WiFi Exposes Sensitive Student Data
cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation.'"
I guess Match.com and Yahoo Personals will have plenty of photos of young nubile girls to fill the fake ads on their service with.
The district has known about some aspects of this vulnerability for nearly nine months, but failed to take action until the Weekly informed officials of the situation late last week -- a somewhat ironic development given the school board's recent adoption of a technology-use policy.
Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.
--"The perfect example of the man of action is the suicide." - William Carlos Williams
I wish my old high school would've had something like that happen to them. I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!
Trent Polack
www.polycat.net
What do you mean fake? I met my Thai love slave on Yahoo Personals. How much more real could you get?
when it comes to networks.
Not only do they expose sensitive information,
but they run generally insecure servers, and
they pay mercenary network installation contractors
1000 cents on the dollar for old crappy network
hardware.
And the web pages set up by school districts for
employees to use are brain dead.
This one:
http://www.teachinla.com
has a link on the NCLB teacher profile logo
that sends you to a page that will let anybody
that can get a teacher's employee number and
birthdate change their professional credentials.
Well, it would, except the form page doesn't work!
Those who can set up networks, do.
Those who can't, do it anyway.
It takes 3 seconds to set up an access point and about 2 minutes to set it up and secure it. Even my neighbor (who apparently has wi-fi going on I see) was smart enough to secure their network (so much for the extra bandwidth for those huge game demo downloads, while I play online with no latency or packet loss!)
well, was she right?
Know what I like about atheists? I've yet to meet one that believes God is on their side.
I'm your Thai love slave.
I'm a 46 year old white dude. I weigh in at 332 lbs, and I sell pig manure to soy bean farmers for a living.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
>How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?
You must have a backlog of projects, if you're like most IT people. Turn those into requirements documents, and the next time a parent asks to help, hand him/her a requirements doc.
A few years ago I was taking a Cisco course that was offered through our school by the local Tech Institution. I was working on a way to log into a Win2k server box over a modem so that I could do various things from home (never did exactly figure out what, as the net connection at the school was crap and the modem never did work), but as I was looking at the network I ran across the school's web page and looked at the server behind it (WinNT 4 with IIS, luckily patched for Code Red, which had been running rampant about that time). I could log onto the server through FTP as Anonymous and browse through the few files that were there. The one gem I found was an Access database with personal information about every single employee of the district. Being the good little boy, I told IT (wonderful when the teachers listen to you). The server stopped serving FTP for about a week and then it was back up with the offending file. It didn't get taken back down until they did a major upgrade over the summer and put a Win2k box in its place. (That and half the IT staff got replaced that year.) Ahh, the stories of our IT staff, I could go on forever.
The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very).
Yeah, I'm sure they made it weak on purpose... They were all set to publish a stronger algorithm, but then someone said "Hey! This isn't wired *equivalent*, this is superior to unencrypted Ethernet."
Unfortunately by that point they were already set on the name. [It was already in all the marketing materials and WEP just has a better ring to it than BWP (Better than Wired Privacy).] So the only solution was to introduce an arcane security flaw.
Yeah, that's so much more plausible than "They fucked up!"
-a