back to article Penn State University network sacked by China malware blitz

Penn State University has had to take networks in its school of engineering offline after falling victim to a malware attack traced partially to China. Acting on an FBI tip, the school found that PCs on the network of its College of Engineering were infected with malware that appeared to be trying to harvest research data and …

  1. frank ly

    Call me cynical

    "... a cache of 18,000 Social Security numbers was found on one of the infected PCs."

    That sounds like the university was storing Social Security numbers without much security.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Call me cynical

      It is pointless to put much "security" on Social Security numbers. They are totally unsecure in the first place (and this is as it should be: they are just a form of catalog number, not something for identification and certainly not for authentication). The fact that they are used for identification and possibly authentication by various outfits is another problem.

      Rationally, the highest level of security you would have on a batch of SSN is the one you would put on a list of names.

      1. ecofeco Silver badge

        Re: Call me cynical

        "They are totally unsecure in the first place (and this is as it should be: they are just a form of catalog number, not something for identification and certainly not for authentication). "

        You don't actually live in America do you, because you would know you can't do shit these days without giving out your SS number.

        Contrary to popular belief, there is also no opt out.

        Corporate America has made the SS number the default ID number. So has most government departments.

        1. Destroy All Monsters Silver badge
          Holmes

          Re: Call me cynical

          You don't actually live in America do you, because you would know you can't do shit these days without giving out your SS number.

          That's the effing point: If you give them to world&dog they are not secure. Using them for things they are not mean to be used for does not make them secure or worthy of high-level security measure. Read the link, Einstein.

          1. Tom 13

            Re: Using them for things they are not mean to be used for

            Except it is the government who has essentially required they be used for everything. Want to take out a loan? Yep, you need an SSN. What a student grant? Yep, you need an SSN.

    2. Tom 13

      Re: Call me cynical

      Well, what the article doesn't say is whether or not SSN = School Badge ID, which is what was the case many years ago when I attended. You know, it was easier to just use something students already had that was unique rather than putting together some whole new system.

  2. Shannon Jacobs
    Holmes

    The US will be the biggest loser in a Cyber War?

    Interesting coincidence that I'm currently reading Cyber War by Richard Clarke and Robert Knake. The main point is that the US probably has powerful offensive capabilities but almost NO defensive capabilities, which is amplified by our extreme reliance and even dependency on our computer networks.

    In contrast, China is playing BOTH offense and defense. The Great Firewall of China is actually part of the defensive perimeter, not merely censorship. Private companies don't get to tell the government that network security might reduce their profits. Even more importantly, it's much harder for them to bribe politicians to look away from the problems.

    This article should be regarded as another shot across the bow.

    1. Voland's right hand Silver badge

      Re: The US will be the biggest loser in a Cyber War?

      Even more importantly, it's much harder for them to bribe politicians to look away from the problems.

      It kind'a made sense until I came across this sentence. At that point I stopped reading.

      1. Shannon Jacobs
        Holmes

        Re: The US will be the biggest loser in a Cyber War?

        Just a mindless troll? Or you have a substantive point?

        Perhaps I should be more precise.

        American politicians can be legally and cheaply bribed and the practice is effectively universal. In light of so-called Citizens United and the quid pro quo interpretations of the SCOTUS, it's almost impossible to get in trouble that way. As Clarke's book put it on page 143 (writing before the google eclipsed Microsoft in lobbying): "Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems." This was near the conclusion of a subsection called "Money Talks". (However, the book is not so old that the google is irrelevant... The authors don't see any connection to security? At least not in the first 2/3...)

        In contrast, political bribery in China is expensive and risky. I don't have much data about the frequency or prevalence, but I do know that if the political winds start blowing the wrong way, your past bribery is one of the quickest and easiest ways to get shot.

      2. Graham Marsden
        Boffin

        Re: it's much harder for them to bribe politicians to look away from the problems.

        > It kind'a made sense until I came across this sentence. At that point I stopped thinking

        FTFY

        "Hello, Mr Politician, we would like to make a large contribution to your election fund. By the way, there's this piece of legislation we would find very helpful to our business if it were enacted..."

        America, the country that gave us the saying: "An honest politician is one that stays bought"!

    2. Destroy All Monsters Silver badge

      Re: The US will be the biggest loser in a Cyber War?

      Cyber War by Richard Clarke

      If you enter the bookstore and see stuff by Richard Clarke, make a large detour around the heap of self-serving alarmist claptrap.

      The Great Firewall of China is actually part of the defensive perimeter

      Anyone who thinks that a "national router moat" is a good idea for playing "cyberdefense" is a few beers short of a sixpack.

      1. razorfishsl

        Re: The US will be the biggest loser in a Cyber War?

        Yes it is complete and utter bollox.

        You only need to hack a company in HK with a VPN to a factory in China.... and you're inside the firewall...

        Come to think of it.. just pop inside on of the cyber cafes in China , if you require a delivery system.

    3. Anonymous Coward
      Anonymous Coward

      Re: The US will be the biggest loser in a Cyber War?

      yep, we've been living in a glass house, and we've been throwing a lot of rocks at pretty much everyone on the planet the past couple decades.

      To destroy is easy, to build is difficult. Unfortunately our national priorities have been almost entirely focused on doing the easy. We've got hackers, spies, lawyers, and government employees out the wazoo, but people doing actual export-grade engineering are rare now, and they are mostly not American.

    4. Aodhhan

      Re: The US will be the biggest loser in a Cyber War?

      Oh how little, so very little you know.

  3. Destroy All Monsters Silver badge
    Paris Hilton

    traced partially to China

    How does that work?

    1. Alister
      Coat

      traced partially to China

      traceroute stopped at Hong Kong...?

    2. thomas k.

      re: traced partially to China

      By saying, "I think it might be China"?

  4. Ru'

    I'm no sys admin, but why did it effectively take 6 months from the warning for any significant action?

    1. ecofeco Silver badge

      If you think government and corporate bureaucracies are slow and inefficient, you should see academics and non-profits.

      1. Destroy All Monsters Silver badge
        Trollface

        So how about for-profit academics with corporate backing bolstered by govnm't bureaucracies?

  5. Tom 13

    Of course no reasearch data was taken.

    When I was there, the College of Engineering had it's main offices in Hammond Building. In a brilliant move, the College had students design it's new HQ. They did a fine job except for one small detail. They forgot to to test bores for the foundation. Turned out the ground where they planned to build the 8 story structure wouldn't support it, and rejiggering the foundation so it would cost too much. So they sliced the building into pieces and laid them side by side. One interesting side effect was that you can't actually get to the middle rooms on the second floor from the first floor. You have to go to the third floor walk t the middle and go down to the second.

  6. Unicornpiss
    WTF?

    VPN

    So just now they're going to start requiring two factor authentication for their VPN??

  7. Anonymous Coward
    Anonymous Coward

    I hereby coin the word "Nutshacked" for anyone hacked by Chinese malware/govt etc

    From henceforth please use the term "Nutshacked" to describe the resulting situation of person(s)/organization(s) hacked by Chinese malware/govt etc. Please inform Oxford and other necessary parties.

    Acceptable alternatives are "nutsacked" or "nenusa." The latter is a shortened version of "netnutsacked"

  8. Aodhhan

    Cost

    For the cost of what they will pay to recover data and have security consultants in to scrub their system, they could add PKI to their student ID cards and mandate 2 factor authentication.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like