WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."

Excellent felony!

[Geminus]

Hmmm... according to FCC article 15, this newspaper just openly and admittingly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?

Re:Excellent felony!

[mjmalone]

A friend of mine in the San Diego area got arrested for doing the same thing at a local community college. Of course the police had no idea how to handle it and the charges were eventually dropped, but last I checked they still had his laptop (its been about 8 months).

Re:Excellent felony!

[LionMage]

Hmmm... according to FCC article 15, this newspaper just openly and admittingly committed a felony. Just getting an IP address constitutes committing this felony, [snip]

I'm not familiar with the laws, but which part is the felony exactly? How can "just" getting the IP address constitute a felony? We don't even know whether the newspaper had to crack encryption to get into this network. Maybe the access point was being run wide open, as another poster suggested.

Certainly, if they had to break in, then it's a felony; on the other hand, if the school ran the access point wide open, then there's more of a gray area.

I have a particular interest in this. You see, I recently got in trouble with H*neywell for using their WiFi without permission. I do consulting work for a small company, and there's a H*neywell office just down the hall from where I work. Someone at that office installed a WiFi access point, apparently contrary to company policy. That access point stayed up for many months, then recently came down, and I never thought anything of it. The access point was being run entirely without security of any kind -- no WEP, no password, nothing.

I was only using this to surf the web and download some software updates/patches to my iBook. I didn't go out looking for this access point, but my iBook is configured to find the nearest access point as soon as it wakes up from sleep (or boots up).

Then about a week after the access point went down, I got a call from my consulting firm. It seems that H*neywell had somehow traced my use of their WiFi access point, and wanted to do something about it. I almost lost my job, but ultimately, a deal was struck whereby I surrendered my laptop to have the hard disk imaged; the laptop was returned to me less than 2 days later, fully intact.

The official story I got was that H*neywell hired an outside firm to check their network security, and they identified the WiFi access point as a security hole; the employee who set it up was fired. Then the security firm traced all who had used the access point, and found my "digital fingerprint."

The unofficial story I got from some other folks in-the-know is that I had posted about my discovery in my LiveJournal, and someone did a Google search and found the entry. Apparently, I forgot to make this a non-public entry. So that's how I was really found out. (That entry has been made friends-only now.) I'm still not 100% sure how Google indexed my journal, since I have my prefs set up to prevent indexing, but not all spiders respect that.

I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall! As it turns out, the access point was behind their firewall, and I could have accessed a whole bunch of material I wasn't supposed to. Scary thought.

I think the real reason I got in trouble was that I embarrassed H*neywell. They could have conceivably taken legal action against me personally, but that would have created a weird situation for them, since it would expose them to government scrutiny. And they might lose some favorable government contracts if that happened. Moral of the story: Always check to see what you're connecting to. That hot-spot might not be safe to connect to after all!

Re:Excellent felony!

[mjmalone]

He had been at the site before and the admins on the network had noticed him connected. They noted his MAC address and when they saw him connect again called the police. When the police got there the admins came out and took his NIC and read off the MAC address so they knew it was him. They had logs of all the times he had connected and what he had done, etc.

Re:They did it with p2p...

WiFi should be banned. In fact there was talk of a congressional hearing on the sad state of security in WiFI. It is insecure by default and the maximum secuirty you can apply to it is flawed and easily hackable.

If this does anything, it should make the gov. smack the hell out of all WiFi consortium members by preventing them from selling any more equipment till they actually get it right. (And giving refunds for all faulty equipment already sold)

WiFI? It was easier at my school;

[metalhed77]

Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles i've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.

Re:California's new notification provisions: July

[mcdrewski42]

Did the newspaper bypass security and illegally access copyrighted material?

If so, didn't they violate the DMCA - no matter what their intent?

After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?

How about in a hospital

WiFi is now commonly used throughout hospitals transmitting unencrypted patient information to mobile carts and charting hand helds. Imagine what you could grab just by sitting in the lobby.

Re:Security is still sub-par with wifi

[willtsmith]

This is BS. Most organization don't have public ethernet jacks sitting curbside like a phone booth.

The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.

Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.

There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS law suit.

PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district ... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociapathic kids (where do you think they get it from)).

Re:yeah, welcome to the red tape.

[Rysith]

I agree. I am a student in the PAUSD who happens to run a lot of the computer stuff at one of the high schools. Many times, parents (with what I hope are good intentions) try to give us stuff. Usually, it compleatly fails to work well with what is already in place, although they insist that it is perfect for whatever we want to do with it. What is more, we have so many tech parents that all want to set things up their own way, regardless of what anyone else is doing, because they want to "Help the school" that even the tech people for the school don't know how a lot of our equipment is set up. It has gotten so bad that I know of at least two teachers at my school who have said that nobody gets to do anything to their computers without their permission (fortunatly, they both know what they are doing). There are many times when I wish that all the helpful parents would go away and be helpful to somebody else, instead of giving us their old apple 2s or offering to set up that new campus-wide wireless network that is crucial to their child's learning environment.

Sigh. My rant is over now.

Students do this too

[kavachameleon]

My friend and I recently gave a white paper to our school describing all net vulnerabilities. We were able to access attendance and grade records, as well as the faculty folders because they didn't secure one of their servers. Also, there was an "install" folder with copies (serials included!) of all of the install cds for all the programs ever used at our school. Office, Starry Night, the grade program, etc. It was a treasure trove. But, like responsible people, we gave them the white paper. The sysadmin was unaware of any of this.

I tried to be helpful

[DMDx86]

My school distrist, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we cant do anything". I laughed and forgot about it for a year.

Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.

After than, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.

As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.

Not surprised

[Linker3000]

Stayed in a uni hotel (part of their conference suite) about a month ago and each room had access to the campus network and Internet via a 100BaseT connection. Hooking my laptop to the network revealed dozens of workgroups, numerous student and uni PCs. About 80% of the PCs had guest login disabled, but among the noteworthy that didn't: 1 PC hosting numerous recent movies including the one where there is no spoon (reloaded) 1 PC sharing 'my documents' with tons of party pics (all very pretty but harmless) Numerous MP3s in about 20 shared 'my music's A smattering of pr0n Almost every accessible PC infected with worms that spread via NETBIOS (Norton AV 2003 went frantic every time I browsed a share) Welcome to the real world L3K