Slashdot Mirror


WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation.'"

  1. Excellent felony! by Geminus · · Score: 5, Interesting

    Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?

    1. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      A friend of mine in the San Diego area got arrested for doing the same thing at a local community college. Of course the police had no idea how to handle it and the charges were eventually dropped, but last I checked they still had his laptop (it's been about 8 months).

    2. Re:Excellent felony! by LionMage · · Score: 4, Interesting

      "Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, [snip]"

      I'm not familiar with the laws, but which part is the felony exactly? How can "just" getting the IP address constitute a felony? We don't even know whether the newspaper had to crack encryption to get into this network. Maybe the access point was being run wide open, as another poster suggested.

      Certainly, if they had to break in, then it's a felony; on the other hand, if the school ran the access point wide open, then there's more of a gray area.

      I have a particular interest in this. You see, I recently got in trouble with H*neywell for using their WiFi without permission. I do consulting work for a small company, and there's a H*neywell office just down the hall from where I work. Someone at that office installed a WiFi access point, apparently contrary to company policy. That access point stayed up for many months, then recently came down, and I never thought anything of it. The access point was being run entirely without security of any kind -- no WEP, no password, nothing.

      I was only using this to surf the web and download some software updates/patches to my iBook. I didn't go out looking for this access point, but my iBook is configured to find the nearest access point as soon as it wakes up from sleep (or boots up).

      Then about a week after the access point went down, I got a call from my consulting firm. It seems that H*neywell had somehow traced my use of their WiFi access point, and wanted to do something about it. I almost lost my job, but ultimately, a deal was struck whereby I surrendered my laptop to have the hard disk imaged; the laptop was returned to me less than 2 days later, fully intact.

      The official story I got was that H*neywell hired an outside firm to check their network security, and they identified the WiFi access point as a security hole; the employee who set it up was fired. Then the security firm traced all who had used the access point, and found my "digital fingerprint."

      The unofficial story I got from some other folks in-the-know is that I had posted about my discovery in my LiveJournal, and someone did a Google search and found the entry. Apparently, I forgot to make this a non-public entry. So that's how I was really found out. (That entry has been made friends-only now.) I'm still not 100% sure how Google indexed my journal, since I have my prefs set up to prevent indexing, but not all spiders respect that.

      I know H*neywell is a defense contractor, so I had assumed, when I discovered the access point, that it must be some sort of public access point for the convenience of vendors, put in a DMZ on their network. Surely, I thought, they wouldn't be dumb enough to put a wide-open WiFi access point behind their firewall! As it turns out, the access point was behind their firewall, and I could have accessed a whole bunch of material I wasn't supposed to. Scary thought.

      I think the real reason I got in trouble was that I embarrassed H*neywell. They could have conceivably taken legal action against me personally, but that would have created a weird situation for them, since it would expose them to government scrutiny. And they might lose some favorable government contracts if that happened. Moral of the story: Always check to see what you're connecting to. That hot-spot might not be safe to connect to after all!

    3. Re:Excellent felony! by mjmalone · · Score: 4, Interesting

      He had been at the site before and the admins on the network had noticed him connected. They noted his MAC address and when they saw him connect again called the police. When the police got there the admins came out and took his NIC and read off the MAC address so they knew it was him. They had logs of all the times he had connected and what he had done, etc.

  2. WiFi? It was easier at my school; by metalhed77 · · Score: 4, Interesting

    Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles I've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.

    --
    Photos.

  3. Re:California's new notification provisions: July by mcdrewski42 · · Score: 5, Interesting

    Did the newspaper bypass security and illegally access copyrighted material?

    If so, didn't they violate the DMCA - no matter what their intent?

    After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?

    --
    /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }

  4. Re:Security is still sub-par with wifi by willtsmith · · Score: 5, Interesting

    This is BS. Most organizations don't have public ethernet jacks sitting curbside like a phone booth.

    The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.

    Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.

    There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS lawsuit.

    PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district ... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociopathic kids (where do you think they get it from)).

    --
    -------- -------- Support Wesley Clark for president!!!

  5. I tried to be helpful by DMDx86 · · Score: 4, Interesting

    My school district, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we cant do anything". I laughed and forgot about it for a year.

    Then comes a story on Slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.

    After that, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my Linux box trying to log in to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.

    As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.