Slashdot Mirror
Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
I missed out on having the ability to hack my middle teachers computer's. All we had were apple IIe's and Oregon Trail (Which still rocks btw) :-(.
The access was a crime. She accessed the system with an unauthorized name and password.
../../ after a URL to see if it was a scam donation site and was fined/lost his job over it.
quite a bit more than the poor sod in the UK who typed
different laws, but still a criminal trespass. I think that applies to reporters too.
hanzie.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
I have a bit of a bone to pick with that headline... it's not a "software glitch." The software was probably working exactly as it was intended to.
The problem was the process by which passwords were being assigned.
Accountability on the heads of the powerful.
Power in the hands of the accountable.
sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
fak3r.com
(c) [...] any person who commits any of the following acts is guilty of a public offense:
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:
(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).
Aa you say, according to California law the reporter who tested a user name and password and then reported the issue is guilty.
The NSA: The only part of the US government that actually listens.
A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I am suprised that the reporter was not arrested for "hacking" the system. If it was a student who did this, I think that he or she would have been expelled from school, arrested, and hauled off to jail.
You'll never know, that still might happen...
Coderz 4 Life
Yes ... human history is chock full of headless Good Samaritans.
Sometimes it pays to simply keep your mouth shut and let the people who are paid to deal with it do their jobs. Or not, but the U.S. is not a particularly friendly place for unauthorized people that report security problems.
If I noticed a serious security breach on a system or server somewhere, no way I'd point it out unless I happened to know the administrator personally, and knew that that person wouldn't immediately turn around and report me as an "evil hacker" to the FBI. I've read of too many cases where someone who was only trying to help got reamed.
It's funny, some States have Good Samaritan laws where you can be held liable for refusing to help someone in dire circumstances (car accident victim, etc.) but the law works pretty much the other way when it comes to computer security.
So forget it. Let everybody secure their own networks. Or not. But in either case it's not my problem.
The higher the technology, the sharper that two-edged sword.
I worked at a place that had the same policy for their Exchange system - i.e. blank passwords for everyone. Not only that, but normal users were not able to change their account passwords.
I discovered that the purpose of this was to allow the Managing Director to read everyone elses E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.
I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.
I shouldn't respond to this, but I feel I must. First off, both of my parents are teachers.
My mother had to work 25 years, get a national board certification, and such to reach $38,000. My father had to work similarly. All this while raising two children. When I was growing up, I remember my mother having to decide what she could afford at the store to go with rice for dinner.
Recently, the school board decided to fund my mother's room with a whopping total of $75 to purchase supplies for the year. Now what's worse is that this class has several modules that require expendable items like glue, balsa wood, certain chemicals, etc. The $75 wouldn't cover even ONE of the 12 modules. She had to buy the rest out of pocket.
And if you think they get paid over the summer, you're mistaken. Most teachers have 10-month contracts. So, what the school does is spread that money out over 12 months so that there is no stop in money flow. Also, teachers work during the day at school, and get paid no overtime for the work they do at home. Make lesson plans, grade papers, deal with irate parents, deal with the verbal abuse of morons like you... etc... etc.
Next time you make an assanine comment like that, I hope you do it in front of a teacher and get the back of your hand slapped by a ruler. But of course that won't happen since teachers are disciplined for patting a child on the shoulder now in congratulations of good work.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
And if you forget your password, you have to do it again.
Blindfolded.
A new college hire involved in a password change request.
Some have suggested our IT folks have gone a bit too far. They claim not, but it's hard to argue with new account setup metrics of 14 dead, 39 severely wounded and 21 missing (presumed logged in).
.... It wouldn't matter. A long time ago in a galaxy far far away, I used to do IT support in a school. I would create user accounts on a Netware 4.11 (see how long ago that was?) server that forced teachers to change the password upon their first logon. The teachers would almost always change the passwords to any of the following:
- Name of their child
- Type of car
- Licence plate number
- Name of husband/wife/spouse/life partner/current booty call
The kids (14 year old and younger) knew this and almost always managed to guess the passwords within a week through social engineering. So changing the passwords is half the problem, using strong passwords (or the lack of using them) is the other half of the problem.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.