{"id":77384,"date":"2015-07-02T22:15:48","date_gmt":"2015-07-03T02:15:48","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-11T20:53:24","modified_gmt":"2021-08-12T00:53:24","slug":"the-enemy-within-at-school","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/the-enemy-within-at-school\/","title":{"rendered":"The Enemy Within at School"},"content":{"rendered":"

\"TheNaked Security<\/a><\/em> reports<\/a>\u00a0on\u00a0a hack that combines two of our favorite\u00a0things on the Bach Seat<\/strong><\/a>, Florida<\/a>,<\/strong> and lax data security<\/strong> at school. The way the Sophos<\/a> blog\u00a0tells the story, a 14-year-old Florida<\/a> boy is charged with being a hacker by trespassing<\/strong> on his school’s computer system.<\/p>\n

Florida school hacker<\/h3>\n

The charges came after he shoulder-surfed<\/strong> a teacher typing in\u00a0his password <\/strong>and used it without permission to trespass in the network. The student then tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.<\/p>\n

\"an<\/a>A Tampa Bay Times<\/a> <\/em>article<\/a> says that an eighth-grader<\/strong> was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Fla<\/strong>. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County<\/a>\u00a0School District school using an administrative-level password<\/strong> without\u00a0permission.<\/p>\n

A spokesman for the Pasco County Sheriff’s Office<\/a> told Network World<\/a><\/em> that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, But at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension.\u00a0<\/strong>Sheriff’s detective Anthony Bossone says is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times<\/em> reports. Naked Security says this is the student\u2019s\u00a0second offense<\/strong>.<\/p>\n

\"Old<\/a>When the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account<\/strong> to screen-share with their friends, he said. It’s a well-known trick, the student said. He claimed the password was a snap to remember, it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.<\/p>\n

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed a computer with sensitive data – the state’s standardized tests<\/a> –<\/strong>\u00a0(now we know why he is in trouble – NCLB! – Common Core!!<\/strong>)\u00a0<\/em>while logged in as an administrator. Those are files he well could have\u00a0viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason\u00a0why this can’t be dismissed as being just a bit of fun. Even though some might say this is just a teenage prank, who knows what\u00a0this teenager might have done.<\/p>\n

I logged out of that computer and logged into a different one and I logged\u00a0into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him<\/em>.<\/p>\n

in typical HS-er logic, he told the newspaper:<\/p>\n

If they’d have notified me it was illegal, I wouldn’t have done it in the\u00a0first place. But all they said was ‘You shouldn’t be doing that.<\/em>‘<\/p>\n

Idaho school hacker<\/h3>\n

\"rented<\/a>Another report from the other side of the continent comes from Engadget<\/a>. <\/em>They\u00a0report<\/a> that a teenager from Idaho<\/a> took advantage of the latest trend in online criminal activity. <\/strong>He likely rented a cloud-based botnet<\/strong> to launch a distributed denial of service<\/strong> (DDos) against the largest school district in Idaho. The alleged DDoS<\/a><\/strong> took down the school district’s internet access according to media reports.<\/p>\n

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack\/ The attack forced the entire West Ada school district offline<\/strong>. The act disrupted more than 50 schools, bringing everything from payroll to standardized tests<\/strong>\u00a0(More high stakes testing – NCLB! Common Core!!<\/strong><\/em>) grinding to a halt. Unfortunate students undertaking the Idaho Standard Achievement test<\/strong> had\u00a0to go through the process multiple times because the system kept losing their work and results.<\/p>\n

\"State<\/a>The report goes on to say that authorities have found the Eagle High student<\/strong> from their IP address. The students could now face State and Federal felony charges<\/strong>. If found guilty, the unnamed individual is likely to serve up to 180 days in jail, as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses<\/strong> suffered as a consequence of the attack.<\/p>\n

rb-<\/em><\/strong><\/p>\n

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE<\/a> for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil<\/strong><\/em><\/p>\n

Rightly or wrongly schools rely on the Intertubes for their core business – instruction, and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDOS strategy let alone buying a tool to fight off a denial of service attack.<\/em><\/p>\n

Related articles<\/h6>\n