School Creates Own Security Hole; Tries To Have Concerned Parent Arrested For Hacking
from the shut-up,-they-criminally-complained dept
We've seen it so often over the years, it's probably now time to accept the fact that this will never change: when entities are presented evidence of security holes and breaches, far too often the initial reaction is to shoot the messenger.
A school whose online student portal exposed a lot of sensitive data decided the best way to handle a concerned parent's repeated questions about how it was handling the problem was to file a criminal complaint against the parent. (via the Office of Inadequate Security)
The details of the breach (since closed) were reported by independent journalist Sherrie Peif.
The district uses Google Apps for Education (GAFE), a hosting solution by Google that incorporates Google mail, calendar, and chat services. Lewis-Palmer used it for student email accounts, which at that time consisted of the student’s district identification number. [The] system used by the district allowed anyone with email address in the system to download a complete contact list of district students. The list identified students’ names and district email addresses. Because student email accounts were comprised of the student ID, anyone who gained access to this list only needed to know the students’ birthdays to access another program, Infinite Campus, which contains the personal data of possibly thousands of students.
Normally, it might have been difficult to ascertain what students' passwords were. But the school made it easy for anyone to suss out passwords and access the sensitive information stored at the Infinite Campus portal. This message, posted by administrators, sat on the login page for over nearly three years before being removed.
On Aug. 9, 2013 the district posted: “Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix LP@ before your regular birthday password (i.e. LP@031794).”
What was contained behind the papier-mache security facade was a wealth of sensitive student info.
In Lewis-Palmer, students and parents had access to names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups took place; and health records.
Parent Derek Araje brought this to the attention of Dewayne Mayo, a district technology teacher. Rather than promise to look into it or direct him to someone who might be able to verify his claims, Mayo became irritated and accused Araje of "breaking federal law."
Mayo also emailed other school administrators to complain about Araje, claiming he was "polluting the waters" and making it easier for parents skeptical about "any new technology" used by the district to raise complaints. Others in the email thread treated Araje's claims skeptically, asserting (hilariously) that it would take "advanced cracking skills" to break into a site where visitors were greeted with a message that basically gave away every students' password.
Six months after it was brought to the school's attention, parents are finally notified. Two days later, the school shut down the site and GAFE access. On the same day, the school filed a criminal complaint [PDF] with local police department accusing parent Derek Araje of hacking into the website. Fortunately for Araje, the police cleared him of any wrongdoing a month later.
Not only did the school go after the person who brought the security hole directly to its attention, but it significantly downplayed its own role in making sensitive student info easily-obtainable. Teacher, administrator, and technology director Bill Fitzgerald points out the school's blatant attempt to cover its own ass after ignoring the site's security issues for months, if not years.
It also appears - based on the parent testimony at the board meeting - that these concerns were brought to the district's attention in the fall of 2015, and were dismissed. Based on some of the other descriptions regarding access to health records, it also sounds like there might be some issues related to Infinite Campus and how it was set up, but that's unclear.
What is clear, however, is that the district is not being as forthright as they need to be. The board meeting with parent testimony was May 19th; Complete Colorado article ran on May 24th. The data privacy page on the Lewis Palmer web site was updated on May 25th, with the following statement:
"Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems."
Given that the security issue was covered in the local press the day prior, and that the district was publishing their password structure for over three years, I'd recommend they look at their logs going back a while. I'd also recommend that the district own their role exacerbating this issue.
Instead of owning its role, the school chose to try to make someone else -- parent Derek Araje -- pay for its own carelessness and unwillingness to address a security hole until it became impossible to ignore.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: derek araje, dewayne mayo, infinite campus, passwords, school. shoot the messenger, security
Companies: lewis-palmer
Reader Comments
The First Word
“Teaching anyone to respect a government employee of any kind is stupid beyond comprehension.
Government is to be ENDURED, not respected and damn sure never to be trusted.
made the First Word by audiomagi
Subscribe: RSS
View by: Time | Thread
And the moral of the story (and many others)?
Just jump on TOR and disclose it to everybody in the hopes that the dopes do something about it first.
Mind you, this isn't what I want to happen. It's just the logical outcome of behavior based results.
[ link to this | view in chronology ]
Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
Superintendent, plus the school districts general counsel, with a note that they're in violation of FERPA, and they have 30 days before US Department of Ed + Press is notified.
Want to watch a school district scramble? Point out that violations of federal privacy law are liable to lose them federal funding.
Make sure you sign the note "Concerned Parent".
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
Second, also given the school's conduct, any "Fix this or I go public" message would probably be willfully mischaracterized in a criminal complaint as "blackmail against the school district." Even if it was not, I would expect the school not to voluntarily disclose the full extent of the vulnerability ever, so if they do fix it, then the concerned citizen either (a) never tells anyone or (b) goes back on the promise in the note. If (a), no one ever knows it was broken. If (b), the school would probably try to find some way to hold that against him too. Further, if (b) and the school has fixed it, what does he use as proof? The system is now fixed, so outside parties cannot independently verify the claims. Does he disclose information he took from the system before it was fixed? If so, what information could he use that is both secret enough that it reasonably must have been from this vulnerability and yet not so secret that taking it violates some other law?
No, there is no safe way to disclose vulnerabilities directly to entities that shoot the messenger. The only vaguely safe way is very anonymously dump it in public and hope it gets to the right people in time.
[ link to this | view in chronology ]
Re: Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: Re: And the moral of the story (and many others)?
"Postal Service to record pictures of the processed mail."
Yeah so? The best they can get is the processing PO and the mailboxes from were it was deposited.
Blackmail - The key for blackmail is the demand of money. There was none here.
"The system is now fixed" That is the whole point so as long as his kid and other kids info is somewhat safer, than that was the whole point.
I'm glad you liked my idea though.
[ link to this | view in chronology ]
Re: Re: Re: Re: And the moral of the story (and many others)?
Where I live, some things changed afterwards.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: Re: Re: Dropping in a postal pickup box
Uh, what? Grandparent already mentioned that postal mail provides a wealth of forensics if they care to try to trace it. It would not be quick, easy, or cheap, but if they are willing to file a bogus police report over this, I would not be willing to assume that the inconvenience of a forensic pursuit will deter them. I am not saying they would succeed at it (real forensic work is thankfully much less convenient than that shown on CSI), but I would not be surprised if they at least wanted to try it. It would be better for everyone if they hit a dead end immediately, rather than trying to chase forensics that might eventually lead somewhere.
Beyond the forensic angle, are you saying you have a way to get the letter into the dropbox without being seen on any surveillance cameras? Again, it would not be easy for them to turn that into a positive identification, but they only need to whine hard enough that law enforcement is pressured to go try. They aren't on the hook for the man-hours spent, and their conduct so far suggests they don't have a rationale sense of the importance of finding (and silencing) whistleblowers relative to the importance of the secured information.
Blackmail - The key for blackmail is the demand of money. There was none here.
Citation needed with regard to "demand of money." Most jurisdictions treat demand for goods or services as blackmail too, else "Send me intimate photos or I post this embarrassing information" would not be actionable on its own. As grandparent noted, while demanding that the system be fixed is a pretty unusual and selfless demand, it's not implausible that a shoot-the-messenger oriented entity would report it merely as "Demanded we do what he wants or else" and leave it to a judge to laugh them out for treating it as blackmail when it comes up in court that "Do what he wants" is "Do our jobs" and "Or else" is "Or be embarrassed in the media for the disclosure of our own incompetence".
"The system is now fixed" That is the whole point so as long as his kid and other kids info is somewhat safer, than that was the whole point.
I disagree here. The point is multipart. First, yes, you want the information to be secured. Second, you want injured parties to be made aware of their injury. If the information was taken by a malicious party, the victims ought to be notified. Third, you want the culpable party (i.e. the entities that approved such a pathetic design) to be embarrassed in front of their superiors, with the hope that the embarrassment leads to better decisions next time or, in extreme cases, that the embarrassment leads to appropriate job terminations.
I'm glad you liked my idea though.
Was there a missing /sarc on this line? Grandparent disagreed with you on your major point, and you in turn disagreed with him on every detail. Grandparent's key point is that the school district employees consistently acted irrationally in their pursuit of a shoot-the-messenger strategy, so while their capabilities are limited, their zeal must not be underestimated.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Dropping in a postal pickup box
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: Re: And the moral of the story (and many others)?
Indeed a better solution.
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
Re: Re: And the moral of the story (and many others)?
[ link to this | view in chronology ]
…did these people let the TSA run their IT department?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Shooting the messenger will continue to be SOP...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Think of the children!
This really inspires confidence in the district's technology teachers. (shoot the messenger)
And how dare parents ever be skeptical about new technology at school! The parents are supposed to demonstrate to students how to be compliant robots and respect authority. Doing otherwise undermines the school's mission.
But then, we need some fixed percentage of students who graduate or drop out to become the inmates who keep the for-profit prisons filled. Schools need to consider the prison system's shareholder value, and how it contributes to the local economy (somewhere).
[ link to this | view in chronology ]
Re: Think of the children!
[ link to this | view in chronology ]
Re:
...And opened a new site, Google Apps For Failing Educators: GAFFE.
[ link to this | view in chronology ]
Somebody think of the innocent children! This is our children's future!
[ link to this | view in chronology ]
Re:
Teaching anyone to respect a government employee of any kind is stupid beyond comprehension.
Government is to be ENDURED, not respected and damn sure never to be trusted.
[ link to this | view in chronology ]
Re: Re:
The big problem is that government employees are so defensive that they do not care whether they are respected or not, and will use whatever power they have to try to force respect, not realizing that respect is earned, not presumptive. Which is a bit different than what I said above, maybe it should be respect all people, until they give you a reason not to (which won't take long in many cases).
[ link to this | view in chronology ]
Respect is earned, not granted by position.
Not so, if you're going to be teaching kids who to respect the default position is no-one until they demonstrate that they have earned it. Withholding judgement either way until they demonstrate that they deserve, or don't deserve respect.
[ link to this | view in chronology ]
Re: Respect is earned, not granted by position.
[ link to this | view in chronology ]
Re: Respect is earned, not granted by position.
[ link to this | view in chronology ]
Re: Re: Respect is earned, not granted by position.
[ link to this | view in chronology ]
Re: Re: Re: Respect is earned, not granted by position.
That One Guy is advocating not to respect anyone until they've earned it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Respect is earned, not granted by position.
[ link to this | view in chronology ]
Re: Re: Respect is earned, not granted by position.
No one deserves respect by default, until they show that they do deserve it.
Everyone deserves courtesy by default, until they show that they don't deserve it.
(Also, I'd probably back the idea that everyone deserves the benefit of the doubt by default, until they show that they don't. There's room to convince me otherwise on that one, though.)
[ link to this | view in chronology ]
Re:
Respect is earned, not taught.
The act of "teaching respect" has nothing to do with respect and everything to do with brainwashing indoctrination.
[ link to this | view in chronology ]
Modern IT Systems, Where the Entire Chain is the Weak Link
If you're in a position of power, you don't understand the risks of a security hole, and you assume everyone else using computers is as dumb as you you're not inclined to hire a professional. If one person speaks up about it your wallet much prefers them to shut up than for you to pay someone else to fix it.
We can say "hurr durr, people iz stupid" all we want but this is going to keep happening. It is the easiest and cheapest thing to do.
[ link to this | view in chronology ]
Apathy only goes so far before a cash incentive to look the other way becomes the prevailing reason to ignore security issues.
If someone really wanted to they could start questioning that school if they were helping pedophiles by selling them access to the info. That would certainly light a fire under their butts to explain why they avoided fixing this until it was forced.
[ link to this | view in chronology ]
Re:
What I'm getting from the article is that their decisions weren't completely thought through.
Skyward: Using Student ID # + DOB for credentials. Generally speaking, not an awful decision when balancing usability for parents and young children vs. security. The student ID isn't generally readily available to non-school employees, who already have access to skyward anyway.
Add in Google Apps, where a decision was made to use Student ID as an email address. Again, not a bad decision, in and of itself. And because you want student A to be able to email lab partner B and Teacher C, you implement the directory services piece in google.
but now, the Student ID, which skyward assumes is fairly difficult to get is now commonly used by teachers _and_ students, and you have an easily retrievable bit of information as the password (date of birth) for skyward.
The weakness isn't really apparent until you combine the two, and maybe not even then, if the folks integrating GAFE aren't the same folks that implemented skyward. Multi-billion dollar organizations have run into the same trap - it's no surprise to me that a school district got bitten.
That said: it's the _response_ from the school district that's the major problem here.
[ link to this | view in chronology ]
Re: Re:
Using the DOB for authentication IS, generally speaking, really stupid because
A) available on social media sites
B) 6 characters for a password is below industry standards
C) 6 only numeric characters is easily attacked through brute force.
Using student id for email addresses or even just usernames is, generally speaking, really stupid because
A) an ID number is PII ( Personally Identifiable Information ) which means it must not be disclosed publicly
B) ID numbers are easily guessed, especially if they are issued sequentially.
[ link to this | view in chronology ]
Re: Re: Re:
Technically speaking DOB is worse than 6 random numeric characters: 365 or 366 possible combinations for the first 4 digits, and 15 (to be generous) possible combinations for the last 2 digits given the age range, for at best less than 5500 total possible 6-digit combinations, or nearly twice as insecure as a 4-digit random numeric password.
[ link to this | view in chronology ]
Password equipment
[ link to this | view in chronology ]
Re: Password equipment
Speaking as a google-apps admin myself, GAFE administrators don't have the ability to retrieve passwords from the google environment.
[ link to this | view in chronology ]
Oh, who am I kidding, that non-profit would crumble in days from all the lawsuits because people who've been shown to have their pants around their ankles don't like having people point it out.
[ link to this | view in chronology ]
SECURITY ! *whack!*
IS ! *whack!*
AN ! *whack!*
I.T. ! *whack!*
PROBLEM ! *whack!*
NOT ! *whack!*
A ! *whack!*
LEGAL ! *whack!*
ONE ! *whack!*
[ link to this | view in chronology ]
Re:
If Security isn't properly funded. If it's not adequately staffed. If it's not adequately wrapped into the social structure of an organization, etc, IT is guaranteed to fail.
On the other hand, if IT Security is properly funded, staffed, etc, by executive management, it doesn't guarantee success.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Nope, just be like the NSA and sit on it until it bites them in the ass and when they ask why didn't you tell them just say: "Sorry, I don't like being made a target and taking the blame for trying to help patch your shitty security."
[ link to this | view in chronology ]
Long time ago in a board meeting far away......
Clueless administrator 2: "Well we can't do that! I have a hard enough time remembering just my birthday!!!!"
Clueless administrator 3: "How about we just add LP@ before everyone's birthday and use that as the password! We can even put instructions on the site incase anyone forgets!"
All administrators heard cheering this most awesome idea.
[ link to this | view in chronology ]
Re: Long time ago in a board meeting far away......
Because of the new password complexity rules enforced by the system, you may find it difficult to create an acceptable password.
Therefore, the IT department has created a very secure password. This secure password is being distributed to all faculty. Because it is difficult to memorize, you may need to write it down.
All faculty and students are to begin using this password at once.
The Local School Board and Superintendent
[ link to this | view in chronology ]
Messengers always get the chop for their good deeds.
The general attitude displayed by the owners of IT systems is that they already have the "best" and as you are not someone they know then at best you are an incompetent fool or worse you are a malicious individual trying to put down their hard work.
Unless I personally know the people in charge I no longer help any site make improvements. It is not worth the angst suffered for being a good citizen.
If there is going to be serious problems with security of information, one should just anonymously inform various media outlets of the problem found. The companies or organisations that have failed to protect their or their clients information deserve all and every consequence for their incompetence.
For the last few decades, the problems with not securing IT systems have been publicly displayed for all to see. If the leadership of a company or organisation is foolhardy enough to ignore these requirements then they deserve to die by their own petard.
It doesn't take much to find out if they are a good citizen or not, and one shot twice shy, just go anonymously public with all problems found.
[ link to this | view in chronology ]
So, how long was the school's post about security up?
Over three years means more than three years. Nearly three years means less than three years. Both words together are meaningless.
So, how long was it exactly?
[ link to this | view in chronology ]
But wait, there's more.
(Side note: research uncovered that the board president owns his own cyber security firm, used to be in law enforcement, and is pitching a fit that two local law enforcement agencies do not agree with him and will not press charges, meanwhile his business partner, who is also ex law enforcement, was just indicted for making illegal arrests. Trying to use their positions of power to bully people and failing miserably at it, perhaps?)
[ link to this | view in chronology ]
Re: But wait, there's more.
[ link to this | view in chronology ]