Friday, May 23, 2008

School District in PA "hacked" by a 15 year old


From Dark Reading:
15-Year-Old Steals Data on 55,000 People in School District Hack

A Pennsylvania school district suffered its second consecutive breach at the hands of one of its students – the latest attack involved personal information on students, staff, and county residents.
http://www.darkreading.com/document.asp?doc_id=154709

Before you click that link, read this one from the school district.
http://dasd.us/security/?cat=3

start from the bottom and read up, its an interesting chain of events. Especially conflicting reports of "that a student had overridden the security of a classroom computer" and "The breach occurred in the high school during the student’s study hall, a time when students are authorized to use the school’s computer for studying and research."

This is also pretty good:

"Prior to 2006, Social Security numbers had been used by the district as key indicators in our resident data base. The file the student accessed was a copy of a report that had been issued in 2005. (He did not access our secured database) Social Security numbers are no longer used by the district and our new database does not include this information. "

In response, the District has:
  • Tightened up folder security by confirming all folder permissions
  • Separated network servers to ensure that students have access only to student servers
  • Reconfirmed the integrity of the district’s firewall protection to prevent unauthorized outside users
  • Removed all access to folders that had been breached.
  • Continued to remind teachers and administrators to keep individual district passwords private.
  • Begun a Board authorized complete overhaul of the active directory file structures dealing with login, password security and folder access permissions.
I'm far removed from this, but it looks suspiciously like the "hack" was someone browsing the network shares that had crappy permissions on them. How that equates to "unauthorized access" in beyond me but i'm sure the kid will take the fall and not the school's network admins for doing a shitty job.

A better question is why a database or names, addresses and social security numbers is sitting unencrypted on a network share.

"Your personal information including your name, address and social security number in an unencrypted and un-redacted form were among those accessed."

and for a next to final kick in the nuts:

"We are providing you this notice so that you can take measures to contact the credit reporting agencies and monitor any unusual activity in your account....Under Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, contact www.annualcreditreport.com..."

Yep we lost your data, we were irresponsible, our admins failed to safeguard your PII and you basically get the same thing you got if we had been doing the right thing.

and lastly:

"In December 2007, another DASD student circumvented the security of the district’s computer network by using unauthorized software. That student was arrested and has been charged. The district responded to this incident by researching and putting together a plan to overhaul the active directory file structures dealing with login, password security and folder access permissions. The second security breach will require complete additional security revamping."

Oh yeah? and six months later this happens? looks like you did a A+ job on that one. Someone should be sooooo fired.
CG

No comments: