Computer security hole puts kids at risk

They identify vulnerabilities in applications and networks

(AP Photo/Damian Dovarganes, File)

(CNN) – Two computer experts have discovered a way for strangers to get your personal information using a security hole that could leave you and your children vulnerable.

Bryan Seely and Ben Caudill say they’ve discovered one of the biggest potential security holes of the modern era, one that can leave your data and those of your kids exposed to any hacker willing to find it.

Seely said, “Within a couple of minutes we found social security numbers, dates of birth, private student records, transcripts, and grades.”

Seely and Caudill are so-called ethical hackers, using their computer skills for good, to identify vulnerabilities in applications and networks.

Caudill said, “We take that information, privately disclose it to law enforcement, to the relevant parties and then work to get those issues remediated.”

This month, they found that a weakness in Oracle’s software – that the company discovered in 2012 and provided a patch for – still remains a huge vulnerability to any customer that missed or ignored that news.

Seely says at risk is the sensitive information from databases belonging to 20 government-related agencies, 100 schools K-12, and 50 institutions of higher learning, affecting hundreds of thousands, if not millions of people, he says.

He said, “You could completely steal someone’s identity and assume someone else, and take money out of their accounts, you could file legal documentation, you could take out business loans, the sky’s the limit.”

They also easily accessed the records of the Texas Department of Family and Protective Services.

Seely said, “That is a department that had records of parents, the children, the situation of the living environment of the child, things that the child had gone through. It’s a little rattling.”

In a statement to CNN, the department acknowledged not only that the records had been vulnerable, but that they were breached. They said: “the database has been shut down, and testing so far has found a limited data breach affecting fewer than 30 individuals. Anyone whose information was compromised is being notified and credit monitoring/identity restoration services will be provided at state expense.”

Seely and Caudill are working with the FBI to alert the dozens of organizations representing hundreds of thousands of files that are still vulnerable and help patch their security systems.

In a statement to CNN, Oracle said the issue was not because of a product defect, but because of the configuration of how the security checks could be disabled.

The statement went on: “The patch that made the default setting secure was issued as part of our regularly scheduled critical patch update customers know to apply every quarter. Oracle notified all of our customers directly that they should apply patch.”

Comments are closed.