School Creates Own Security Hole; Tries To Have Concerned Parent Arrested For Hacking
from the shut-up,-they-criminally-complained dept
We’ve seen it so often over the years, it’s probably now time to accept the fact that this will never change: when entities are presented evidence of security holes and breaches, far too often the initial reaction is to shoot the messenger.
A school whose online student portal exposed a lot of sensitive data decided the best way to handle a concerned parent’s repeated questions about how it was handling the problem was to file a criminal complaint against the parent. (via the Office of Inadequate Security)
The details of the breach (since closed) were reported by independent journalist Sherrie Peif.
The district uses Google Apps for Education (GAFE), a hosting solution by Google that incorporates Google mail, calendar, and chat services. Lewis-Palmer used it for student email accounts, which at that time consisted of the student’s district identification number. [The] system used by the district allowed anyone with email address in the system to download a complete contact list of district students. The list identified students’ names and district email addresses. Because student email accounts were comprised of the student ID, anyone who gained access to this list only needed to know the students’ birthdays to access another program, Infinite Campus, which contains the personal data of possibly thousands of students.
Normally, it might have been difficult to ascertain what students’ passwords were. But the school made it easy for anyone to suss out passwords and access the sensitive information stored at the Infinite Campus portal. This message, posted by administrators, sat on the login page for over nearly three years before being removed.
On Aug. 9, 2013 the district posted: “Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix LP@ before your regular birthday password (i.e. LP@031794).”
What was contained behind the papier-mache security facade was a wealth of sensitive student info.
In Lewis-Palmer, students and parents had access to names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups took place; and health records.
Parent Derek Araje brought this to the attention of Dewayne Mayo, a district technology teacher. Rather than promise to look into it or direct him to someone who might be able to verify his claims, Mayo became irritated and accused Araje of “breaking federal law.”
Mayo also emailed other school administrators to complain about Araje, claiming he was “polluting the waters” and making it easier for parents skeptical about “any new technology” used by the district to raise complaints. Others in the email thread treated Araje’s claims skeptically, asserting (hilariously) that it would take “advanced cracking skills” to break into a site where visitors were greeted with a message that basically gave away every students’ password.
Six months after it was brought to the school’s attention, parents are finally notified. Two days later, the school shut down the site and GAFE access. On the same day, the school filed a criminal complaint [PDF] with local police department accusing parent Derek Araje of hacking into the website. Fortunately for Araje, the police cleared him of any wrongdoing a month later.
Not only did the school go after the person who brought the security hole directly to its attention, but it significantly downplayed its own role in making sensitive student info easily-obtainable. Teacher, administrator, and technology director Bill Fitzgerald points out the school’s blatant attempt to cover its own ass after ignoring the site’s security issues for months, if not years.
It also appears – based on the parent testimony at the board meeting – that these concerns were brought to the district’s attention in the fall of 2015, and were dismissed. Based on some of the other descriptions regarding access to health records, it also sounds like there might be some issues related to Infinite Campus and how it was set up, but that’s unclear.
What is clear, however, is that the district is not being as forthright as they need to be. The board meeting with parent testimony was May 19th; Complete Colorado article ran on May 24th. The data privacy page on the Lewis Palmer web site was updated on May 25th, with the following statement:
“Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems.”
Given that the security issue was covered in the local press the day prior, and that the district was publishing their password structure for over three years, I’d recommend they look at their logs going back a while. I’d also recommend that the district own their role exacerbating this issue.
Instead of owning its role, the school chose to try to make someone else — parent Derek Araje — pay for its own carelessness and unwillingness to address a security hole until it became impossible to ignore.
Filed Under: derek araje, dewayne mayo, infinite campus, passwords, school. shoot the messenger, security
Companies: lewis-palmer
Comments on “School Creates Own Security Hole; Tries To Have Concerned Parent Arrested For Hacking”
And the moral of the story (and many others)?
Don’t be a good samaritan because that will get you in trouble.
Just jump on TOR and disclose it to everybody in the hopes that the dopes do something about it first.
Mind you, this isn’t what I want to happen. It’s just the logical outcome of behavior based results.
Re: And the moral of the story (and many others)?
Nah. Just print out a list of the student body’s info and mail… postal mail the list to the Principal and Superintendent with a note that if the situation was not corrected within 30 days the info was going to the press and the parents. Then in 30 days do so.
Re: Re: And the moral of the story (and many others)?
The principal won’t have authority to do anything.
Superintendent, plus the school districts general counsel, with a note that they’re in violation of FERPA, and they have 30 days before US Department of Ed + Press is notified.
Want to watch a school district scramble? Point out that violations of federal privacy law are liable to lose them federal funding.
Make sure you sign the note “Concerned Parent”.
Re: Re: And the moral of the story (and many others)?
I think TOR and some added layer of anonymity should be enough for this first contact.
Re: Re: Re: And the moral of the story (and many others)?
Excellent idea. I think there should be a tor site specifically for this service. It will be really interesting how many security issues are out there. Maybe it should be indexed by location so everybody can see pins on a map.
Re: Re: And the moral of the story (and many others)?
Postal mailing proof of the vulnerability is a terrible idea. First, the Feds have for years been running a program where they get the U.S. Postal Service to record pictures of the processed mail. Given the school’s conduct in this case, it would not at all surprise me that, if the concerned citizen had used postal mail, the school would at least attempt to avail itself of this program to track him down. He could try to make it harder for them by posting it from a busy mailbox, handling the whole thing using gloves, etc., but at that point, why bother? Announcing it online via Tor would be less trouble.
Second, also given the school’s conduct, any “Fix this or I go public” message would probably be willfully mischaracterized in a criminal complaint as “blackmail against the school district.” Even if it was not, I would expect the school not to voluntarily disclose the full extent of the vulnerability ever, so if they do fix it, then the concerned citizen either (a) never tells anyone or (b) goes back on the promise in the note. If (a), no one ever knows it was broken. If (b), the school would probably try to find some way to hold that against him too. Further, if (b) and the school has fixed it, what does he use as proof? The system is now fixed, so outside parties cannot independently verify the claims. Does he disclose information he took from the system before it was fixed? If so, what information could he use that is both secret enough that it reasonably must have been from this vulnerability and yet not so secret that taking it violates some other law?
No, there is no safe way to disclose vulnerabilities directly to entities that shoot the messenger. The only vaguely safe way is very anonymously dump it in public and hope it gets to the right people in time.
Re: Re: Re: And the moral of the story (and many others)?
Anonymously dump it in the lap of the local news Action Line? Get them to report on how the school is making it easy to find student information.
Re: Re: Re: And the moral of the story (and many others)?
I don’t know where you live, but where I live you can still put a stamp on a letter and drop it in this R2D2 kinda looking thing and the small white truck comes by and picks it up. It is the safest way to insulate yourself from liability. No means of E anything is untraceable.
“Postal Service to record pictures of the processed mail.”
Yeah so? The best they can get is the processing PO and the mailboxes from were it was deposited.
Blackmail – The key for blackmail is the demand of money. There was none here.
“The system is now fixed” That is the whole point so as long as his kid and other kids info is somewhat safer, than that was the whole point.
I’m glad you liked my idea though.
Re: Re: Re:2 And the moral of the story (and many others)?
Let me guess… The 2001 anthrax attacks are not a thing in your country?
Where I live, some things changed afterwards.
Re: Re: Re:3 And the moral of the story (and many others)?
What? I live in the US and we still have the little blue boxes to mail things.
Re: Re: Re:4 And the moral of the story (and many others)?
The hologram projectors on the little blue boxes don’t look at all similar to the one that R2D2 has.
Re: Re: Re:2 Dropping in a postal pickup box
I don’t know where you live, but where I live you can still put a stamp on a letter and drop it in this R2D2 kinda looking thing and the small white truck comes by and picks it up. It is the safest way to insulate yourself from liability. No means of E anything is untraceable.
Uh, what? Grandparent already mentioned that postal mail provides a wealth of forensics if they care to try to trace it. It would not be quick, easy, or cheap, but if they are willing to file a bogus police report over this, I would not be willing to assume that the inconvenience of a forensic pursuit will deter them. I am not saying they would succeed at it (real forensic work is thankfully much less convenient than that shown on CSI), but I would not be surprised if they at least wanted to try it. It would be better for everyone if they hit a dead end immediately, rather than trying to chase forensics that might eventually lead somewhere.
Beyond the forensic angle, are you saying you have a way to get the letter into the dropbox without being seen on any surveillance cameras? Again, it would not be easy for them to turn that into a positive identification, but they only need to whine hard enough that law enforcement is pressured to go try. They aren’t on the hook for the man-hours spent, and their conduct so far suggests they don’t have a rationale sense of the importance of finding (and silencing) whistleblowers relative to the importance of the secured information.
Blackmail – The key for blackmail is the demand of money. There was none here.
Citation needed with regard to “demand of money.” Most jurisdictions treat demand for goods or services as blackmail too, else “Send me intimate photos or I post this embarrassing information” would not be actionable on its own. As grandparent noted, while demanding that the system be fixed is a pretty unusual and selfless demand, it’s not implausible that a shoot-the-messenger oriented entity would report it merely as “Demanded we do what he wants or else” and leave it to a judge to laugh them out for treating it as blackmail when it comes up in court that “Do what he wants” is “Do our jobs” and “Or else” is “Or be embarrassed in the media for the disclosure of our own incompetence”.
“The system is now fixed” That is the whole point so as long as his kid and other kids info is somewhat safer, than that was the whole point.
I disagree here. The point is multipart. First, yes, you want the information to be secured. Second, you want injured parties to be made aware of their injury. If the information was taken by a malicious party, the victims ought to be notified. Third, you want the culpable party (i.e. the entities that approved such a pathetic design) to be embarrassed in front of their superiors, with the hope that the embarrassment leads to better decisions next time or, in extreme cases, that the embarrassment leads to appropriate job terminations.
I’m glad you liked my idea though.
Was there a missing /sarc on this line? Grandparent disagreed with you on your major point, and you in turn disagreed with him on every detail. Grandparent’s key point is that the school district employees consistently acted irrationally in their pursuit of a shoot-the-messenger strategy, so while their capabilities are limited, their zeal must not be underestimated.
Re: Re: Re:3 Dropping in a postal pickup box
You seem to assume that either it’s easy to cover one’s tracks digitally (or at least a lot easier than physically) or the district wouldn’t pursue a digital forensic investigation of who leaked the materials.
Re: Re: And the moral of the story (and many others)?
Re: Re: Re: And the moral of the story (and many others)?
Gah, hit Enter too soon.
Indeed a better solution.
Re: Re: And the moral of the story (and many others)?
That didn’t work out too well for weev. Of course that was AT&T, and they have the clout to push a federal prosecution.
Re: And the moral of the story (and many others)?
It’s “Tor”. Really.
Re: Re: And the moral of the story (and many others)?
Aye, was thinking acronym for The Onion Router (TOR) in the traditional sense but the project decided to lowercase the “or”, so it is Tor.
So instead of addressing the actual security hole, they shot the messenger, ignored the security hole, “patched” it when the media and the general public started asking questions, and (unless I missed something here) acted as if the messenger was the real problem.
…did these people let the TSA run their IT department?
Re: Re:
US Corporations have a long, storied history of shooting the messenger.
Re: Re:
They didn’t patch anything. They just shut everything down.
Re: Re: Re:
So you are saying these were the guys running Hilary Clinton’s email server?
Re: Shooting the messenger will continue to be SOP...
…so long as covering personal asses and keeping up appearances are more important to survival than making things work.
Who got fired?
Re: Re:
Most likely the Janitor.
Re: Re: Re:
Still need that SAD-BUT-TRUE button.
I just noticed the word gaffe exists in English. And I laughed. Seems to be an euphemism to me. Aggressively colossal failure would fit this school better.
Re: Think of the children!
Don’t be too harsh on the school personnel. They are trying to be good role models for the kiddies.
This really inspires confidence in the district’s technology teachers. (shoot the messenger)
And how dare parents ever be skeptical about new technology at school! The parents are supposed to demonstrate to students how to be compliant robots and respect authority. Doing otherwise undermines the school’s mission.
But then, we need some fixed percentage of students who graduate or drop out to become the inmates who keep the for-profit prisons filled. Schools need to consider the prison system’s shareholder value, and how it contributes to the local economy (somewhere).
Re: Re: Think of the children!
This is what the “going dark” crowd want. Why bother with good security when you can just criminally charge anyone who points out the emperor has no clothes.
Re: Re:
“Two days later, the school shut down the site and GAFE access.”
…And opened a new site, Google Apps For Failing Educators: GAFFE.
And we used to teach our kids to respect school teachers and school employees. Is there somewhere actually offering bachelor & master degrees in Applied Incompetence, with a minor in Our Students is Learning and PhDs in Theory, Practice, Desirability and PsychoDynamics of Zero Knowledge and Zero Tolerance?
Somebody think of the innocent children! This is our children’s future!
Re: Re:
And we used to teach our kids to respect…
Teaching anyone to respect a government employee of any kind is stupid beyond comprehension.
Government is to be ENDURED, not respected and damn sure never to be trusted.
Re: Re: Re:
Actually, they should teach children to respect government employees, at least until they give one a reason to no longer respect them (which will not take long and will have few execptions). The problem with an initial position of disrespect is that it will bleed over into other relationships.
The big problem is that government employees are so defensive that they do not care whether they are respected or not, and will use whatever power they have to try to force respect, not realizing that respect is earned, not presumptive. Which is a bit different than what I said above, maybe it should be respect all people, until they give you a reason not to (which won’t take long in many cases).
Re: Re: Re: Respect is earned, not granted by position.
Actually, they should teach children to respect government employees, at least until they give one a reason to no longer respect them (which will not take long and will have few execptions).
Not so, if you’re going to be teaching kids who to respect the default position is no-one until they demonstrate that they have earned it. Withholding judgement either way until they demonstrate that they deserve, or don’t deserve respect.
Re: Re: Re:2 Respect is earned, not granted by position.
Until the public is once again innocent until proven guilty, so should all government positions be guilty until proven innocent as far as respect and trust goes.
Re: Re: Re:2 Respect is earned, not granted by position.
Imagine some children living down the block from children being taught to not respect other children from the get go. It would not make for good neighborhood relations.
Re: Re: Re:3 Respect is earned, not granted by position.
Not the same at all. It’s more like some children down the block being taught to not respect the local teen gang that vandalizes the neighborhood on a regular basis.
Re: Re: Re:4 Respect is earned, not granted by position.
It’s more like some children down the block being taught to not respect the local teen gang that vandalizes the neighborhood on a regular basis.
That One Guy is advocating not to respect anyone until they’ve earned it.
Re: Re: Re:5 Respect is earned, not granted by position.
Not “anyone”, but anyone in certain positions. Positions that have demonstrated over the last few decades that only the very worst people strife for said positions. People who will use those positions to their own advantage at the expense of the rest of us.
Re: Re: Re:3 Respect is earned, not granted by position.
My position / argument on the question of respect is:
No one deserves respect by default, until they show that they do deserve it.
Everyone deserves courtesy by default, until they show that they don’t deserve it.
(Also, I’d probably back the idea that everyone deserves the benefit of the doubt by default, until they show that they don’t. There’s room to convince me otherwise on that one, though.)
Re: Re:
” we used to teach our kids to respect “
Respect is earned, not taught.
The act of “teaching respect” has nothing to do with respect and everything to do with brainwashing indoctrination.
Modern IT Systems, Where the Entire Chain is the Weak Link
You, I, and the person beside me can all laugh at something like this, but really it’s not a crazy scenario. We often forget that the average computer user still has trouble finding the any key. These people then assign that-one-friend-who-googled-a-cake-recipe-once as their IT expert to save money. One thing leads to another and we end up with an IT department with no qualifications trying to run a system they don’t understand.
If you’re in a position of power, you don’t understand the risks of a security hole, and you assume everyone else using computers is as dumb as you you’re not inclined to hire a professional. If one person speaks up about it your wallet much prefers them to shut up than for you to pay someone else to fix it.
We can say “hurr durr, people iz stupid” all we want but this is going to keep happening. It is the easiest and cheapest thing to do.
I would question if the reason they ignored the security flaw was because some of them had been selling access to children’s info to various unsavoury types.
Apathy only goes so far before a cash incentive to look the other way becomes the prevailing reason to ignore security issues.
If someone really wanted to they could start questioning that school if they were helping pedophiles by selling them access to the info. That would certainly light a fire under their butts to explain why they avoided fixing this until it was forced.
Re: Re:
It doesn’t read as a security flaw.
What I’m getting from the article is that their decisions weren’t completely thought through.
Skyward: Using Student ID # + DOB for credentials. Generally speaking, not an awful decision when balancing usability for parents and young children vs. security. The student ID isn’t generally readily available to non-school employees, who already have access to skyward anyway.
Add in Google Apps, where a decision was made to use Student ID as an email address. Again, not a bad decision, in and of itself. And because you want student A to be able to email lab partner B and Teacher C, you implement the directory services piece in google.
but now, the Student ID, which skyward assumes is fairly difficult to get is now commonly used by teachers and students, and you have an easily retrievable bit of information as the password (date of birth) for skyward.
The weakness isn’t really apparent until you combine the two, and maybe not even then, if the folks integrating GAFE aren’t the same folks that implemented skyward. Multi-billion dollar organizations have run into the same trap – it’s no surprise to me that a school district got bitten.
That said: it’s the response from the school district that’s the major problem here.
Re: Re: Re:
–Skyward: Using Student ID # + DOB for credentials. Generally speaking, not an awful decision when balancing usability for parents and young children vs. security.
Using the DOB for authentication IS, generally speaking, really stupid because
A) available on social media sites
B) 6 characters for a password is below industry standards
C) 6 only numeric characters is easily attacked through brute force.
Using student id for email addresses or even just usernames is, generally speaking, really stupid because
A) an ID number is PII ( Personally Identifiable Information ) which means it must not be disclosed publicly
B) ID numbers are easily guessed, especially if they are issued sequentially.
Re: Re: Re: Re:
C) 6 only numeric characters is easily attacked through brute force.
Technically speaking DOB is worse than 6 random numeric characters: 365 or 366 possible combinations for the first 4 digits, and 15 (to be generous) possible combinations for the last 2 digits given the age range, for at best less than 5500 total possible 6-digit combinations, or nearly twice as insecure as a 4-digit random numeric password.
Password equipment
Due to the school being able to change everyone’s password to PE@…. Doesn’t this mean that they have full access to all the passwords?
Re: Password equipment
No. All it means is that they have the ability to bulk-change passwords via a script.
Speaking as a google-apps admin myself, GAFE administrators don’t have the ability to retrieve passwords from the google environment.
Someone should start a non-profit called White Hatting and the entire purpose of the company is to be an infosec proxy for when people want to reveal a vulnerability but don’t want to get shot. That way the White Hats can make a name for themselves and it will be harder for schools and corporations to go after the messengers.
Oh, who am I kidding, that non-profit would crumble in days from all the lawsuits because people who’ve been shown to have their pants around their ankles don’t like having people point it out.
I’m gonna keep saying this until TPTB listen:
SECURITY ! *whack!*
IS ! *whack!*
AN ! *whack!*
I.T. ! *whack!*
PROBLEM ! *whack!*
NOT ! *whack!*
A ! *whack!*
LEGAL ! *whack!*
ONE ! *whack!*
Re: Re:
No. Security is an executive leadership problem.
If Security isn’t properly funded. If it’s not adequately staffed. If it’s not adequately wrapped into the social structure of an organization, etc, IT is guaranteed to fail.
On the other hand, if IT Security is properly funded, staffed, etc, by executive management, it doesn’t guarantee success.
If only the school district had decided to consult a REAL I.T. security expert and hold the (Dewayne) Mayo.
So from now on people, DON’T report any exploits or holes in systems even though you’re trying to help get them patched because you will be targeted, and blamed for even INSINUATING that there’s a problem.
Nope, just be like the NSA and sit on it until it bites them in the ass and when they ask why didn’t you tell them just say: “Sorry, I don’t like being made a target and taking the blame for trying to help patch your shitty security.”
Long time ago in a board meeting far away......
Clueless administrator 1: “Apparently Infinite Campus requires all of our account passwords to have some capitol letters and symbols not just numbers, I can’t think of anyway we can possibly meet their stupid demand!”
Clueless administrator 2: “Well we can’t do that! I have a hard enough time remembering just my birthday!!!!”
Clueless administrator 3: “How about we just add LP@ before everyone’s birthday and use that as the password! We can even put instructions on the site incase anyone forgets!”
All administrators heard cheering this most awesome idea.
Re: Long time ago in a board meeting far away......
Memo to faculty:
Because of the new password complexity rules enforced by the system, you may find it difficult to create an acceptable password.
Therefore, the IT department has created a very secure password. This secure password is being distributed to all faculty. Because it is difficult to memorize, you may need to write it down.
All faculty and students are to begin using this password at once.
The Local School Board and Superintendent
Messengers always get the chop for their good deeds.
There is little point in helping others improve their IT systems (unless you are getting paid for it) as you will invariably get kicked in the head, if not worse.
The general attitude displayed by the owners of IT systems is that they already have the “best” and as you are not someone they know then at best you are an incompetent fool or worse you are a malicious individual trying to put down their hard work.
Unless I personally know the people in charge I no longer help any site make improvements. It is not worth the angst suffered for being a good citizen.
If there is going to be serious problems with security of information, one should just anonymously inform various media outlets of the problem found. The companies or organisations that have failed to protect their or their clients information deserve all and every consequence for their incompetence.
For the last few decades, the problems with not securing IT systems have been publicly displayed for all to see. If the leadership of a company or organisation is foolhardy enough to ignore these requirements then they deserve to die by their own petard.
It doesn’t take much to find out if they are a good citizen or not, and one shot twice shy, just go anonymously public with all problems found.
So, how long was the school's post about security up?
The article says “for over nearly three years.”
Over three years means more than three years. Nearly three years means less than three years. Both words together are meaningless.
So, how long was it exactly?
But wait, there's more.
Not just the school- the Monument D38 school district, including most of its board members and administration. The board president is the man in charge of attempting to claim that the parent committed a crime (to pivot blame?) on the premise that the district owns the Infinite Campus and GAFE programs and therfore the parent did not have permission from the district to share the security vulnerability nor did a parent have district permission to ask another parent if they too could see their own child’s vulnerable information.
(Side note: research uncovered that the board president owns his own cyber security firm, used to be in law enforcement, and is pitching a fit that two local law enforcement agencies do not agree with him and will not press charges, meanwhile his business partner, who is also ex law enforcement, was just indicted for making illegal arrests. Trying to use their positions of power to bully people and failing miserably at it, perhaps?)
Re: But wait, there's more.
Can anyone please tell me how I can contact Tim Cushing, or how I can not in public get a private message to him. Thanks