Forgot your password?
typodupeerror
Security Education Privacy

Viruses Stole City College of S.F. Data For Years 93

Posted by Soulskill
from the measuring-failure-in-decades dept.
An anonymous reader sends this quote from an article at the San Francisco Chronicle: "Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called 'an infestation' of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned. At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college's data security monitoring service detected an unusual pattern of computer traffic, flagging trouble."
This discussion has been archived. No new comments can be posted.

Viruses Stole City College of S.F. Data For Years

Comments Filter:
  • Human failure (Score:4, Insightful)

    by Anonymous Coward on Saturday January 14, 2012 @02:45PM (#38699314)

    "students and faculty have used college computers to do their banking"

    That's the main problem. Using sensitive data through public locations such as a college computer is not, in any way, safe.

    • Re:Human failure (Score:5, Insightful)

      by betterunixthanunix (980855) on Saturday January 14, 2012 @03:08PM (#38699488)
      After years of explaining this to people, I have come to the conclusion that no matter what people are going to do it. Simply put, if banks allow people to log in to their accounts from random computers, people are going to do so without any regard for security. It is convenient, and the one thing you can expect people to do is something that is convenient.
      • by hedwards (940851)

        Yeah, that's not something that I ever do. I logged into my email one time from a random computer, but that's the only time. I did change my password shortly thereafter and didn't have any trouble.

        These days what I do is run a virus scan from a write only thumbdrive before I do anything at all on a strange computer. (If anybody is curious, I'm using a kanguru flashblu 2 with a portable antivirurs program and it works just great for that)

        • by Anonymous Coward on Saturday January 14, 2012 @04:23PM (#38700102)

          write only thumbdrive

          That sounds pretty useless

        • by Wootery (1087023)

          These days what I do is run a virus scan from a write only thumbdrive before I do anything at all on a strange computer. (If anybody is curious, I'm using a kanguru flashblu 2 with a portable antivirurs program and it works just great for that)

          If you're making the effort, you could just as well keep an Ubuntu live-boot USB key.

          Your only security worry then would be hardware keyloggers, and you'd get the considerable bonus of not having to suffer a strange computer's browser - few things are more horrifying than IE with only half the window's real-estate usable for plugins.

          • by hedwards (940851)

            The only problem with that is that you're not necessarily going to be able to get online in that fashion. True it is more secure, but by the same token if one needs to go online one is going to have to take some risks.

            And since it wasn't clear, I don't personally visit banking sites like that nor do I log into sites where I don't have a OTP as part of the log in requirements.

        • by Anonymous Coward
          You can't trust the results of that scan unless you booted the machine using the thumbdrive. Otherwise, the rootkit installed on the machine will prevent the portable AV from seeing anything wrong. This is pretty basic. Yes, your process will catch a fair percentage of bad stuff. No, it doesn't make it safe at all. Of course, you may not be able to boot to your drive if the bios is out of your control or the machine's hard drive is protected with encryption. But the only way to be sure there is nothing on i
          • by hedwards (940851)

            It depends what you're doing. I shouldn't have implied that I'd be typing in passwords to such a machine because you are indeed correct about that. I also shouldn't have implied that I would be logging into a banking site like that. I load up my own web browser and don't log into any site where I'm not using an OTP as part of the set up.

            I'm mostly worried about viruses on the odd occasion where I'm needing to check email at a cyber cafe.

            • by Anonymous Coward

              It is now a basic technique of any "respectable" virus to inject itself into the windows kernel and assure any access to infected executables or other components of the virus is being masked.
              So scanning an already infected system is a very, very pointless endeavour. Actually it will lull you in a false sense of security. And believe, even the best virus scanner can't do anything against that. You would have to boot your own WinPE or something from that USB stick to stand any chance against modern viruses.
              If

          • by Bert64 (520050)

            Even if you boot from trusted media to run the malware scan, there is no guarantee that the system won't be infected with a piece of malware for which your scanner has no signature.

            A better approach, although obviously not foolproof...

            Boot from the thumbdrive, and then use that OS to access the internet...
            Make sure the OS has an on screen keyboard or a non standard key mapping so as to confuse any potential hardware keylogger.

        • is that manufactured by /dev/null technologies, inc?
        • by mrmeval (662166)

          You should boot from the USB drive and then scan. Kaspersky has one.

      • Yeah in a small town library several days ago I saw people doing their banking on public computers.

        • That happens a lot I am sure, there is no security, I bet the computers were running Windows XP. The local library I visit sometimes has Windows XP computers with SP2, in 2012! There needs to be a better default operating system we could deploy in these circumstances that would do a better job of security. But if there is a hardware keylogger hidden behind the machine, then the most secure OS in the world will not protect you.

          I can not manage my website on their computers as I need to use port 2083 to conne

          • by Bert64 (520050)

            The library here has a 50/50 mix of imacs and xp boxes, the imacs tend to be in use while the xp boxes sit idle...

      • Re:Human failure (Score:4, Informative)

        by tlhIngan (30335) <.slashdot. .at. .worf.net.> on Sunday January 15, 2012 @02:19AM (#38703870)

        After years of explaining this to people, I have come to the conclusion that no matter what people are going to do it. Simply put, if banks allow people to log in to their accounts from random computers, people are going to do so without any regard for security. It is convenient, and the one thing you can expect people to do is something that is convenient.

        It's called Dancing Pigs [wikipedia.org]. A user will most likely pick convenience over security.

        And any bank that prevents logging in from public computers will be laughed out of business - people expect to be able to bank anywhere and everywhere. Even on their cellphones (they can't wait to go home and do it then...).

        No way around it, unfortunately, and educating the user is a pointless exercise because they'll just go back to their old ways.

        Perhaps if the bank issued them special keypad calculators that could compute transaction hashes (for two-factor authorization) things would help. But no.

        And given banks already use Wish It Was Two-Factor [thedailywtf.com], things won't be improving at all.

        • by Bert64 (520050)

          Perhaps if the banks had better opening hours, people could actually go to the branch when they were out and about instead of having to use the cybercafe next door.

          • by tehcyder (746570)

            Perhaps if the banks had better opening hours, people could actually go to the branch when they were out and about instead of having to use the cybercafe next door.

            I've only gone into a physical bank in recent years to pay in accumulated bags of coins.. Apart from having ATMs I really don't know why they bother having branches any more.

        • by AmiMoJo (196126)

          Perhaps if the bank issued them special keypad calculators that could compute transaction hashes (for two-factor authorization) things would help. But no.

          My bank kinda does. HSBC gives you a little red keypad thing which generates a code you need to log in with. Once in you can repeat actions you have done in the past, e.g. paying off a bill, but if you want to do something new like set up a money transfer to an account you have never sent money to before then you have to enter another code.

    • by hitmark (640295)

      People doing taking care of private affairs during work hours is a old story.

    • by midtowng (2541986)
      As a recent former student of CCSF, I find this very disturbing. Fortunately, I always paid for my classes either in cash or by check. Never by credit card. I've always been paranoid about giving out personal information, especially online. Now it appears that I wasn't paranoid after all. You aren't paranoid when they really are out to get you.
    • by Bert64 (520050)

      The worst thing is, assuming you trust the staff, a college computer lab is managed by paid staff who you would assume have some level of competence...
      The average home computer on the other hand is not.

      The difference from a hacker's perspective is that the average home computer, while horrendously insecure and usually not managed by someone with an IT background, only has one user to steal bank details from... A lab computer may have several.

      A lab computer is also more likely to have a shared authentication

    • by tehcyder (746570)

      "students and faculty have used college computers to do their banking"

      That's the main problem. Using sensitive data through public locations such as a college computer is not, in any way, safe.

      So let's just get rid of internet banking entirely, as it can never be 100% secure?

  • Missing details (Score:3, Interesting)

    by msobkow (48369) on Saturday January 14, 2012 @02:46PM (#38699320) Homepage Journal

    The article really doesn't clarify whether these are viruses that are detected by anti-virus software on the market, or something novel and malicious that could only be detected recently. However, the tone of the article suggests poor management and an utter lack of protection from assault, rather than some incredibly creative black hats at work:

    Shortly before Hotchkiss arrived at City College, a new firewall was installed. Technicians set it up to block pornography sites, which are notorious for transmitting computer viruses.

    Then faculty began complaining to Hotchkiss that students needed access to porn sites. For research.

    Eventually, given examples of the academic necessity, Hotchkiss had to remove the porn block.

    I can see the need for some sociology or psychology students to access porn, but only a very few on very specific projects. Methinks some faculty spanking material was the greater concern than student access to "research data" which could have been addressed by granting specific machines a bypass in the firewall configurations.

    • I can see the need for some sociology or psychology students to access porn, but only a very few on very specific projects. Methinks some faculty spanking material was the greater concern than student access to "research data" which could have been addressed by granting specific machines a bypass in the firewall configurations.

      Methinks the porn blocker was probably overzealous*, and blocked way to much.

      * In general, those blockers come in two variations: The overzealous type, which gets in the way of normal usage, or the useless type, that blocks next to nothing.

      • by bmo (77928)

        >Methinks the porn blocker was probably overzealous*, and blocked way to much.

        This is the problem with filters. They don't block enough of the "bad" material and they block too much of the "legitimate" material.

        For instance, I am currently in the library down the road from my house, and the filter blocks scribd of all things. But getting around the filter is as simple as going to a proxy. Access to porn is as simple as just finding something that isn't in the filter, which is surprisingly easy, like si

    • by hedwards (940851)

      It's usually a matter of poor management when these things happen. There are malware programs popping up all the time that aren't detectable, but those tend not to remain undetectable for years.

    • From TFA you quoted:

      Technicians set it up to block pornography sites, which are notorious for transmitting computer viruses.

      So you KNOW that you'll be going to sites KNOWN for "viruses".

      Wouldn't you limit that kind of access to only a segment of the machines AND firewall them from the other machines so they cannot infect everyone AND erase the drives on a regular basis?

      And, just for fun, give the computer science people access to the drive contents to that they can use the viruses found as examples in their

      • by msobkow (48369)

        No, I'd suggest loading a VM for surfing questionable sites, and nuking it after you're done.

    • Re:Missing details (Score:4, Informative)

      by Anonymous Coward on Saturday January 14, 2012 @08:21PM (#38702018)

      I don't know WTF porn sites you guys are visiting, but there are PLENTY of them out there that have no popups, no viruses, and fewer ads than MSNBC. Serioiusly. Porn sites with viruses are NOT porn sites. They are VIRUS sites that use porn to attract virus clickers. Did you learn nothing from Anna Kournikova?

      • by msobkow (48369)

        Damn good point. I've never caught a virus from a porn site in 20+ years.

        In fact, they've only fired the anti-virus on REGULAR sites that had drive-by malware ad-banners hosted by GOOGLE of all places!

        • by Corbets (169101) on Sunday January 15, 2012 @05:29AM (#38704432) Homepage

          Damn good point. I've never caught a virus from a porn site in 20+ years.

          In fact, they've only fired the anti-virus on REGULAR sites that had drive-by malware ad-banners hosted by GOOGLE of all places!

          In fact, porn has probably helped me not catch many a virus from the local gentleman's establishment...

      • by Bert64 (520050)

        And porn sites are blocked by many filters, therefore reducing the potential targets for a malware spreader...

        Web distributed malware these days tends to come from legit sites, or legit banner hosts etc that have been hacked... When you have thousands of infected workstations running keyloggers it's not hard to capture a webmaster logging in to his site and then you can follow him in and add your malicious code to his genuine site.

      • by tehcyder (746570)

        Did you learn nothing from Anna Kournikova?

        Yes, that appearance trumps talent nowadays.

    • In a school / research area porn blocker just end block stuff like breast cancer research and other stuff Even more so in a med lab.

  • Since 1999? (Score:3, Insightful)

    by Anonymous Coward on Saturday January 14, 2012 @02:48PM (#38699336)

    Article says they've had viruses lurking since 1999. What kind of network could possibly contain equipment that old? Also, not exactly a detailed story we've got there.

    • Re:Since 1999? (Score:5, Insightful)

      by FoolishOwl (1698506) on Saturday January 14, 2012 @03:11PM (#38699516) Journal

      A network that is heavily used by a chronically underfunded institution -- that's what kind.

      • Why yes, it must be the under-funding. It couldn't be anything from clueless IT, clueless administrators, or bean-counters with too much power over the IT department.

        • All those things could have contributed to a security oversight. But I was answering the question of why the network would have ten-year-old equipment. CCSF has had several rounds of layoffs and course cancellations, and has had to completely drop summer courses. So under those conditions, old equipment may stick around for a while.

        • by shiftless (410350)

          Do you have evidence of those assertions? Just what is it about the fact "a computer from 1999 is still running somewhere" automatically implies cluelessness? Hell, there's still computers out there from the *1950s* still running...are their operators clueless too?

        • by midtowng (2541986)
          I never worked there, but I was a student there, so I have some insight. CCSF was like a lot of old educational institutions - departments have their own domains. Thus, some departments might have had good IT support, and some probably had almost none. What is likely is that the main computer labs are fine, but the small, less-used computer labs are the ones with the problems.
          • by CAIMLAS (41445)

            That's an "old" educational system? What's a "new" educational system? What you describe seems fairly common to me (regardless of the size of the school or its age, as I've seen both in hundred+ year institutions with under 2,000 students as well as in modern for-profit educational organizations with tens of thousands (and everything in between). I know that many, many universities still do this.

      • Guess that's why more are retiring with 6 figure salaries, six-figure pensions soar for California school administrators [sacbee.com].
        • I was talking about layoffs of instructors and support staff such as counselors, not about the retirement of administrators.

    • by CAIMLAS (41445)

      Virtualization may do that. Someone virtualizes an old machine with malware, and voila, there you go. You've just perpetuated the problem indefinitely.

      If they're using, say, Symantec products, it's really not difficult to see this problem being perpetuated, is it? Something from 1999 may not have had AV on it originally, but they realized later down the line it was necessary but thought it too old to be problematic... voila, instant perpetual malware vector.

      I recently found a machine which had malware on it

  • by Niris (1443675) on Saturday January 14, 2012 @02:48PM (#38699342)
    From what I've seen community college IT Tends to be pretty horrible. One of them out here had a server password of "password" and remoting on. Others tend to use a generic password on everything such as Mascot1 or gomascot1
    • by jampola (1994582)
      Ooooo, thanks for the tip!
    • Re: (Score:2, Informative)

      by FFOMelchior (979131)

      From what I've seen community college IT Tends to be pretty horrible. One of them out here had a server password of "password" and remoting on. Others tend to use a generic password on everything such as Mascot1 or gomascot1

      IT Dunce A: Crap! Someone out there knows our password "gomascot1"!
      IT Dunce B: No worries, I'll go ahead and change it to "gotigers1".
      IT Dunce A: Phew!

  • But enforcing laws on bad security should reign supreme on the likes of SOPA and friends.
  • CS Dept (Score:3, Interesting)

    by Mannfred (2543170) <mannfred@gmail.com> on Saturday January 14, 2012 @02:54PM (#38699388)
    FTA: "It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected." The college has a CS department providing courses for "seasoned IT professionals" (as per ccsf.edu) and nobody notices viruses on their flash drives (etc) over the past 10 years? Unlikely.
    • Re:CS Dept (Score:4, Interesting)

      by ArundelCastle (1581543) on Saturday January 14, 2012 @11:37PM (#38703224)

      The college has a CS department providing courses for "seasoned IT professionals" (as per ccsf.edu) and nobody notices viruses on their flash drives (etc) over the past 10 years? Unlikely.

      I don't think we're talking about the era of Stoned on a boot sector anymore. If this is a decade of organised crime, it's going to be a bit more sophisticated.

      You might want to check out Stuxnet [wikipedia.org] before you presume any amount of caution or aptitude can so easily subvert a sufficiently developed worm. Whatever someone might think about how people "over there" do things, I feel it's a safe assumption that the professionals working at a middle-east nuclear plant would also be qualified to work at a San Francisco college.

      • by Nyder (754090)

        ...

        I don't think we're talking about the era of Stoned on a boot sector anymore. ...

        oh the memories, my first infection. At the time, i was stoned, and my computer booted up and told me it was stoned, and I was like, sweet, dude...

        Then i realized something wasn't right, and proceeded to infect a few more disks.

        Good times!

        Also, I'm am currently stoned right now. =)

  • This is not the first time this has happened. It is just the first time we have heard about a virus being in place for a decade and not being detected.

    I am sure there are more colleges and government agencies that are compromised like this.

    As an added bonus. This is why you should post AC when posting from College.

  • Who, other than me, thinks that this would be a non-story if it weren't able to be blamed on THOSE EVIL FOREIGNERS. This story would be buried otherwise.
  • Correction (Score:4, Insightful)

    by dtmos (447842) * on Saturday January 14, 2012 @03:10PM (#38699504)

    when the college's data security monitoring service finally detected an unusual pattern of computer traffic. . .

    FTFY.

  • Marco. Paging Marco Polo. You need to go settle your debt with that China character. That is not Uncle Sam's debt. Marco. You were supposed to settle all of that a long time ago.

    Amerigo. Amerigo Vespucci. You're in debt. Your hip is dropping into the well. You need to go wrestle on that hill like Jacob did.

    "Eh. No way. Tell Colombus to get in the box and he'll cough one up when he gets back."

    Amerigo von Spratt (could eat no lean) wanted his name on something--he got two big ones. The really rich

  • So, exactly what viruses were installed on these machines? Were they internet common, or something more targeted?

    Is this simply a failure to install some decent anti-virus software, or something more involved?

  • What's right is to rely on the US justice system, which requires that there be evidence of criminal activity prior to most searches and seizures. Further, judges need to be involved in adjudicating what constitutes probable cause. That is the way forward. Technology brings new challenges to law enforcement, but it also provides new tools. It is, as always, the job of the legal community to keep learning and stay abreast of technology, same as it is for everyone else. And when corporations or individuals wan

    • by fruitbane (454488)

      WTF? How did my comment get appended to this topic? I thought I attached it to a different one. Sorry, folks.

  • It DOESN'T go without saying, except here.

    Relentlessly remind people that viruses are largely a consequence of running a "virus farm" OS.

    • by midtowng (2541986)
      CCSF is only partly Windows. The old, established part of the computer system is HPUX and Linux.
  • is to write a check, stuff it in an envelope, and drop it into the US Mail to pay your bills. Offline. Making withdrawals means drive to the bank, use your passbook, withdraw cash. If there's any computer viruses involved in those, it won't be YOUR fault and should be protected by FDIC insurance. Hopefully.

1 + 1 = 3, for large values of 1.

Working...