Slashdot Mirror


NJ School District Hit With Ransomware-For-Bitcoins Scheme

An anonymous reader sends news that unidentified hackers are demanding 500 bitcoins, currently worth about $128,000, from administrators of a New Jersey school district. Four elementary schools in Swedesboro-Woolwich School District, which enroll more than 1,700 students, are now locked out of certain tasks: "Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias. Also, [district superintendent Dr. Terry C. Van Zoeren] explained, parents cannot receive emails with students' grades and other information." According to this blog post from security company BatBlue, the district has been forced to postpone the Common Core-mandated PARCC state exams, too. Small comfort: "Fortunately the Superintendent told CBS 3’s Walt Hunter the hackers, using a program called Ransomware, did not access any personal information about students, families or teachers." Perhaps the administrators can take heart: Ransomware makers are, apparently, starting to focus more on product support; payment plans are probably on the way.

21 of 167 comments

  1. I wouldn't mind the NSA so much if... by FlyHelicopters · · Score: 3, Insightful

    ...they went after these criminals.

    If our government actually did something about stuff like this, I think people would believe in their government a bit more, but as it stands, it seems like the NSA and such only want to either spy on us or topple governments that don't toe the line for the US.

    I cannot imagine that finding these criminals is beyond the abilities of the US Government; it just seems like they don't even try.

    1. Re:I wouldn't mind the NSA so much if... by OrangeTide · · Score: 2, Insightful

      And why would the NSA potentially reveal the techniques just to capture some crooks? That classified information is surely worth more than the $128K. If it were up to the NSA, they would just pay the ransom and focus on finding terrorists instead.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:I wouldn't mind the NSA so much if... by jeffmeden · · Score: 4, Interesting

      ...they went after these criminals.

      If our government actually did something about stuff like this, I think people would believe in their government a bit more, but as it stands, it seems like the NSA and such only want to either spy on us or topple governments that don't toe the line for the US.

      I cannot imagine that finding these criminals is beyond the abilities of the US Government; it just seems like they don't even try.

      The thing is, if they did, you would never know about it. It may seem like they don't even try, and they might not be, but they could also be defeating 95% of it. With a mission that is by design clandestine, no one may ever know until our kids get a peek at the public records dump 50 years from now.

  2. PII is safe - whew! by xxxJonBoyxxx · · Score: 2

    >> the Superintendent (said) the hackers did not access any personal information about students, families or teachers

    He knows this because the hackers told him?

    1. Re:PII is safe - whew! by DroolTwist · · Score: 2

      If they wait a week or two, the value of 500 BTC might be down to around $7000 USD.

  3. How many computers can you buy for $128k? by OrangeTide · · Score: 2, Insightful

    Maybe 200-500 computers. Is the ransom higher than what it would cost to replace everything? (maybe not enough to replace them with Macs, but Linux and Chromebooks are possible). How many computers does a district with 1700 students really need to get the basics done?

    Just seems like a steep ransom to me. Especially since if I replaced all the computers, the old equipment is worth something and I could probably auction it off.

    The data is gone if you don't pay the ransom (or crack the encryption). Sadly I don't have a way to resolve that problem, other than to start over again and hopefully anything important has backups. (ideally in a form that doesn't spread infection)

    --
    “Common sense is not so common.” — Voltaire
  4. Disaster Recovery? by Grisstle · · Score: 2

    No backup system to restore from? Systems linked that should not be linked together? As for classroom computers, fuck it, reimage those suckers. This should not be happening and in the IT dept. heads need to roll. I'm head of IT for a school board and I'm telling you that this should not have happened or at the very least the affected number of computers should be much lower.

    1. Re:Disaster Recovery? by slashmydots · · Score: 2, Informative

      In case you're not familiar, let me give you the breakdown. The worst educated, fat, smoking, abrasive personality, asshole nurses work at kidney dialysis places. That's simply where the worst possible employees end up from that career field. The worst IT workers end up at schools. It's low pay and higher demand than corporate environments, the budget is a joke, and they're perpetually understaffed. So you get some clueless moron who can't hold down a real job working as the IT administrator at any given school.

  5. I have a solution by slashmydots · · Score: 3, Funny

    The US government needs to immediately make it illegal to pay these types of ransoms. You have no idea what group is collecting the money or what they're going to do with it so just simply make it illegal. That will stop most of these ransoms from happening.

    1. Re:I have a solution by oodaloop · · Score: 2

      Indeed, once something is made illegal, no one ever does it again!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  6. How is this any different from what Microsoft? by Anonymous Coward · · Score: 2, Interesting

    My wife's district uses Microsoft Dynamics, and the piece of garbage, that has never printed a correct pay check, lost its activation so the district could no longer print pay checks, accept payments for lunch, pay bills, etc. They couldn't even look up contact info for vendors to call them to give them a heads-up about the late payments. Microsoft really fucks over people with their activation garbage. This isn't like the rest of us that have to suffer with the Office garbage losing its activation so we can't open a Word doc. This is Microsoft holding large organizations hostage with demands for more money. They changed their support fees after the fact. I'm still trying to fix the problems caused with my wife's delayed deposit and NSF fees.

  7. Re:Linux? OS X? Chrome OS? Nope. OpenBSD! by Anonymous Coward · · Score: 2, Funny

    OpenBSD is a great option for a school, because the safest computer is one where there is no software for it at all.

    But having no computers is still cheaper and more secure.

  8. Re:Perfect time to consider paradigm shift by ColdWetDog · · Score: 2

    And it's even a better time to learn about backups, redundant systems and testing. No matter what your system is (computer, papyrus, chiseled rock), something is going to come along and screw it up. If you need the data to keep doing your job, you need some sort of backup system.

    And especially if it is a computer system connected to the Internet.

    You can lose your lunch money on an open source system just as well as a proprietary one.

    Murphy cares not for your screed.

    --
    Faster! Faster! Faster would be better!
  9. Cannot take attendance? by Okian+Warrior · · Score: 4, Insightful

    "Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias."

    One can only wonder how difficult it was to teach high school before computers.

    How did our ancestors manage?

  10. Re:Seriously NJ? by Tailhook · · Score: 3

    a PITA but oh well that's what careless IT admin buys you

    Yeah. Careless IT people.

    Nothing to do with unreasonable faculty demanding those peon IT people give them wireless and remote access to everything using their iphone/pad, android and infected eight different ways home peecee without the slightest friction or impediment. Probably has nothing to do with the IT budget that gets grudgingly funded only after the quarterly pension COLA bump and the administrative bonuses are paid out, ensuring the whole system relies on a wheezing 12 year old sonicwall appliance. That couldn't have anything to do with it. It's got to be those fools in IT.

    On the other hand, the IT staff probably is the direct result of a hiring policy that has actual knowledge and talent waaay down the list of qualifications after race, sex, sexuality, disability and every other imagined grievance they can dream up. That and they're almost certainly terrified of touching the slightest thing lest they interfere with the $240k/year politically connected hypercrat in district HQ that spends nine hours a day surfing porn.

    School districts in places like NJ are pretty dysfunctional institutions. Pinning this kind of failure on the IT peons alone is badly naive.

    --
    Maw! Fire up the karma burner!
  11. Re:Run as user AND back-ups by mlts · · Score: 2

    Most backups would be erased or encrypted by the ransomware. The problem is that people think in terms of disk failures or hardware failures, so have their backup solution based around this. With just this in mind, going with two SANs that replicate with each other asynchronously is the best thing to do, since the data is always available.

    However, this doesn't factor in software designed to corrupt/encrypt backups over a long haul. This is going to take a dedicated backup server that pulls backups and stores them in a place where a machine cannot access (and thus tamper) with stored data. It also takes a long data retention policy, just in case.

    However, in a lot of places, backups are like security -- they are viewed as having no ROI, so at best, you might get some mechanism to stash stuff on disk, but if a machine can back up to the disk directly, it likely can erase/modify stored data.

  12. Re:Backups by TechyImmigrant · · Score: 2

    If you talk to a school administrator and ask them to recover from the nightly backups, you are likely to get a blank stare back.
    School districts and schools couldn't be worse set up to deal with complex system recovery.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  13. Re:These movie villains by RavenLrD20k · · Score: 2

    I bet they deliver some bloated soliloquy at a key moment and ruin their entire plan

    Not if they're being led by Veidt. Then you get the bloated soliloquy 30 minutes after the plan was executed.

  14. Re:Backups by Anonymous Coward · · Score: 2, Insightful

    What if they pulled their good backup tapes off the shelf, plugged them into one of their infected, online desktops, and the tapes got re-encrypted? Repeat as necessary until there are no more tapes. Then ask another IT admin for help, and learn about write-protect tabs too late for this time.

    [ I wish I could say I hadn't seen this before ]

  15. Pay the ransom by viperidaenz · · Score: 2

    Bitcoins are traceable. Spend another 10k and hire a meth addict hitman.

  16. Sneaky jab at Common Core by imidan · · Score: 2

    FTFS:

    the district has been forced to postpone the Common Core-mandated PARCC state exams

    But the Common Core DOES NOT mandate any particular exam or evaluation instrument of any kind. PARCC is, according to Wikipedia, "a coalition of 12 states and the District of Columbia that are working to create and deploy a standard set of K-12 assessments in math and English." PARCC is basing their assessments upon the Common Core standards, but it is PARCC that mandates the exams, not Common Core.

    Common Core is, literally, just a list of skills that students should have at various grade levels. For example, sixth grade math students are supposed to be able to "Write, read, and evaluate expressions in which letters stand for numbers." That simple statement, and many like it, make up the Common Core. It has nothing to do with mandating exams.

    The Common Core standards are freely available on the web, in case you would like to look at them: http://www.corestandards.org/r...