Slashdot Mirror


WiFi Exposes Sensitive Student Data

cfarivar writes "'Like leaving a vault open, the Palo Alto Unified School District failed to place a number of highly sensitive computer files containing student information in a locked location on its network. Using a laptop with a wireless card outside the district's main office, the Palo Alto Weekly gained access to such data as grades, home phone numbers and addresses, emergency medical information complete with full-color photos of students and a psychological evaluation.'"

15 of 350 comments

  1. California's new notification provisions: July 1 by NumberField · · Score: 5, Informative
    They just squeaked by on the calendar. Under the new California Law that goes into effect on July 1, they would have to notify each of the potentially-affected students after a breach like this.

    Should be fascinating to see how people react as they start to find out how often security problems actually occur...

  2. Upside by The_Rippa · · Score: 5, Funny

    I guess Match.com and Yahoo Personals will have plenty of photos of young nubile girls to fill the fake ads on their service with.

  3. Excellent felony! by Geminus · · Score: 5, Interesting

    Hmmm... according to FCC article 15, this newspaper just openly and admittedly committed a felony. Just getting an IP address constitutes committing this felony, but to access files without the network owner's permission is a strict offense. If I'm not mistaken, didn't a San Diego security company get raided by the FBI for doing the same thing?

    1. Re:Excellent felony! by Skyshadow · · Score: 5, Insightful
      It's only a felony if they get convicted, and no jury in the land is going to convict a newspaper that discovered that a school was spooging out private information of minors to the world. That's why we have juries -- to provide a check on the government.

      Of course, they might just be declared enemy combatants and all this silly due-process thing could be avoided...

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  4. Well... by Bob+Vila's+Hammer · · Score: 5, Funny

    The district has known about some aspects of this vulnerability for nearly nine months, but failed to take action until the Weekly informed officials of the situation late last week -- a somewhat ironic development given the school board's recent adoption of a technology-use policy.

    Well when it comes to information security on Palo Alto networks, they get a big F. Fortunately, a low-level net admin was able to change the grade to an A.

    --"The perfect example of the man of action is the suicide." - William Carlos Williams
  5. Liability by Skyshadow · · Score: 5, Insightful
    I've said it before, and it's generally gotten a negative (or even angry) response, but let me say again:

    It's time to introduce some level of legal accountability for institutions which allow sensitive data to be stolen.

    The simple truth here is that pointy-hairs and bureaucrats understand one thing: Money. If you threaten to kick them in their budget, they'll respond; otherwise, you'll just keep seeing these articles.

    I mean, this is *negligence* of the sort that could easily result in at least a major violation of privacy, or at worst a stolen identity or blackmail. These institutions with faulty IT -- and it's not as if this was some complex cracking job, this is just carelessness -- need to be taught a serious lesson.

    (shakes head) It kills me that a college can lose piles of cash for buying shoes for one of their basketball players and a business can get fined for having workers lift a box that's 5 lbs. too heavy, but when they expose the private, valuable data of their students/customers, there's no sanction whatsoever....

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  6. Interesting... by Trent+Polack · · Score: 5, Funny

    I wish my old high school would've had something like that happen to them. I WANT TO SEE MY PSYCHOLOGICAL EVALUATION!

    --
    Trent Polack
    www.polycat.net
  7. more to learn by dema · · Score: 5, Insightful

    This just goes to show we have a lot more to learn about wireless technology. To a lot of people it may seem like simple common sense to use WEP or some other serious form of protection for sensitive records like that. But getting wireless is becoming just as easy as getting a cable modem hooked up so more people are doing it at a faster rate and not researching the risks that come with it.

    I read an interesting (albeit short) article not too long ago about the risks that does a nice job of explaining things.

  8. Was it just a wide open access point? by sgarrity · · Score: 5, Insightful

    From the article, it almost sounds as though it was a wide open access point (no WEP encryption or MAC filtering). If this is the case, there should be no demonizing WiFi - just a sloppy sysadmin.

  9. So, it's funny... by thenextpresident · · Score: 5, Insightful

    ...that they can "crack" into a school district computer and no one blinks an eye. But the moment a student would try the same thing, he would be expelled.

    --
    Jason Lotito
  10. Exactly by Anonymous Coward · · Score: 5, Insightful

    Check out what the person in charge at the school said:

    "I don't see this as such a huge news story," Superintendent Mary Frances Callan said the day after the district office abruptly shut down its wireless network and student information program. The real news, she added, was the great progress the district has made to its network plans, thanks to new software purchases, planned employee training sessions and the technology-use policy.

    She has absolutely no sense of responsibility of the damage she could have/has caused. Money is the only thing that will get them to take notice.

  11. Re:Security is still sub-par with wifi by bobthemonkey13 · · Score: 5, Informative

    The key to understanding WEP is the phrase "Wired Equivalency". The theory is that WEP, although a fairly weak cypher, provides the same level of privacy as unencrypted wired Ethernet. That is, breaking WEP is judged to be approximately as difficult as finding somewhere to jack into a wired Ethernet (i.e. not very). WEP never was intended to take the place of encryption systems such as SSL and IPSec that are conventionally used to secure connections over wired networks. Rather, it brings WiFi security to the level of security inherent in wired Ethernet. Thus, WiFi using WEP is insecure only because of the way it is marketed: users see it as a catch-all encryption system, rather than a replacement for the (fairly weak) security inherent to wired Ethernet's physical-access requirement.

  12. Re:California's new notification provisions: July by mcdrewski42 · · Score: 5, Interesting

    Did the newspaper bypass security and illegally access copyrighted material?

    If so, didn't they violate the DMCA - no matter what their intent?

    After all, if the US constitutional right to 'fair use' is not a loophole, why would journalistic investigation be?

    --
    /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
  13. yeah, welcome to the red tape. by c64k · · Score: 5, Insightful

    I'm a district over from Palo Alto, and it's not surprising to me that the wifi was open. That SasiXP and server shares were open is frightening. But this is what happens when parents are allowed to come in and run roughshod over the plans of the admins. Or when random parents are your admins. Palo Alto has tech people, they should get in trouble for leaving things unsecure, but the parent group that came in and blew a big hole in the existing security needs a solid slap on the knuckles too.

    The tech staff that schools have are usually underpaid and overworked, or contractors who are juggling the details of 10-15 districts. I'm still cleaning up from the last time parents got involved, getting everyone connected to the internet.

    To every tech minded parent out there: don't give us your used crap, don't come in and 'help,' just stay out of the way. We have a clue (well a lot of us do), but we spend 98% of our time cleaning up the messes left by helpful parents, clueless teachers, and malicious kids. We're trying to get the teachers up to speed, and we're working on making it hard for the kids to purposefully or accidentally fsck things up. But parents are totally deaf to the idea that the help they're offering is really hindering things.

    How do you tell someone who wants to help, no? Or better yet, what's a good project to let parents feel good about helping without damaging my network, or my systems?

    --
    CIA Industries - Running the world for fun and profit
  14. Re:Security is still sub-par with wifi by willtsmith · · Score: 5, Interesting

    This is BS. Most organizations don't have public ethernet jacks sitting curbside like a phone booth.

    The guys who designed WEP just plain fucked up. It was SUPPOSED to be an arduous task to break WEP keys. Instead it's an afternoon of number crunching.

    Beyond that, even if you DID jack in to an ethernet in a school system, you SHOULD NOT be able to access private information like grades and student records. The schools I've subbed at (unemployed programmer) have been pretty lax about securing their workstations but their GRADES etc... are secured on Novell servers.

    There is NO excuse for the failure of this school district. They are required by law to secure this information. They're lucky a hacker didn't get the info, they would have ended up with a SERIOUS lawsuit.

    PS. I'd bet you money that the paper was tipped off by a teacher who warned the school district ... BUT went unheeded. School districts don't listen to teachers. School administrators are mostly in a world of their own which mainly consists of saving their own asses by kissing the asses of parents (mainly the parents of noisy, disruptive, sociopathic kids (where do you think they get it from)).

    --
    -------- -------- Support Wesley Clark for president!!!