CSU Chico Identities Compromised

MisterFuRR writes "California State University Chico is the latest victim of Identity theft. Aparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."

No Worries

[fembots]

It's still a good place for education as long as there are enough of chicks with no pants

Dangerous food service hacking

[AtariAmarok]

Anonymous 2:00 AM phone call: "Hello. This is Captain Nightbyte of the `0Hack L33T Legion`. It has come to my attention that you actually ordered a spam sandwich with Cheez Whiz, not once, but 18 times back in 2002."

Proof, yet again, that SSNs should not be used!

[garcia]

Why oh why do people give out their SSNs even when registering for college courses? I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.

Colleges shouldn't even ask applicants for their SSN. Yeah, it's a real pain in the ass 12 years from now when you try and get your transcripts and you can't remember your student ID. I graduated in 2001 and I remember mine... Maybe I won't in 10 more years but I will know that I can be searched for by name and graduation date.

DO NOT GIVE OUT YOUR SSN TO ANYONE. If they ask then politely decline and ask if they will allow another ID number. Every college I know of has a student ID field.

Here we are pushing students to use their student ID instead of their SSNs (a good majority of students give us the wrong SSN anyway).

Re:Proof, yet again, that SSNs should not be used!

[rkcallaghan]

Why oh why do people give out their SSNs even when registering for college courses?

Because its utterly impossible to get by without doing so?

You aren't required to give your SSN.

You are, if you need student loans, work study, or other financial aid.

I'm a current student at Mesa Community College in Arizona, USA. I can tell you that there is absolutely no way I could have gotten through all the things I need to do to continue my education without using my SSN. I've personally asked about not using such information, and been told flat in several instances that I could not. Failure to cooperate results in poor service from the school, and likely revocation of privledges.

If I wanted to park within a mile radius of campus? SSN, Drivers License Number, and License Plate.

I'm normally quite concious about my personal information. There's just no way for me not to give my SSN to my school, though.

~Rebecca

might be giving them too much credit

[htmlboy]

i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.

i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targetted at retrieving potentially sensitive data from the exploited machine.

of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.

Re:might be giving them too much credit

[FreeLinux]

I've seen it many times. Someone leaves an IIS default install exposed to the world without sufficient patches. A script kiddie opens them up with an FTP exploit. They then create a directory that is invisible to all, including the administrator, and is impossible to remove with the OS(I thought that was interesting when I first saw it). They then start uploading warez and posting the ip on warez web sites.

They haven't rooted the box, they just fill up the disk with warez because of unpatched holes in IIS FTP service. The disk space and bandwidth is owned but, nothing else.

choose a purpose

[MrLint]

Have any of these people ever heard of data segregation?

Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?

What?

[mboverload]

What the hell are these databases doing on machines connected to the internet?

RTFA (was Re:Food Service?)

[hpulley]

The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.

Average CSU Chico student reply

[cot]

They stole my social security number? That's totally lame. Pass the bong.

(gurgling sounds)

What's a social security number?

In Related News...

[sdcharle]

Students at CSU Harpo and CSU Groucho breathed a sigh of relief on finding their campuses were not affected. No word at this time on CSU The Man.

I wonder how they figured it out

[Crimsane]

Little Johnny suspected something might have been up when the lunch menu started to refer to today's special as 0-d4y meatloaf

Pluto Data Inc

[djirk]

My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 I wonder if they are somehow connected? She has only used her credit card online a few times.

Food Service

[Embedded+Geek]

one of their "Food Service" machines was cracked

That's it! I don't care how many bells and whistles the thing has. I'm never going to give my social security number or bank account number to the soft drink machine again!

Re:hmmm

[garnetlion]

No no no. Chico students are drunks. The stoners go upstate to CSU Humboldt.

Your options

[The+Bungi]

Please deposit amount (quarters, dimes, nickels and $1 bills) in the machine and then make a selection:

1. 3oz Snickers Bar
2. Adobe Photoshop 7.0
3. 7oz Dorito Ranch
4. Windows XP Professional
5. 3oz Baby Ruth Bar
6. Your credit report (may be delayed)
7. Can of coke (not, not that kind)
8. 1yr Subscription to GothicJapaneseScoolGirls.cx (please share)
9. Ham&Cheese Sandwich (may be delayed)
10. Got milk?

Press 1 + A + COIN RETURN for more options, including misc keygens and ketchup.

Happens all the time

[KidHash]

This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be suprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time

The DEA

[ilduce]

The DEA is going to be busy for a while, given, you know, that its CSU Chico.

CSU, Chico -- the good computer school

[ChicoLance]

I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.

I try to claim that they know computers -- but then they do this! :)

(It really is a very nice school, with an attractive campus and social life included).

--Lance, CSUC Computer Engineering '93