Shenendehowa Central Schools student arrested
Date Reported:
10/23/08
Organization:
Shenendehowa Central Schools
Contractor/Consultant/Branch:
None
Location:
Clifton Park, New York
Victims:
School district bus drivers
Number Affected:
Unknown
Types of Data:
"internal records", "including Social Security numbers"
Breach Description:
'About 1:00 p.m. on Tuesday an e-mail was received by our high school principal informing him that the sender had access to a file that had demographic data about bus drivers. It was signed "A student."'
Reference URL:
Shenendehowa Central Schools
The Daily Gazette
The Saratogian
The Daily Gazette (follow-up)
Report Credit:
Shenendehowa Central Schools
Response:
From the online sources cited above:
CLIFTON PARK - A 10th-grader at Shenendehowa Central School has been charged with three crimes for allegedly accessing personnel files on a school computer Tuesday.
State Police said the boy, who is not being identified because of his age, is charged with computer trespass, unlawful possession of personal identification information and identity theft.
[Evan] Sheesh. Throwin' the book at the kid, eh?
The 15-year-old is accused of looking at the files of bus drivers as he worked on a school-owned computer in a classroom.
the district's Information Services Department (IMS) began to investigate and discovered that two high school students had accessed the file from an internal computer using their student password
[Evan] Wait a second. The students accessed the file using their student passwords?
Due to a configuration error, this file was not completely secured from student password access after being moved to a new server.
[Evan] A sysadmin permissioned the folder/file wrong. Should the kid be charged or should the person who was supposed to secure the data be charged? The persons responsible for securing school information are adults and professionals (they get paid). Kids are kids. They are curious. They are trying to make a name for themselves. They are trying to figure out who they are and they will push the boundaries. I don't know these kids, but I do have kids. These kids seemed to be doing what kids their age do. Has anyone at the school district ever heard anything about network segmentation? Why in the world would you store sensitive district information on the same network (and/or servers) that the kids use for school? There should be no connectivity between the two. Ugh.
District spokeswoman Kelly DeFeciani said two 15-year-old boys were discovered within hours of the breach of the in-school computer security system.
[Evan] Yes. Again, they are kids. They are not likely to be sophisticated "hackers".
The other boy allegedly involved has not been charged, according to police.
One of the students sent an e-mail to the high school principal revealing what he had seen.
"He sent an e-mail to his principal saying, ‘look what I have,’" DeFeciani said. "That was at 1 [p.m.] Tuesday and within two hours we knew who he was."
[Evan] Not the brightest kids in the world.
She said the files were internal records kept on bus drivers for the state Department of Motor Vehicles.
The information included Social Security numbers.
Police said the boy is scheduled to appear in Saratoga County Family Court at a later date to answer the charges.
The district takes great measures to secure our data and this breach is extremely troublesome.
[Evan] Great measures like what?
We will have reviewed our procedures and IMS has written an application that proactively reviews folder security permissions on all system folders.
This will be run as part of the current IMS protocols for the routine system security and integrity process.
Commentary:
I'm torn on this one. I never condone accessing information resources without permission, but I think a case could be made for the kids. The kids should certainly be reprimanded in some way, but charged with crimes? I don't know. First, there is no excuse for not securing this information better. I don't know why the school doesn't segregate data. Second, why aren't kids given an alternative? What kind of computer science classes are taught at schools nowadays? I think computer ethics and/or ethical hacking could be good classes to add to many district curricula.
Past Breaches:
Unknown
