[ISN] Hackers download SIUE data, police say

From: InfoSec News (isn@private)
Date: Thu Aug 12 2004 - 00:18:19 PDT


http://www.stltoday.com/stltoday/news/stories.nsf/News/Metro+East/A3F75AB9CA0230BB86256EEE0012DF3B?OpenDocument&Headline=Hackers+download+SIUE+data,+police+say

By Trisha Howard
Of the Post-Dispatch
08/11/2004

The names and passport information of more than 500 foreign students
at Southern Illinois University Edwardsville was illegally downloaded
last week by a fellow student at the school, according to a search
warrant filed Wednesday by university police.

Greg Conroy, an SIUE spokesman, said Wednesday that three students had
been questioned Friday after university officials discovered the
security breach.

Conroy said he expected the university to seek criminal charges in the
case.

The search warrant, filed in Madison County Circuit Court, said that
the hacker downloaded the information from a special database set up
to comply with provisions of the federal Patriot Act. The data
included names, dates of birth, Social Security numbers and visa
information, Sgt. Marty Tieman of the SIUE Police Department said in
his affidavit.

Conroy said that employees in the university's Office of Information
Technology found out about the breach on Friday while doing their
daily check of activity logs. The log showed that someone had
downloaded the information early that morning.

Computer experts then tracked the computer to one of three students
who share an apartment at Cougar Village, Conroy said. On Friday
afternoon, police seized three computers from the apartment and
questioned the three students, Conroy said.

Tieman said in his affidavit that police were greeted at the door by
one of the three students, who admitted that he had seen his roommate
access the server and download the information.

Conroy said that officials had not yet determined a motive.

"For all I know, these students could have been doing this as a
prank," Conroy said. "At this point, I don't know what they wanted to
do with the information."

Conroy said investigators from a Metro East law enforcement computer
task force were examining all three computers for evidence.

He emphasized that the system does not allow hackers to change vital
information. But he said that the breach was possible because an
employee had failed to disable a feature that gives people access to
the system without a password.

"The students were scanning the system, they found the flaw, and they
started downloading files," Conroy said. "It's an unfortunate mistake,
but it happened."



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Thu Aug 12 2004 - 03:08:57 PDT