BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Two legacy Dataloss events

From: security curmudgeon <jericho () attrition org>
Date: Mon, 3 Oct 2011 19:06:28 -0500 (CDT)


While reading Kevin Mitnick's new book, 'Ghost in the Wires' [1], he referenced 
past hacking activity he was engaged in. In two separate cases, he wrote about 
incidents that qualify for inclusion in DatalossDB.org. Rather than scan in a 
page of the book, I am including the relevant text in this post for reference.


P318 - 319 (mid 1994 based on subsequent text)

Desperately in need of a new identity, and knowing it would be dangerous to use 
any of the names from the South Dakota list since all that information was also 
on the unencrypted backup tapes that the cops had grabbed in the Seattle raid, 
I targeted the largest college in Oregon's largest city, Portland State 
University.

After compromising the server for the Admissions Office, I called the database 
administrator. "I'm new in the Admissions Office," I told him. "And I need to 
look at...," and then I described the parameters of what I was looking for: 
people who had received undergraduate degrees between 1985 and 1992. he spent a 
good forty-five minutes on the phone with me, explaining how the records were 
organized and the commands I needed to extract all the student data for 
graduates in the years of interest. He was so helpful that he gave me even more 
than I was asking for.

When we were done, I had access to 13,595 student records, each one complete 
with a student's full name, data of birth, degree, year of degree, Social 
Security number, and home address.

P365 (unknown year)

Of course, the Feds had also found Netcom's customer database that contained 
more than 20,000 credit card numbers on my computer, but I had never attempted 
to use any of them; no prosecutor would ever be able to make a case against me 
on that score. I had to admit, I had liked the idea that I could use a 
different credit card every day for the rest of my life without ever running 
out. But i'd never had any intention of running up charges on them, and never 
did. That would be wrong. My trophy was a copy of Netcom's customer database.



[1] http://www.amazon.com/exec/obidos/ISBN=0316037702/insekurityorgA/
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/
Previous By Date Next
Previous By Thread Next

Current thread: