BreachExchange mailing list archives
Two legacy Dataloss events
From: security curmudgeon <jericho () attrition org>
Date: Mon, 3 Oct 2011 19:06:28 -0500 (CDT)
While reading Kevin Mitnick's new book, 'Ghost in the Wires' [1], he referenced past hacking activity he was engaged in. In two separate cases, he wrote about incidents that qualify for inclusion in DatalossDB.org. Rather than scan in a page of the book, I am including the relevant text in this post for reference.

P318 - 319 (mid 1994 based on subsequent text)

Desperately in need of a new identity, and knowing it would be dangerous to use any of the names from the South Dakota list since all that information was also on the unencrypted backup tapes that the cops had grabbed in the Seattle raid, I targeted the largest college in Oregon's largest city, Portland State University.

After compromising the server for the Admissions Office, I called the database administrator. "I'm new in the Admissions Office," I told him. "And I need to look at...," and then I described the parameters of what I was looking for: people who had received undergraduate degrees between 1985 and 1992. He spent a good forty-five minutes on the phone with me, explaining how the records were organized and the commands I needed to extract all the student data for graduates in the years of interest. He was so helpful that he gave me even more than I was asking for. When we were done, I had access to 13,595 student records, each one complete with a student's full name, date of birth, degree, year of degree, Social Security number, and home address.

P365 (unknown year)

Of course, the Feds had also found Netcom's customer database that contained more than 20,000 credit card numbers on my computer, but I had never attempted to use any of them; no prosecutor would ever be able to make a case against me on that score. I had to admit, I had liked the idea that I could use a different credit card every day for the rest of my life without ever running out. But I'd never had any intention of running up charges on them, and never did. That would be wrong. My trophy was a copy of Netcom's customer database.
[1] http://www.amazon.com/exec/obidos/ISBN=0316037702/insekurityorgA/