[ISN] Schools spend big to secure system

Mon Nov 26 01:08:48 CST 2007

http://www.palmbeachpost.com/localnews/content/local_news/epaper/2007/11/23/s1b_skcomputer_1123.html

By CHRISTINA DeNARDO
Palm Beach Post Staff Writer
November 23, 2007

Following a security breach by a high school student who hacked into the 
Palm Beach County School District's computer system to change grades and 
attendance records, more than $1.5 million has been spent to beef up 
security of its extensive network.

So far, the investment has paid off.

Since the student's arrest in April 2006, there have been no major 
security threats, even as those opportunities increase. The district is 
so confident in its security, it has dared students and hackers to crack 
it, offering a free wireless router for anyone who could.

"We had people trying to hack in from China," said Bob LaRocca, the IT 
security chief, who gave hackers a specific assignment. "Some days we 
got thousands of hits. The prize is still sitting in my office."

Every day, the computer network gets 16,000 attacks. Every week, the 
employees receive 100,000 e-mails, and 80 percent of them are spam and 
potentially dangerous. Outside schools and district offices, hackers 
using devices attempt to capture the data that runs across the 
district's network to crack password files. Unlike a decade ago, people 
don't have to be computer geeks to become hackers. Online chat rooms and 
Web sites give step-by-step directions on how to hack, making it easier 
for students or anyone to tap into networks.

The first serious security breach occurred after a student stole a 
password to a server, giving him access to every user profile in the 
school district's system. Ryan Duncan, then an Inlet Grove High student, 
hacked into the computer system at school and home in December 2003 and 
January 2004. Though he didn't alter any records, his access could have 
resulted in great harm to the system, officials said. In a plea deal, 
Duncan agreed to help create a video on the seriousness of computer 
crimes.

Less than a year later, another student, Jeff Yorston of Dreyfoos School 
of the Arts, used employee passwords to change his friends' grades, 
erase suspensions and give himself credit for classes he never took. In 
another case, an employee posted a detailed instruction sheet for how to 
log in to the district server in case of a power outage, including login 
and password information. Yorston avoided jail by deferring prosecution 
after agreeing to complete a pretrial intervention program, undergoing 
state supervision and paying a $5,000 fine.

Since those incidents, the district has spent more than $1.5 million in 
security upgrades, as well as changing policy to require employees to 
change passwords every 60 days. Previously, passwords never had to be 
changed.

A year ago, the district's middle and high schools had no one on staff 
responsible for fixing problems and relied on the district's office for 
help. But now each school is starting to bring in its own computer 
experts.

Three computer security personnel were hired to scan for holes in the 
network's security, monitor e-mail traffic and prevent intrusions such 
as hackers.

To prevent terminated employees from accessing district information, in 
the next few weeks, a new program will automatically disable their 
access.

Computer administrators, who have the greatest access, will soon need 
another device in addition to a password to connect to the system. The 
device, called a token, generates a new pin number every 60 seconds.

"If someone would steal the unit, they wouldn't have your user ID and 
password, and if they had your user ID and password, they would need the 
unit," LaRocca said. The district has spent about $1 million to upgrade 
its anti-virus software for every computer in the district.

The district is also moving to prevent what is called "sniffing," where 
hackers with wireless access sit outside school buildings, often in 
their cars, and scan traffic in order to capture passwords and view the 
content of messages send over the Internet.

In response, the district is spending about $500,000 to purchase a 
package of sensors for every school and district building which will 
pinpoint the location of the sniffers and alert police. The technology 
will also encrypt the data so sniffers can't understand it.

Though the safeguards have been successful, experts say the only way to 
fully protect against an attack is to unplug the computers.

But LaRocca said the incidents involving Duncan and Yortson have made 
raising security a greater priority.

"The board gave us their full support in light of all the things that 
have happened," he said. "What happened here helps me get the message 
out that we had to tighten security and make more prudent investments."