Hacker hits California-Berkeley computer
Results 1 to 8 of 8

Thread: Hacker hits California-Berkeley computer

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Hacker hits California-Berkeley computer

    "Most significant hacking job"? I wonder if this violates HIPAA for keeping the data without the individuals' consent... Sigh. Sucks that the media still refers to it as hackers rather than attackers, which is what they are. :

    Anyways, anyone know of the hows/details of the attack itself? Platform? method? etc.? And if you think they may have information on you or someone you know, visit the California Department of Social Services for details on how to place a "fraud alert" on your identity with credit agencies.

    Source: CNN

    SAN FRANCISCO, California (Reuters) -- A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday.

    "The investigation is continuing but we have no idea if the (personal) information has been compromised," said Carlos Ramos, assistant secretary at the California Health and Human Services Agency.

    He said state agencies and the Federal Bureau of Investigation were investigating but the hacker had not been found.

    The names accessed by the hacker were being used by a UC Berkeley researcher who had collected data on elderly people and individuals who provide in-home care to seniors to study the impact of wages on in-home care, Ramos said.

    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    Ramos said the state is authorized to share with researchers the personal information of individuals who participate in state programs administered by the state social services department.

    George Strait, a university spokesman, confirmed the school's computer system had been penetrated in what he believed was the most significant hacking job the university had experienced.

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Better get Clifford Stoll on the case
    \"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    This is what found...


    "The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th."

    "According to Ramos, the university had not been in compliance with the security rules the state sets out for research access to sensitive data."


    Full Story can be found here:
    http://securityfocus.org/news/9758
    The command completed successfully.


    \"They drew first blood not me.\"

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Wow, so much for UCB using the talent they turn out of their security program or more so, the techniques taught for securing research data.

    Yikes.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th. Ramos says the university didn't notify the agency until late September; the university says it reported the attack to the state within two weeks of discovery.
    OMG! I hope their funding gets pulled! A month they were vulnerable. Sigh... Someone just got an ugly lesson in patch management and the importance of doing regular checks on systems, even research ones. I suspect that the one of the two following viewpoints was following: "We have nothing important that's worth stealing" or "It's someone else's job".

    I wonder if they'll get sued now (California has some pretty severe laws about protecting data IIRC).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    UC Berkeley???!

    I would have assumed (obviously a bad thing to do in this case) that would be like trying to break into Fort Knox or something. They got some folks there that can make a computer serve coffee, dance, control the deficit, etc. But the intruder:

    used a known vulnerability
    Probably some jobs openings there now

    cheers

    edit:

    From br_fusion above:

    "The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th."

    "According to Ramos, the university had not been in compliance with the security rules the state sets out for research access to sensitive data."
    While looking for more info on this I was Googleing, and keeping in mind the quotes (dates) above; after you read the the quote (note the date) below, well.........

    iNews: From the Chief Information Officer

    UC Berkeley's IT security standards win Larry Sautter Award

    August 10, 2004

    Jack McCredie, Chief Information Officer

    Berkeley's new Information Technology Security Policy and Minimum Security Standards for Networked Devices were recently awarded the prestigious University of California Larry Sautter Golden Award for "best IT Practices in Business Processes and Services". The award was presented by Kristine Hafner, UC associate vice president for information resources and communications, at the UC Computing Services Conference held August 1-3 at UC Riverside.

    Established in 2000, the Sautter award recognizes information technology innovations that have the potential to improve how the University operates. Berkeley's award-winning suite of security policies, standards, and support activities represent a best-practice framework that can be readily modified and implemented to benefit many other campuses throughout the University of California and the nation.

    Each year, IT business and academic personnel from the UC campuses and the three UC-managed national laboratories submit applications to compete for four categories of awards. This year's other Sautter awards went to UC Irvine, UC Riverside, and UC San Francisco. Details on all four winning nominations are available from UC's IT Leadership Council website at http://www.ucop.edu/irc/itlc/sautter/welcome.html.

    Here
    Connection refused, try again later.

  7. #7
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Just another stereotypical Sys Admin at work.
    It's not just the media's use of the word 'hacker' that gets me.
    This is a prime target, a site that generates vast amounts of data, that just wasn't being looked after.
    And, if it can happen there ........................

    This IMHO is more grist to the mill for those who will try ANYTHING to reduce spending on IT security:
    "If UCB isn't safe, why should WE spend a gazillion $$ trying to keep ours safe"
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  8. #8
    Banned
    Join Date
    Apr 2004
    Posts
    843
    It's not just the media's use of the word 'hacker' that gets me.
    I say, do not even use the H word at all. Anyone with a true interest in computers could live without people making such a over crowded scene of things, the whole socialised ranking and classification of "computer user", the constant pushing and pulling at labels onto themselves and other people to gain some sort of self-importance or to simply use something that sounds cool. These people have no true interest in computers specificly, more like they are more into the social surroundings that come with owning and operating a computer. Sad really.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides