Students breach Williamsville Central School District security
Technorati Tag: Security Breach
Date Reported:
4/12/08
Organization:
Williamsville Central School District*
*"the largest suburban school district in Western New York, Williamsville Central encompasses 40 square miles including portions of the towns of Amherst, Clarence and Cheektowaga."
Contractor/Consultant/Branch:
Williamsville North High School
Victims:
Employees
Number Affected:
1,800
Types of Data:
"personal information and Social Security numbers"
Breach Description:
"Several current and former Williamsville North High School students are believed to have broken into the school district’s computer system last month and copied secure files that included the personal information and Social Security numbers of school employees"
Reference URL:
The Buffalo News
WCAX-TV News
Report Credit:
The Buffalo News and the Associated Press (AP)
Response:
From the online sources cited above:
WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district’s computer system in western New York last month and copied secure files that included the personal information of employees.
This computer breach marks the third time in the past month that students have gained unauthorized access to sensitive information in area school districts.
[Evan] What did the school district do after the first two in an attempt to prevent a third?
"From talking with staff and from talking with students involved, we know these students gained access to personal information regarding employees of the school district," Amherst Police Chief John Askey said.
The students, Askey said, overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.
[Evan] I can only imagine what the "security defenses" entailed. A student (or "hacker") can do a lot of damage if they are granted physical access to a computer. Obviously the students need to access classroom computers. Having said this, doesn't it then become critical that they be closely supervised.
"They actively attacked the system " subverted those security procedures and precautions," he said.
He added that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records.
The extent of the security breach remains unknown because police are required to have computer evidence extracted by the Western New York Regional Computer Forensics Laboratory, Askey said, which might take several weeks.
This prompted Superintendent Howard S. Smith to send a letter this week to the district’s 1,800 employees, asking them to notify Amherst police if they uncover any suspicious credit card or banking activity.
So far, however, police and school officials say they have no evidence that any of the accessed data has been distributed or used to commit crimes.
Employees or students who suspect their private information might have been used improperly should call the police at 689-1311.
District computer technicians noticed some unusual activity during routine monitoring of its network on March 26, Smith said.
"Immediately upon getting the information, we began our investigation and involved the police," he said, "and they have been working with us ever since."
Two school computers, four personal student computers and one portable flash drive have been confiscated as part of the investigation, Askey said.
At least three individuals are suspected in the breach, he said, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system.
[Evan] I remember the day when being "interested in how far" we "could get into the system" was commonplace. We were curious and we wanted a challenge, but things are much different today.
Smith said the district has begun disciplinary action against one student and expects to take further action as the police wind up their investigation. He added that the district also has taken steps to improve security.
[Evan] We don't have all the facts, but assuming that the information security practices at the school are less than adequate, how about some disciplinary action against the people that did not secure the information in the first place?
"There are several charges, mostly misdemeanors, that could result," Askey said.
[Evan] This is in reference to the students. Should charges be considered for those who collected the personal information and likely did not secure it properly? I think that the finger could be pointed in either direction.
Commentary:
Kids are kids. On one hand, I think it's important for them to push the boundaries, explore and challenge themselves. On the other hand, their actions in this case led to potential victims. These students should be punished, but I think that the school could come up with some creative solutions (after they secure personal information better). If students are interesting in "hacking", why not teach it. Teach it in a way that clearly communicates the law, but at the same time challenges students to explore and learn. Maybe we can make good information security professionals out of them. My blog, my $.02
Whatever the school district has been doing isn't working. Otherwise, this wouldn't be the third occurrence in the past month.
Past Breaches:
Unknown
Date Reported:4/12/08
Organization:
Williamsville Central School District*
*"the largest suburban school district in Western New York, Williamsville Central encompasses 40 square miles including portions of the towns of Amherst, Clarence and Cheektowaga."
Contractor/Consultant/Branch:
Williamsville North High School
Victims:
Employees
Number Affected:
1,800
Types of Data:
"personal information and Social Security numbers"
Breach Description:
"Several current and former Williamsville North High School students are believed to have broken into the school district’s computer system last month and copied secure files that included the personal information and Social Security numbers of school employees"
Reference URL:
The Buffalo News
WCAX-TV News
Report Credit:
The Buffalo News and the Associated Press (AP)
Response:
From the online sources cited above:
WILLIAMSVILLE, N.Y. (AP) - Authorities say several current and former students broke into a school district’s computer system in western New York last month and copied secure files that included the personal information of employees.
This computer breach marks the third time in the past month that students have gained unauthorized access to sensitive information in area school districts.
[Evan] What did the school district do after the first two in an attempt to prevent a third?
"From talking with staff and from talking with students involved, we know these students gained access to personal information regarding employees of the school district," Amherst Police Chief John Askey said.
The students, Askey said, overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.
[Evan] I can only imagine what the "security defenses" entailed. A student (or "hacker") can do a lot of damage if they are granted physical access to a computer. Obviously the students need to access classroom computers. Having said this, doesn't it then become critical that they be closely supervised.
"They actively attacked the system " subverted those security procedures and precautions," he said.
He added that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records.
The extent of the security breach remains unknown because police are required to have computer evidence extracted by the Western New York Regional Computer Forensics Laboratory, Askey said, which might take several weeks.
This prompted Superintendent Howard S. Smith to send a letter this week to the district’s 1,800 employees, asking them to notify Amherst police if they uncover any suspicious credit card or banking activity.
So far, however, police and school officials say they have no evidence that any of the accessed data has been distributed or used to commit crimes.
Employees or students who suspect their private information might have been used improperly should call the police at 689-1311.
District computer technicians noticed some unusual activity during routine monitoring of its network on March 26, Smith said.
"Immediately upon getting the information, we began our investigation and involved the police," he said, "and they have been working with us ever since."
Two school computers, four personal student computers and one portable flash drive have been confiscated as part of the investigation, Askey said.
At least three individuals are suspected in the breach, he said, and several more knew about it. Those involved have told police they simply were interested in how far they could get into the system.
[Evan] I remember the day when being "interested in how far" we "could get into the system" was commonplace. We were curious and we wanted a challenge, but things are much different today.
Smith said the district has begun disciplinary action against one student and expects to take further action as the police wind up their investigation. He added that the district also has taken steps to improve security.
[Evan] We don't have all the facts, but assuming that the information security practices at the school are less than adequate, how about some disciplinary action against the people that did not secure the information in the first place?
"There are several charges, mostly misdemeanors, that could result," Askey said.
[Evan] This is in reference to the students. Should charges be considered for those who collected the personal information and likely did not secure it properly? I think that the finger could be pointed in either direction.
Commentary:
Kids are kids. On one hand, I think it's important for them to push the boundaries, explore and challenge themselves. On the other hand, their actions in this case led to potential victims. These students should be punished, but I think that the school could come up with some creative solutions (after they secure personal information better). If students are interesting in "hacking", why not teach it. Teach it in a way that clearly communicates the law, but at the same time challenges students to explore and learn. Maybe we can make good information security professionals out of them. My blog, my $.02
Whatever the school district has been doing isn't working. Otherwise, this wouldn't be the third occurrence in the past month.
Past Breaches:
Unknown
Posts Atom 1.0
This is an interesting report. I recently performed a pen-test for a school district and as part of the mitigation plan we also recommended creating a "hacking club" with curriculum and internships for capable students. The students get to hack, the district gets cheap help securing the network, and all the students involved are under close legal, academic, and employment restraints.
Reply to this
Brent, I think it's a great idea to start a "hacking club". There are so many points that you could make for it and few that I can think of against it. I hope you are successful.
-Evan
Reply to this