Slashdot Mirror
WiFi Exposes Sensitive Student Data
cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation."
Should be fascinating to see how people react as they start to find out how often security problems actually occur...
I guess Match.com and Yahoo Personals will have plenty of photos of young nubile girls to fill the fake ads on their service with.
WEP (Wired Equivalency Protection) uses RC4 encryption which is not very strong. Due to the design of RC4 (it was intended to be used over a synchronous stream), WEP designers had to make the key change with each packet. This means that the keys are quickly reused, and thus a sinffer can eventually - and usually rather quickly in large networks - determine the key loop. The SSID (Service Set ID) is sent over the wire either unencrypted or encrypted using weak algorithims.
WTLS (Wireless Transport Layer Security) was designed poorly as well. It's design limits the effectiveness that a certificate authority like Verisign can have when using WTLS.
Attacks against the WAP WTLS protocol (PDF): Source one, Source two
Security+ primer (lots of basic WEP, WAP, WTLS): Alpha Geek
Remember a week ago when at Senate hearings RIAA people said Peer to Peer that it could put inexpierenced users personal information at risk? My guess is there'll be a similar "Ban the Technology" movement against this for government use because of the potential danger. Except in cases where it would logically be needed, like free public internet access points. Of course, I could be wrong, but it's a thought.
Since when has this country used intellectual elite as a pejorative term?
Hmmm... according to FCC article 15, this newspaper just openly and admittingly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?
The district has known about some aspects of this vulnerability for nearly nine months, but failed to take action until the Weekly informed officials of the situation late last week -- a somewhat ironic development given the school board's recent adoption of a technology-use policy.
Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.
--"The perfect example of the man of action is the suicide." - William Carlos Williams
It's time to introduce some level of legal accountibility for institutions which allow sensative data to be stolen.
The simple truth here is that pointy-hairs and beaurocrats understand one thing: Money. If you threaten to kick them in their budget, they'll respond; otherwise, you'll just keep seeing these articles.
I mean, this is *negligence* or the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail. These institutions with faulty IT -- and it's not as if this was some complex cracking job, this is just carelessness -- need to be taught a serious lesson.
(shakes head) It kills me that a college can lose piles of cash for buying shoes for one of their basketball players and a business can get fined for having workers like a box that's 5 lbs. too heavy, but when they expose the private, valuable data of their students/customers, there's no sanction whatsoever....
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I wish my old high school would've had something like that happen to them. I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!
Trent Polack
www.polycat.net
Well, given that it's a newspaper that found this, I can't see that there'll be a big problem as far as non-disclosure on this one. Not to mention the fact that it's been posted to slashdot of course :-)
On a side note, could the newspaper be held liable for this, given that they were intruding on the network without permission? If the newspaper gets screwed over this, it could generate some much-needed publicity and the following public backlash over this BIG problem in the current internet legal scene (namely that if someone finds an insecure network, they usually can't disclose it without getting whacked. Sometimes even if they only tell the company concerned, the company fixes it and then whacks them).
This just goes to show we have a lot more to learn about wirless technology. To a lot of people it may seem like simple common sense to use WEP or some other serious form of protection for sensitive records like that. But getting wiresless is becoming just as easy as getting a cable modem hooked up so more people are doing it at a faster rate and not researching the risks that come with it.
I read an interesting (all be in short) article not too long ago about the risks that does a nice job of explaining things.
Hell, at my high school, I was a junior admin (most bullshit class ever). Each class had a computer which kept grades for the class. Whatever shitty grade software they used stored the grades in PLAIN TEXT LOCALLY. These were win98 machines, no user permissions, freely used by all students. I discovered this fact when one of my teachers forgot his password to the grading program and after a little browsing opened up the raw text file to show us our grades. This all happened in one of the largest (and most inept) school districts in the country too, not some backwater. Actually, from the articles i've seen, it looks like the small school districts have it together more than the large ones as far as tech goes. Our admin was a former chem teacher who spent near 0 time doing anything useful, letting us junior admins do all the grunt work.
Photos.
What do you mean fake? I met my Thai love slave on Yahoo Personals. How much more real could you get?
From the article, it almost sounds as though it was a wide open access point (no WEP encryption or MAC filtering). If this is the case, there should be no demonizing WiFi - just a sloppy sysadmin.
...that they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.
Jason Lotito
Check out what the person in charge at the school said:
"I don't see this as such a huge news story," Superintendent Mary Frances Callan said the day after the district office abruptly shut down its wireless network and student information program. The real news, she added, was the great progress the district has made to its network plans, thanks to new software purchases, planned employee training sessions and the technology-use policy.
She has absolutely no sense of responsibility of the damage she could have/has caused. Money is the only thing that will get them to take notice.
The same information was also accessible to individuals using district computers within school sites.
This case shows who or what department that was incharge had concrete policy with regards to information and IT security.
Security was fundamentally flawed, little or no security mechanisms in place, even lan connections had access to the files! Wireless connection only exacerbated the situation.
The newspapers never admitted to stealing the Watergate documents. They at least claimed that the documents were stolen by an anonymous informant. This case is different, because the paper admits to committing the felony itself, not through an anonymous informant.
I see no reason to hold this paper to any different of a standard than Kevin Mitnick. Personally I'd like to see all hackers pardoned, but until then the law is the law.
This is a general network security issue.
Confidential data needs to have strictly managed flows and storage. It'd worrying enough that this information could be accessed anywhere on campus even without the wireless threat.
When it comes to something like a psych evaluation I cant see why that information isn't kept 'offline' or on a small secured network. There is *no* justification even for allowing all staff members direct access to this sort of thing - it's ripe for abuse. I also cant see any reason why you'd need access to such a report instantly.
This takes the cake: "I don't see this as such a huge news story," Superintendent Mary Frances Callan said ...
'nough said.
Did the newspaper bypass security and illegally access copyrighted material?
If so, didn't they violate the DMCA - no matter what their intent?
After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?
/* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
I'm a district over from Palo Alto, and it's not surprising to me that the wifi was open. That SasiXP and server shares were open is frightening. But this is what happens when parents are allowed to come in and run roughshod over the plans of the admins. Or when random parents are your admins. Palo Alto has tech people, they should get in trouble for leaving things unsecure, but the parent group that came in and blew a big hole in the existing security needs a solid slap on the knuckles too.
The tech staff that school have are usually underpaid and overworked, or contractors who are juggling the detail of 10-15 districts. I'm still cleaning up from the last time parents got involved, getting everyone connected to the internet.
To every tech minded parent out there: don't give us your used crap, don't come in and 'help,' just stay out of the way. We have a clue (well a lot of us do), but we spend 98% of our time cleaning up the messes left by helpful parents, clueless teachers, and malicious kids. We're trying to get the teachers up to speed, and we're working on making it hard for the kids to purposefully or accidentally fsck things up. But parents are totally deaf to the idea that the help they're offering is really hindering things.
How do you tell someone who wants to help, no. Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?
CIA Industries - Running the world for fun and profit
With pictures and family contact information, e.g., the names of the parents or relatives authorized to pick up the child at school, identity theft is nothing compared to the other abuses that are possible.
E.g., a pedophile could go "shopping" for a victim, then use the information in the file to convince the kid that a trusted adult sent them to pick them up.
Or they could be even more aggressive and add an alias to the list of people authorized to pick up the kid at school. Then they show up and breeze past security that would normally extend from classroom to doorstep.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
"Andrew Hannah, a network administrator for the district, admitted security was an afterthought when the first open wireless networks were installed at the Jordan and Jane Lathrop Stanford middle schools and the district office between 2000 and 2002."
This is the problem with DeVry's, et al, ginning millions of Win32-morons out into the world of computer administration. You get a bunch of clownpunchers who know how to press shiny buttons but who don't have a clue about the underlying principles (and responsibilities) of the computer networks they are in charge of administering.
Mod me troll, but I'm tired of the polluted job market, and absolutely sick to death of cleaning up the puke left behind at countless small companies by these nimrods.
I have something in common with Stephen Hawking...
In all honesty, we shouldn't have legislation for data leaks and the such. Let's say Joe sysadmin sets up a WiFi network. Joe sysadmin locks down said network, board has difficult time accessing network and "orders" John netadmin to reduce the security and make it more "ease of use-ish." Now in the normal IT world there positions aren't filled with morons. In the educational system where tech jobs are filled @ $5.15 an hour, you have the soccer coach, or the part-time janitor doing IT work. Holes open up, since the net/sysadmin knows nothing of what they're doing, they get by.
The question is, would the hole have been discovered? Generally the answer is no, people don't always go looking for security exploits. Hehe, if I had WiFi when I was in HS, I'd be happier about that than anything. It makes me ponder if the news didn't try and get in, would someone have?
I've also worked for the school IT department at my university but quickly quit when I realized the average intelligence around is no higher than a walnut. The one thing I know however, is we don't want the government responsible for private information. Next thing we know is the government pushing DRM and all that other crap.
Well, actually, my attorney says no it isn't in my case... Because of the following argument:
Agreed. Intent makes the difference. Confidential information was accessed and stolen, as well.
Yes, that's true. I asked my attorney about this, and I learned a few things. First, the "breaking" part of breaking and entering happens when you break the plane of the door frame; the door could be completely wide open, and you're still breaking the law by walking through.
Second, the "breaking and entering" analogy doesn't apply. The laws governing real estate and the laws governing electronic communication are a bit different. My attorney said that a closer real estate analogy to the situation we're discussing would be the following: You own 100 acres of land, and I go and squat on one corner of your property. There are no signs up saying "Do Not Trespass." You see me squatting on one acre of your property but don't do anything for a period of time (months, years). After a time has passed, your silence effectively means that you've waived your rights with respect to the piece of property that I'm squatting on, because I'm "openly and notoriously" utilizing that land. On the other hand, if you take immediate action to notify me, you've asserted your rights, and any further incident where I trespass at that point is a separate crime.
Now, in the case of my dealings with H*neywell, if they put me on notice at any time, and I continued to access their network, then every separate instance where I connected to their network would be a specific felony. But since I was not notified until well after the fact, and because they took no measures to secure the electronic "gate" to their network, H*neywell is clearly at fault in this case.
If I'd taken any data off their internal network, then they'd still be able to nail me for that. (And I would fully expect them to do so!)
In the case of the newspaper accessing the school's network, confidential data was stolen. If the wireless access point was secured in any fashion, then merely breaking that security to gain access would be a crime, yes. But if no measures were taken to secure the access point, then merely obtaining an IP address by connecting to the access point wouldn't be a crime.
Disclaimer: I am not a lawyer, and this is my imperfect understanding of what a lawyer has explained to me. Talk to your lawyer; don't take my word for anything.
My school distrist, Fort Bend ISD in Houston, TX, had an IIS webserver that was infected with W32.SadMind. I notified the admin by email who replied with "Uhh.. the server is too slow to run Norton.. so we cant do anything". I laughed and forgot about it for a year.
Then comes a story on slashdot about infected IIS servers, I post a quip about my dealings with FBISD and a couple of Slashdot posters decided to email the district and the local TV station. THAT got it fixed within a day, however the school district was a bit upset at me.
After than, some less than ethical FBISD employee decided to attempt to reset my dyndns.org account password. A while later, I get hits from them to my linux box trying to login to my FTP and protected HTTP pages from them. This is the thanks I get for telling them that they're vulnerable.
As a student, I couldn't really do anything other than publicize what they did on my website and send a few nastygrams back.