Tag Archive for Security

Cyber Attacks on Schools

Cloud services and data-management systems are multiplying in the edu market. Schools, districts, and states are using online networks to store student data such as records, PII, medical records, attendance, and grades. Putting all of this data online is scary enough, and these systems are designed to allow parents (and attackers) to get to data from a home PC.

More convenient for teachers and parents

Education Week explains that the switch to online data is often more convenient for teachers and parents. But these changes can also make state agencies, districts, and schools vulnerable to cyber attacks. The author cites the August 2013 DDoS attack on the Kentucky Department of Education’s statewide Infinite Campus information network as a precursor of things to come. The Kentucky agency was able to fight off the DDoS attack before any data was compromised, but school DDoS attacks are occurring more often as they get easier to execute. David Couch, the Kentucky Department of Education’s chief information officer, said:

What I understand from what I’ve seen is that [DDoS attacks are] a commonality now … I think most organizations have to add to their tool suite a way to detect them.

Online attacks

GCN reports another edu DDoS attack. This one is on OnCourse Systems for Education, a SaaS firm that provides software services to K-12 schools. The firm became the victim of a UDP flood from Germany and the Netherlands. The firm tried to fly under the radar. Mark Yelcick, chief technology officer and partner at OnCourse, said:

This was the first DDoS attack at OnCourse, and we never thought that we would be a target … There’s no money or assets to be gained by attacking an SaaS provider of K-12 educational systems. We felt that the firewall, intrusion protection and DDoS protection from our data center provider would be enough.

In order to turn back the tide of rogue packets, OnCourse brought in Prolexic. Prolexic has solutions tailored for the education market. The company engaged its emergency services, routing traffic through Prolexic’s 1.5 Tbps cloud-based DDoS mitigation platform and stopping the attacks. CTO Yelcick said, “We simply cannot afford downtime brought about by a DDoS attack.”

Because DDoS attacks can target any IP address, it’s impossible to completely prevent them, so for districts and the companies that offer data management services, the focus is on battling these attacks as they come.

“We have to be prepared and understand the environment that we are operating in so we’re prepared to address these issues as they come up,” says Infinite Campus CEO Eric Creighton, the victim of the Kentucky DDoS attack.

Attackers are after student PII

Part of predicting and combating cyber attacks is understanding why people order these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Mr. Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.

“I don’t think these are attacks attempting to get data … There’s no jackpot of valuable data – there’s no payload here.” CEO Creighton may be spinning the results. rb- I wrote about schools collecting and losing PII here.

One reason that schools and districts are targeted is that their systems are designed for convenient access. Easy access for parents and teachers makes for easier targets. Marcus Rogers, a professor and chair of the cyber forensics program at Purdue University, told Education Week:

For a lot of these attacks, the intended victim or goal is something bigger than the school. Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control system. That’s when the stakes go up.

Caused by a BYOD device

Kentucky education officials believe that the attack on their systems was triggered by a beacon. They hypothesize that a beacon was unknowingly placed on a student’s mobile device, which he or she took with them to school. Viruses can cause a device to send out a beacon, instructing thousands of other devices to attack the network the device is connected to. In Kentucky, officials say that this won’t stop individual districts from implementing bring-your-own-device programs. However, schools can decrease the chances of an attack by making sure that these student devices are properly protected, according to Education Week. CIO Couch believes schools will start to protect themselves.

“I think what you’re going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection … I think you’ll start to see that in K-12.”

Purdue’s Rogers says that even when schools know best practices for avoiding and combating attacks, such measures are often cost-prohibitive. “A lot of times the schools know what to do, but at the end of the day if they’re trying to get library books, a firewall is not going to be their big concern.”


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Is Your Data Safe From Gen Y?

Fortinet (FTNT) released a new study that says that most Gen Y staff members are thwarting their employers’ Bring Your Own Device programs. Fortinet surveyed 3,200 employees between the ages of 21 and 32 on their attitudes and practices around BYOD and found that 51 percent of respondents said they would ignore formal BYOD policies at their organization. “It’s worrying to see policy contravention so high …” Fortinet VP of Marketing John Maddison said in the study report.

Gen Y staff

The same Fortinet survey revealed that 55 percent said they have been the victims of cyberattacks on their desktops or laptops. The respondents noted that those attacks had affected their productivity and potentially cost them corporate or personal data.

FierceCIO provides another example of staff’s cavalier attitude towards data security from Symantec. According to Mountain View, CA-based Symantec (SYMC), when it comes to corporate data, employees feel like they live in a “finder’s keepers” environment, Robert Hamilton, Symantec director of information risk management, said. The firm surveyed workers in the U.S. about taking corporate data outside of the workplace, whether they would use company information in another job, and their views on whether that constituted stealing. FierceCIO reports that the results of the survey were not encouraging to IT security professionals and IT management.

Finder’s keepers

  • 40% of employees download work files to personal devices,
  • 40% of employees plan to use old company information in a new job role,
  • 56% of employees do not believe it is a crime to use a competitor’s trade secrets,
  • 68% of employees say their company doesn’t take proper steps to protect sensitive information.

Mr. Hamilton summarized, “The attitude is that ownership lies with the person that created it, not with the company that employs them.” He says companies need to do a better job of safeguarding data from employees, especially with the growing popularity of BYOD. Symantec noted,

Only 38 percent of employees say their managers view data protection as a business priority, and 51 percent think it is acceptable to take corporate data because their company does not strictly enforce policies

A survey by mobile file-sharing app provider Workshare provides more evidence of how employees flout IT policies by using free file-sharing services to store and share corporate documents from their mobile devices. FierceMobileIT reports that the firm’s survey revealed that 81% of employees access work documents from their mobile devices. A disturbing 72% of workers are using free file-sharing services without authorization from their IT departments.

Fiberlink recently conducted a survey of its customers about what apps they are blacklisting and whitelisting. DropBox appeared at the top of the blacklisted apps lists for both Android and iOS devices. Commenting on the results, Fiberlink CEO Christopher Clark told FierceMobileIT: “I think there are other ways besides DropBox or Box to do apps and content management.”

Work documents on personal devices

Another survey, conducted by Ipsos MORI for Huddle, found that 91% of U.S. office workers store work documents on personal devices, such as USB drives, and 38% store documents on consumer file-sharing services.

FierceMobileIT reports that Dropbox is the most used consumer file-sharing service for work document storage and sharing.

Patrice Perche, Fortinet’s senior VP for international sales and support, said in the report:

This year’s research reveals the issues faced by organizations when attempting to enforce policies around BYOD, cloud application usage, and soon the adoption of new connected technologies. The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed.

FierceMobileIT’s Fred Donovan warns that enterprises need to educate their employees to combat the security risks of using consumer file-sharing services. He also says that employers need to offer enterprise-sanctioned file-sharing alternatives. Otherwise, employees will continue to bypass IT policies and put corporate data at risk. Symantec’s Hamilton told FierceCIO that firms need to undergo a cultural shift if they are going to win the battle of protecting their assets from their own staff.

rb-
Sharon Nelson at Ride the Lightning sums up my thoughts on the BYOD thing.

I have never understood the arrogance of this attitude or the failure to appreciate that employers have a duty to impose rules to protect client/customer/proprietary data.

It is common for each succeeding generation to despair of the generation that follows it, but I confess to a certain amount of despair for a generation that is so tied to their mobile devices that they cannot balance their desire to use their devices with the duty owed to the employer to keep work data secure. In a world where young folks cannot seem to keep from checking their phones at weddings and funerals, I guess it is no wonder that they see nothing wrong with willfully disobeying rules imposed at work.

What do you think? Is your data safe from Gen Y staff?


DDoS Attack Map

Help Net Security points out a report that DDoS attacks continue to be a global threat. The report is from Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks. Arbor has noted an alarming increase in distributed denial of service (DDoS) attack sizes this year. The Arbor Networks ATLAS monitors a significant part of all Internet traffic and found that DDoS attack size is accelerating rapidly:

  • 54% of attacks year to date are over 1 Gbps.
  • 37% of attacks this year are in the 2 – 10 Gbps range.
  • 4% of all attacks are over 10 Gbps.
  • The 2013 average DDoS attack is 2.64 Gbps, up 78% from 2012.
  • The largest monitored and verified attack size was 191 Gbps.

DDoS Attack Map Tool

One way to visualize what these facts mean is the DDoS Attack Map Tool pointed out by Brad Reese.com. The tool, built in a collaboration between Arbor Networks and think tank Google Ideas, presents a global data visualization map of distributed denial of service attacks. Google Ideas uses anonymous data from Arbor Networks’ ATLAS global threat monitoring systems. ATLAS can monitor up to 69 Tbps of Internet traffic. Researchers and users can use the DDoS Attack Map Tool to explore historical trends in DDoS attacks. They can make their own connection to related news events on any given day. The data is updated daily, and historical data can be viewed for any country worldwide.


LA Schools iPads Hacked In A Week

– UPDATE 08-28-2014 – Just in time for the start of school, reports surface that LAUSD is “re-opening” bids for its controversial billion-dollar contract with Apple and Pearson to give all students, teachers, and administrators iPads.

The second-largest school district in the US is spending at least $1 Billion to complete a 1:1 tablet initiative. The Los Angeles Unified School District (LAUSD) plans to deploy 650,000 Apple (AAPL) iPads, one for each student in LA county. The project, slated to be completed by December 2014, has had problems that may prevent it from reaching that goal.

The project includes 500 million dollars for iPads and 500 million dollars for Wi-Fi and related infrastructure. The initiative is funded mostly by voter-approved school construction bonds, which taxpayers typically pay off over 25 years, an arrangement the LA Times says “has sparked some concerns and legal and logistical hurdles.” (rb- I first noted the project here)

The project has run into a series of issues. The first issue focused on the 25 year payback period on a $500.00 device. A second issue emerged in September 2013 when the district recognized that it may need to buy Bluetooth keyboards for the iPads. The LA Times estimated a bill of $38 million for the oversight. The LA Times reports that the included software keyboard on the iPad might not satisfy the needs of older students writing term papers.

Also, LAUSD has planned to use the iPads for testing based on new Common Core English and math learning standards. The article contends that the iPad’s touch screen could frustrate students and even obscure portions of a test item that would be visible in its entirety on a full screen. (rb- I talked to many school districts about the SBAC keyboard testing issue: who is going to configure Bluetooth on and off? What about power? Does Bluetooth decrease the battery time on the iPad? Do you have enough electrical outlets to plug in 30 iPads? How is your Wi-Fi?)

In late September 2013, the LAUSD iPad project ran into a bigger problem as they deployed the iPads to high school students. According to the LA Times, it took exactly one week for nearly 300 students at Theodore Roosevelt High School to defeat the LAUSD-installed device security. Following the news that students were using the hacked tablets for personal use, district officials halted home use of the Apple tablets until further notice.

Students told the LA Times that once they had the iPad home they could not do anything with the $678 device. Apparently, the students began to tinker with the security lock on the tablets and soon discovered all they had to do was delete their personal profile information. With the profile deleted, a student was free to surf, tweet, like, and stream music.

The newfound freedom prompted L.A. Unified School District Police Chief Steven Zipperman to suggest that the district might want to delay the distribution of the devices. The chief said in a memo obtained by the LA Times, “I want to prevent a ‘runaway train’ scenario when we may have the ability to put a hold on the roll-out.”

According to a March 2013 blog post from Roosevelt HS, LAUSD chose AirWatch as the provider for the mobile device management system. The post also said that when students first get their iPads, they will have AirWatch already installed. The district posted an update on their website that indicated they have turned to AirWatch and Apple for better solutions to their iPad problem.

rb-

This really is a story of mismanagement from the top down. A billion-dollar project for consumer devices financed over 25 years – Really? Are the students of LA’s class of 2038 going to have to use the iPads from 2013? Where is the refresh program? How are they getting the money to buy 650,000 iPad 9’s in 5 or 6 years?

If the iPads are to be used at home, how is LAUSD addressing the digital divide in LA?

Did the big-wigs consider the equity of using iPads for high-stakes nationwide common core testing? Not only will LA students be compared against each other and the rest of California but also students in 44 other states. It is my understanding that the current SBAC test is not optimized to display well on small screens. Will the tablet form factor handicap LA students or others across the US using tablets when competing against others using large screens and real keyboards in ergonomically proper positions? Will LAUSD show the test takers how to see the entire question, or how to easily switch back and forth between screens to review a passage and then write a response?

Call me cynical after working in K-12 and living in the Detroit area, but a public $1 Billion dollar government project seems like a magnet for mismanagement, fraud, waste, and pay-to-play scams. It already seems to be at least $20 million over budget to buy keyboards even at K-12 discounts. Hopefully, the iOS and AirWatch updates are already included in the existing contracts.

While the headline-grabbing hacking story may be resolved in Apple’s iOS 7, AFAIK Apple does not let anybody into its BIOS or whatever chip it is on an iPad. That is why students can easily delete the AirWatch agent. LAUSD still has a task on its hands to get all the deployed devices up to iOS 7.

In more signs of mismanagement, the LA Times reports that LAUSD is missing 71 iPads. They deployed 69 of the missing iPads last year at the Valley Academy of Arts and Science. PadGadget reports that after the fact, the District ramped up its tracking efforts by adding stronger safeguards. Global positioning can now be activated for every tablet. Plus, an electronic inventory system registers who is now responsible for a particular device, and District officials can remotely shut down iPads reported stolen. Lt. Jose Santome of the school district’s Police Department stated, “We know what’s going out and deployed on every campus.”


BYOD Could Land Employees in Jail

Agreeing to a BYOD policy could land an employee in jail. Courts can go after employee personal phones in litigation involving companies. Michael Kassner, an information security consultant, told FierceMobileIT that employees could be dragged into civil or criminal litigation.

Employees could be required to give up their personal device to the courts or even have all the data on the device searched, with possible legal ramifications for the owner. According to Mr. Kassner, “There is legal precedence involving e-discovery and plain-view doctrine that allows the seizure of evidence whether it is related to the case under investigation or not.” There are three possible legal scenarios involving BYOD, says Mr. Kassner, who consulted with Tyler Pitchford, with the law firm of Brannock and Humphries.

The first scenario outlined in the article involves an employee who has signed a BYOD end-user license agreement, having his personal data wiped along with the corporate data. If the end-user agreement includes the clause enabling the wiping of all data on the personal device, the employee is out of luck.

“In the above scenario we’re talking about a legal contract, which means if the employee signed the contract, he agreed to its terms, granting his employer the right to reset the employee’s phone,” comments lawyer Pitchford.

In the second scenario, the enterprise becomes involved in a civil lawsuit and a subpoena is issued for the employee’s smartphone. During the legal discovery process, sensitive personal information is publicly disclosed.

“Since the employee co-mingled work and personal data, she has turned her smartphone into discoverable evidence … The employee can seek an order quashing the subpoena or an order sealing the discovered information, but that’s unlikely in this circumstance,” Mr. Pitchford observes.

In the third scenario brought up in the article, the employee’s company does business with a firm that is the subject of a criminal proceeding. Authorities issue a warrant for the employee’s phone because the employee has done work for the targeted firm. Incriminating evidence is found on the employee’s phone and the employee is now under criminal investigation.

“Assuming the warrant is valid, then anything the government located in plain view within the scope of the warrant is admissible against the employee in another proceeding,” Mr. Pitchford notes.

Mr. Kassner concludes: “Until case-law or new technologies decide which way the legal winds are blowing about BYOD, it might be in your best interest to avoid BYOD and its alluring convenience.”

rb-

I am not a lawyer and you should consult your own legal counsel, but as I have said before – ummm Acceptable Use Policy?
