There is a grade changing scandal over at Walt Whitman High School locally in Montgomery County Maryland. A teacher noticed that the grades in the system did not match what he or she entered. Investigation has found 54 changes.
Montgomery County Schools CTO Sherwin Collette said they believe teacher’s passwords were obtained through the use of hardware keystroke logging.
Hardware keystroke loggers are readily available online. Check out this video from irongeek if you aren’t familiar with hardware keystroke loggers. Basically its just like it sounds. A transparent USB or PS2 device that sits between the keyboard and the computer port.
Remember Microsoft’s Immutable Laws of Security number 3. If a bad guy has unrestricted physical access to your computer, then its not your computer anymore.
The best solution to this sort of problem is multifactor authentication. The thinking is that if the password is stolen then it cant be used again later. Of course some systems will allow concurrent logons allowing an attacker to immediately use the learned password. (That wouldn’t work with this device, but keystroke loggers can also use wireless/bluetooth to send the learned information immediately.
People who don’t use multifactor authentication always thinks it costs too much. I wonder how much Montgomery County has spent on this incident. The cost of securing the data should have been part of the original decision to put the grade system online.
Even without strong authentication, other things could be done to protect against this sort of attack. Its not clear if the attackers used the teachers computer. If they didn’t that might get flagged in anomaly detection. Noting that the account was normally used during the day from location A but suddenly was also used from location B at another time.
Displaying last logon and location to the user might have helped. If someone was unusually observant they might notice they didn’t use the account then.
The Post reports that Montgomery County Schools will now have a 120 day password expiration policy. That indicates before they didn’t expire passwords at all. This means a stolen password is only good for one school year. Still a long time.
Some people are taking a “boys will be boys” attitude about this. They dont understand why the police are investigating this as a criminal matter. If they’d stolen a facebook password and vandalized the teachers Facebook page, I might be laughing. With grades they had to know they were doing wrong. And worse yet these false grades were likely used to fraudulently gain admission to college potentially depriving a more deserving person.
Right now all we can do is speculate based on media reports. And worry about whether the businesses we deal with are ready for 21st century attacks.
Posts tagged ‘Bluetooth’
Grade Hacking
Disable Wireless when Wired Connected
This week Steve Riley of Microsoft wrote that “customers have asked for a way to configure a computer to automatically disable the wireless NIC when Ethernet is in use.” Nevertheless this will not be a feature in Windows 7, the next version of Windows.
Steve writes that this is only a security issue if the user is logged on as administrator and the two networks are routed. Since windows connection bridging isn’t on by default, this is not a issue in his opinion.
When users are connected to both wired and wireless network, the user can experience network problems.
When computers are constantly looking for Ad HOC connections (or alerting you to connection opportunities) it just doesn’t give you that strong secure feeling no matter what Steve says.
I will admit that absent a knowledgeable attacker a context aware personal firewall can effectively stop attacks of this sort.
Based on another blog post of Steve’s I’m wondering if he’s switched sides and now believes in default allow but secure it. I still believe in least privilege. Can anything good come from allowing wireless connections when Ethernet connected? I dont think so. Can anything bad occur when you disable wireless when Ethernet connected? There are some unforeseen consequences. Users with Ware look like they are Ethernet connected all the time unless they bridge the Ware adapters. Also it adds a big of complexity But that is a small price to pay.
I find it nice to not have the media considering articles because our computers connect to the fake AP they set up in the parking lot.
I’ve always said that with a context aware personal firewall, in many cases a more restrictive fw mode will go into place when the non-corporate network connection is detected. But does that mean in a perfect world I dont care that both connections are on? Heck no.
I can hear you now
Joshua Wright, author of the SANS Security Wireless course I took recently and presenter of one of the better talks a this years shmoocon has a 5 minute video on bluetooth phone earpiece hijacking.
As he says in the intro, as states require hands free devices more and more people are turning to bluetooth headsets. But what of the security? See his video below:
A whole new kind of bluejack
Johnny Cache has uncovered flaws in bluetooth implementations from Toshiba. Brian Krebs reports in his SecurityFix blog.
Apparently its a Toshiba bluetooth driver that is also used by Dell.
In a refreshing change from how Apple responded to their wireless driver vulnerability,
A Dell spokesperson said SecureWorks shared an exploit with the company that worked against any of nine different Dell Latitude laptops, and that the company’s engineers were able to reproduce the reported problems in-house. Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn’t expect to ship updates for those models until Nov. 4.
I keep my bluetooth disabled, but I’ll be checking the Toshiba site soon to see if my M400 is vulnerable.
Long Range Hookup
FSecure Weblog
At Defcon, the Schmoo Group demonstrated a long range Wireless LAN antenna that could connect to Wireless LANS 9 miles away. For those of you who advocate bluetooth use to avoid WLAN problems, be aware another presentation picked up signals 2/3rds of a mile away.
This is a good reminder that with wireless networks you may be expanding the reach of your network far more than you think.
