Thread: Hacker hits California-Berkeley computer

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Hacker hits California-Berkeley computer

    "Most significant hacking job"? I wonder if this violates HIPAA for keeping the data without the individuals' consent... Sigh. Sucks that the media still refers to it as hackers rather than attackers, which is what they are.

    Anyways, anyone know of the hows/details of the attack itself? Platform? method? etc.? And if you think they may have information on you or someone you know, visit the California Department of Social Services for details on how to place a "fraud alert" on your identity with credit agencies.

    Source: CNN

    SAN FRANCISCO, California (Reuters) -- A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday.

    "The investigation is continuing but we have no idea if the (personal) information has been compromised," said Carlos Ramos, assistant secretary at the California Health and Human Services Agency.

    He said state agencies and the Federal Bureau of Investigation were investigating but the hacker had not been found.

    The names accessed by the hacker were being used by a UC Berkeley researcher who had collected data on elderly people and individuals who provide in-home care to seniors to study the impact of wages on in-home care, Ramos said.

    The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study.

    Ramos said the state is authorized to share with researchers the personal information of individuals who participate in state programs administered by the state social services department.

    George Strait, a university spokesman, confirmed the school's computer system had been penetrated in what he believed was the most significant hacking job the university had experienced.

    The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Better get Clifford Stoll on the case
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    This is what I found...


    "The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th."

    "According to Ramos, the university had not been in compliance with the security rules the state sets out for research access to sensitive data."


    Full Story can be found here:
    http://securityfocus.org/news/9758
    The command completed successfully.


    "They drew first blood not me."

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Wow, so much for UCB using the talent they turn out of their security program or more so, the techniques taught for securing research data.

    Yikes.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th. Ramos says the university didn't notify the agency until late September; the university says it reported the attack to the state within two weeks of discovery.
    OMG! I hope their funding gets pulled! A month they were vulnerable. Sigh... Someone just got an ugly lesson in patch management and the importance of doing regular checks on systems, even research ones. I suspect that one of the two following viewpoints was being followed: "We have nothing important that's worth stealing" or "It's someone else's job".

    I wonder if they'll get sued now (California has some pretty severe laws about protecting data IIRC).

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    UC Berkeley???!

    I would have assumed (obviously a bad thing to do in this case) that would be like trying to break into Fort Knox or something. They got some folks there that can make a computer serve coffee, dance, control the deficit, etc. But the intruder:

    used a known vulnerability
    Probably some job openings there now

    cheers

    edit:

    From br_fusion above:

    "The intruder used a known vulnerability to crack the university system on August 1st, but wasn't detected until August 30th."

    "According to Ramos, the university had not been in compliance with the security rules the state sets out for research access to sensitive data."
    While looking for more info on this I was Googling, and keeping in mind the quotes (dates) above; after you read the quote (note the date) below, well.........

    iNews: From the Chief Information Officer

    UC Berkeley's IT security standards win Larry Sautter Award

    August 10, 2004

    Jack McCredie, Chief Information Officer

    Berkeley's new Information Technology Security Policy and Minimum Security Standards for Networked Devices were recently awarded the prestigious University of California Larry Sautter Golden Award for "best IT Practices in Business Processes and Services". The award was presented by Kristine Hafner, UC associate vice president for information resources and communications, at the UC Computing Services Conference held August 1-3 at UC Riverside.

    Established in 2000, the Sautter award recognizes information technology innovations that have the potential to improve how the University operates. Berkeley's award-winning suite of security policies, standards, and support activities represent a best-practice framework that can be readily modified and implemented to benefit many other campuses throughout the University of California and the nation.

    Each year, IT business and academic personnel from the UC campuses and the three UC-managed national laboratories submit applications to compete for four categories of awards. This year's other Sautter awards went to UC Irvine, UC Riverside, and UC San Francisco. Details on all four winning nominations are available from UC's IT Leadership Council website at http://www.ucop.edu/irc/itlc/sautter/welcome.html.

    Here
    Connection refused, try again later.

  7. #7
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    Just another stereotypical Sys Admin at work.
    It's not just the media's use of the word 'hacker' that gets me.
    This is a prime target, a site that generates vast amounts of data, that just wasn't being looked after.
    And, if it can happen there ........................

    This IMHO is more grist to the mill for those who will try ANYTHING to reduce spending on IT security:
    "If UCB isn't safe, why should WE spend a gazillion $$ trying to keep ours safe"
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  8. #8
    It's not just the media's use of the word 'hacker' that gets me.
    I say, do not even use the H word at all. Anyone with a true interest in computers could live without people making such an overcrowded scene of things, the whole socialised ranking and classification of "computer user", the constant pushing and pulling at labels onto themselves and other people to gain some sort of self-importance or to simply use something that sounds cool. These people have no true interest in computers specifically, more like they are more into the social surroundings that come with owning and operating a computer. Sad really.
