• Welcome to Computer Association of SIUE - Forums.
 

SIUE hacked any info?

Started by Guest, 2004-08-11T17:59:26-05:00 (Wednesday)


Guest

Saw this article

http://www.wqad.com/Global/story.asp?S=2158303

Anyone got the inside scoop on what happened, i.e. what technologies (OS/network devices) were compromised? Was it a known vuln?

Jarod Neuner

Sorry, no Kiddie Scripts here.

The important question is how many times was it exploited before last Friday =/
Jarod......

R. Andrew Lamonica

Apparently, a script was not necessary as an employee forgot to set the password.  The data stolen was that of students being tracked by the Department of Homeland Security under the Patriot Act.  This means that unless you are a foreign national your data was probably not viewed.  You can read all about the incident in the Post Dispatch or on their website.  (Found using Google News)

Google News (Click the #1 Topic)
http://news.google.com/news?q=SIUE

Ugly STLToday Link follows (and changed down to a nice looking TinyURL link)
http://tinyurl.com/5pehr

Jerry

Well, without naming names, does anyone know if they are CS majors?

If not, maybe they should be  :-P
"Make a Little Bird House in Your Soul" - TMBG...

R. Andrew Lamonica

I don't know, but if it was anyone on the CS Tech. staff there is going to be some yelling.

William Grim

I know the guys who did the "hacking" (no, I won't give names), and they didn't "hack" ANYTHING.

The supposed crack was not due to an OIT worker forgetting to set a password, it was due to his or her stupid self having a virus on his or her computer system.

The students are being screwed over majorly, and the press doesn't have the story straight.  I hope the students are found innocent soon... one of them has a decent case for a lawsuit.

SIUE, if you are reading, you should investigate things more carefully before placing broad claims like you did on individuals.

PS: I know this because of speaking with the individuals, not because I was there or had prior or post knowledge of it occurring.  I only learned about it after the investigation began.  (Just in case anyone has ideas that I was there).
William Grim
IT Associate, Morgan Stanley

Jerry

Take it from someone who has been in the press a number of times, the press hardly ever gets the story right.

If there is anyone on the inside who wants to air their side, we still have anonymous posting on CAOS.

Which brings up an interesting set of questions:
1. Should we have anonymous postings on CAOS?
2. If we do, should it be an intentional anonymous rather than the default?
3. How anonymous is anonymous on CAOS?
"Make a Little Bird House in Your Soul" - TMBG...

EvilAndrew

I recently had the opportunity to speak to one of the accused "Hackers" mentioned in the Intelligencer (Link) and other news sources.  In speaking with him I came to understand that as with most stories this one has more than one side.  In some respects, the differences between previous reporting and this one are due to the absence of technical details in the former, but I do have some information that was not reported in other stories.

My source (who shall continue to remain nameless) is one of the three residents of the Cougar Village apartment that the "Hacking" took place from.  He states that his roommate was doing a routine security check (Port Scan) on the computers in their apartment and decided to do the same on OIT's part of the network.  When he did this he discovered an Anonymous FTP server.  Since these are typically used by OIT (and the Internet community at large) to distribute software and data to the public, he decided to look around.

At this point, according to my source, the student found files containing student IDs and other information.  This made him concerned that his ID might be available to the public, as well.  To verify that this was not the case he downloaded the remainder of the data for examination.

This downloading was performed early Thursday and another of the roommates, who works for OIT, was told about the discovery.  On Friday, this roommate informed OIT of the mistake so that they could fix it.  At this point OIT apparently examined their server access logs and saw that they had indeed posted data insecurely and that someone (the above mentioned roommate) had downloaded the data. At this time, presumably, the data was password protected and authorities were informed.

These authorities included School, Local, State and Federal (FBI) Agents and they took the following actions.  The local Police and FBI arrived at the apartment and confiscated computers and hard drives totaling over 1.6 terabytes (of storage). The hardware was sent to the state crime lab. The FBI Agent, who was apparently there for technical support, departed due to a lack of jurisdiction. The school sent the students a letter.

This letter is interesting in that it had a different tone from all the other encounters relating to this incident.  The local police and FBI agent were courteous and reasonable concerning the incident, even to the extent of allowing the students to keep parts of their computers (keyboards, monitors, mice, etc.) not used to store data.  The letter, on the other hand, called the students "A significant threat to the safety of the university community."  My source acknowledges that this statement may have been made in response to the discovery of prohibited Fireworks and a BB-Gun in their residence, but still contends that it is not an accurate description of him and his roommates. The letter also informed the students that they would be kicked out of their apartment and the university, but after talking to James Klenke of Student Affairs this was not the case.

Finally, my source reports that he is unhappy that his data was confiscated, but that he is confident that an examination of it will show that he did not personally download any student data.  He also reports that he will be attending classes next week and that he is optimistic that the next meeting with school officials should be the last one concerning this incident.

......

Michael Kennedy

I find this quote from that Edwardsville Intelligencer article the most amusing.

Quote: [Greg] Conroy, who has been with the University since Jan. 1988, said he doesn't recall any other incident when students have hacked into the university's computer system.

"Although we have had worms and viruses, I never recall any incident of hacking," Conroy said.

This guy must have some selective memory.  :)
"If it ain't busted, don't fix it" is a very sound principle and remains so despite the fact that I have slavishly ignored it all my life. --Douglas Adams, "Salmon of Doubt"

Guest

I agree.  

My Sophomore year, a guy (who no longer goes here) showed me a root exploit on cougar to convince me that it was better to download your mail than leave it on the cougar.  I told him he should tell OIT about it and he said that they would surely kick him out if he did.

I’m not convinced that he was right, but from this story it sounds like he might have been.  

Jerry

Well, to be fair to Greg Conroy, he is the University PR person.

If anyone finds a security hole that they are afraid to report you let me know and I will report it. I will not divulge who told me, though if it makes you feel more comfortable feel free to send it to me anonymously.
"Make a Little Bird House in Your Soul" - TMBG...

Guest

A simple Retina scan discovered the exploit, if you wish to call it that. According to the campus police this problem had not been accessed except during the incident at hand. Knowing that if roommate hadn't said anything to OIT the exploit would have gone unnoticed for a VERY long time. Nobody has been talking about the other Anon FTP server that was discovered in the same scan. Found on that server were MP3's available just as the student records were. Fortunately the police have realized the lack of a case, and have said prosecution is very unlikely.

Michael Kennedy

Also, in fairness to OIT, the incidents I know of were dealt with properly by OIT.  The problems were fixed and the people responsible for finding the flaws were not even remotely punished (much to their surprise).  So hopefully they'll deal with this properly, too- whether or not the students need to be punished or not, hopefully the prosecuting side makes the correct decision.
"If it ain't busted, don't fix it" is a very sound principle and remains so despite the fact that I have slavishly ignored it all my life. --Douglas Adams, "Salmon of Doubt"

Guest

The person responsible for finding the hole is still up for punishment. I just wonder why the person responsible for the hole is not up for punishment?

Jarod Neuner

Mr. Anonymous from 8/24 22:30:23 has a very valid point that concerned me as soon as I heard the details of what happened (I know one of the guys too). After hearing about the event, I couldn't help but think that I'm glad they found it before I did.

In my experience, this school is all too lazy about making sure data is secure. Seriously...an anonymous ftp server with sensitive info on it? Does anyone know if there is legislation about the requirements of an individual or organization protecting this kind of stuff?

Perhaps some kind of training should be put in place to reinforce how important it is to keep data secure. Working in Housing on a daily basis, I've been trusted with quite a bit of information about most of the residents on campus. How hard is it to keep tabs on these files; and moreover, put at least some layer of security over it. Being discreet is not a good security strategy.

Check process lists. Look over your own services. Password protect screensavers. Keep sensitive files under a separate account. Any of those things (which only take a couple of minutes to do) at least put something between a_random_client and my SocSec#.
Jarod......

Guest

I think the Alestle needs a few good letters to the editor from those who know how ridiculous this situation is.  Does anyone think the students responsible should go to the Alestle as well? I think anyone who has an opinion on this should write a letter/email to the Alestle.

C3

i think going to the alestle is a good idea, it will be a chance for everyone to see what really happened, hear the facts, (unlike what you read in all the papers/nightly news) and then make their own decision on who the ones at fault are. i think if it is done properly it could very well help people at the university laying down the law (although it isn't really law, (if this was law the case wouldn't stand a chance) it is "university policy" in the "student conduct code" and it is written in such a way that the university can justify any charge it feels like, despite the facts).. anyway, the people laying down the law would have a chance to hear the other side from the media, hopefully showing them that there is another side to this, helping to dispel any misconceptions they may have.  I do think it should wait until the other 2 (who were merely in the apartment when this happened) find out if the university feels they are guilty of "computer misconduct" or not.

so yes, i think going to the alestle is a good idea
-the world is full of stupid people-.........

EvilAndrew

Parts of my story (Link) were used in today’s (9-2-2004) Alestle under the heading “Students voice opinions on hacking charges.”  There are a number of factual errors in this article.  This does not make it unusual in technology reporting, but I will mention the ones I caught here.

1. Cory Freeman called and asked me if I was an “Instructor.”  I said no but that did not deter him from calling me one in the paper.  I suspect that it makes his story better if I am an instructor as opposed to a Graduate Student.

2. As far as anyone has told me no formal charges have been made against the “Hackers” so the title of the story is a little off.

3. In Paragraph 7 the quote (from the website) should read “discovered an Anonymous FTP server. Since these are typically used by OIT to distribute software and data to the public.”  Instead, it reads “discovered a server typically used to … distribute software to the public”.  Changing the subject from Anonymous FTP Servers to “server” makes it sound like OIT put the data on a server that distributes data to the public.  This is not the case, as far as I know.  Instead the server/virus/whatever used the FTP protocol.  Protocols and servers are not the same thing and OIT runs many servers with many different protocols.

4. Most people call me “Andrew” (Thus the name EvilAndrew) not Robert.  However, since I was misquoted, I guess I don’t mind if they got my name wrong too.

Had I known that the Alestle was going to run an article that was more than half Quotes from my post on this website, I would have polished the story and sent it to them to use verbatim.
......

Peter Motyka

Is this article published on the internet anywhere?  I could not find it at thealstle.com.
SIUE CS Alumni 2002
Grad Student, Regis University
Senior Engineer, Ping Identity
http://motyka.org

Jerry

Looks like the Alestle website is an edition behind their current issue.

"Make a Little Bird House in Your Soul" - TMBG...

Guest

Does anyone know where Mike Grim (the student mentioned in the story) got his information about the virus?

C3

...so that was an interesting article, it's too bad that there wasn't actually more meat to the story...
-the world is full of stupid people-.........

Guest

i doubt the author of the story actually knows the charges in question, but they have all been charged with "computer misconduct"

Guest

Leave it to Andy to confuse the poor reporter... I am surprised they only made a couple mistakes...