There is a grade-changing scandal at Walt Whitman High School, locally in Montgomery County, Maryland. A teacher noticed that the grades in the system did not match what he or she entered. Investigation has found 54 changes.
Montgomery County Schools CTO Sherwin Collette said they believe teachers’ passwords were obtained through the use of hardware keystroke logging.
Hardware keystroke loggers are readily available online. Check out this video from Irongeek if you aren’t familiar with hardware keystroke loggers. Basically it’s just what it sounds like: a transparent USB or PS/2 device that sits between the keyboard and the computer port.
Remember number 3 of Microsoft’s Immutable Laws of Security: if a bad guy has unrestricted physical access to your computer, then it’s not your computer anymore.
The best solution to this sort of problem is multifactor authentication. The thinking is that if the password is stolen then it can’t be used again later. Of course, some systems allow concurrent logons, which would let an attacker use the learned password immediately. (That wouldn’t work with this device, but keystroke loggers can also use wireless/Bluetooth to send the learned information immediately.)
People who don’t use multifactor authentication always think it costs too much. I wonder how much Montgomery County has spent on this incident. The cost of securing the data should have been part of the original decision to put the grade system online.
Even without strong authentication, other things could be done to protect against this sort of attack. It’s not clear if the attackers used the teacher’s computer. If they didn’t, that might get flagged by anomaly detection, which would note that the account was normally used during the day from location A but suddenly was also used from location B at another time.
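Here is a sketch of that kind of check, added as an example and not taken from the school system or the news reports. The log format, account names, addresses and thresholds are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: account, ISO timestamp, source address.
SAMPLE_LOG = """\
teacher1,2010-01-11T08:05:00,10.1.20.14
teacher1,2010-01-12T15:40:00,10.1.20.14
teacher1,2010-01-13T09:15:00,10.1.20.14
teacher1,2010-01-14T12:55:00,10.1.20.14
teacher2,2010-01-11T07:50:00,10.1.20.31
teacher2,2010-01-12T11:20:00,10.1.20.31
teacher1,2010-01-14T22:47:00,10.1.35.7
teacher2,2010-01-15T14:10:00,10.1.20.31
teacher1,2010-01-15T08:30:00,10.1.20.14
teacher2,2010-01-15T23:05:00,10.1.20.31
"""

def parse(log_text):
    """Yield (account, datetime, source) tuples from the comma-separated log."""
    for line in log_text.strip().splitlines():
        account, stamp, source = line.split(",")
        yield account, datetime.fromisoformat(stamp), source

def find_anomalies(events, min_history=3, slack_hours=1):
    """Flag logins that deviate from the account's own history.

    Baseline per account: the sources seen and the span of hours-of-day seen
    (a simple span, so it does not model shifts that cross midnight).
    Nothing is flagged until min_history logins exist, and flagged logins are
    kept out of the baseline so an intruder cannot train it.
    """
    sources, hours, alerts = defaultdict(set), defaultdict(list), []
    for account, when, source in sorted(events, key=lambda e: e[1]):
        seen, reasons = hours[account], []
        if len(seen) >= min_history:
            if source not in sources[account]:
                reasons.append("new source")       # "location B"
            if not min(seen) - slack_hours <= when.hour <= max(seen) + slack_hours:
                reasons.append("unusual hour")     # "at another time"
        if reasons:
            alerts.append((account, when.isoformat(), source, reasons))
        else:
            sources[account].add(source)
            seen.append(when.hour)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert in the sample comes from the account's usual machine, so the hour check still fires in the case where the attacker did use the teacher's computer.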
Displaying last logon and location to the user might have helped. If someone was unusually observant they might notice they didn’t use the account then.
The Post reports that Montgomery County Schools will now have a 120-day password expiration policy. That indicates that before they didn’t expire passwords at all. This means a stolen password is only good for one school year. Still a long time.
Some people are taking a “boys will be boys” attitude about this. They don’t understand why the police are investigating this as a criminal matter. If they’d stolen a Facebook password and vandalized the teacher’s Facebook page, I might be laughing. With grades they had to know they were doing wrong. And worse yet, these false grades were likely used to fraudulently gain admission to college, potentially depriving a more deserving person.
Right now all we can do is speculate based on media reports. And worry about whether the businesses we deal with are ready for 21st century attacks.
Archive for March 2010
Grade Hacking
CVE-2010-0188 Adobe Exploit
The Microsoft Malware Protection Center reported earlier this week a sighting of a malicious PDF file exploiting CVE-2010-0188. Adobe released 9.2.1 and 8.2.1 in February.
Users can pull down the ‘help’ menu and click on ‘check for updates’ to ensure that they’re running the latest version.
One lesson learned here is don’t skip deploying a patch just because no exploits are out for it. It will leave you scrambling later.
Adobe’s next scheduled Reader and Acrobat update is due April 13.

