WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."

California's new notification provisions: July 1

[NumberField]

They just squeaked by on the calendar. Under the new California Law that goes into effect on July 1, they would have to notify each of the potentially-affected students after a breach like this.

Should be fascinating to see how people react as they start to find out how often security problems actually occur...

Security is still sub-par with wifi

[mao+che+minh]

WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sinffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithims.

WTLS (Wireless Transport Layer Security) was designed poorly as well. It's design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.

Attacks against the WAP WTLS protocol (PDF): Source one, Source two

Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek

Re:Security is still sub-par with wifi

[bobthemonkey13]

The key to understanding WEP is the phrase "Wired Equivalency". The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very). WEP never was intended to take the place of encryption systems such as SSL and IPSec that are conventionally used to secure connections over wired networks. Rather, it brings WiFi security to the level of security inherent in wired Ethernet. Thus, WiFi using WEP is insecure only because of the way it is marketed: users see it as a catch-all encryption system, rather than a replacement for the (fairly weak) security inherent to wired Ethernet's physical-access requirement.

They did it with p2p...

[c0dedude]

Remember a week ago when at Senate hearings RIAA people said Peer to Peer that it could put inexpierenced users personal information at risk? My guess is there'll be a similar "Ban the Technology" movement against this for government use because of the potential danger. Except in cases where it would logically be needed, like free public internet access points. Of course, I could be wrong, but it's a thought.

Getting an IP is a felony?

[LionMage]

You bring up an interesting point, so I actually called my attorney and asked him about the points you bring up.

Yes, just getting an IP address is a felony. FCC law says that robbing someone electronically of services or interfering with electronic transmission IS a felony.

Well, actually, my attorney says no it isn't in my case... Because of the following argument:

1. H*neywell is a corporate entity with known expertise in electronic communication.
2. H*neywell is on "constructive notice" that they must secure their resources or face the possibility of people "openly and notoriously" using their resources (in this case, wireless network access).
3. H*neywell remains silent as I and others connect to and use their wireless access point, even though they have the capability to monitor such access, and the ability to lock the electronic "gate" that bars access to this resource. (Locking the gate in this case is equivalent to putting some kind of password protection on the access point.)
4. H*neywell has, in effect, waived their rights by not voicing objections and putting me and others on notice, and by not securing their resources.

It was [the newspaper's] intention to access the network and they knowingly downloaded files that were sensitive in nature.

Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.

If you knowingly leave your door unlocked and I willingly open it and walk in, have I committed criminal trespass? According to the law I have... it's called "breaking and entering."

Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.

Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.

Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.

If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)

In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.

Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.