Teen becomes instant "celebrity" after breach

|

Date Reported:
10/21/10

Organization:
Thames Valley District School Board

Contractor/Consultant/Branch:
Unknown

Location:
London, Ontario Canada and Online

Victims:
Students

Number Affected:
"more than 27,000"

Types of Data:
"private information such as student passwords"

Breach Description:
London - A 15-year-old Lucan, Ontario, teen has become a bit of a celebrity after hacking into the Thames Valley District School Board website last week.

Reference URL:
Thames Valley District School Board media release
St. Thomas Times-Journal
The London Free Press
Digital Journal

Report Credit:
Thames Valley District School Board

Response:
From the online sources cited above:

The Internet passwords of more than 27,000 high school students in the Thames Valley District School Board were compromised Wednesday, forcing the board to shut down its online student portal.
[Evan] I am surprised that we don't read about more secondary school breaches.  We know that they happen more often than what is publicly reported.  In general school district systems are very poorly secured.

But the board believes the system, and information on students, is secure: the portal was taken down immediately after the breach was discovered.
[Evan] How can you call something "secure" when it was just compromised?!

Around 4:25 p.m. Wednesday, a link was posted on a Facebook page directing visitors to a website on which the names and passwords of Thames Valley students were posted, Valerie Nielsen superintendent of operations and program services for the board confirmed Thursday afternoon.

"Yesterday we received word there was a security breach regarding our student portal and, yes, that those passwords had been posted. We immediately shut down our student portal so that those passwords would be meaningless, that nobody could do anything with the student portal.
[Evan] The passwords are not "meaningless".  We know for a fact that a good portion of people use the same password in multiple places.  The claim that "nobody could do anything with the student portal" is also a wrong and misleading statement.

"Our student portal is completely secure," she said.
[Evan] Really?  Then why are we reading and writing about a breach?!

The board's student portal website allows secondary school students an online space to view their marks, courses and timetable.

Nielsen said other personal information, such as home address or contact information, was not listed on the portal.
[Evan] Do you think it is possible (and even probable) that this portal system or the backend database server is connected to or trusted by other sensitive systems in the school board's architecture?

"We were working as quickly as we can and the focus initially was the shutdown of the portal and the protection of data and now we're working with students through the schools in terms of having their passwords protected."

She said the portal will be reposted as soon as possible, once passwords have been refreshed and security of the site is assured.

[Evan] Later, we come to find out who the attacker was; according to The London Free Press:

LUCAN — He flunked out of a gifted program at a London high school.

Now, he spends almost all his spare time on computers — sometimes writing code for new software, other times seeking his dad.

He’s a 15-year-old hacker, who says this week he broke into the Thames Valley District school board’s website in less than an hour, exposing the passwords of 27,000 high school students and the board’s weak security system.
[Evan] How typical is this?  The attacker is a teenage loner with above average intelligence.  He is bored because he is not challenged with school or daily life.  The computer satisfies his need for companionship and challenge.

“It could have been a lot worse. There were sites where marks could have been changed, personal information exposed,” he said Friday in his Lucan home, as the teenage online world buzzed about the security breach.
[Evan] Nice logic (or lack thereof).  How often do we look for some sort of justification for something that is just plain wrong?  It is wrong and illegal to break into a computer system, period.

Instead of breaking into more sensitive sites, he chose one where marks and timetables were revealed, but no changes could be made.
[Evan] Do you really think that this is the first (or only) site that this kid has compromised?  Let's be naive and say it was/is.  It won't be his last.

“If it had been an employee portal, it would have been completely different. It would have opened up a world of trouble with people able to change marks, personal information exposed,” he said.

His point, he added, was to draw attention to what he sees as a problem with the board’s weak website security system and its refusal to listen to his suggestions to improve it.
[Evan] We don't break things because people won't listen to us.  This is childish.

“It was not intended to be malicious, it was intended to get my message across,” he said. “I know I will definitely pay a price, but I do not see myself going to jail.”
[Evan] No matter what the intention is/was, it is wrong.

While he reluctantly agreed to be identified, The Free Press decided not to do so to afford him the same rights he’d receive under the federal Youth Criminal Justice Act were he charged, because police have been notified about the incident.

A slight youth, short for his age but confident-sounding, he said he was at home when, about 5 p.m. Wednesday, he got into the board’s site through the Lucas secondary school website.

The hack was done in less than an hour.

He was then called into the office at Medway high school at 11 a.m. Thursday and told he was suspended indefinitely, he said.

He’s had no contact with police, but his mother spoke with them, he said.

“I will tell them the way it is. There is no sense now trying to cover things up. That will get you nowhere,” he said.

While the board is reviewing its security, the response from students has been “overwhelmingly” positive, he said.

“I went to school Thursday and a guy came up, gave me a hug and said, ‘Dude, you’re a hero.’ ” he said.
[Evan] Now this kid is a celebrity, great.  It's funny (in a sad way) how we sometimes reward people for doing the wrong thing.  We send the wrong message to our kids.

His Facebook page is still getting messages praising his actions and he’s had more than 100 Facebook friend requests, in support.

“I am a bit like an icon, a celebrity right now,” he laughed. “I am glad there is positive feedback. It is almost all universally positive. For kids our age, going against the establishment is a big thing.”

The youth has been interested in computers and technology as long as he can remember. But it was in Grade 6 when he got serious about his passion. Even at that young age, he was “writing code” for computer programs, he said.

“I just love it, it is my major hobby. I taught myself mostly,” he said, adding he dreams of a career as a software engineer or in the military working in the technology field. He attends Sea Cadets at HMCS Prevost in London.
[Evan] If this kid would think things through, he would realize that the government doesn't really like people who can't play by the rules.  It's hard to get a job with a criminal record.  Furthermore, do you think that the military is impressed with a kid that can execute a simple compromise of a poorly secured system that causes a disruption affecting 27,000+ people?

As for how his suspension went over with his mother, he said: “She’s mad at me. Right now, we’re not talking much.”

He went to Lucas for the gifted program in Grades 9 and 10 and, after failing there, was sent to his home school, Medway.

“I am smart, but I am lazy. I just did not hand in assignments or do homework. I am working now on getting over my lazy streak, but when I sit down all I want to do is go on the computer,” he said.
[Evan] It would have been "smart" to not draw attention to yourself as a loose cannon.  It would have been "smart" to think of a way to effect change without causing damage.  It would have been "smart" to think through the cause and effect of your actions.  It's sad because this kid probably has a ton of potential.

As for the hack, he said he posted student passwords on a link from his Facebook site.
 
Since many students use the same password for Facebook, Hotmail or even bank accounts, they were left scrambling to change passwords.

“I feel sorry about that, if this affected them somehow,” he said. “If someone accessed their information, I apologize — that was never my intention. There was no maliciousness intended at all.”
[Evan] Really?  How sorry?  It seems like he has no idea what the implications of his actions could be, which is dangerous.  This is the same type of person who writes malicious code without any clue as to how it may affect systems and people globally.

Still, it’s a lesson people should use different passwords for different programs, he added.

The Grade 11 Medway student is now suspended indefinitely from class as the board and London police investigate the security breach.

“It was worth it. I did it to make a point, I told them it was a problem and they ignored me,” he said. “I got my message across. The board is reviewing and will put in more security.”

He said he was shocked the board didn’t encrypt its website pages and passwords, a relatively simple step that would make hacking into them tougher.

“I have made apps for website encryptions — it is simple, it is not hard at all,” he said. “The most simple web developer will use encryption. I am now writing a blog software program that uses encryption, and I am 15.”

That computer work would includes helping the board to beef up its security, if it’s interested, he said. “If they ever contacted me about helping with security, I would be glad to help — you never know.”

How he says he hacked the system

 - An SQL database system is used to store information, such as passwords.
 - Using an “SQL injection,” he logged on to the site as an administrator
 - From there, he was able to upload files and get the login information.

“It let me see all the files on the servers, passwords, user names. They did not make any effort to hide it,” he said of the school board’s IT department

Commentary:
I got sick of writing comments above, and stopped after the "sorry" statement.  I have a lot more ranting, but don't feel as though it will be constructive.  There is nothing noble is what this kid did, and he is nowhere near as talented as he (and his peers) thinks he is.  A SQL injection attack is nothing to brag about.  This breach is novice work that did nothing more than cause an unnecessary disruption and distraction from real work.

Ugh.  OK, enough ranting.  This kid can be characterized like many others who are just like him.  He is intelligent, but unchallenged.  Schools are way behind in teaching children, especially when it comes to using technology.  It's scary.  Until schools begin equipping our children on how to use computers responsibly, beyond the basics, this problem will only get worse.

I can't figure out what ticks me off more about this breach; the school district's lackadaisical approach to information security or this kid's lackadaisical approach to life.  This kid probably has incredible potential to be an outstanding information security professional.  He could become a valuable asset to an organization who really needs his skills, but if he breaks the law, he only limits his own options in life.

The article was posted by Evan Francen, President of FRSecure LLC.
About FRSecure  LLC

Past Breaches:
Unknown

Posted by Evan Francen at 10/25/2010 2:35 PM
Categories: Thames Valley District School Board, Hack
Tags: FERPA security breach network security SQL injection data breach
 
Trackbacks
Trackback specific URL for this post
  • No trackbacks exist for this post.
Comments
  • No comments exist for this post.
Leave a comment