Posted on 10/21/2004 2:32:37 PM PDT by Paleo Conservative
The state of California has warned residents that their personal data may have been stolen from computers at the University of California, Berkeley, after a database used by researchers there was compromised by hackers.
The California Department of Social Services (CDSS) issued a media advisory on Tuesday, saying that the agency was working with the U.S. Federal Bureau of Investigation to investigate an intrusion on a computer at Berkeley that contained personal information on around 1.4 million recipients and providers of In Home Supportive Services (IHSS), which provides home-care services to low-income elderly and disabled Californians. Names, addresses, telephone and Social Security numbers, as well as the birth dates for IHSS participants, could have been stolen by the malicious hackers, according to Carlos Ramos, assistant secretary at CDSS.
The state agency gave Berkeley the IHSS data, which was stored on a machine at the university, for research on the CDSS program. If stolen, the information could be used to fake the identity of IHSS recipients.
The compromise occurred on Aug. 1 and was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software, Ramos said.
According to Ramos, investigators know a malicious hacker exploited a vulnerability in "commercially available database software" and compromised the computer, but they don't know if the attack was targeted, speculating that malicious hackers possibly discovered the system by scanning for machines running vulnerable versions of the database software.
While evidence indicates that none of the database's information has been misused, IHSS recipients were encouraged to obtain a credit report and make sure that they were not identity theft victims, the CDSS said in a statement.
A database of personal information on elderly and infirm people, who may lack the technical sophistication to defend themselves against identity theft and may even be unaware the IHSS database stored their data, would be an attractive target for identity thieves, said Jonathan Bingham, president and founder at Intrusic Inc., a Waltham, Massachusetts, company that makes software for spotting suspicious activity on computer networks.
"You take somebody who's elderly and hasn't had experience with computer networks, they're not going to get it," Bingham said.
Without adequate forensic information, investigators face a daunting task in reconstructing the intrusion and determining whether the IHSS database was compromised, let alone finding the culprits, he said.
"The problem isn't that the system was attacked but that it wasn't discovered for a month," Bingham said.
In the meantime, the CDSS asked Berkeley to return the IHSS data and will investigate whether the researcher adhered to an agreement to protect the personal information in the database. The department will also review other researchers' work to make sure they are adhering to data protection guidelines, Ramos said.
Democrats
A particularly vulnerable group.
I'm surprised Berkeley didn't use BSD. This sounds like a Winders box that was compromised. I get SNORT log entries on a daily basis for SQL exploits on my Linux machine.
Man, this article went out of the way to not mention that this hack was through the Oracle software that was purchased via no-bid by Gray Davis prior to his recall...
Liberal scum...
Paging John Edwards, class action lawsuit alert.
If anything happens to anyone on the list. Sorry for the citizens of California but confidentiality has been broken. I used to make home visits to people who used supportive services. They are the truly vulnerable. Sloppy records security.
So now exploited Oracle Databases are Microsoft's fault too, now?
Voter fraud....
How much would you like to bet every one of these elderly and disabled people whose ID was in the database votes a straight Democratic ticket come election day?
Where does it say Oracle database in the article?
In alphabetical order.
this doesn't happen. computers are completely safe. national medical database? completely safe.
That sounds like an opportunity for massive finger pointing.
That would be about as smart as stealing a homeless man's house keys.
Oracle is the Database System of choice among California state agencies, thanks to Former governor Davis... It would be a safe bet that the college was using the same database, but it is currently just a guess on my part.
OH. I did not know that. I wasn't aware of any exploits for Oracle newer than 9i. Now if it's 7 or 8, then yeah, there are BIG holes in those revisions.
Oracle warns of exploits for latest DB flaws
Malicious code that can exploit unpatched vulnerabilities in its software
By Paul Roberts, IDG News Service October 15, 2004
Oracle Corp. is warning customers to apply software patches it released in August, citing the availability of malicious code that can exploit unpatched vulnerabilities in its software.
*snicker*