Tag Archive for K12

Schools Face RansomWare Risk

More than 2,000 machines at K12 schools are infected with a backdoor planted through unpatched versions of JBoss, a backdoor that could be used at any moment to install ransomware such as Samsam. TechTarget defines ransomware as malware designed for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment in Bitcoin for the decryption key.

Ransomware has typically been spread through drive-by downloads or spam emails with malicious attachments; Samsam instead arrives through servers that are already compromised, which is what makes the JBoss backdoors dangerous. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.

PCWorld reports that Cisco’s (CSCO) Talos threat-intelligence group announced that roughly 3.2 million machines worldwide are at risk. The article says that many of those already infected run Follett’s Destiny library-management software, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability: “Follett identified the issue and immediately took actions to address and close the vulnerability.”

In a presser, Follett offers patches for systems running versions 9.0 to 13.5 of its software and says it will help remove any backdoors. Follett technical support staff will reach out to customers found to have suspicious files on their systems, and the presser page even offers Snort detection rules.

Snort is a highly regarded open-source network intrusion detection tool that matches traffic against signatures for attacks such as denial of service, buffer overflows, CGI attacks, stealth port scans, and SMB probes. When a rule fires, Snort writes a real-time alert to syslog, to a separate alerts file, or to a pop-up window.

JBoss, the vulnerable underlying system, is an open-source Red Hat application server written in Java that hosts business components developed in Java. Essentially, JBoss is an open-source implementation of J2EE that relies on the Enterprise JavaBeans specification for functionality.

PCWorld reports that compromised JBoss servers typically contain more than one Web shell. “This implies that many of these systems have been compromised several times by different actors,” the company said. Talos advises checking the contents of a server’s jobs status page to see what has actually been deployed on it.

Web shells are scripts that indicate an attacker has already compromised a server and can remotely control it. Talos’s blog post lists the shells associated with this campaign.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article, and should act quickly:

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.
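The two checks Talos asks JBoss operators to make, unexpected deployments on disk and web-shell traffic in the access log, as an added example. This is not code from Talos, Follett or the original post: the expected-deployment allowlist, the command-parameter names, the planted `up.war`, and the log lines are all constructed for illustration. Follett’s Snort rules do the equivalent on the wire; this looks at the host.

```python
"""Hunt a JBoss host for the signs Talos described: deployments nobody put there
and HTTP requests that drive a JSP command shell or the JMX console."""
import os
import re
import tempfile

# Assumption: the deployments an operator expects in this instance. A real
# allowlist comes from your own build manifest, not from this script.
EXPECTED_DEPLOYMENTS = {"ROOT.war", "jmx-console.war", "destiny.war"}
WEB_ARTEFACTS = (".war", ".jsp", ".jspx")

# Query parameters a JSP command shell typically reads its command from.
# Assumption: an illustrative list, not the set Talos published.
CMD_PARAM = re.compile(r"[?&](?:cmd|command|exec|ppp)=", re.IGNORECASE)
# The JMX console and invoker servlets are the JBoss interfaces abused to plant
# the backdoors, so a request to them from outside the management network matters.
MGMT_PATH = re.compile(r"^/(?:jmx-console|invoker|web-console)(?:/|$)", re.IGNORECASE)

# Apache/Tomcat "common" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def unexpected_deployments(deploy_dir, expected=EXPECTED_DEPLOYMENTS):
    """Return deployable web artefacts in deploy_dir that are not on the allowlist."""
    found = [
        name for name in os.listdir(deploy_dir)
        if name.lower().endswith(WEB_ARTEFACTS) and name not in expected
    ]
    return sorted(found)


def parse_access_log(lines):
    """Parse common-log-format lines; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def shell_activity(entries, internal_prefixes=("10.",)):
    """Flag successful requests that look like web-shell use or management abuse.

    Returns (ip, reason, path) tuples in log order.
    """
    hits = []
    for e in entries:
        if e["status"] != 200:
            continue  # failed probes are noise for this hunt
        path = e["path"]
        base = path.split("?", 1)[0].lower()
        is_jsp = base.endswith((".jsp", ".jspx"))
        if is_jsp and CMD_PARAM.search(path):
            hits.append((e["ip"], "command parameter to JSP", path))
        elif is_jsp and e["method"] == "POST":
            hits.append((e["ip"], "POST to JSP", path))
        elif MGMT_PATH.match(base) and not e["ip"].startswith(internal_prefixes):
            hits.append((e["ip"], "management interface from outside", path))
    return hits


# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2016:03:14:01 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2016:03:14:09 +0000] "GET /up/cmd.jsp?cmd=whoami HTTP/1.1" 200 48',
    '10.20.30.5 - - [10/Apr/2016:03:15:44 +0000] "GET /destiny/Welcome HTTP/1.1" 200 9333',
    '198.51.100.23 - - [10/Apr/2016:03:16:02 +0000] "POST /up/s.jsp HTTP/1.1" 200 211',
    '198.51.100.23 - - [10/Apr/2016:03:16:30 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 404 0',
]


def build_sample_deploy_dir():
    """Create a throwaway deploy directory with one planted, unexpected .war."""
    d = tempfile.mkdtemp(prefix="jboss-deploy-")
    for name in ("ROOT.war", "destiny.war", "jmx-console.war", "up.war", "jbossweb.sar"):
        os.mkdir(os.path.join(d, name))
    return d


if __name__ == "__main__":
    print("unexpected deployments:", unexpected_deployments(build_sample_deploy_dir()))
    for hit in shell_activity(parse_access_log(SAMPLE_LOG)):
        print("suspicious:", hit)
```

A hit on a host is evidence, not proof; as Talos says above, the fix is to pull the box off the network and rebuild rather than to delete the shell you happened to find.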

rb-

I have worked with a number of customers on their library automation projects. The cost of these systems is, as usual, in the data. A great deal of time and effort goes into creating the proper MARC records, especially for books that are out of print and for kiddie books. If these files get locked up by ransomware, the system is useless and expensive to replace.

K12 schools are notoriously cheap, but the advice is the same as always:

  1. Keep your software UP TO DATE.
  2. Use a real virus scanner on your servers and administrative stations.
  3. Back-Up – Back-Up – Back-Up – With a good backup, you can just blow the machine away, re-install, restore the data, and be back in business.
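Step 3 done the way a practitioner would want it, as an added example that is not from the original post: a snapshot, an integrity manifest, and a test restore that proves the copy is usable before you need it. The catalog directory, file names and contents are constructed; a real job would also copy the archive somewhere the ransomware cannot reach (offline or write-once storage).

```python
"""Snapshot a data directory, record SHA-256s, and verify a test restore."""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def snapshot(source_dir, backup_dir):
    """Write a timestamped tar.gz of source_dir plus a manifest; return both paths."""
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = os.path.join(backup_dir, f"library-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    manifest_path = archive + ".sha256"
    with open(manifest_path, "w") as f:
        for rel, digest in sorted(build_manifest(source_dir).items()):
            f.write(f"{digest}  {rel}\n")
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore into a scratch directory and compare every file with the manifest.

    Returns the relative paths that are missing or differ; an empty list is good.
    """
    expected = {}
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch)  # an archive we wrote ourselves moments ago
    actual = build_manifest(scratch)
    return sorted(rel for rel, d in expected.items() if actual.get(rel) != d)


def demo():
    """Constructed data: a tiny catalog directory standing in for MARC exports."""
    src = tempfile.mkdtemp(prefix="catalog-")
    os.makedirs(os.path.join(src, "marc"))
    with open(os.path.join(src, "marc", "books.mrc"), "wb") as f:
        f.write(b"00123nam a2200049 a 4500" + b"\x1e" * 4)
    with open(os.path.join(src, "settings.ini"), "w") as f:
        f.write("[library]\nname=Example Elementary\n")
    dest = tempfile.mkdtemp(prefix="backups-")
    archive, manifest = snapshot(src, dest)
    results = {"fresh": verify_restore(archive, manifest)}
    # Ransomware scribbles over the live data after the snapshot; the backup
    # still verifies, which is exactly why it is the recovery path.
    with open(os.path.join(src, "settings.ini"), "w") as f:
        f.write("ENCRYPTED")
    results["after_live_tamper"] = verify_restore(archive, manifest)
    # A damaged archive or manifest has to be caught before you rely on it.
    bad = manifest + ".bad"
    with open(manifest) as f, open(bad, "w") as g:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            g.write(f"{'0' * 64 if rel == 'settings.ini' else digest}  {rel}\n")
    results["bad_manifest"] = verify_restore(archive, bad)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Run the verify step on a schedule, not just once: a backup that has never been restored is a hope, not a plan.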

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Back to School Cybersafety Resources

The new school year is here. If cybersafety is not on your “back to school” checklist, it should be. SecureWorld offered up a list of resources to help parents have a meaningful conversation about “cyber-safety” with their children. Parents need to talk with their kids about what they can do to protect themselves from the threats lurking online.

There are a variety of resources available that can help parents teach their children about the importance of Internet safety and privacy. Here are some recommended in the article.

In 2009, President Obama asked the Department of Homeland Security to create the Stop.Think.Connect. campaign to help Americans understand the dangers that come with being online. The program stresses that cybersecurity is a shared responsibility. Parents can download a Cybersecurity for Kids tip card (PDF) that offers helpful hints and advice written specifically for children.

ConnectSafely.org is a nonprofit organization dedicated to educating users of connected technology about safety, privacy and security. The website offers a number of Parent Guides, written by parents for parents.

The National Cybersecurity Alliance is an industry-led group, founded by the likes of Symantec (SYMC), Cisco (CSCO), Microsoft (MSFT), and EMC (EMC), whose mission is to educate and thereby empower a digital society to use (rb- their products) the Internet safely and securely at home, work and school.

Parents and teachers can download tips and resources from its website, StaySafeOnline.org. The tip sheets are written for specific age groups, from kindergarten to college students. The site offers resources like:

  • Free Security Check-Up and Tools – download locations for tools from A to W, Avast to Webroot (as always, use at your own risk).
  • Tip sheets for each age group.

The author states that industry professionals are also placing a high priority on preparing children for life in cyberspace. For instance, the (ISC)2 Foundation’s Safe and Secure Online program was introduced in 2006 in conjunction with Childnet International. It offers resources for parents, including Top 10 Tips for Parents (PDF) and the Parent-Child Commitment to Safety Agreement (PDF).

Business Insider polled a bunch of industry cyber security experts about what they teach their kids about the internet. The experts working in the field recommend that you:

  • Start discussing online safety at an early age.
  • If you wouldn’t do it face to face, don’t do it online.
  • Once you’ve written something online, you can’t delete it.
  • Don’t just tell them the rules; spend the time as well.

You can read the rest of the tips at Business Insider here.

rb-

Good luck, you will need it.

Talk to your students about cyber safety – Staysafe.org’s guide on Internet Safety for Teens: https://www.staysafe.org/teens/



The Enemy Within at School

Naked Security reports on a hack that combines two of our favorite things on the Bach Seat: Florida and lax data security at school. The way the Sophos blog tells the story, a 14-year-old Florida boy is charged with being a hacker for trespassing on his school’s computer system.

Florida school hacker

The charges came after he shoulder-surfed a teacher typing in his password and used it without permission to get into the network. The student then tried to embarrass a teacher he doesn’t like by swapping that teacher’s desktop wallpaper for an image of two men kissing.

A Tampa Bay Times article says that an eighth-grader was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Florida. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school using an administrative-level password without permission.

A spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, but at this point it looks like the boy isn’t going to suffer much more than a 10-day school suspension. Sheriff’s detective Anthony Bossone says the felony charge is likely to end in “pretrial intervention” by a judge, the Tampa Bay Times reports. Naked Security says this is the student’s second offense.

When the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said; it’s a well-known trick. He claimed the password was a snap to remember: it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed, while logged in as an administrator, a computer holding sensitive data: the state’s standardized tests (now we know why he is in trouble – NCLB! – Common Core!!). Those are files he well could have viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason this can’t be dismissed as just a bit of fun. Even if some would call it a teenage prank, who knows what this teenager might have done. In his own words:

I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.

In typical HS-er logic, he told the newspaper:

If they’d have notified me it was illegal, I wouldn’t have done it in the first place. But all they said was ‘You shouldn’t be doing that.’

Idaho school hacker

Another report, from the other side of the continent, comes from Engadget. It reports that a teenager from Idaho took advantage of the latest trend in online criminal activity: he likely rented a cloud-based botnet to launch a distributed denial of service (DDoS) attack against the largest school district in Idaho. The DDoS took down the school district’s internet access, according to media reports.

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack. The attack forced the entire West Ada school district offline. It disrupted more than 50 schools, bringing everything from payroll to standardized tests (more high-stakes testing – NCLB! Common Core!!) grinding to a halt. Unfortunate students taking the Idaho Standards Achievement Test had to go through the process multiple times because the system kept losing their work and results.

The report goes on to say that authorities identified the Eagle High student from his IP address. The student could now face state and federal felony charges. If found guilty, the unnamed individual is likely to serve up to 180 days in jail as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses suffered as a consequence of the attack.

rb-

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil

Rightly or wrongly, schools rely on the Intertubes for their core business – instruction and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDoS strategy, let alone buying a tool to fight off a denial of service attack.
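A password-acceptance check of the kind the commentary above says schools resist, as an added example that is not from the original post: it would have rejected the Pasco County password (a teacher’s last name) as well as the usual dictionary words. The account fields, the tiny blacklist and the sample teacher are constructed assumptions; a real deployment checks candidates against a breach corpus such as a Have I Been Pwned download rather than a six-entry set.

```python
"""Reject passwords a shoulder-surfer or a dictionary would get in one try."""
import re

# Assumption: a tiny stand-in for a real blacklist (a breach corpus is the real thing).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Undo the usual substitutions so "Sm1th" and "Smith" compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lower-case, reverse common leetspeak, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(candidate, account):
    """Return the reasons a candidate is unacceptable; an empty list means OK.

    account: things anyone near the keyboard already knows about the user
    (username, names, school). The field names are assumed.
    """
    reasons = []
    if len(candidate) < 12:
        reasons.append("shorter than 12 characters")
    norm = normalize(candidate)
    if candidate.lower() in COMMON_PASSWORDS or any(
        len(c) >= 4 and norm.startswith(c) for c in COMMON_NORMALIZED
    ):
        reasons.append("on the common-password blacklist")
    # A name that is printed on the classroom door is not a secret.
    for field, value in account.items():
        known = normalize(value)
        if len(known) >= 3 and len(norm) >= 3 and (known in norm or norm in known):
            reasons.append(f"derived from account {field}")
    if re.fullmatch(r"[a-z]+\d{0,4}", candidate.lower()):
        reasons.append("a word followed by at most four digits")
    return reasons


def acceptable(candidate, account):
    return not check_password(candidate, account)


# Constructed sample account; not a real person or school.
TEACHER = {
    "username": "msmith",
    "first_name": "Mary",
    "last_name": "Smith",
    "school": "Example Middle School",
}

if __name__ == "__main__":
    for pw in ("Smith", "Sm1th2016!", "P@ssw0rd2016", "library-cart-wheel-orange-2016"):
        print(pw, "->", check_password(pw, TEACHER) or "OK")
```

The last candidate passes because length and unpredictability, not symbol-juggling, are what defeat both the guesser and the student reading over a shoulder; the check deliberately says nothing about mandatory rotation.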



EDU- The Most Bot-Infested Sector

DarkReading confirms what I have pointed out to Bach Seat readers for a while: education people are terrible at IT security. The latest evidence comes from a BitSight report which concludes that the more bots an organization harbors in-house, the more likely it is to have reported a data breach, and that the education sector harbors the most botnet infections of any sector studied.

The DarkReading article says BitSight, a security ratings firm, studied public breach disclosure data between March 2014 and March 2015 across the finance, retail, healthcare, utilities, and education industries. The study concluded that organizations with a botnet grade of B or below had experienced data breaches at 2.2 times the rate of organizations with an A grade. The report is careful to call this a correlation: “This does not mean the infections were the cause of the breaches; rather, it means that the infections and breach incidents are correlated.”

The education sector fared poorly. Only 23% of institutions got an A as their botnet grade, and 33% got an F. The main botnets dogging schools and universities:

  • Jadtre (59.2%) – downloads other malware and steals information;
  • Flashback (22.1%) – the Java exploit targeting Apple OS X;
  • TDSS (8.3%) – discovered in 2011, it infects the master boot record of the target machine and, among other things, deletes competing malware;
  • Zeus (6%) – financial credential-stealing malware; and
  • Sality (4.4%) – one of the longest-lived botnets, first discovered in 2003 and considered one of the most complex and formidable forms of malware to date.

The report notes Flashback is malware that targets Apple computers by taking advantage of a Java vulnerability. Mac computers are popular among younger generations and educational institutions, intensifying the proliferation of this malware in education. Although the Flashback botnet itself has largely been shut down, the large number of infections that still exist indicates that people are running machines that have not been updated; thus, they are still vulnerable to other forms of infection.

Other industries scored better than education:
  • 74% of financial services firms got an A
  • 57% of retailers received an A grade
  • 53% of healthcare organizations received an A grade
  • 50% of utilities received an A

The report concludes that organizations with bot-infected machines are more likely to report a data breach: “The implications for organizations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks.”

rb-

Been there, done that … EDU people don’t get IT security. They don’t understand how much PII they collect and randomly hang onto. Their systems send data in clear text across the inter-tubes when students change schools.

Someone is going to get breached and sued and maybe they will learn.



Cyber Attacks on Schools

Cloud services and data-management systems are multiplying in the edu market. Schools, districts, and states are using online networks to store student data such as PII, medical records, attendance, and grades. Putting all of this data online is scary enough; worse, these systems are designed to let parents (and attackers) reach the data from a home PC.

More convenient for teachers and parents

Education Week explains that the switch to online data is often more convenient for teachers and parents, but these changes can also make state agencies, districts, and schools vulnerable to cyber attacks. The author cites the August 2013 DDoS attack on the Kentucky Department of Education’s statewide Infinite Campus information network as a precursor of things to come. The Kentucky agency was able to fight off the DDoS attack before any data was compromised, but school DDoS attacks are occurring more often as they get easier to execute. David Couch, the Kentucky Department of Education’s chief information officer, said:

What I understand from what I’ve seen is that [DDoS attacks are] a commonality now … I think most organizations have to add to their tool suite a way to detect them.

Online attacks

GCN reports another edu DDoS attack, this one on OnCourse Systems for Education, a SaaS firm that provides software services to K-12 schools. The firm became the victim of a UDP flood from Germany and the Netherlands. The firm had assumed it was too obscure to be a target, Mark Yelcick, chief technology officer and partner at OnCourse, said:

This was the first DDoS attack at OnCourse, and we never thought that we would be a target … There’s no money or assets to be gained by attacking an SaaS provider of K-12 educational systems. We felt that the firewall, intrusion protection and DDoS protection from our data center provider would be enough.

In order to turn back the tide of rogue packets, OnCourse brought in Prolexic, which has solutions tailored for the education market. The company engaged its emergency services, routing traffic through Prolexic’s 1.5 Tbps cloud-based DDoS mitigation platform and stopping the attacks. CTO Yelcick said, “We simply cannot afford downtime brought about by a DDoS attack.”

Because DDoS attacks can target any IP address, it’s impossible to completely prevent them, so for districts and the companies that offer data management services, the focus is on battling these attacks as they come.

“We have to be prepared and understand the environment that we are operating in so we’re prepared to address these issues as they come up,” says Infinite Campus CEO Eric Creighton, whose product was the target of the Kentucky DDoS attack.
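Couch’s point that organizations need “a way to detect them” applied to the OnCourse UDP flood, as an added example that is not code from OnCourse, Prolexic or the original post. It runs a per-victim flood detector over flow records of the kind a border router exports as NetFlow/IPFIX and a collector hands over as dictionaries; the thresholds, the field names and the sample flows are constructed assumptions to be tuned against your own baseline.

```python
"""Flag a UDP flood from per-second flow aggregates: high packet rate toward one
destination from many senders, with packet size separating direct floods from
reflection/amplification."""
from collections import defaultdict

# Assumed per-victim thresholds for a one-second bucket.
PPS_THRESHOLD = 5000       # UDP packets per second toward one destination IP
MIN_SOURCES = 50           # floods spread the load across many (often spoofed) senders
SMALL_PACKET_BYTES = 128   # direct floods use small packets; reflections use large ones


def bucket_udp_flows(flows, bucket_seconds=1):
    """Aggregate UDP flows by (destination IP, time bucket)."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        if f["proto"] != "udp":
            continue
        b = buckets[(f["dst"], f["ts"] // bucket_seconds)]
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]
        b["sources"].add(f["src"])
    return buckets


def detect_udp_flood(flows, bucket_seconds=1):
    """Return one alert per (victim, bucket) whose UDP traffic looks like a flood."""
    alerts = []
    for (dst, bucket), b in sorted(bucket_udp_flows(flows, bucket_seconds).items()):
        pps = b["packets"] / bucket_seconds
        if pps < PPS_THRESHOLD or len(b["sources"]) < MIN_SOURCES:
            continue
        avg_bytes = b["bytes"] / b["packets"]
        kind = "direct UDP flood" if avg_bytes <= SMALL_PACKET_BYTES else "reflection/amplification"
        alerts.append({
            "victim": dst,
            "t": bucket * bucket_seconds,
            "pps": int(pps),
            "sources": len(b["sources"]),
            "avg_bytes": int(avg_bytes),
            "kind": kind,
        })
    return alerts


def sample_flows():
    """Constructed data: two seconds of normal traffic, then a one-second flood
    against the SaaS front end from 200 sources in a documentation address range."""
    victim = "198.51.100.10"
    flows = []
    for t in (0, 1):
        for i in range(20):
            flows.append({"ts": t, "src": f"10.20.{i}.5", "dst": victim, "proto": "udp",
                          "dport": 53, "packets": 4, "bytes": 320})
            flows.append({"ts": t, "src": f"10.20.{i}.7", "dst": victim, "proto": "tcp",
                          "dport": 443, "packets": 40, "bytes": 20000})
    for i in range(200):
        flows.append({"ts": 2, "src": f"203.0.113.{i}", "dst": victim, "proto": "udp",
                      "dport": 80, "packets": 40, "bytes": 2400})
    return flows


if __name__ == "__main__":
    for alert in detect_udp_flood(sample_flows()):
        print(alert)
```

An alert like this is what you hand to the upstream provider or the mitigation service: the victim address, the rate and the flood type decide whether they blackhole the prefix, scrub it, or rate-limit a protocol.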

Attackers are after student PII

Part of predicting and combating cyber attacks is understanding why people launch, or pay for, these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Mr. Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.

“I don’t think these are attacks attempting to get data … There’s no jackpot of valuable data – there’s no payload here.” CEO Creighton may be spinning the results. rb- I wrote about schools collecting and losing PII here.

One reason that schools and districts are targeted is that their systems are designed for convenient access; easy access for parents and teachers makes for easier targets. Marcus Rogers, professor and chair of the cyber forensics program at Purdue University, told Education Week:

For a lot of these attacks, the intended victim or goal is something bigger than the school. Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control systems. That’s when the stakes go up.

Caused by a BYOD device

Kentucky education officials believe that the attack on their systems was triggered by a beacon. They hypothesize that malware was unknowingly installed on a student’s mobile device, which he or she then brought to school. An infected device “beacons” to the botnet’s command-and-control server, and the controller can then direct thousands of other bots to attack the network the device is connected to. In Kentucky, officials say that this won’t stop individual districts from implementing bring-your-own-device programs. However, schools can decrease the chances of an attack by making sure that these student devices are properly protected, according to Education Week. CIO Couch believes schools will start to protect themselves:

I think what you’re going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection … I think you’ll start to see that in K-12.

Purdue’s Rogers says that even when schools know best practices for avoiding and combating attacks, such measures are often cost-prohibitive. “A lot of times the schools know what to do, but at the end of the day if they’re trying to get library books, a firewall is not going to be their big concern.”
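The beaconing device in the Kentucky hypothesis above, and the infected, never-updated machines the BitSight report found across education, both leave the same trace: a host that contacts one destination at a steady interval. The following is an added example, not code from Education Week, Infinite Campus, BitSight or the original post, that finds such pairs in proxy or firewall connection logs. The log format, host names, thresholds and sample lines are constructed assumptions.

```python
"""Find command-and-control beacons by the regularity of their timing."""
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8    # enough samples to call an interval 'regular'
MAX_JITTER = 0.15      # coefficient of variation of the inter-arrival times
MIN_INTERVAL = 10      # seconds; ignore keep-alive chatter below this


def parse_conn_log(lines):
    """Parse 'epoch src_ip dst_host' lines (a deliberately minimal, constructed format)."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            conns.append((int(parts[0]), parts[1], parts[2]))
    return conns


def beacon_score(timestamps):
    """Mean inter-arrival time and its coefficient of variation (0 = perfectly periodic)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(conns, allowlist=frozenset()):
    """Return (src, dst) pairs whose connection timing looks like a C2 beacon.

    allowlist: destinations that are legitimately periodic (NTP, update checks).
    Without it those show up too; they are the main source of false positives.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        if dst not in allowlist:
            by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        mean, cv = beacon_score(stamps)
        if mean >= MIN_INTERVAL and cv <= MAX_JITTER:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "interval_s": round(mean), "jitter": round(cv, 3)})
    return beacons


def sample_log():
    """Constructed: one student device beaconing every ~5 minutes with jitter,
    one doing ordinary bursty browsing, and one syncing its clock every 64 s."""
    base = 1_400_000_000
    lines = []
    jitter = [0, 3, -2, 5, -4, 1, -1, 6, -3, 2, 4, -5]
    for i, j in enumerate(jitter):
        lines.append(f"{base + 300 * i + j} 10.30.40.51 c2-updates.example")
    for off in (0, 2, 3, 9, 40, 41, 120, 121, 122, 600, 1800, 1805):
        lines.append(f"{base + off} 10.30.40.52 news.example")
    for i in range(12):
        lines.append(f"{base + 64 * i} 10.30.40.52 time.example")
    return lines


if __name__ == "__main__":
    conns = parse_conn_log(sample_log())
    print("without allowlist:", find_beacons(conns))
    print("with allowlist:   ", find_beacons(conns, allowlist={"time.example"}))
```

Real beacons add random sleep on purpose, which is why the check tolerates jitter rather than demanding an exact period; lower MAX_JITTER and you miss them, raise it and every polling app on campus lights up, so the allowlist is as much a part of the detector as the math.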

