Greenville County Schools student "hacker" turns himself in
Technorati Tag: Security Breach
Date Reported:
10/9/08
Organization:
Greenville County Schools (GCS)
Contractor/Consultant/Branch:
None
Location:
Greenville, South Carolina
Victims:
Students
Number Affected:
Unknown*
*According to the school district web site, Greenville County Schools is the 51st largest school district in the nation, with "68,382 students and growing!".
Types of Data:
"students’ names, addresses, Medicaid ID numbers, and social security numbers"
Breach Description:
"A student at Riverside High School reported on September 26 to Greenville County Schools (GCS) Education Technology Services Department (ETS) that while using a GCS networked computer he bypassed district security controls to gain unauthorized access to a GCS file server. That server contained confidential student information"
Reference URL:
Greenville County Schools Announcement
News Channel 7
Fox News
T.H.E. Journal
Report Credit:
Greenville County Schools
Response:
From the online sources cited above:
A student at Riverside High School reported on September 26 to Greenville County Schools (GCS) Education Technology Services Department (ETS) that while using a GCS networked computer he bypassed district security controls to gain unauthorized access to a GCS file server.
[Evan] Sheesh, didn't I just post an article about a student gaining and exploiting unauthorized access to school district information about an hour ago?! How do you suppose this student "bypassed district security controls"? It is not likely that he used some super-sophisticated zero-day vulnerability and exploit.
That server contained confidential student information, including students’ names, addresses, Medicaid ID numbers, and social security numbers.
There is no evidence to indicate that any data was transmitted to any other person or used in any manner.
Although we have no indication that any misuse has occurred, as a precaution we are informing our students and parents of this situation.
The student provided ETS personnel the portable storage device to which he had downloaded the information and a written statement that he had neither shared nor reproduced that information.
[Evan] I have to wonder why the student copied the information to a portable storage device.
ETS personnel immediately initiated established Incident Response Procedures including investigation of the incident by ETS Information Security Personnel and referral to the Greenville County Sheriff’s Department Investigations Division.
[Evan] Kudos to the Greenville School District for having established incident response procedures. Hopefully they were tested and updated regularly. An incident response plan and procedures are worth every ounce of effort and expense if you have to use them.
Law enforcement and the school district are conducting separate on-going investigations.
[Evan] Does this mean that there is not a coordinated investigation?
The results of the district investigation will determine any school disciplinary action.
this incident serves as a reminder that data of a confidential, personal nature is stored in computer systems throughout the world and these systems are constantly subjected to attempts at unauthorized entry
[Evan] Yep, this is the nature of the beast. I guess this is why guys like me have a job.
Commentary:
My commentary for this breach isn't unlike my comments on the last one. What makes this breach unique is the fact that the student turned himself in and that he already had the information on a portable storage device.
What motivated the student to turn himself in? Conscience? Heat? My guess is no better than yours.
Past Breaches:
December, 2007 - DHS notified the Greenville County School District of compromise
Date Reported:10/9/08
Organization:
Greenville County Schools (GCS)
Contractor/Consultant/Branch:
None
Location:
Greenville, South Carolina
Victims:
Students
Number Affected:
Unknown*
*According to the school district web site, Greenville County Schools is the 51st largest school district in the nation, with "68,382 students and growing!".
Types of Data:
"students’ names, addresses, Medicaid ID numbers, and social security numbers"
Breach Description:
"A student at Riverside High School reported on September 26 to Greenville County Schools (GCS) Education Technology Services Department (ETS) that while using a GCS networked computer he bypassed district security controls to gain unauthorized access to a GCS file server. That server contained confidential student information"
Reference URL:
Greenville County Schools Announcement
News Channel 7
Fox News
T.H.E. Journal
Report Credit:
Greenville County Schools
Response:
From the online sources cited above:
A student at Riverside High School reported on September 26 to Greenville County Schools (GCS) Education Technology Services Department (ETS) that while using a GCS networked computer he bypassed district security controls to gain unauthorized access to a GCS file server.
[Evan] Sheesh, didn't I just post an article about a student gaining and exploiting unauthorized access to school district information about an hour ago?! How do you suppose this student "bypassed district security controls"? It is not likely that he used some super-sophisticated zero-day vulnerability and exploit.
That server contained confidential student information, including students’ names, addresses, Medicaid ID numbers, and social security numbers.
There is no evidence to indicate that any data was transmitted to any other person or used in any manner.
Although we have no indication that any misuse has occurred, as a precaution we are informing our students and parents of this situation.
The student provided ETS personnel the portable storage device to which he had downloaded the information and a written statement that he had neither shared nor reproduced that information.
[Evan] I have to wonder why the student copied the information to a portable storage device.
ETS personnel immediately initiated established Incident Response Procedures including investigation of the incident by ETS Information Security Personnel and referral to the Greenville County Sheriff’s Department Investigations Division.
[Evan] Kudos to the Greenville School District for having established incident response procedures. Hopefully they were tested and updated regularly. An incident response plan and procedures are worth every ounce of effort and expense if you have to use them.
Law enforcement and the school district are conducting separate on-going investigations.
[Evan] Does this mean that there is not a coordinated investigation?
The results of the district investigation will determine any school disciplinary action.
this incident serves as a reminder that data of a confidential, personal nature is stored in computer systems throughout the world and these systems are constantly subjected to attempts at unauthorized entry
[Evan] Yep, this is the nature of the beast. I guess this is why guys like me have a job.
Commentary:
My commentary for this breach isn't unlike my comments on the last one. What makes this breach unique is the fact that the student turned himself in and that he already had the information on a portable storage device.
What motivated the student to turn himself in? Conscience? Heat? My guess is no better than yours.
Past Breaches:
December, 2007 - DHS notified the Greenville County School District of compromise
Posts Atom 1.0
From what I've heard, the 'sophisticated hacking tool" that was used to "bypass" the district's network security was a rather obscure application called "Internet Explorer v6"! By selecting the appropriate search options, it's easy to search for all computers on the attached network. In this case, the search revealed the names of hundreds of district servers and access to them was only a click away!
I'm guessing that the reason that the student turned everything over to the school was based on the fact that he obtained the information without hacking, cracking, or wacking.
No crime--no time, right? Apparently not in this case.
Reply to this
Gotta love it. Internet Explorer v6 is one of the best hacking tools available on the market, from what I hear anyway!
Reply to this