Iowa State University to former students: we got hacked by miners!

[nutildah]

Thought this was pretty funny:

[serenitys]

So they sent you an email that basically says oh hey, we got hacked but have absolutely zero evidence it happened, and anyway you weren't affected and even if you were, nobody knows? And you want to do what about it?

Did you at least ask if you got any bitcoin? 

[Elwar]

So they sent you an email that basically says oh hey, we got hacked but have absolutely zero evidence it happened, and anyway you weren't affected and even if you were, nobody knows? And you want to do what about it?

Did you at least ask if you got any bitcoin? 

Worse, it looks like they spent money on actual letters to each student.

[Ron~Popeil]

I know this was technically crime but you have to admire it just a bit. My wife is a university professor in PA and the students there have a bitcoin club. The actually have permission to use university servers for mining "experiments." Purely academic of course.

[Elwar]

When I was in college a friend of mine worked in the computer labs. He used to steal RAM out of the machines leaving each machine with just enough to run. He would put the RAM in his computer or friends computers.

A computer program running on 3 servers is hardly anything.

I also used to run a MUD on the servers in the engineering building. I had it up for about 2 years before they found it.

I recall no letter going out to everyone in the school when they found out. They just e-mailed me and told me to not use their equipment as a server.

[Kluge]

Nice of them to let you know your SSN and other info may've been compromised. Just a year ago, companies thought it was okay to keep silent about break-ins until they could confirm sensitive data was leaked and being used nefariously. If your security measures to prevent unauthorized software was thwarted (esp. if a remote attack), it's not unreasonable to assume information stored on the same servers successfully attacked is compromised, too.

[nutildah]

Nice of them to let you know your SSN and other info may've been compromised. Just a year ago, companies thought it was okay to keep silent about break-ins until they could confirm sensitive data was leaked and being used nefariously. If your security measures to prevent unauthorized software was thwarted (esp. if a remote attack), it's not unreasonable to assume information stored on the same servers successfully attacked is compromised, too.

Good point. Whether they are required by law to inform me of the situation or not, it was good of them to at least send me a letter.

[Phinnaeus Gage]

https://threatpost.com/iowa-state-hacked-to-mine-bitcoins/105650

One of the comments, below:

“The SSNs and other information of 29,780 students who went to ISU between 1995 and 2012 was exposed during the breach, but officials said no financial data was exposed.”

Well good, no financial data exposed, just their SSNs! Sadly, I don’t know many colleges who take computer/information security seriously. The smaller the college the worse it is. “We just don’t have the money” is the repeated excuse.

[Kluge]

"The university decommissioned the compromised servers and then physically destroyed them."

wat?

[Phinnaeus Gage]

"The university decommissioned the compromised servers and then physically destroyed them."

wat?

Then, they were set out at the curb for the garbage truck the next day but, luckily, a scrapper came by before morning, thus now they won't leech toxins in the local landfill.

[nutildah]

"The university decommissioned the compromised servers and then physically destroyed them."

wat?

Sounds appropriate... Remember we are talking about a live virus here. It could mutate and become airborn.

Sorry, just trying to think like a college administrator. 

[brian_23452]

I don't get what is so funny?  Were they supposed to keep it a secret so that dumbasses could then complain that no one told them about this?   Isn't that what people bitched at Target for? 

[nutildah]

Were they supposed to keep it a secret so that dumbasses could then complain that no one told them about this?   Isn't that what people bitched at Target for? 

How could dumbasses complain about it if it was still a "secret"? If the word's out, its not exactly a secret anymore, is it?

I don't know all the facts but likely it was discovered by some students who painfully had to describe the problem to a bunch of government employees who will never fully understand it. So, if the students know about the problem first, good luck trying to keep it under wraps. Better to just admit you messed up.

If I was a lawyer I would probably take this to the next level and try to use it as an excuse to get out of paying for the rest of my student loan, but there's only so many hours in a lifetime and how many of them do you want to spend litigating with anal retentive know-nothings?

[hellscabane]

To be frankly honest, I'm surprised there aren't more incidents like this. It just seems that the ability to have little purview over a system with a fairly high computational power would invite this sort of thing more often. There's gotta be more incidents like this right?

[Beliathon]

If your security measures to prevent unauthorized software was thwarted (esp. if a remote attack), it's not unreasonable to assume information stored on the same servers successfully attacked is compromised, too.

Yep, and healthy security culture dictates you must ASSUME that info was compromised.

[brian_23452]

How could dumbasses complain about it if it was still a "secret"? If the word's out, its not exactly a secret anymore, is it?

Okay you're a little slow so let me break it down in simple words.  They find out.  They don't tell anyone.  Someone at some point finds out about it.  People like you bitch "why wasn't I told about this when they first found out?  Why did they try to cover it up?"

I don't know all the facts but likely it was discovered by some students who painfully had to describe the problem to a bunch of government employees who will never fully understand it. So, if the students know about the problem first, good luck trying to keep it under wraps. Better to just admit you messed up.

You freely admit you don't know all the facts.  But you'll be happy to speculate and make shit up anyway, apparently.

If I was a lawyer I would probably take this to the next level and try to use it as an excuse to get out of paying for the rest of my student loan, but there's only so many hours in a lifetime and how many of them do you want to spend litigating with anal retentive know-nothings?

And if I was the bank that loaned you the money I would ask you wtf does a data breach at some other company have to do with the money you owe me?

Let me ask you this.  Say hypothetically a company you do business with has a security breach.  And potentially, some of your information was leaked.  Would you rather they tell you right away, or cover it up and try to keep it a secret? 
Second question.  Does your reaction to how the school responded encourage the response you want, or discourage it? 

[LAMarcellus]

My advice;
Talk to a lawyer and have them draw up the proper paperwork to go after the creator of this malicious "Bitcoin".   

[Bit_Happy]

To be frankly honest, I'm surprised there aren't more incidents like this. It just seems that the ability to have little purview over a system with a fairly high computational power would invite this sort of thing more often. There's gotta be more incidents like this right?

more incidents like this?
Sometimes it's the head of the IT dept using/abusing the computers to produce BTC.
One was way back in 2011, if my memory is correct, and at least 2 dept heads have been fired over the years (2 different schools)

[freshprince]

Wickert says they have learned from this attack. “We’ve already taken some very proactive steps to decommission and actually destroy the computers that were affected,” Wickert says.

[nutildah]

How could dumbasses complain about it if it was still a "secret"? If the word's out, its not exactly a secret anymore, is it?

Okay you're a little slow so let me break it down in simple words.  They find out.  They don't tell anyone.  Someone at some point finds out about it.  People like you bitch "why wasn't I told about this when they first found out?  Why did they try to cover it up?"

I don't know all the facts but likely it was discovered by some students who painfully had to describe the problem to a bunch of government employees who will never fully understand it. So, if the students know about the problem first, good luck trying to keep it under wraps. Better to just admit you messed up.

You freely admit you don't know all the facts.  But you'll be happy to speculate and make shit up anyway, apparently.

If I was a lawyer I would probably take this to the next level and try to use it as an excuse to get out of paying for the rest of my student loan, but there's only so many hours in a lifetime and how many of them do you want to spend litigating with anal retentive know-nothings?

And if I was the bank that loaned you the money I would ask you wtf does a data breach at some other company have to do with the money you owe me?

Let me ask you this.  Say hypothetically a company you do business with has a security breach.  And potentially, some of your information was leaked.  Would you rather they tell you right away, or cover it up and try to keep it a secret? 
Second question.  Does your reaction to how the school responded encourage the response you want, or discourage it? 

Sheesh buddy. Sorry you were having such a bad day. I just posted this letter here because I thought it was interesting.