Tag Archive for Insider threat

The Enemy Within at School

Naked Security reports on a hack that combines two of our favorite things on the Bach Seat: Florida and lax data security at school. The way the Sophos blog tells the story, a 14-year-old Florida boy is charged with being a hacker by trespassing on his school’s computer system.

Florida school hacker

The charges came after he shoulder-surfed a teacher typing in his password and used it without permission to trespass in the network. The student then tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.

A Tampa Bay Times article says that an eighth-grader was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Fla. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school using an administrative-level password without permission.

A spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, but at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension. Sheriff’s detective Anthony Bossone says there is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times reports. Naked Security says this is the student’s second offense.

When the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said. It’s a well-known trick, the student said. He claimed the password was a snap to remember: it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed a computer with sensitive data – the state’s standardized tests (now we know why he is in trouble – NCLB! – Common Core!!) while logged in as an administrator. Those are files he well could have viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun. Even though some might say this is just a teenage prank, who knows what this teenager might have done.

“I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.”

In typical HS-er logic, he told the newspaper:

“If they’d have notified me it was illegal, I wouldn’t have done it in the first place. But all they said was ‘You shouldn’t be doing that.’”

Idaho school hacker

Another report from the other side of the continent comes from Engadget. They report that a teenager from Idaho took advantage of the latest trend in online criminal activity. He likely rented a cloud-based botnet to launch a distributed denial of service (DDoS) attack against the largest school district in Idaho. The alleged DDoS took down the school district’s internet access, according to media reports.

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack. The attack forced the entire West Ada school district offline. The act disrupted more than 50 schools, bringing everything from payroll to standardized tests (More high stakes testing – NCLB! Common Core!!) grinding to a halt. Unfortunate students undertaking the Idaho Standard Achievement test had to go through the process multiple times because the system kept losing their work and results.

The report goes on to say that authorities have found the Eagle High student from their IP address. The student could now face State and Federal felony charges. If found guilty, the unnamed individual is likely to serve up to 180 days in jail, as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses suffered as a consequence of the attack.

rb-

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil

Rightly or wrongly, schools rely on the Intertubes for their core business – instruction, and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDoS strategy, let alone buying a tool to fight off a denial of service attack.


 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Students – Insider Threat At K12 Schools

I have spoken to several tech people outside of K-12 lately. When the topic of information security comes around, they talk about how much they are focusing on the “growing insider threat” their employers face. I always smile because those of us in K12 have always faced a hostile internal threat: students. Here are a couple of examples of how students can be an insider threat at school.

At Colorado’s Jefferson County K12 Schools, KUSA reports that administrators are investigating reports that student hackers got into Golden High School’s computer system and changed grades. Investigators are looking into whether students inside the school hacked the campus portal system. A student said, “People started giving themselves A’s.”

Golden High School students told the media that the hackers changed the grades for themselves and others just before winter break and the end of the first semester.

Administrators do not even know how many grades were changed. It could be as low as 15 students or as high as 200. The district will not say if any students were caught or how many are suspected of hacking into the system.

Jefferson County Schools Superintendent Cindy Stevenson told local TV her staff is working hard to find out how it happened. When they do, she says security will be improved.

Berkeley High School

Prestigious Berkeley High School in Berkeley, CA, succumbed to the student insider threat. The media reports nearly three dozen students were suspended and face expulsion for hacking into the K12 school’s attendance system, an act that could lead to criminal prosecution, according to SFGate. At least four students used an administrator’s stolen password to clear tardies and unexcused absences from the permanent records of 50 students, offering the service or the password for a price, Principal Pasquale Scuderi said.

The hackers erased from the system hundreds of cut classes and tardies from October through December, and charged classmates $2 to $20 for the illicit help, Scuderi told the SFGate.

Orange County K12 schools

The student insider threat struck K12 schools in Orange County, California. Omar Khan, a former student of Tesoro High School, pled guilty to charges of having installed spyware on his high school’s computers and having used the collected passwords to get access to the grading system and change his grades, according to CSO Online.

Khan and another student, Tanvir Singh, were arrested for breaking into the school’s assistant principal’s office at night. Khan’s goal was to destroy the evidence that he cheated on a statistics test by stealing it.

Khan, who had faced a maximum of 38 years in prison on the felony burglary and public-record tampering charges, is expected to be sentenced to 30 days in jail, 500 hours of community service, and ordered to pay about $15,000 in restitution.

The article says Khan admitted he was guilty of breaking into school offices and installing spyware on computers and then using the passwords to change some of his grades and those of 12 other students.

He also acknowledged that he changed his transcript grades to appeal rejection letters from the University of Southern California, the University of California, Berkeley, and the University of California, Los Angeles.

Nevada salutatorian

PC World reports that in the Pahrump, Nevada, K12 schools, Tyler Coyner, Pahrump Valley High School’s 2010 salutatorian with a 4.54 grade point average, was arrested as the ringleader in a group of 13 students who have been charged with conspiracy, theft, and computer intrusion. The article states that Coyner somehow obtained a password to the school’s grade system and, over the course of two semesters, offered to change grades in return for cash payments.

According to PC World, ten juveniles have also been arrested for having profited from Coyner’s offer to bump up their grades. It turns out that Coyner, somewhat foolishly, chose to make himself the one that profited most from his scheme. In fact, the 4.54 grade point average that made him the school’s salutatorian is the result of his own grade manipulation.

rb-

Looks like Coyner has gotten a head start on his dream of becoming a Wall Street hedge fund trader by facing criminal charges as a student insider threat at school.

 


Mommy Hacker

Time Magazine reports that a Pennsylvania woman faces six felony charges for hacking the computer system at her kids’ schools. Catherine Venusto, 45, hacked into the Northwestern Lehigh School District computer system and altered the grades of her two children, ABC News reports. Venusto had worked at the district as an administrative office secretary from 2008 through April 2011. A year before she quit, Venusto, of New Tripoli, PA, had been accused of being a hacker. She reportedly changed her daughter’s failing grade to a medical exception. And in February 2012, she was accused of changing her son’s 98 to a 99.

Third-degree felonies

Ms. Venusto was arraigned on three counts of unlawful use of a computer. She was also charged with three counts of computer trespassing and altering data. All six of those charges are third-degree felonies. Pennsylvania State police say Venusto admitted changing the grades, saying she thought her actions were unethical but not illegal.

When ABCNews.com attempted to contact Ms. Venusto at her current job as an event coördinator at Lehigh University, a school employee said her employment ended Wednesday. Venusto’s lawyer, Thomas Carroll, declined to comment.

“I’m concerned on numerous levels,” said Jennifer Holman, Northwestern Lehigh School District’s assistant superintendent. “When we say systems, there were three different systems violated…There were 10 different users that at some point had their email violated.”

PA State police investigate the hacker

Ms. Holman told ABCNews.com that she first realized something was wrong when a teacher asked why superintendent Mary Ann Wright was in that teacher’s online grade book. Once Wright explained she was never in the grade book the investigation began. Administrators and state police looked for whoever used Wright’s username and password without permission.

PA State police discovered Venusto used Wright’s credentials 110 times to access the district’s online grading system, according to the District Attorney’s office. Venusto also allegedly accessed nine other faculty members’ email accounts without permission. She also accessed the human resources “H-drive” to view “thousands of files associated with district policy, contract information, employee reports, and personnel issues.”

Superintendent Wright released a statement in anticipation of Venusto’s arraignment.

“We deeply regret this incident and that this unauthorized access occurred, and we sincerely regret any inconvenience this may cause,” Wright wrote. “We are doing everything we can to prevent this from happening again, and new security procedures are in place to better assure that our systems are protected from such attempts.”

The court set bail at $30,000. Venusto will not have to pay the bail unless she does not appear in court for her preliminary hearing. Venusto could face a maximum of 42 years in prison or a $90,000 fine, according to District Attorney’s office spokeswoman Debbie Garlicki, who said the maximum penalty on each count is seven years or a $15,000 fine.

rb-

The mommy hacker’s defense is “I thought it was immoral but not illegal.” I will mention in passing the declining parenting standards which are creating a narcissistic and self-absorbed generation that has no consciousness of what right and wrong is.

The Administration and IT departments both bear the blame for this intrusion. Some easy-to-implement best practices could have shut the mommy hacker down quicker. They should have required regular password changes. They could have broken the bank and installed an intrusion protection system.

Those of us who work in K-12 understand that security is only important after an incident.

 


Fannie Mae – What Ails America

ComputerWorld reports that Rajendrasinh Babubhai Makwana, an Indian national in an outsourced contract job as a Unix engineer, is accused of planting malicious code on his employer’s network. Makwana was employed by the Federal National Mortgage Association, better known as Fannie Mae. He has been accused of planting malicious code on the corporation’s network that was to “destroy and alter” all the data on the company’s servers on 01-31-09, court documents show.

Makwana, 35, was indicted on 01-27-2009 by a federal court on a single charge of computer intrusion, according to documents released yesterday. Reports are unclear about the attacker’s employer or his employment status. According to the AP, Makwana has lived in the United States since at least 2001.

According to the complaint sworn by FBI Special Agent Jessica Nye, Makwana was let go from his outsourced contract position at Fannie Mae’s Urbana, Md., datacenter on Oct. 24, 2008. He was fired after he had “erroneously created a computer script that changed the settings on the Unix servers without the proper authority of his supervisor.” Makwana had created that settings-changing script on Oct. 10 or Oct. 11, as much as two weeks before he was fired, Nye said.

Within 90 minutes of being told he was terminated on Oct. 24, and several hours before his access to the Fannie Mae network was disabled later that evening, Makwana embedded a malicious script in a legitimate script that ran on Fannie Mae’s network every morning, Nye said in her affidavit.

The logic bomb would have “caused millions of dollars in damage and reduced if not shutdown [sic] operations at [Fannie Mae] for at least one week” if it had not been found before Saturday’s trigger date, the complaint said. “this script would power off all servers, disabling the ability to remotely turn on a server,” said the government’s complaint. “Subsequently, the only way to turn the servers back on was physically getting to a data center.”

rb-

I agree with Dvorak’s piece on MarketWatch which asks the rhetorical question, why was Makwana working at Fannie Mae in the first place? Are you telling me no American citizen could have done his job?

It has long been believed that in most cases H-1B visas in technology have been exploited by companies such as Fannie Mae only because programmers coming from India work cheaper. Over the years, companies like Fannie Mae have been begging for more and more H-1B visas to outsource more jobs. That means more people working cheaper than the going rate. You get what you pay for.

This episode also is further evidence that Fannie Mae is still a poorly run company. Is it really so hard to turn off someone’s network access when you take their ID card? A good place to start is that when a person is meeting with their boss and HR, to be terminated, their access to all systems is to be suspended. There is no reason to allow access to remote systems. In this case, based on the papers filed, Just more of my tax dollars at waste work.
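The gap between the termination notice and the account being disabled can be audited by comparing HR notice times with account-disable times and listing anything the departing user changed after notice. This is an added example, not code from the original post or the court filings; the user names, clock times, file paths and the three input tables are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: names, clock times and paths are illustrative only.
TERMINATIONS = {  # user -> time HR told the person they were terminated
    "contractor1": datetime(2008, 10, 24, 13, 0),
    "analyst2": datetime(2008, 10, 24, 9, 0),
}
DISABLED = {  # user -> time the account was disabled (missing = still enabled)
    "contractor1": datetime(2008, 10, 24, 19, 30),
    "analyst2": datetime(2008, 10, 24, 9, 0),
}
CHANGES = [  # (user, time, path) rows, e.g. exported from file-integrity monitoring
    ("contractor1", datetime(2008, 10, 24, 11, 15), "/opt/jobs/daily_check.sh"),
    ("contractor1", datetime(2008, 10, 24, 14, 20), "/opt/jobs/daily_check.sh"),
    ("analyst2", datetime(2008, 10, 24, 8, 40), "/home/analyst2/notes.txt"),
]


def offboarding_gaps(terminations, disabled, changes, now, max_gap=timedelta(0)):
    """Return one finding per user whose access outlived the termination notice."""
    findings = []
    for user, notified in sorted(terminations.items()):
        cutoff = disabled.get(user)  # None means the account is still live
        gap = (cutoff if cutoff is not None else now) - notified
        # Anything the user changed after being notified needs human review,
        # whether or not the account was eventually disabled.
        late = sorted((t, p) for u, t, p in changes if u == user and t > notified)
        if gap > max_gap or late:
            findings.append({"user": user, "gap": gap,
                             "still_enabled": cutoff is None, "review": late})
    return findings


def report(findings):
    """Format findings as plain-text lines for a ticket or e-mail."""
    lines = []
    for f in findings:
        state = "STILL ENABLED" if f["still_enabled"] else "disabled late"
        lines.append(f"{f['user']}: access open {f['gap']} after notice ({state})")
        lines += [f"  review change at {t:%Y-%m-%d %H:%M}: {p}" for t, p in f["review"]]
    return lines


if __name__ == "__main__":
    now = datetime(2008, 10, 25, 8, 0)
    print("\n".join(report(offboarding_gaps(TERMINATIONS, DISABLED, CHANGES, now))))
```

Run against real exports, a non-empty result means either the disable step lagged the HR meeting or a scheduled job was edited by someone already on the way out; both call for a diff of the touched files before they next run.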

 
