HardOCP News
[H] News
- Joined
- Dec 31, 1969
- Messages
- 0
If you attended the University of Wisconsin (or worked there), your social security number and personal information might have been compromised.
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
University of Wisconsin Hacked
- Thread starter HardOCP News
- Start date
TechLarry
RIP [H] Brother - June 1, 2022
- Joined
- Aug 9, 2005
- Messages
- 30,481
Is today's group of IT "Professionals" just plain stupid? I just don't get it.
Why is this stuff being left on net accessible servers? Obviously without proper security.
Why is this stuff being left on net accessible servers? Obviously without proper security.
Clockworks
Supreme [H]ardness
- Joined
- Aug 23, 2004
- Messages
- 5,269
It's about money and limitation of what you can do, WI is hurting for money.
- The UW system uses Peoplesoft, which by default doesn't support data encryption (more things to buy or get a new system).
- Encryption is taxing on the system. The more you have to encrypt/decrypt, the less processing power you have for other jobs. This means that you need to buy more servers to account for the extra overhead.
- School has to retain your SSN for a host of reasons, one of which is for your school bills and loans (GOOD LUCK ESCAPING THAT ONE! HA HA!!).
- The UW system uses Peoplesoft, which by default doesn't support data encryption (more things to buy or get a new system).
- Encryption is taxing on the system. The more you have to encrypt/decrypt, the less processing power you have for other jobs. This means that you need to buy more servers to account for the extra overhead.
- School has to retain your SSN for a host of reasons, one of which is for your school bills and loans (GOOD LUCK ESCAPING THAT ONE! HA HA!!).
It's almost inexcusable. I can understand the need for a university to be online - students working from home for one thing - but a separate server should be used for information storage. A single Cisco firewall for example can be configured to allow traffic on the production server while denying outside traffic for student information storage on the very same network. It doesn't take a billion dollars to do this.
Renegade_Azzy
Limp Gawd
- Joined
- Aug 31, 2004
- Messages
- 326
here's the big one, why do they need a social security number? I understand the tax portion that the payroll department uses, but otherwise, why for the students?
DeathCloud
Gawd
- Joined
- Jul 21, 2005
- Messages
- 1,004
This this and more this. I don't get it, do these places never have outside penetration tests done on their network.
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
I hate with a passion UWM's IT department. I worked there 3 years. They have no standards of security, use out of date versions of mcafee and have attitude issues that prevent common sense IT practices.
If you find a security issue, application issue, user issue etc = it doesnt exist.
There IT department lives off of "making sure everyone's feelings are ok" and that no alarms or concerns are raised.
Then again, I owe my IT career to them, its where I started as a student 8 years ago. I just wish instead of focusing on win98 they would focus on the future. In 2007 they gave us tech manuals for win98 and office 2000 to help improve our tech support. AWESOME!
Also they have had "favorite employees" get in trouble for p2p, best story ever is when one of the higher ups got caught file sharing "dream girls". rofl
If you find a security issue, application issue, user issue etc = it doesnt exist.
There IT department lives off of "making sure everyone's feelings are ok" and that no alarms or concerns are raised.
Then again, I owe my IT career to them, its where I started as a student 8 years ago. I just wish instead of focusing on win98 they would focus on the future. In 2007 they gave us tech manuals for win98 and office 2000 to help improve our tech support. AWESOME!
Also they have had "favorite employees" get in trouble for p2p, best story ever is when one of the higher ups got caught file sharing "dream girls". rofl
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
example: I found hackers using sql injection for porn onto the uwm's website.
- I was told its not possible (sql injection doesn't exist).
- after more porn arrived = it got fixed 6 months later.
I also loathed their stupid hiring policies. They would hire non-english speakers and get upset they couldn't take phone calls. One time they hired a deaf person and yelled at her for not answering the phone. Seriously? They refused to allow office communicator since it is "chatting". Most management are concerned about pleasing management, not student bodies.
- I was told its not possible (sql injection doesn't exist).
- after more porn arrived = it got fixed 6 months later.
I also loathed their stupid hiring policies. They would hire non-english speakers and get upset they couldn't take phone calls. One time they hired a deaf person and yelled at her for not answering the phone. Seriously? They refused to allow office communicator since it is "chatting". Most management are concerned about pleasing management, not student bodies.
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
Clockworks, when I was a tech 2 beta testing peoplesoft. We were told by the peoplesoft vendor in writing that it is against our contract to complain about bugs, concerns, security risks etc.
Each year for 3 years we got a new peoplesoft website, each costing 1-2 million +. With common bugs, we were told not to report them.
As students we were granted full security access to perform peoplesoft password resets. This means we have access to adjust our own grades, other student grades, see any sensitive account info etc, at least this was possible in 2007.
Each year for 3 years we got a new peoplesoft website, each costing 1-2 million +. With common bugs, we were told not to report them.
As students we were granted full security access to perform peoplesoft password resets. This means we have access to adjust our own grades, other student grades, see any sensitive account info etc, at least this was possible in 2007.
chinesepiratefood
2[H]4U
- Joined
- Oct 8, 2005
- Messages
- 2,629
As the above poster linked to, 1098-T's are a big thing at universities among students which is distributed to them every year after they've paid their tuition for tax filing purposes.
Awesome, my university uses Peoplesoft too, and it is the buggiest POS software I have ever seen. It makes Windows ME look great.
TheCommander
2[H]4U
- Joined
- Apr 2, 2003
- Messages
- 2,999
I'd say most actual IT Pros know what they are doing but are limited in what they can do thanks to politics, money, and other crap where they work.
I disagree. I have worked IT for over 15 years and the ones that aren't idiots are in the minority. I hate having to hire, I end up going through 75+ candidates to find 1 who actually can do the job and not just take a test.
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
Amen to that dekoth-e
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
got my john dear letter from uw-milwaukee today, what a sham! they are a shameful IT department with lax security and pure arrogance.
if your a former student visit computersecurity.uwm.edu or call 800-349-8518
if your a former student visit computersecurity.uwm.edu or call 800-349-8518
oROEchimaru
Supreme [H]ardness
- Joined
- Jun 1, 2004
- Messages
- 4,662
found the letter their site:
Text of letter to potentially affected persons
August 10, 2011
We are writing to inform you of a computer security incident at the University of Wisconsin-Milwaukee that may have exposed records containing your name and Social Security number. After a thorough investigation, we do not believe the unauthorized individuals targeted or copied any personal information, but we wanted to make you aware of the breach so that you can take steps to prevent any potential misuse of your information.
We first became aware of the situation May 25, 2011, when we discovered that computer hackers had installed malware (computer viruses) on one university server, which housed a software system serving several campus departments and which managed confidential information. We immediately shut down the system and reassessed security before restarting it. We also reported the incident to local and federal law enforcement. With the help of a national computer security consultant, the university launched an investigation to determine the source and extent of the security breach. Several weeks into the investigation, on or around June 30, 2011, we discovered that a database associated with the system was accessible to the hackers. This database included the names and social security numbers of approximately 75,000 individuals associated with the university, primarily current and former employees and students.
As with many such incidents, the investigators were not able to identify those who gained unauthorized access. Investigators theorize that the motive was not identity theft, and could find no proof of attempts to download names or social security numbers.
However, because any incident that potentially exposes personal information could contribute to the risk of identity theft, we encourage you to take steps to protect your identity and monitor your credit reports. We have included information on steps you can take on the other side of this letter.
We want to apologize for any concern or inconvenience this may cause you, and assure you that the university takes computer and data security seriously. We continue to provide strong protection for our systems and campus computers. As a result of this incident, however, we are taking additional security measures.
If you have any questions, visit computersecurity.uwm.edu. We have also set up a toll-free line for you to call if you have any additional questions, at 800-349-8518.
Sincerely,
John McCarragher,
UWM Interim Chief Information Officer
Text of letter to potentially affected persons
August 10, 2011
We are writing to inform you of a computer security incident at the University of Wisconsin-Milwaukee that may have exposed records containing your name and Social Security number. After a thorough investigation, we do not believe the unauthorized individuals targeted or copied any personal information, but we wanted to make you aware of the breach so that you can take steps to prevent any potential misuse of your information.
We first became aware of the situation May 25, 2011, when we discovered that computer hackers had installed malware (computer viruses) on one university server, which housed a software system serving several campus departments and which managed confidential information. We immediately shut down the system and reassessed security before restarting it. We also reported the incident to local and federal law enforcement. With the help of a national computer security consultant, the university launched an investigation to determine the source and extent of the security breach. Several weeks into the investigation, on or around June 30, 2011, we discovered that a database associated with the system was accessible to the hackers. This database included the names and social security numbers of approximately 75,000 individuals associated with the university, primarily current and former employees and students.
As with many such incidents, the investigators were not able to identify those who gained unauthorized access. Investigators theorize that the motive was not identity theft, and could find no proof of attempts to download names or social security numbers.
However, because any incident that potentially exposes personal information could contribute to the risk of identity theft, we encourage you to take steps to protect your identity and monitor your credit reports. We have included information on steps you can take on the other side of this letter.
We want to apologize for any concern or inconvenience this may cause you, and assure you that the university takes computer and data security seriously. We continue to provide strong protection for our systems and campus computers. As a result of this incident, however, we are taking additional security measures.
If you have any questions, visit computersecurity.uwm.edu. We have also set up a toll-free line for you to call if you have any additional questions, at 800-349-8518.
Sincerely,
John McCarragher,
UWM Interim Chief Information Officer