Tries To Have Concerned Parent Arrested For Hacking: School Creates Own Security Hole
Tries To Have Concerned Parent Arrested For Hacking: School Creates Own Security Hole
from the shut-up,-they-criminally-complained dept
We've seen it so often over the years, it's probably now time to accept the fact that this will never change: when entities are presented evidence of security holes and breaches, far too often the initial reaction is to shoot the messenger.
A school whose online student portal exposed a lot of sensitive data decided the best way to handle a concerned parent's repeated questions about how it was handling the problem was to file a criminal complaint against the parent. (via the Office of Inadequate Security)
Tries To Have Concerned Parent Arrested For Hacking: School Creates Own Security Hole
The National Fraternal Order of Police (NFOP) says Hillary Clinton’s campaign has made it clear that she will not be seeking an endorsement from them this presidential election cycle.
NFOP president Chuck Canterbury said he was “disappointed and shocked” that Clinton “declined” to even return a questionnaire which had been sent to her campaign. The only other candidate he can remember not returning the questionnaire was John Kerry in 2004.
According to The Hill, Canterbury said, “It sends a powerful message.” He added, “You would think with law enforcement issues so much in the news that even if she had disagreements with our positions, that she would’ve been willing to say that.”
Clinton spokesman Jesse Ferguson played down Clinton’s “snub” of the NFOP, saying:
Throughout her career, Hillary Clinton has been committed to our law enforcement officers. As she said from the beginning of her campaign, across the country, police officers are out there every day inspiring trust and confidence, honorably doing their duty, putting themselves on the line to save lives.
She believes we must work together to build on what’s working and to build the bonds of trust between police and the communities they serve — because we are stronger together.
The NFOP “represents 335,000 members.” Canterbury said the group is meeting with Donald Trump to discuss a possible endorsement of the Republican candidate.
AWR Hawkins is the Second Amendment columnist for Breitbart News and political analyst for Armed American Radio. Follow him on Twitter: @AWRHawkins. Reach him directly at awrhawkins@breitbart.com.
The details of the breach (since closed) were reported by independent journalist Sherrie Peif.
The district uses Google Apps for Education (GAFE), a hosting solution by Google that incorporates Google mail, calendar, and chat services. Lewis-Palmer used it for student email accounts, which at that time consisted of the student’s district identification number. [The] system used by the district allowed anyone with email address in the system to download a complete contact list of district students. The list identified students’ names and district email addresses. Because student email accounts were comprised of the student ID, anyone who gained access to this list only needed to know the students’ birthdays to access another program, Infinite Campus, which contains the personal data of possibly thousands of students.
Normally, it might have been difficult to ascertain what students' passwords were. But the school made it easy for anyone to suss out passwords and access the sensitive information stored at the Infinite Campus portal. This message, posted by administrators, sat on the login page for over nearly three years before being removed.
On Aug. 9, 2013 the district posted: “Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix LP@ before your regular birthday password (i.e. LP@031794).”
What was contained behind the papier-mache security facade was a wealth of sensitive student info.
In Lewis-Palmer, students and parents had access to names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups took place; and health records.
Parent Derek Araje brought this to the attention of Dewayne Mayo, a district technology teacher. Rather than promise to look into it or direct him to someone who might be able to verify his claims, Mayo became irritated and accused Araje of "breaking federal law."
Mayo also emailed other school administrators to complain about Araje, claiming he was "polluting the waters" and making it easier for parents skeptical about "any new technology" used by the district to raise complaints. Others in the email thread treated Araje's claims skeptically, asserting (hilariously) that it would take "advanced cracking skills" to break into a site where visitors were greeted with a message that basically gave away every students' password.
Six months after it was brought to the school's attention, parents are finally notified. Two days later, the school shut down the site and GAFE access. On the same day, the school filed a criminal complaint [PDF] with local police department accusing parent Derek Araje of hacking into the website. Fortunately for Araje, the police cleared him of any wrongdoing a month later.
Not only did the school go after the person who brought the security hole directly to its attention, but it significantly downplayed its own role in making sensitive student info easily-obtainable. Teacher, administrator, and technology director Bill Fitzgerald points out the school's blatant attempt to cover its own ass after ignoring the site's security issues for months, if not years.
It also appears - based on the parent testimony at the board meeting - that these concerns were brought to the district's attention in the fall of 2015, and were dismissed. Based on some of the other descriptions regarding access to health records, it also sounds like there might be some issues related to Infinite Campus and how it was set up, but that's unclear.
What is clear, however, is that the district is not being as forthright as they need to be. The board meeting with parent testimony was May 19th; Complete Colorado article ran on May 24th. The data privacy page on the Lewis Palmer web site was updated on May 25th, with the following statement:
"Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems."
Given that the security issue was covered in the local press the day prior, and that the district was publishing their password structure for over three years, I'd recommend they look at their logs going back a while. I'd also recommend that the district own their role exacerbating this issue.
Instead of owning its role, the school chose to try to make someone else -- parent Derek Araje -- pay for its own carelessness and unwillingness to address a security hole until it became impossible to ignore.
0 Response to "Tries To Have Concerned Parent Arrested For Hacking: School Creates Own Security Hole"
Post a Comment