Several years ago, I was called on to investigate the intrusion of a student into our district’s legacy student and financial information systems.
The student had gotten passwords to the systems and had used his newfound access to change student grades for $5 a grade. I’d like to say a brilliant case of technological sleuthing turned up the intruder, but it didn’t. Instead, the trespassing was discovered by a high school security guard who overheard students discussing the grade changes.
As the network administrator, I was asked to work with the school’s staff and local police to determine the extent of the intrusion. The investigation brought to light a number of critical issues regarding the vulnerabilities of K-12 networks to intrusion from their own student populations.
As a point of clarification, the term “hacker” originally referred to someone who tinkered with computers and software in order to rework and improve them. Over time, the press has applied the term to anyone who uses a computer to perpetrate a crime or cause mischief in cyberspace. Some will argue that these “evil-doers” should be labeled “crackers.”
Students have four things going for them that invite probing and intrusion into unauthorized areas of the typical K-12 network:
• Many legacy or mainframe systems weren’t designed with security in mind. Often, the code running the systems had been added to and reconfigured for many years, leaving security loopholes and easy-to-find passwords throughout the system.
• Older systems may communicate with users via nonsecure protocols, such as telnet and HTTP. These protocols make it easy for intruders to obtain passwords by capturing, or “sniffing,” data from the network.
• Students have access to free and easy-to-use software from thousands of sites on the net. A school district’s own internet connections often provide the means for students to get and use this software.
• Students have time to explore. They often have access to the network from home and at school. Many schools provide open student labs at lunch and after school for students to use for homework and other activities. Often, these labs are lightly monitored or not monitored at all.
Motivation for student intruders varies from incident to incident, but several key factors stand out:
Hacking is exciting. It’s the world’s largest video game. A student’s chance of getting caught is minimal. Even if students are caught, the chance they will receive a substantial punishment is almost nonexistent. Many schools do not have a policy to deal specifically with issues like cybercrime or electronic trespassing. Often, the student’s parents will take the attitude of, “Isn’t he smart?” I have even had parents offer to have their children help us “fix the computers” after they have broken in.
Hacking is cool. Within days of the suspension and arrest of the student hacker mentioned above, T-shirts showed up around the district with the slogan, “Free Adam.” Our hacker’s exploits were reported on several web sites and news groups, which sparked copycat strikes by other students against our network resources. I have interviewed students who say they use their hacking skills to gain notoriety and acceptance by other students.
Hacking K-12 computer systems is easy. As I said earlier, the software is readily available via the internet. But step-by-step instructions are also easy to find. All a student has to do is identify the types of computers he is trying to compromise, and there is a procedure or technical tips guide somewhere that will help him access the system. If there isn’t a guide, the student can post a question or request for information to one of the many news groups devoted to hacking and get an answer there.
Feeling concerned? No wonder! But there’s help out there to make you more familiar with the threats to your network resources. Knowing what’s possible for an intruder to do on your network is the first step in protecting it.
Probably the best way to get information is to network with folks in other districts. They may have some tips or ideas that could help you design your own network security policy, as well as prevent you from spending energy reinventing the wheel.
There are also a number of excellent resources available on the internet and in print:
ZDTV Cyber Crime
Maximum Security: A Hacker’s Guide to Protecting Your Internet Site and Network (Sams, Macmillan Computer Publishing, 1997)
Hacking Exposed: Network Security Secrets and Solutions by McClure, Scambray, and Kurtz (McGraw-Hill Computing, 1999)