Piece of crap Unix box coughs up personal information of 160,000 liberal students, alumni, and parents at UC Berkeley.

Discussion in 'Computer Support' started by H1B Stings, May 9, 2009.

  1. H1B Stings

    H1B Stings Guest

    http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=217400055

    For six months, hackers had access to a server at the University of
    California, Berkeley, and stole personal information associated with as
    many as 160,000 students, alumni, and parents.

    In an uncommonly thorough disclosure, a UC Berkeley spokeswoman said that
    the data breach began on Oct. 9, and lasted through April 9, when
    university IT personnel found messages left by the hackers and took action
    to close the breach.

    The compromised server housed information from the UC Berkeley campus
    health services center and contained "Social Security numbers, health
    insurance information, and nontreatment medical information, such as
    immunization records and names of some of the physicians they may have
    seen for diagnoses or treatment," according to the spokeswoman.
    It did not contain medical records such as patient diagnoses, treatments,
    or therapies.

    On Friday, UC Berkeley began notifying students, alumni, and parents --
    who may have personal information on student health service insurance
    forms -- that their personal information had been accessed without
    authorization. They also began notifying about 3,400 Mills College
    students who received health care through UC Berkeley.

    The data in question dates back to 1999 for those affiliated with UC
    Berkeley and to 2001 for those affiliated with Mills College.

    Shelton Waggener, UC Berkeley's associate vice chancellor for information
    technology and its CIO, expressed regret for the incident and assured those
    affected that the university is committed to reducing its exposure to
    future attacks. He said that the university is working with law
    enforcement to investigate the incident.

    The university has set up a 24-hour data theft hot line, 888-729-3301, to
    field inquiries and address concerns. Its Web site includes links to
    credit reporting agencies for requesting fraud alerts and obtaining credit
    reports, advisable steps to mitigate the risk of identity theft.

    A university spokesperson did not immediately respond to a request for
    information about the method of attack. The incident FAQ document
    characterizes the attackers as "overseas criminals" and says they "were
    highly skilled and broke in using a number of different techniques."
    Further details may not emerge until the university completes its
    investigation.

    Slavik Markovich, CTO of database security company Sentrigo, speculates
    that the hackers probably got in through a SQL injection attack on a
    public Web application.

    He said it's not clear whether the hackers targeted UC Berkeley
    specifically or merely spotted a weakness in the university's network. "I
    think they just did some smart Google (NSDQ: GOOG) searches for certain
    errors and then started to target the application," he said.

    Though he credits the university for having a prepared security response
    to the incident, he said IT personnel there could have done more to keep
    an eye on things. "The fact that it took them more than half a year to
    find out about the breach indicates that they do not have the correct
    policies and tools to monitor database access and behavior," he said.

    He also said that the university should not have had databases containing
    information with different levels of sensitivity on the same server.
     
    H1B Stings, May 9, 2009
    #1

  2. catchme

    catchme Guest

    Re: Piece of crap Unix box coughs up personal information of 160,000 liberal students, alumni, and parents at UC Berkeley.

    H1B Stings wrote:
    > http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=217400055
    >
    > For six months, hackers had access to a server at the University of
    > California, Berkeley, and stole personal information associated with as
    > many as 160,000 students, alumni, and parents.
    >
    > In an uncommonly thorough disclosure, a UC Berkeley spokeswoman said that
    > the data breach began on Oct. 9, and lasted through April 9, when
    > university IT personnel found messages left by the hackers and took action
    > to close the breach.
    >
    > The compromised server housed information from the UC Berkeley campus
    > health services center and contained "Social Security numbers, health
    > insurance information, and nontreatment medical information, such as
    > immunization records and names of some of the physicians they may have
    > seen for diagnoses or treatment," according to the spokeswoman.
    > It did not contain medical records such as patient diagnoses, treatments,
    > or therapies.
    >
    > On Friday, UC Berkeley began notifying students, alumni, and parents --
    > who may have personal information on student health service insurance
    > forms -- that their personal information had been accessed without
    > authorization. They also began notifying about 3,400 Mills College
    > students who received health care through UC Berkeley.
    >
    > The data in question dates back to 1999 for those affiliated with UC
    > Berkeley and to 2001 for those affiliated with Mills College.
    >
    > Shelton Waggener, UC Berkeley's associate vice chancellor for information
    > technology and its CIO, expressed regret for the incident and assured those
    > affected that the university is committed to reducing its exposure to
    > future attacks. He said that the university is working with law
    > enforcement to investigate the incident.
    >
    > The university has set up a 24-hour data theft hot line, 888-729-3301, to
    > field inquiries and address concerns. Its Web site includes links to
    > credit reporting agencies for requesting fraud alerts and obtaining credit
    > reports, advisable steps to mitigate the risk of identity theft.
    >
    > A university spokesperson did not immediately respond to a request for
    > information about the method of attack. The incident FAQ document
    > characterizes the attackers as "overseas criminals" and says they "were
    > highly skilled and broke in using a number of different techniques."
    > Further details may not emerge until the university completes its
    > investigation.
    >
    > Slavik Markovich, CTO of database security company Sentrigo, speculates
    > that the hackers probably got in through a SQL injection attack on a
    > public Web application.
    >
    > He said it's not clear whether the hackers targeted UC Berkeley
    > specifically or merely spotted a weakness in the university's network. "I
    > think they just did some smart Google (NSDQ: GOOG) searches for certain
    > errors and then started to target the application," he said.
    >
    > Though he credits the university for having a prepared security response
    > to the incident, he said IT personnel there could have done more to keep
    > an eye on things. "The fact that it took them more than half a year to
    > find out about the breach indicates that they do not have the correct
    > policies and tools to monitor database access and behavior," he said.
    >
    > He also said that the university should not have had databases containing
    > information with different levels of sensitivity on the same server.
    >

    There are a number of people on this group who would say something akin
    to "this is the internet; quit being paranoid."
    However, this is a blow to every person's right to privacy, and to own
    themselves.

    --
    To the States or any one of them, or any city of the States,
    Resist much, obey little,
    Once unquestioning obedience, once fully enslaved,
    Once fully enslaved, no nation, state, city of this earth,
    ever after-ward resumes its liberty.

    -Walt Whitman, 1860
     
    catchme, May 10, 2009
    #2
