously a student who lived in the dorm and figured out how to distributed software to his fellow students. I do not believe that his/her intentions were negative other then gaining free access to high speed connections which existed on the university network.
I received my letter from csu, chico yesterday informing me of the exploit. You can also view this site if you wish to read more into the problem and what csu, chico is doing to prevent further attacks.
Link to information resources computer security incident
CSU CHICO Computer Administration Offices
CSU CHICO IS AN AWESOME SCHOOL AND I WOULD NOT HAVE CHOSSEN TO GO ANYWHERE ELSE AS I HAD MANY OTHER OPTIONS
IF YOU CAN MAKE IT IN CHICO YOU CAN MAKE IT ANYWHERE WE STUDY HARD AND KNOW HOW TO HAVE FUN..
I think people are jealous of what they missed out on when you hear negative comments about chico...
Walk around the campus and you will understand that CSU CHICO is by far one of the finest universities on the west coast!
Speaking as a current student of CSU, Chico: I gave the school my SSN because if I didn't, I wouldn't be able to: apply for financial aid or work study, utilize the school's clerical services, or set up online accounts to register for classes.
I only gave the school my SSN once when I initially registered to attend. Guess what was breached? The server that had that one instance of my SSN.
I agree that it's too bad that SSNs have to be used, but the blame here doesn't fall on students. It's not an issue of "you should give us your SSN because we would like it over a student ID;" it's an issue of "you should give us your SSN because we won't enroll you otherwise." I think the real issue hear is the failure of those in charge of data. For those of you who don't know how it works, CSU Chico has one department, called User Services, that is in charge of essentially every network and system on campus. User Services screwed up, bad, and not a single student on campus could do anything about it, regardless of how loose they may be with thier SSN.