Information Security News mailing list archives

School district computer network left student records available to public


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Jun 2003 03:53:27 -0500 (CDT)

http://www.paloaltoonline.com/paw/paonline/weekly/thisweek/2003_06_25.wire25.html

by Rachel Metz 
June 25, 2003

In the heart of Silicon Valley, where companies secure information as
tightly as a bank safeguards money, some student records on Palo Alto
school district computers have been as easy to obtain as a dollar bill
left on a street corner.

Like leaving a vault open, PAUSD failed to place a number of highly
sensitive computer files containing student information in a locked
location on its network. Using a laptop with a wireless card outside
the district's main office, the Weekly gained access to such data as
grades, home phone numbers and addresses, emergency medical
information complete with full-color photos of students and a
psychological evaluation.

Unauthorized users could copy many of those sensitive files, as well
as upload their own files onto one of the district's servers, Fuji,
the Weekly found. Unlike the majority of the district's information,
the documents were not password protected.

The same information was also accessible to individuals using district
computers within school sites.

The district has known about some aspects of this vulnerability for
nearly nine months, but failed to take action until the Weekly
informed officials of the situation late last week -- a somewhat
ironic development given the school board's recent adoption of a
technology-use policy.

"I don't see this as such a huge news story," Superintendent Mary
Frances Callan said the day after the district office abruptly shut
down its wireless network and student information program. The real
news, she added, was the great progress the district has made to its
network plans, thanks to new software purchases, planned employee
training sessions and the technology-use policy.

However, the availability of such student information is not only a
breach of said policy, but of federal law governing distribution of
students' education records.

District administrators are blaming the security breach on everything
from bureaucracy to teacher error to grass-root efforts to establish
wireless networks at school sites.

"We're not in any way trying to make excuses, but we knew there were
issues, we knew that there were things that needed to be more secure,"  
Marie Scigliano, PAUSD's director of educational technology and
information services, said.

School board President Mandy Lowell was surprised by the amount of
sensitive data the Weekly was able to access.

"Unless I missed it no one reported to me that there was a gaping hole
in security and needed to be repaired and couldn't unless a policy was
enacted," said Lowell, the parent of three children attending district
schools.

"I never heard this was a matter of urgency to accomplish or our
documents could be printed on the front page of a newspaper," she
said.

The Weekly's ability to access student files was called by one
district employee the biggest security hole in PAUSD's system to date.

Andrew Hannah, a network administrator for the district, admitted
security was an afterthought when the first open wireless networks
were installed at the Jordan and Jane Lathrop Stanford middle schools
and the district office between 2000 and 2002.

The district, he said, was more interested in equipment issues than
securing information.

"With every subsequent school that we're putting up with wireless,
security is now part of the pre-thought process," he said, pointing
out that newer wireless networks at Walter Hays and Juana Briones are
locked from outside wireless use. A Weekly check confirmed Hannah's
statement.

No other schools in the Palo Alto district have permanent wireless
set-ups.

The district uses a wide-area network, or WAN, to link computers at
school sites and the district office.

There are about 40 servers on PAUSD's district-wide network. Each
school has two servers: one academic and one administrative. The
academic server provides access to the Internet, while core school
information -- such as names, grades and medical information -- is
stored on the administrative server.

The district office has access to several other servers, as well as
those of the individual school sites. One of the district servers --
PAUSD Resources -- contains a sub-server known as Fuji, which was
designed to allow authorized personnel to share files.

Although the server was not intended for high-security documents, the
Weekly was able to access some of Fuji's contents as easily as opening
a Microsoft Word file. We found student medical cards listing health
conditions accompanied by a photo of the child, a psychological
profile with the student's first and last name, and a file containing
student addresses, phone numbers and grades. We were also able to view
the district's student information system, SASIxp.

This same information could also be obtained from Jordan Middle
School's computer network.

Such access illustrates the hazards of an open wireless network if
proper security measures are not enacted.

Although students and district employees need a password to log on,
laptops with wireless cards skip this step by connecting directly to
the system as a guest.

Gregg Gunkel, security and information systems manager for the Sequoia
Union High School District, said an open network exposes the district
to the risk of pranks, viruses and stolen information.

"I can't imagine that school districts do provide guest access to
their network," said Gunkel, who added the Sequoia district does not
leave its wireless nodes open.

"We have a requirement by the federal government to maintain secure
networks. Because they're for student use, we have to be careful where
those networks have access to," he said. "And because of the
confidentiality of the information in our student-information
databases, we have to really be sure that's in a really secure mode."

To test whether the network was accessible by other means, we entered
a Paly classroom accompanied by a teacher and were able to log on to
Fuji from a desktop computer without a password.

"In some ways I guess I shouldn't be too surprised this would be a
problem too but at the same time I'm sort of flabbergasted that they
knew about this but didn't make it a priority," Suzan Stewart, Paly
social studies instructional supervisor, said.

Our ability to access the network comes a week after the district
passed a new technology-use policy that took nearly a year to draft.  
Under the terms of that policy, distribution of private or personal
information -- including home addresses, phone numbers, age, sex or
other personal information -- over PAUSD electronic-information
systems is prohibited.

The district's "Student Handbook" regarding use of Internet and
district information systems also states users should identify student
work and images only by first name and initials. No images are allowed
without parent permission.

The federal Family Educational Rights and Privacy Act (FERPA) also
enforces student and parental rights regarding private information,
placing the Palo Alto district in violation of the law.

"We're not trying to disregard the law, we're not trying to make data
available. We have to work through a process with our staff because we
wanted them to be positive and moving through it. We didn't want to be
cutting people off," Scigliano said.

In May, Christopher Grant, a district systems administrator, learned
it was possible to access the district's Fuji server through the
wireless network.

Grant recommended locking down the wireless network, but was told the
district was waiting for the school year to end and the board to
approve the technology-use policy.

"My understanding that what we were planning on doing is taking down
wireless networks that we could not secure until such time we were
able to bring on board the new wireless networks or update the old
ones. My understanding is that has not changed," he said.

Scigliano said the policy was necessary "in this political environment
to be able to move to the next step."

"It's not to say that it's not an important problem, but we find that
we have to educate our staff to let them know what we're doing rather
than do it to them -- and it's not like we're trying to risk the
child, the student information or any of that," she said.

Callan echoed that sentiment: "We are totally in the process of
addressing the issues but we address them starting at the policy
level."

Despite their stated preference for the slow-and-steady approach, the
district office's wireless network was completely shut down within
four hours after the Weekly informed district officials of the breach.

The next day, Hannah circulated an e-mail to district employees
stating, "Wireless connectivity to the District Office is unavailable
due to a security incident. Wireless connectivity will return after
the system has been upgraded. If you have any questions please contact
me. Thank you for your patience."

Questioned about the speed of their reaction, district officials said
they were going to start maintenance work on the network in a few days
anyway, and asserted the Weekly's revelation only sped up the process.

As of press time, the district's wireless network is off. Networks at
Jordan and JLS middle schools were locked.

Scigliano and Hannah admitted it's difficult to close a network.

Though Walter Hays and Juana Briones started out with some protection
from unauthorized use or abuse, Scigliano said grass-roots parent
organizations that developed the earlier wireless networks hampered
the district's ability to standardize technology. Hannah said they
had been in the process of locking down open wireless nodes at Jordan
and JLS for about three months. He added that the new technology-use
policy forbids people from setting up grass-roots networks at district
schools.

Scigliano expressed some frustration over the haphazard way
wireless networks were installed.

"The wireless was brought up at Jordan by a group of parents, OK?  
Separate of the district," she said. "So this is what I'm trying to
explain. It's not to make an excuse," Scigliano said.

She added that teachers were not trained appropriately to use the
computer systems.

"A year ago, some of the documents were in print documents and
(teachers) never ended up transferring, sharing files, doing any of
those types of things," Scigliano said. "Folks have the capability now
so they're doing some of these things, without following the pieces in
place of whether they should be doing it or not, because it's just
normal -- it's considered 'A Job That I Need to Do,' OK?"

Scigliano said holes in the PAUSD system should be patched by the end
of the summer.

"Give us a week and we'll see what you can get on and what you can't
get on," she said.



-
ISN is currently hosted by Attrition.org
