Friday, April 10, 2015

You can see why anyone who deals with security breaches on a regular basis would be disappointed by the way the school handled this. Perhaps someone (their lawyers?) should have walked them through some of the pitfalls of dealing with security breaches, minors, and just plain public relations. Educators in particular seem to need this kind of education.
For those not familiar with it, FCAT is the Florida Comprehensive Assessment Test, a standardized test for assessing student performance.
WTSP reports:
A 14-year-old student at Paul R. Smith Middle School was arrested Wednesday after investigators say he hacked into the school’s computer system and accessed the server containing 2014 FCAT information.
In addition, the student also used the administrative access to take control of a teacher’s computer during class and displayed an image of two men kissing, disrupting classroom activities.
Read more on WTSP. I understand why they did not name the student, but am puzzled that they uploaded the complaint affidavit that shows the student’s physical description, his date of birth, and his mother’s full name and address.
And it’s a shame the news team didn’t ask the school some hard questions about how the student was able to gain administrative access. What does this say about their infosecurity?

(Related) An update.
WTSP has provided a follow-up to a report noted earlier involving a 14-year old student at Paul R. Smith Middle School who is facing two felony charges for allegedly hacking into the Pasco County School District’s network. Their new report addresses some of the questions I raised in my previous post about the incident.
In their update, the student, who is now named, claims:
“If they would have notified me it was illegal I wouldn’t have done it in the first place but all they said was you shouldn’t be doing that,” said Domanik Green. [Isn't that enough? Bob]
Green had reportedly done something similar last year and was suspended for three days. [But not arrested Bob]
The district’s Responsible Electronic Use Guidelines for Students can be found here, and the Student Code of Conduct can be found here, if you’d like to see how much (or little) they describe computer offenses like hacking and the consequences. Is Green right? Did the district ever tell him that unauthorized access is hacking and that it’s a felony – and that if it happened again, he might be arrested? How did they follow-up on last year’s incident?
But here’s one of the stunning revelations in Casey Cumley’s report:
The sheriff’s office says Green got the password information 2 years ago from a teacher and several students might have had the ability to hack the system.
Why is a password from two years ago still working? And if he did something similar last year, are we to understand that even after that, they still didn’t change the password – or didn’t last year’s incident involve the same password? If it did involve the same password, this is just incredibly negligent on the district’s part, as it would appear they didn’t take what would be obvious, minimal, and reasonable steps to prevent a recurrence of the problem. Even if the password wasn’t involved in last year’s incident, their failure to regularly change passwords may have contributed to the current incident.
And if they’re correct that Green got the password from a teacher two years ago, how did that happen? Was it actually given to him or did he shoulder-surf it? A statement by a district administrator suggests that a teacher may have knowingly provided the password:
“Our department of employee relations are going to investigate why students were allowed to have the password,” said Cobbe.
Amazing, if true. But put down your preferred beverage before you read the next statement from a press conference about the case:
“You have somebody that clearly doesn’t learn their lesson.”
The sheriff was referring to the student. I think his statement is more applicable to the district.
The school district said it is still investigating employees and there will be disciplinary actions taken for anyone who might have shared password information.
Shouldn’t that investigation and any action have occurred last year after they first discovered the student had improperly accessed the network?
And this, children, may be a useful example of why school districts should never be allowed to collect and store sensitive student information and why we can’t have pretty things.
Read the full report on WTSP.
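The two questions above (why a two-year-old password still worked, and how several students could be using a teacher's credential without anyone noticing) are both answerable from data a district already has. The following is an added example, not code from the original post, from WTSP, or from the district: a small audit that flags passwords past a maximum age in a directory export and looks for accounts whose logons behave like more than one person. The account export, the logon events, the audit date and the field layout (username, password_last_set; timestamp, username, workstation) are all constructed for illustration and are assumptions about what a directory export and an authentication log would contain.

```python
"""Stale-credential and shared-credential audit.

Added example for this post; it is not code from the original page, WTSP,
or the Pasco County School District. The account export and logon events
below are constructed, and the field layout (username, password_last_set;
timestamp, username, workstation) is an assumption about what a directory
export and authentication log would contain.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed directory export: (username, date the password was last set).
ACCOUNTS = [
    ("tsmith", "2013-03-15"),    # teacher account, never rotated
    ("jdoe", "2015-02-01"),
    ("svc_fcat", "2012-09-01"),  # service account for the assessment server
]

# Constructed authentication log: (timestamp, username, workstation).
LOGONS = [
    ("2015-04-06T08:02:00", "tsmith", "TEACHER-PC-12"),
    ("2015-04-06T08:04:00", "tsmith", "LAB-B-07"),
    ("2015-04-06T08:05:00", "tsmith", "LAB-B-19"),
    ("2015-04-06T08:10:00", "jdoe", "TEACHER-PC-03"),
    ("2015-04-06T13:30:00", "tsmith", "LAB-C-02"),
    ("2015-04-07T08:15:00", "jdoe", "TEACHER-PC-03"),
]

AS_OF = date(2015, 4, 8)  # constructed audit date


def stale_passwords(accounts, as_of=AS_OF, max_age_days=90):
    """Return (username, age_in_days) for every password older than the limit,
    oldest first. A credential that has outlived every student who might have
    seen it typed is the first thing to rotate."""
    stale = []
    for user, last_set in accounts:
        age = (as_of - date.fromisoformat(last_set)).days
        if age > max_age_days:
            stale.append((user, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def shared_credential_suspects(logons, min_hosts=3, window_minutes=5):
    """Flag accounts whose logons look like more than one person.

    Two signals: the account authenticates from at least `min_hosts` distinct
    workstations, or two logons from different workstations occur within
    `window_minutes` of each other (one person rarely moves that fast).
    Returns {username: {"hosts": [...], "rapid_host_switches": n}}.
    """
    by_user = defaultdict(list)
    for ts, user, host in logons:
        by_user[user].append((datetime.fromisoformat(ts), host))

    suspects = {}
    window = timedelta(minutes=window_minutes)
    for user, events in by_user.items():
        events.sort()
        hosts = sorted({host for _, host in events})
        switches = sum(
            1
            for (t_prev, h_prev), (t_cur, h_cur) in zip(events, events[1:])
            if h_prev != h_cur and t_cur - t_prev <= window
        )
        if len(hosts) >= min_hosts or switches > 0:
            suspects[user] = {"hosts": hosts, "rapid_host_switches": switches}
    return suspects


if __name__ == "__main__":
    for user, age in stale_passwords(ACCOUNTS):
        print(f"ROTATE  {user}: password is {age} days old")
    for user, info in shared_credential_suspects(LOGONS).items():
        print(f"SHARED? {user}: {len(info['hosts'])} workstations, "
              f"{info['rapid_host_switches']} rapid host switches -> {info['hosts']}")
```

On the constructed data the teacher account is flagged twice: its password is over two years old, and it logs on from four different workstations, twice within a couple of minutes of each other. Neither check needs anything beyond a directory export and the logon log, which is the point: the questions raised above are cheap to answer before an arrest, not only after one.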


I'm not the only one pointing to poor school security.
Education Sector Struggles With Botnets: BitSight
The education industry – which includes education companies, schools and colleges - brought up the rear in a new study from BitSight examining the connection between botnets and data breaches. According to BitSight, fewer than 23 percent earned an 'A' grade, while more than 33 percent earned an 'F'.
The report examined the ratings and risk vectors for 6,273 companies between March 2014 and March 2015.
Organizations with a grade 'B' or below were 2.2 times as likely to have a publicly-disclosed breach compared to those who achieved an A, according to the report.
The second-worst industry in the study was the utilities industry, which had more than 50 percent of the companies receiving a grade of B or lower. Perhaps unsurprisingly, the best scoring vertical was the financial industry, where 74 percent of organizations scored an A.


For my Computer Security students. This is a small network of “kidnapped” computers. Imagine how easy it is to take control of these computers.
U.S., European police break up network of 12,000 computers taken over by criminals
Law enforcement agencies in Europe and the United States have dismantled a network comprising at least 12,000 computers that had been taken over by criminals, Europol said on Thursday.
The software used to infect the computers was "very sophisticated" but the network was relatively small compared to others uncovered in the past, Europol said in a statement.
… It was impossible to estimate the damage costs, he said, adding that no arrests have been made.


Admitting Tracking ‘Bug,’ Facebook Defends European Privacy Practices
Facebook Inc. pushed back on Thursday against some accusations from Belgian scholars that the social network trampled over its users’ privacy rights – but admitted that the academics found a “bug” that mistakenly tracked people even while they weren’t on Facebook’s website.
The company said it has started to fix the problem.
… But Richard Allan, the company’s European policy chief, said in a blog post that the group of Belgian academics reached the wrong conclusions. “The report gets it wrong multiple times in asserting how Facebook uses information to provide our service to more than a billion people around the world,” he said.
The report, commissioned by the Belgian government’s privacy watchdog, analyzed an update of Facebook’s terms of use that went into effect Jan. 31. The Belgian agency is part of a group of European privacy watchdogs, including France and Spain, that are investigating Facebook’s privacy practices.
The watchdog, the Belgian Privacy Commission, doesn’t have the power to directly fine or sanction Facebook. But there is a growing belief among privacy regulators that Facebook and other U.S. tech companies need to face more scrutiny – and potential fines – for their practices of using personal information to fuel their lucrative advertising sales.

(Related) Do you begin to see why we have problems teaching people how to protect themselves?
Millions Of People Think They Use Facebook, But Not The Internet
… Many admit to spending far too much time on the world’s most popular social network, but they are, at least, aware that they’re using the Internet; yet studies (including one by think-tank LIRNEasia) in countries like Indonesia, Africa, and the Philippines have found that those surveyed love Facebook – but assert that they don’t use the web. It’s not simple ignorance. They’ve been brought into this culture. While many of us have been introduced to the idea of Facebook through the Internet, in the minds of millions, the two exist separately because their first interaction with the World Wide Web is via the social network.
… Many service providers offer low-priced Facebook-only data plans, while Facebook Zero gives – you guessed it – entirely free access to the social network exclusively.
… Initially, the fact that people think they’re using Facebook but not the Internet is quite funny. It sounds so improbable.
But considering that Facebook already knows a surprising amount about you, this is potentially a huge issue.


Don't all levels of law enforcement do this? If it works, they have precedent. If not, all they need do is wait a while and try again. Like hackers, they only need to succeed once.
Microsoft: Feds are 'rewriting' the law to obtain emails overseas
The Obama administration is abandoning decades of established law in order to force Microsoft to hand over data from a foreign server, the software giant claims.
“For an argument that purports to rest on the 'explicit text of the statute,’ the Government rewrites an awful lot of it,” Microsoft said in a new brief as part of its case against the government.
“Congress never intended to reach, nor even anticipated, private communications stored in a foreign country when it enacted” the 1986 Electronic Communications Privacy Act, Microsoft said.
Yet that, it claims, is exactly what the Justice Department is trying to do by issuing a search warrant ordering Microsoft to give up a suspected drug trafficker’s email and records from an Irish data center.
Microsoft has claimed that digital data is no different than paper files in a desk drawer. If the government wants to obtain such files from another country, it needs to go through a foreign treaty process, the company says. Otherwise, it’s up to Congress to change the meaning of the law.


Toward the “Education on demand” market?
LinkedIn to Buy Career-Skills Educator Lynda.com for $1.5 Billion
LinkedIn Corp. has entered the growing market for online learning with its $1.5 billion purchase of lynda.com Inc., a website that got its start 20 years ago and has since emerged as a leader in professional training videos.
The cash-and-stock deal is LinkedIn’s largest acquisition and gives the professional networking site one of the biggest online libraries of video tutorials, with courses ranging from Web design to digital photography.
Lynda.com’s ability to certify the people who have completed courses could also provide valuable data to the millions of recruiters who pay LinkedIn to find and assess potential job candidates. Such credentials can give employers an indication that a candidate has some level of knowledge about a topic, or at least has passed a test about it. But it is unclear if employers will take such nontraditional certifications seriously.
… The overall market for e-learning is estimated to hit $107 billion this year, according to Global Industry Analysts Inc.


Something to distract my students? (Article 5)
Pacapong Combines Classic Video Games
Why limit yourself to playing just one classic video game at a time when Pacapong allows you to play four games at once? The four in question being Pac-Man, Pong, Space Invaders, and Donkey Kong. Unfortunately, this combination makes Pacapong fiendishly difficult.
Using the bats from Pong, you launch Pac-Man across the board, collecting pills while avoiding ghosts. And while Pac is doing his thing, YOU have to shoot aliens from Space Invaders while avoiding barrels from Donkey Kong. Simple.
Pacapong, created by developer KingPenguin, is available to download for free on Windows, Mac, and Linux.
