You can see why anyone who deals with security breaches on a regular basis would be disappointed by the way the school handled this. Perhaps someone (their lawyers?) should have walked them through some of the pitfalls of dealing with security breaches, minors, and just plain public relations. Educators in particular seem to need this kind of education.
For those not familiar with it, FCAT is the Florida Comprehensive Assessment Test, a standardized test for assessing student performance.
WTSP reports:
A 14-year-old student at Paul R. Smith Middle School was arrested Wednesday after investigators say he hacked into the school’s computer system and accessed the server containing 2014 FCAT information.
In addition, the student also used the administrative access to take
control of a teacher’s computer during class and displayed an image
of two men kissing, disrupting classroom activities.
Read more on WTSP.
I understand why they did not name the student, but am puzzled that they uploaded the complaint affidavit that shows the student’s physical description, his date of birth, and his mother’s full name and address.
And it’s a shame the news team didn’t ask the school some hard questions about how the student was able to gain administrative access. What does this say about their infosecurity?
(Related)
An update.
WTSP has provided a follow-up to a report noted earlier involving a 14-year-old student at Paul R. Smith Middle School who is facing two felony charges for allegedly hacking into the Pasco County School District’s network. Their new report addresses some of the questions I raised in my previous post about the incident.
In their update, the student, who is now named, claims:
“If they would have notified me it was illegal I wouldn’t have done it in the first place but all they said was you shouldn’t be doing that,” said Domanik Green. [Isn't that enough? Bob]
Green had reportedly done something similar last year and was suspended for three days. [But not arrested. Bob]
The district’s Responsible Electronic Use Guidelines for Students can be found here, and the Student Code of Conduct can be found here, if you’d like to see how much (or little) they describe computer offenses like hacking and the consequences. Is Green right? Did the district ever tell him that unauthorized access is hacking and that it’s a felony – and that if it happened again, he might be arrested? How did they follow up on last year’s incident?
But here’s one of the stunning revelations in Casey Cumley’s report:
The sheriff’s office says Green got the password information 2 years ago from a teacher and several students might have had the ability to hack the system.
Why is a password from two years ago still working? And if he did something similar last year, are we to understand that even after that, they still didn’t change the password – or didn’t last year’s incident involve the same password? If it did involve the same password, this is just incredibly negligent on the district’s part, as it would appear they didn’t take what would be obvious, minimal, and reasonable steps to prevent a recurrence of the problem. Even if the password wasn’t involved in last year’s incident, their failure to regularly change passwords may have contributed to the current incident.
And if they’re correct that Green got the password from a teacher two years ago, how did that happen? Was it actually given to him or did he shoulder-surf it? A statement by a district administrator suggests that a teacher may have knowingly provided the password:
“Our department of employee relations are going to investigate why
students were allowed to have the password,” said Cobbe.
Amazing, if true. But put down your preferred beverage before you read the next statement from a press conference about the case:
“You have somebody that clearly doesn’t learn their lesson.”
The sheriff was referring to the student. I think his statement is more applicable to the district.
The school district said it is still investigating employees and
there will be disciplinary actions taken for anyone who might have
shared password information.
Shouldn’t that investigation and any action have occurred last year after they first discovered the student had improperly accessed the network?
And this, children, may be a useful example of why school districts should never be allowed to collect and store sensitive student information and why we can’t have pretty things.
Read the full report on WTSP.
I'm not the only one pointing to poor school security.
Education Sector Struggles With Botnets: BitSight
The education industry – which includes education companies, schools and colleges – brought up the rear in a new study from BitSight examining the connection between botnets and data breaches. According to BitSight, fewer than 23 percent earned an 'A' grade, while more than 33 percent earned an 'F'.
The report examined the ratings and risk vectors for 6,273 companies between March 2014 and March 2015.
…
organizations with a grade 'B' or below were 2.2 times as likely to have a publicly-disclosed breach compared to those who achieved an A, according to the report.
…
The second-worst industry in the study was the utilities industry, which had more than 50 percent of the companies receiving a grade of B or lower. Perhaps unsurprisingly, the best scoring vertical was the financial industry, where 74 percent of organizations scored an A.
For my Computer Security students. This is a small network of “kidnapped” computers. Imagine how easy it is to take control of these computers.
U.S., European police break up network of 12,000 computers taken over by criminals
Law enforcement agencies in Europe and the United States have dismantled a network comprising at least 12,000 computers that had been taken over by criminals, Europol said on Thursday.
The software used to infect the computers was "very sophisticated" but the network was relatively small compared to others uncovered in the past, Europol said in a statement.
Admitting Tracking ‘Bug,’ Facebook Defends European Privacy Practices
Facebook Inc. pushed back on Thursday against some accusations from Belgian scholars that the social network trampled over its users’ privacy rights – but admitted that the academics found a “bug” that mistakenly tracked people even while they weren’t on Facebook’s website.
The company said it has started to fix the problem
…
But Richard Allan, the company’s European policy chief, said in a blog post that the group of Belgian academics reached the wrong conclusions. “The report gets it wrong multiple times in asserting how Facebook uses information to provide our service to more than a billion people around the world,” he said.
The report, commissioned by the Belgian government’s privacy watchdog, analyzed an update of Facebook’s terms of use that went into effect Jan. 31. The Belgian agency is part of a group of European privacy watchdogs, including France and Spain, that are investigating Facebook’s privacy practices.
The watchdog, the Belgian Privacy Commission, doesn’t have the power to directly fine or sanction Facebook. But there is a growing belief among privacy regulators that Facebook and other U.S. tech companies need to face more scrutiny – and potential fines – for their practices of using personal information to fuel their lucrative advertising sales.
(Related)
Do you begin to see why we have problems teaching people how to
protect themselves?
Millions Of People Think They Use Facebook, But Not The Internet
…
Many admit to spending far too much time on the world’s most popular social network, but they are, at least, aware that they’re using the Internet; yet studies (including one by think-tank LIRNEasia) in countries like Indonesia, Africa, and the Philippines have found that those surveyed love Facebook – but assert that they don’t use the web. It’s not simple ignorance. They’ve been brought into this culture. While many of us have been introduced to the idea of Facebook through the Internet, in the minds of millions, the two exist separately because their first interaction with the World Wide Web is via the social network.
…
Many service providers offer low-priced Facebook-only data plans, while Facebook Zero gives – you guessed it – entirely free access to the social network exclusively.
…
Initially, the fact that people think they’re using Facebook but
not the Internet is quite funny. It sounds so improbable.
But considering that Facebook already knows a surprising amount about you, this is potentially a huge issue.
Don't all levels of law enforcement do this? If it works they have precedent. If not all they need do is wait a while and try again. Like hackers, they only need to succeed once.
The Obama administration is abandoning decades of established law in order to force Microsoft to hand over data from a foreign server, the software giant claims.
“For an argument that purports to rest on the 'explicit text of the statute,’ the Government rewrites an awful lot of it,” Microsoft said in a new brief as part of its case against the government.
“Congress never intended to reach, nor even anticipated, private communications stored in a foreign country when it enacted” the 1986 Electronic Communications Privacy Act, Microsoft said.
Yet that, it claims, is exactly what the Justice Department is trying to do by issuing a search warrant ordering Microsoft to give up a suspected drug trafficker’s email and records from an Irish data center.
Microsoft has claimed that digital data is no different than paper files in a desk drawer. If the government wants to obtain such files from another country, it needs to go through a foreign treaty process, the company says. Otherwise, it’s up to Congress to change the meaning of the law.
Toward the “Education on demand” market?
LinkedIn to Buy Career-Skills Educator Lynda.com for $1.5 Billion
LinkedIn Corp. has entered the growing market for online learning with its $1.5 billion purchase of lynda.com Inc., a website that got its start 20 years ago and has since emerged as a leader in professional training videos.
The cash-and-stock deal is LinkedIn’s largest acquisition and gives the professional networking site one of the biggest online libraries of video tutorials, with courses ranging from Web design to digital photography.
…
Lynda.com’s ability to certify the people who have completed courses could also provide valuable data to the millions of recruiters who pay LinkedIn to find and assess potential job candidates. Such credentials can give employers an indication that a candidate has some level of knowledge about a topic, or at least has passed a test about it. But it is unclear if employers will take such nontraditional certifications seriously.
…
The overall market for e-learning is estimated to hit $107 billion
this year, according to Global Industry Analysts Inc.
Something to distract my students? (Article 5)
Pacapong Combines Classic Video Games
Why limit yourself to playing just one classic video game at a time when Pacapong allows you to play four games at once? The four in question being Pac-Man, Pong, Space Invaders, and Donkey Kong. Unfortunately, this combination makes Pacapong fiendishly difficult.
Using the bats from Pong, you launch Pac-Man across the board, collecting pills while avoiding ghosts. And while Pac is doing his thing, YOU have to shoot aliens from Space Invaders while avoiding barrels from Donkey Kong. Simple.
Pacapong, created by developer KingPenguin, is available to download for free on Windows, Mac, and Linux.