Slashdot Mirror


CSU Chico Identities Compromised

MisterFuRR writes "California State University Chico is the latest victim of Identity theft. Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."

35 of 202 comments

  1. hmmm by Anonymous Coward · · Score: 2, Funny
    chico state? food service machine?


    sounds to me like someone got the munchies...

    1. Re:hmmm by mshaslam · · Score: 2, Funny

      I'm tired of all these jokes from my old alma mater. I don't remember rampant drug and alcohol use when I was at Chico State in the mid '80s. Come to think of it, I don't remember much of anything from when I was at Chico State in the mid '80s. Hmmm.... my Chico days are starting to make sense. Sort of. MSH

    2. Re:hmmm by garnetlion · · Score: 3, Informative

      No no no. Chico students are drunks. The stoners go upstate to CSU Humboldt.

  2. No Worries by fembots · · Score: 5, Funny

    It's still a good place for education as long as there are enough of chicks with no pants

    1. Re:No Worries by JohnGrahamCumming · · Score: 2, Interesting

      :-)

      But I just checked her dietary habits in the hacked database and she looks more like tubgirl now.

      Can anyone explain why the parent directory: http://www.csuchico.edu/inf/new/ is browsable?

      John.

  3. Dangerous food service hacking by AtariAmarok · · Score: 3, Funny

    Anonymous 2:00 AM phone call: "Hello. This is Captain Nightbyte of the `0Hack L33T Legion`. It has come to my attention that you actually ordered a spam sandwich with Cheez Whiz, not once, but 18 times back in 2002."

    --
    Don't blame Durga. I voted for Centauri.
  4. Proof, yet again, that SSNs should not be used! by garcia · · Score: 4, Insightful

    Why oh why do people give out their SSNs even when registering for college courses? I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.

    Colleges shouldn't even ask applicants for their SSN. Yeah, it's a real pain in the ass 12 years from now when you try and get your transcripts and you can't remember your student ID. I graduated in 2001 and I remember mine... Maybe I won't in 10 more years but I will know that I can be searched for by name and graduation date.

    DO NOT GIVE OUT YOUR SSN TO ANYONE. If they ask then politely decline and ask if they will allow another ID number. Every college I know of has a student ID field.

    Here we are pushing students to use their student ID instead of their SSNs (a good majority of students give us the wrong SSN anyway).

    1. Re:Proof, yet again, that SSNs should not be used! by PhiltheeG · · Score: 2, Informative

      The SSN is required if you receive most types of financial aid, if you are getting reimbursed in some way where taxation is involved, and a couple other legitimate instances.

      Part of the SSN is required to validate data for alumni against lists provided by subsidiaries of child companies owned or operated by larger companies like Seisint (LexisNexis).

      --
      -Phil
      Shoot questions, first ask later...
    2. Re:Proof, yet again, that SSNs should not be used! by rkcallaghan · · Score: 3, Insightful

      Why oh why do people give out their SSNs even when registering for college courses?

      Because it's utterly impossible to get by without doing so?

      You aren't required to give your SSN.

      You are, if you need student loans, work study, or other financial aid.

      I'm a current student at Mesa Community College in Arizona, USA. I can tell you that there is absolutely no way I could have gotten through all the things I need to do to continue my education without using my SSN. I've personally asked about not using such information, and been told flat in several instances that I could not. Failure to cooperate results in poor service from the school, and likely revocation of privileges.

      If I wanted to park within a mile radius of campus? SSN, Drivers License Number, and License Plate.

      I'm normally quite conscious about my personal information. There's just no way for me not to give my SSN to my school, though.

      ~Rebecca

  5. Re:unbreakable? by ArsenneLupin · · Score: 2, Interesting

    Nope, they use Microsoft SQL server. That's how they got cracked ;-)

  6. might be giving them too much credit by htmlboy · · Score: 4, Interesting

    i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.

    i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targeted at retrieving potentially sensitive data from the exploited machine.

    of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.

    1. Re:might be giving them too much credit by FreeLinux · · Score: 3, Informative

      I've seen it many times. Someone leaves an IIS default install exposed to the world without sufficient patches. A script kiddie opens them up with an FTP exploit. They then create a directory that is invisible to all, including the administrator, and is impossible to remove with the OS (I thought that was interesting when I first saw it). They then start uploading warez and posting the IP on warez web sites.

      They haven't rooted the box, they just fill up the disk with warez because of unpatched holes in IIS FTP service. The disk space and bandwidth is owned, but nothing else.

  7. choose a purpose by MrLint · · Score: 4, Insightful

    Have any of these people ever heard of data segregation?

    Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?

    1. Re:choose a purpose by ndege · · Score: 2, Insightful

      Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?

      No. The meal cards were most likely issued because these prospective students were recruited to visit the campus. During their visit, the prospective students used their free meal cards. The cost of these meals would have been billed back to the recruiting/marketing department at the university and the recruiting/marketing department would have to account for the cost and associate it with a specific prospective student.

      This is pure speculation on my behalf for this university, but this is the exact process used at the university I attended and a few others that I considered.

      --
      Sig Return: 204 No Content
  8. What? by mboverload · · Score: 4, Insightful

    What the hell are these databases doing on machines connected to the internet?

  9. you bet. by AtariAmarok · · Score: 2, Funny
    "Are they running databases on their vending machines now?"

    You betcha. Would you like me to send you the database that has all 1,087 JPG files of everyone who purchased a Mountain Dew from 2002 to 2004? It was pretty easy for them to gather the information. They had a tiny camera that took a picture every time someone dropped money into the machine. The camera was hidden on the front of the "Diet Blue Dr Pepper" can, which ensured that it would never be disturbed by a purchase.

    --
    Don't blame Durga. I voted for Centauri.
  10. RTFA, they don't use SSNs anymore. by PornMaster · · Score: 2, Informative

    CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.

  11. RTFA (was Re:Food Service?) by hpulley · · Score: 4, Informative

    The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.

    --
    $#!^ happens, but why does it always have to happen to me???
  12. "The Last Lonely Man" by Thud457 · · Score: 2, Insightful

    If this keeps up, pretty soon we're all going to have the same identity!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  13. Average CSU Chico student reply by cot · · Score: 3, Funny

    They stole my social security number? That's totally lame. Pass the bong.

    (gurgling sounds)

    What's a social security number?

  14. In Related News... by sdcharle · · Score: 4, Funny

    Students at CSU Harpo and CSU Groucho breathed a sigh of relief on finding their campuses were not affected. No word at this time on CSU The Man.

  15. I wonder how they figured it out by Crimsane · · Score: 5, Funny

    Little Johnny suspected something might have been up when the lunch menu started to refer to today's special as 0-d4y meatloaf

  16. Re:unbreakable? by prgrmr · · Score: 2, Insightful

    In this day and age it's entirely possible to have the web server on one box, the application on another, and the database on a third. The systems and OSs on all of them can all be different from each other.

  17. Pr0n by bcmm · · Score: 2, Interesting
    and used to distribute "games, files, and other media".
    Briefly disregarding the fact that "files" probably covers everything that they were distributing, anyone worked out what the "other media" could be a euphemism for?
    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  18. Pluto Data Inc by djirk · · Score: 3, Interesting

    My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 I wonder if they are somehow connected? She has only used her credit card online a few times.

  19. Re:FYI by cot · · Score: 2, Insightful

    You're a bit too sheltered. Here's a remedial homework assignment to make up for your lack of education:

    Go to the store and buy
    -A 12 pack of pabst blue ribbon or equivalent
    -A funnel
    -four feet of plastic hose

    Your assignment is to find the fastest way to get the most beer into your stomach. Bonus points for finishing the 12 pack before you puke (with partial credit for finishing the 12 pack even after you puke)

  20. Food Service by Embedded+Geek · · Score: 4, Funny
    one of their "Food Service" machines was cracked

    That's it! I don't care how many bells and whistles the thing has. I'm never going to give my social security number or bank account number to the soft drink machine again!

    --

    "Prepare for the worst - hope for the best."

  21. Re:beer bongs by shrubya · · Score: 2, Insightful

    Is this an accessory for smoking or a new way to consume potent potables

    Dude, you must be using WAY too much of the other kind of bong if you couldn't even do a simple google (and for a few seconds more, the image search).

    And just to make sure this isn't Offtopic, here's some Chico info

  22. Your options by The+Bungi · · Score: 3, Funny
    Please deposit amount (quarters, dimes, nickels and $1 bills) in the machine and then make a selection:

    1. 3oz Snickers Bar
    2. Adobe Photoshop 7.0
    3. 7oz Dorito Ranch
    4. Windows XP Professional
    5. 3oz Baby Ruth Bar
    6. Your credit report (may be delayed)
    7. Can of coke (no, not that kind)
    8. 1yr Subscription to GothicJapaneseScoolGirls.cx (please share)
    9. Ham&Cheese Sandwich (may be delayed)
    10. Got milk?

    Press 1 + A + COIN RETURN for more options, including misc keygens and ketchup.

  23. Re:No, the real problem by Monkelectric · · Score: 2, Interesting

    The other half of the problem is illegal immigrants. My SSN has been used to buy a bunch of property in California, all under Mexican surnames. However the privacy laws protect the fraudsters, I can't even find out who it is or where this property is. Only reason I found out was because I went to open an account at the bank and all these property transactions came up under my SSN -- the lady messed up and told me one of the names.

    --

    Religion is a gateway psychosis. -- Dave Foley

  24. Happens all the time by KidHash · · Score: 4, Interesting

    This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be surprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time

  25. The DEA by ilduce · · Score: 4, Funny

    The DEA is going to be busy for a while, given, you know, that it's CSU Chico.

  26. Re:Above Average CSU Chico student replying back by DA_MAN_DA_MYTH · · Score: 2, Funny

    Dude it's a tool that "The Man" uses to keep dibs on you...

    (gurgling sounds)

    *COUGH* *COUGH*

    P.S. I was a CSUC CSCI student. And if I remember right that conversation actually did happen.

    --
    "It takes many nails to build a crib, but one screw to fill it."
  27. CSU, Chico -- the good computer school by ChicoLance · · Score: 4, Interesting

    I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.

    I try to claim that they know computers -- but then they do this! :)

    (It really is a very nice school, with an attractive campus and social life included).

    --Lance, CSUC Computer Engineering '93

  28. Re:Predictable response by vsprintf · · Score: 2, Funny

    Ah, yes. Of course it JUST HAD TO BE a Microsoft product. You present no evidence, just hearsay and you get moderated up for bashing MS.

    That little winkie thing on the end of his comment indicates that it was likely a joke. It's still working hours on the west coast. Shouldn't you be trying to get tabbed browsing working in IE instead of surfing Slashdot? :)