[ISN] Hackers infiltrate Cal Poly

InfoSec News isn at c4i.org
Mon Aug 8 01:04:24 EDT 2005


By Kenneth Todd Ruiz
Staff Writer
August 04, 2005 

POMONA -- Computer hackers added Cal Poly Pomona to a growing list of
schools from which personal information has been accessed illegally.

Notices went out on Thursday to 31,077 people informing them that
their records might have been stolen after Cal Poly Pomona discovered
two computer servers were compromised in late June.

"We got hit by a hacker,' said Debra Brum, interim vice president of
instructional and information technology.

Personal data, including names and Social Security numbers of
university applicants and of current and former faculty, staff and
students were accessed in the security breach.

Recent graduate Robert Pedraza, 26, said he is troubled by the

"If you break into a system, you went in there deliberately to do
harm,' Pedraza said. "It sounds like there was something they were

Cal Poly is unable to determine whether any of the records were copied
or downloaded, said university spokesman Ron Fremont.

The school discovered the breach during routine network monitoring on
June 29, which university officials said is likely the day the attack

Systems compromised included student transfer records, a system for
scanning in applications and a limited amount of payroll data that
Brum said did not include financial information.

Shahnaz Lotfipour, a professor of multimedia productions, said she
immediately called credit agencies and put a fraud alert on her
account. She said Internet insecurity is an issue worldwide.

"I hope the global community (will) do something about this problem
... I don't think anybody's safe,' Loftipour said.

Fremont said they delayed announcing the attack to investigate the
incident and determine the extent of information compromised.

The attack on Cal Poly is among several recent incidents at California

Also in June, hackers absconded with more than a quarter-million
applicant records from USC. It was enough to prompt USC officials to
urge former applicants to check their credit for fraudulent activity.

On July 26 Cal State Dominguez Hills discovered three-quarters of its
student records had been compromised. The same occurred with 59,000
Cal State Chico student records in March.

"We're in an ongoing battle with hackers and intruders on the
Internet,' said Dan Manson, Cal Poly computer and information systems
professor. "We build up better defenses; they build up better

Fremont said the school is still investigating the incident and does
not rule out the possibility it is related to others.

"We're considering all options,' he said.

So far, Brum said, they have been unable to trace the source of the

Internet infiltrators gained access to the system through a security
hole in a particular application, Brum said.

She would not name the vulnerable program for fear the attack could be
replicated by others.

"The vendor found out about this vulnerability in their software the
same week this incident happened,' Brum said. "It's a real challenge.  
If you let more people know how the vulnerability works, you have more
bad guys who are going to use it.'

Every day, numerous exploits emerge from the "black-hat' hacking
community, according to Web sites that post security notices. The
"black-hat' hackers are so named by computer security experts for
their malicious intent.

Advocates for "open-source' software the programming code of which is
freely available fault the reluctance of software companies to
acknowledge security holes for the ongoing success of digital rogues.

"If we control the distribution of information, we're essentially
making sure only the bad guys have it,' said Bruce Perens, senior
research scientist for George Washington University and vice president
of SourceLabs, Inc.

In most cases, system administrators only learn of a vulnerability
after it has been exploited and a developer has had time to produce a

With the California Security Information Breach Act, which went into
effect in 2003, companies and institutions are now compelled to inform
people when their personal information might have been compromised.

In the past two years, Cal Poly has notified 400 students that their
personal information, such as Social Security numbers, was posted
online, Brum said.

The U.S. Senate is working on the Personal Data Privacy and Security
Act, which would extend provisions similar to California's law across
the nation.

School officials are urging those possibly affected to visit
www.csupomona.edu/notices/security to find information about identity
theft, as the information could be used for fraudulent purposes.

By calling (909) 979-6100, individuals can learn if their information
is at risk.

"This isn't the first time this happened at a campus, and it won't be
the last, but we're taking every step to make sure this won't happen
again,' Fremont said.


Staff writer Esther Chou contributed to this report. Kenneth Todd Ruiz
can be reached at (909) 483-8555 or by e-mail at todd.ruiz at

More information about the ISN mailing list