Security Privacy

CSU Chico Identities Compromised 202

MisterFuRR writes "California State University Chico is the latest victim of Identity theft. Apparently one of their "Food Service" machines was cracked and used to distribute "games, files, and other media". An official response is available." From the article: "The names of 15,500 current students, 1,000 faculty, 1,500 staff and former students going back about five years were in a database that was potentially compromised. The files also included information on prospective students."
  • unbreakable? (Score:2, Redundant)

    by dmf415 ( 218827 ) *
    I wonder if CSU Chico was using the Oracle Database system to house all the students, staff, and faculty's information.
    Anyone else know?
    • Re:unbreakable? (Score:2, Interesting)

      Nope, they use Microsoft SQL server. That's how they got cracked ;-)
    • Re:unbreakable? (Score:2, Informative)

      by hackstraw ( 262471 ) *

      How about that thing called encryption?

      I remember when a database got hacked and all of the usernames and passwords were in plaintext, which has of course been fixed. More about that break-in here [cnet.com].
  • hmmm (Score:2, Funny)

    by Anonymous Coward
    chico state? food service machine?


    sounds to me like someone got the munchies...

    • Let's not forget the battle-cry of the Chico State Fighting Keggers:

      Woooooooooo0000000000OOOOOOOOOOOOOOOooooo!!!!

      (ladies, groggily add "I'm so wasted" towards the end).
    • Re:hmmm (Score:2, Funny)

      by mshaslam ( 688800 )
      I'm tired of all these jokes from my old alma mater. I don't remember rampant drug and alcohol use when I was at Chico State in the mid '80s. Come to think of it, I don't remember much of anything from when I was at Chico State in the mid '80s. Hmmm.... my Chico days are starting to make sense. Sort of. MSH
    • Re:hmmm (Score:3, Informative)

      by garnetlion ( 786722 )
      No no no. Chico students are drunks. The stoners go upstate to CSU Humboldt [humboldt.edu].
  • No Worries (Score:5, Funny)

    by fembots ( 753724 ) on Tuesday March 22, 2005 @04:00PM (#12015786) Homepage
    It's still a good place for education as long as there are enough of chicks with no pants [csuchico.edu]
    • *Sigh* if only I knew it were work friendly, otherwise I'll keep this post in mind for home...
      • by Anonymous Coward
        make your window real small and click fast.

        YOU CAN DO EEET!!!!
      • Re:No Worries (Score:1, Informative)

        by Anonymous Coward
        The link is not very titillating to be honest. Just a tiny PR image of a girl on a bench with a laptop, an open notebook next to her legs is obscuring what is probably a pair of shorts. So, it's quite safe for work. And it will do you no good in bed- I tried hard enough sitting in my cube looking at it and nothing comes up.
    • Thank you very much. I'd hack her identity anytime.

      Besides, I'm sure the laptop does a lot better at warming than K-Y.*

      *not speaking from experience
    • Re:No Worries (Score:3, Interesting)

      :-)

      But I just checked her dietary habits in the hacked database and she looks more like tubgirl now.

      Can anyone explain why the parent directory: http://www.csuchico.edu/inf/new/ is browsable?

      John.

  • by AtariAmarok ( 451306 ) on Tuesday March 22, 2005 @04:00PM (#12015795)
    Anonymous 2:00 AM phone call: "Hello. This is Captain Nightbyte of the `0Hack L33T Legion`. It has come to my attention that you actually ordered a spam sandwich with Cheez Whiz, not once, but 18 times back in 2002."
  • by Anonymous Coward
    Are they running databases on their vending machines now?
    • you bet. (Score:3, Funny)

      by AtariAmarok ( 451306 )
      "Are they running databases on their vending machines now?"

      You betcha. Would you like me to send you the database that has all 1,087 JPG files of everyone who purchased a Mountain Dew from 2002 to 2004? It was pretty easy for them to gather the information. They had a tiny camera that took a picture every time someone dropped money into the machine. The camera was hidden on the front of the "Diet Blue Dr Pepper" can, which ensured that it would never be disturbed by a purchase.

    • by hpulley ( 587866 ) <hpulley4.yahoo@com> on Tuesday March 22, 2005 @04:05PM (#12015853) Homepage

      The summary above is not quite correct. The linked article actually states, "...someone had broken into a computer server at the university's housing and food service center last July", not a vending machine.

  • Re: (Score:1, Informative)

    Comment removed based on user account deletion
    • Disreputable people might contact affected individuals to "help," falsely identifying themselves as affiliated with the University. CSU, Chico will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from individuals. Do not release any private information in response to contacts of this nature.

      Perhaps a lot of IRS workers graduated from here...
      http://it.slashdot.org/article.pl?sid=05/03/17/0145220&tid=172&tid=218 [slashdot.org] IRS Empl
    • ...a few grand worth of debt in beer bongs and...

      beer bongs?

      Is this an accessory for smoking or a new way to consume potent potables more expediently?
      • Re:FYI (Score:3, Insightful)

        by cot ( 87677 )
        You're a bit too sheltered. Here's a remedial homework assignment to make up for your lack of education:

        Go to the store and buy
        -A 12 pack of pabst blue ribbon or equivalent
        -A funnel
        -four feet of plastic hose

        Your assignment is to find the fastest way to get the most beer into your stomach. Bonus points for finishing the 12 pack before you puke (with partial credit for finishing the 12 pack even after you puke)
        • Ah, the Redneck beer dispenser. These were just starting to be sold in places like Spencers when I was in college. Hadn't heard the "bong" moniker applied to them before. I honestly thought you just left out a comma.
          • by yack0 ( 2832 )
            Indeed, in my day (said the old timer) it was just "funnels"

            Not to be confused with funnel cake! Or ingested with funnel cake (eww, what a mess)

        • or the I Tappa Keg fraternal initiation rites, where you must down a 6-pack in one bongload and just when you get to the finish they start adding tequila.

          Guaranteed puke-fest. Be sure to keep the poison control center on speed-dial, because someone is guaranteed to see .4 BAC that night.
      • Re:beer bongs (Score:2, Insightful)

        by shrubya ( 570356 )
        Is this an accessory for smoking or a new way to consume potent potables

        Dude, you must be using WAY too much of the other kind of bong if you couldn't even do a simple google [google.com] (and for a few seconds more, the image search [google.com]).

        And just to make sure this isn't Offtopic, here's some Chico info [google.com]
  • by garcia ( 6573 ) * on Tuesday March 22, 2005 @04:03PM (#12015818)
    Why oh why do people give out their SSNs even when registering for college courses? I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.

    Colleges shouldn't even ask applicants for their SSN. Yeah, it's a real pain in the ass 12 years from now when you try and get your transcripts and you can't remember your student ID. I graduated in 2001 and I remember mine... Maybe I won't in 10 more years but I will know that I can be searched for by name and graduation date.

    DO NOT GIVE OUT YOUR SSN TO ANYONE. If they ask then politely decline and ask if they will allow another ID number. Every college I know of has a student ID field.

    Here we are pushing students to use their student ID instead of their SSNs (a good majority of students give us the wrong SSN anyway).
    • CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.
      • CSUC said it has implemented new security measures. One of them is to issue randomly assigned nine-digit identification numbers to students and staff, in place of Social Security numbers.

        I did RTFA and it doesn't say *WHEN* that was implemented. Was it implemented 5 years ago because that's when TFA says that the data was stored from.

        If it was implemented then were they not even prompting for SSNs or were they asking for the SSN and then creating a 9 digit ID number from that?

        Just because you don't pub
    • by Anonymous Coward
      Even if you make a stink about it your SSN will often "sneak" into your records. I went to the trouble of getting an ID number rather than using SSN (and put up with all the exasperated sighing and angry looks that come with taking such a stance), but had to give it for work study - and sure enough the number found its way into school records.
    • Is why we've set up a system where it's a problem that your SSN is known?

      Your SSN is your taxpayer identification number. Giving you my SSN should enable you to pay my taxes.

      Why have we set up a system where a nonsecure number has so much of a strangle hold over our financial lives?
      • The other half of the problem is illegal immigrants. My SSN has been used to buy a bunch of property in California, all under Mexican surnames. However the privacy laws protect the fraudsters, I can't even find out who it is or where this property is. Only reason I found out was because I went to open an account at the bank and all these property transactions came up under my SSN -- the lady messed up and told me one of the names.
        • My SSN has been used to buy a bunch of property in California, all under Mexican surnames. However the privacy laws protect the fraudsters, I can't even find out who it is or where this property is.

          If this is true, do they show up on your credit history?

          If you think you've been the victim of identity theft, you should be able to request free credit reports to see what's going on. Your bank should also help you out with more pointers to whatever the fedgov is doing, now.

    • I work at a college and I went to college. You aren't required to give your SSN and when I register for courses now I certainly don't.

      Uh, OK. So you went to "college" and therefore know that "college" doesn't ask for an SSN during class registration.

      I hope you're in my basketball pool -- after picking Wake Forest to win, I need your "college" beats "college", "college" and "college" to avoid the basement.

    • The SSN is required if you receive most types of financial aid, if you are getting reimbursed in some way where taxation is involved, and a couple other legitimate instances.

      Part of the SSN is required to validate data for alumni against lists provided by subsidiaries of child companies owned or operated by larger companies like Seisint (LexisNexis).
    • by rkcallaghan ( 858110 ) on Tuesday March 22, 2005 @04:46PM (#12016281)
      Why oh why do people give out their SSNs even when registering for college courses?

      Because it's utterly impossible to get by without doing so?

      You aren't required to give your SSN.

      You are, if you need student loans, work study, or other financial aid.

      I'm a current student at Mesa Community College in Arizona, USA. I can tell you that there is absolutely no way I could have gotten through all the things I need to do to continue my education without using my SSN. I've personally asked about not using such information, and been told flat in several instances that I could not. Failure to cooperate results in poor service from the school, and likely revocation of privileges.

      If I wanted to park within a mile radius of campus? SSN, Drivers License Number, and License Plate.

      I'm normally quite conscious about my personal information. There's just no way for me not to give my SSN to my school, though.

      ~Rebecca
    • DO NOT GIVE OUT YOUR SSN TO ANYONE.

      It pisses me off that everyone uses SSN to identify you. My old bank used it over the phone as sole proof of identification before giving you access to your account. I know my dad's SSN, should I be able to PHONE IN and have access to his bank account? Just doesn't seem right that anyone uses that, except the IRS. Just seems like everyone wants to up the bar for identifying people, so they started using people's SSN. Now so many people use it that it's not a good tec
    • I don't know about you, but my Student ID was my SSN. The only way not to use it was not to attend that college. I don't think that they use it anymore but for some people, they don't have a choice.
  • by htmlboy ( 31265 ) on Tuesday March 22, 2005 @04:04PM (#12015835)
    i'd be surprised if any of the student data actually made it off the computer. through a not-really-worth-explaining series of events, a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer. the hard disk quickly filled up and we unplugged the machine after its network activity started looking odd. it turns out that the parties responsible didn't even take the time to notice there was a second drive on the machine they'd be able to use.

    i don't have any experience beyond that, but i've heard similar stories from other friends. it seems like the sort of exploit that took place isn't one that's likely to be targeted at retrieving potentially sensitive data from the exploited machine.

    of course, one should never assume a particular attacker was ignorant and single-minded based on others' experience.

    • Maybe, maybe not.

      In my experience, when encountered with a breach, it's safest to assume the worst. The ability to guess how ignorant or stupid a hacker is/was is not very wise. Even a moron that can break in, can leave a backdoor to come back in.

    • by FreeLinux ( 555387 ) on Tuesday March 22, 2005 @04:40PM (#12016220)
      I've seen it many times. Someone leaves an IIS default install exposed to the world without sufficient patches. A script kiddie opens them up with an FTP exploit. They then create a directory that is invisible to all, including the administrator, and is impossible to remove with the OS (I thought that was interesting when I first saw it). They then start uploading warez and posting the ip on warez web sites.

      They haven't rooted the box, they just fill up the disk with warez because of unpatched holes in IIS FTP service. The disk space and bandwidth is owned but, nothing else.
    • a former co-worker of mine had a machine exploited in such a fashion. it became a hub for trading shows of cedric the entertainer.

      I set up an FTP server once and inadvertently gave "guest:guest" full rights. A few days later there were a bazillion levels of weirdly named nested directories, and at the bottom were directories with names like "games" and "movies". Since there was nothing else on that box to exploit, I figured I'd let them upload me some movies and games. Three days later they'd got about

  • choose a purpose (Score:5, Insightful)

    by MrLint ( 519792 ) on Tuesday March 22, 2005 @04:04PM (#12015836) Journal
    Have any of these people ever heard of data segregation?

    Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?
    • by ndege ( 12658 )
      Why on earth would a 'food service' computer either have on it, or have access to a list of prospective students? So they can preemptively issue dining cards in case of alien attack?

      No. The meal cards were most likely issued because these prospective students were recruited to visit the campus. During their visit, the prospective students used their free meal cards. The cost of these meals would have been billed back to the recruiting/marketing department at the university and the recruiting/marketing
    • It held that information to perform a check against data on food cards. Not in the database? You have to pay for the food instead of it being debited to your account.

      This is how it was done at Purdue and Indiana University; albeit at Purdue and IU the card swipe was a dumb terminal and the data was stored on the school network, it is still a similar problem.

      Stupid, but that seems to be the way things are done at most state universities.

      Then again, I have been known to be wrong.
    • There is likely a political reason behind this. CSUC is broken into at least 4 separate entities (not to mention the individual colleges): Housing & Food services, Associated Students, Research Foundation, and the actual educational/administrative part. The housing department probably insisted on doing their own thing with their own database and their own administrators. There are very competent IT people at CSUC; Housing & Food services probably just refused to allow the competent people to admi
  • I am the only one with visions of a vending machine stuffed with warez instead of Kit-Kat bars?
    • That's definitely what I saw...
      I spent a few seconds wondering how being electronically hacked let them get the games into the slots...
    • I am the only one with visions of a vending machine stuffed with warez instead of Kit-Kat bars?

      That is a legitimate question which may be blamed on poor editing skills... At any rate, the quote below is taken from the article:

      The university's computer monitoring system caught some unauthorized software on the network in early February and determined that someone had broken into a computer server at the university's housing and food service center last July. The hacker had installed software to store f

  • What? (Score:5, Insightful)

    by mboverload ( 657893 ) on Tuesday March 22, 2005 @04:04PM (#12015839) Journal
    What the hell are these databases doing on machines connected to the internet?
    • dancing!
    • I wonder how many people even realize it's still possible to set up a computer and keep it working without an Internet connection.

      Good reasons for moderation in connectivity?

      "Why use a teaspoon when you can use a tidal wave?"

  • by cot ( 87677 ) on Tuesday March 22, 2005 @04:12PM (#12015936)
    They stole my social security number? That's totally lame. Pass the bong.

    (gurgling sounds)

    What's a social security number?
  • by sdcharle ( 631718 ) on Tuesday March 22, 2005 @04:14PM (#12015947) Journal
    Students at CSU Harpo and CSU Groucho breathed a sigh of relief on finding their campuses were not affected. No word at this time on CSU The Man.
  • by Crimsane ( 815761 ) <clarke@nullfs.com> on Tuesday March 22, 2005 @04:16PM (#12015981) Homepage
    Little Johnny suspected something might have been up when the lunch menu started to refer to today's special as 0-d4y meatloaf
  • I remember back in high school filling out college applications, and seeing spaces for my SS#. I didn't give it out, of course. I wonder how many people who applied to CSU Chico now regret filling in that space...
  • Pr0n (Score:3, Interesting)

    by bcmm ( 768152 ) on Tuesday March 22, 2005 @04:24PM (#12016068)
    and used to distribute "games, files, and other media".
    Briefly disregarding the fact that "files" probably covers everything that they were distributing, anyone worked out what the "other media" could be a euphemism for?
  • Pluto Data Inc (Score:3, Interesting)

    by djirk ( 763517 ) on Tuesday March 22, 2005 @04:27PM (#12016091)
    My fiance was a student at Chico State within the last 5 years and she just found out last night that she had been hit for $39.99 from a Pluto Data Inc scam. http://www.broadbandreports.com/shownews/60769 [broadbandreports.com] I wonder if they are somehow connected? She has only used her credit card online a few times.
    • They're hitting a lot of people, and I've not been able to find what the connecting point is. (They put a $29.99 charge - their other standard amount - on one of my cards.)


      If enough people on Slashdot have suffered from Pluto Data, we might be able to kick up some serious noise. Also, we might be able to narrow down whose machine(s) they've compromised.

  • by Embedded Geek ( 532893 ) on Tuesday March 22, 2005 @04:28PM (#12016098) Homepage
    one of their "Food Service" machines was cracked

    That's it! I don't care how many bells and whistles the thing has. I'm never going to give my social security number or bank account number to the soft drink machine [wired.com] again!

  • The sooner somebody steals my ID the better! They are welcome to my debt and TAXES I pay.

    I never was a student... dipped out AGAIN :-/
  • by The Bungi ( 221687 ) <thebungi@gmail.com> on Tuesday March 22, 2005 @04:48PM (#12016301) Homepage
    Please deposit amount (quarters, dimes, nickels and $1 bills) in the machine and then make a selection:

    1. 3oz Snickers Bar
    2. Adobe Photoshop 7.0
    3. 7oz Dorito Ranch
    4. Windows XP Professional
    5. 3oz Baby Ruth Bar
    6. Your credit report (may be delayed)
    7. Can of coke (no, not that kind)
    8. 1yr Subscription to GothicJapaneseScoolGirls.cx (please share)
    9. Ham&Cheese Sandwich (may be delayed)
    10. Got milk?

    Press 1 + A + COIN RETURN for more options, including misc keygens and ketchup.

  • Happens all the time (Score:4, Interesting)

    by KidHash ( 766864 ) on Tuesday March 22, 2005 @04:50PM (#12016332) Homepage
    This kind of thing happens _all_ the time. When I knew people who did this, they'd get 10 or 15 unis whenever a new exploit came out. And that was just one 'fxp' team, of which there are hundreds. I'd be surprised if most of the unis in the US, and indeed around the world, don't have at least one compromised machine. And the guys don't care about sensitive data, they just want your hdd space and fast uni connection to serve the latest movies/games/apps/mp3s/whatever. This is the most un-news slashdot has posted in a _long_ time
  • The DEA (Score:4, Funny)

    by ilduce ( 141065 ) on Tuesday March 22, 2005 @04:57PM (#12016427) Journal
    The DEA is going to be busy for a while, given, you know, that it's CSU Chico.
  • by ChicoLance ( 318143 ) * <lance@orner.net> on Tuesday March 22, 2005 @05:20PM (#12016691)
    I've spent the past 11 years of my professional life after my CSU, Chico Computer Engineering degree explaining to everybody that there really is a pretty good computer/engineering school there. Most of the engineering people spend too much time in the labs to really get out and party as much as some of the other people do.

    I try to claim that they know computers -- but then they do this! :)

    (It really is a very nice school, with an attractive campus and social life included).

    --Lance, CSUC Computer Engineering '93
  • Given all of these security breaks, why do we still consider a person's SSN as "password" type data? Why don't we just assume that a SSN is known just like your name, and go from there. Find some other way to secure the call to your bank besides using the last four digits of your SSN.

    I know the history here. SSNs are supposed to be used for tax purposes only, and early cards even said so. But it is a handy ID number in the computer age, and it's the only number that is unique to all US residents. Just be
  • I'm afraid that when Congress finally acts to protect our identities, all these thefts will have gone so far that when they say the only way is a national ID card, crossref'd to every authentication in our lives, their ultimatum will be well received. And, in fact, perhaps the only way. We're doomed.
  • I get free credit reports. Gee, all I had to do was give up my SSN to some unknown script kiddie.
