http://www.palmbeachpost.com/localnews/content/local_news/epaper/2007/11/23/s1b_skcomputer_1123.html By CHRISTINA DeNARDO Palm Beach Post Staff Writer November 23, 2007 Following a security breach by a high school student who hacked into the Palm Beach County School District's computer system to change grades and attendance records, more than $1.5 million has been spent to beef up security of its extensive network. So far, the investment has paid off. Since the student's arrest in April 2006, there have been no major security threats, even as those opportunities increase. The district is so confident in its security, it has dared students and hackers to crack it, offering a free wireless router for anyone who could. "We had people trying to hack in from China," said Bob LaRocca, the IT security chief, who gave hackers a specific assignment. "Some days we got thousands of hits. The prize is still sitting in my office." Every day, the computer network gets 16,000 attacks. Every week, the employees receive 100,000 e-mails, and 80 percent of them are spam and potentially dangerous. Outside schools and district offices, hackers using devices attempt to capture the data that runs across the district's network to crack password files. Unlike a decade ago, people don't have to be computer geeks to become hackers. Online chat rooms and Web sites give step-by-step directions on how to hack, making it easier for students or anyone to tap into networks. The first serious security breach occurred after a student stole a password to a server, giving him access to every user profile in the school district's system. Ryan Duncan, then an Inlet Grove High student, hacked into the computer system at school and home in December 2003 and January 2004. Though he didn't alter any records, his access could have resulted in great harm to the system, officials said. In a plea deal, Duncan agreed to help create a video on the seriousness of computer crimes. Less than a year later, another student, Jeff Yorston of Dreyfoos School of the Arts, used employee passwords to change his friends' grades, erase suspensions and give himself credit for classes he never took. In another case, an employee posted a detailed instruction sheet for how to log in to the district server in case of a power outage, including login and password information. Yorston avoided jail by deferring prosecution after agreeing to complete a pretrial intervention program, undergoing state supervision and paying a $5,000 fine. Since those incidents, the district has spent more than $1.5 million in security upgrades, as well as changing policy to require employees to change passwords every 60 days. Previously, passwords never had to be changed. A year ago, the district's middle and high schools had no one on staff responsible for fixing problems and relied on the district's office for help. But now each school is starting to bring in its own computer experts. Three computer security personnel were hired to scan for holes in the network's security, monitor e-mail traffic and prevent intrusions such as hackers. To prevent terminated employees from accessing district information, in the next few weeks, a new program will automatically disable their access. Computer administrators, who have the greatest access, will soon need another device in addition to a password to connect to the system. The device, called a token, generates a new pin number every 60 seconds. "If someone would steal the unit, they wouldn't have your user ID and password, and if they had your user ID and password, they would need the unit," LaRocca said. The district has spent about $1 million to upgrade its anti-virus software for every computer in the district. The district is also moving to prevent what is called "sniffing," where hackers with wireless access sit outside school buildings, often in their cars, and scan traffic in order to capture passwords and view the content of messages send over the Internet. In response, the district is spending about $500,000 to purchase a package of sensors for every school and district building which will pinpoint the location of the sniffers and alert police. The technology will also encrypt the data so sniffers can't understand it. Though the safeguards have been successful, experts say the only way to fully protect against an attack is to unplug the computers. But LaRocca said the incidents involving Duncan and Yortson have made raising security a greater priority. "The board gave us their full support in light of all the things that have happened," he said. "What happened here helps me get the message out that we had to tighten security and make more prudent investments." __________________________________________________________________ Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Sun Nov 25 2007 - 23:34:59 PST