Computer security strengthened

In January, eight Churchill students were caught illegally changing grades of 46 other students. According to Blair systems specialist Anne Wisniewski, MCPS has implemented and in the process of implementing new security measures to prevent similar incidents in the future.

Wisniewski said that the Churchill students used a device called a keylogger to retrieve the passwords that enabled them to change the grades. "The keylogger looks like a USB drive and runs a program that records everything entered," she said.

One of the new security measures that MCPS would like to implement, according to Wisniewski, is to force staff members to change their passwords over a predetermined period of time.
"MCPS took a long, lingering look at the password policy," she said. "We would like to have more policies, however they can't because [Windows] Server 2003 doesn't allow the granularity to allow them to change their passwords every week."

Wisniewski explained that the current software used by MCPS does not allow system administrators the ability to force password changes for only a subset of the users. According to Wisniewski, this means that if the system administrator wanted to force staff members to change the password, every other user would also have to change the password, unfeasible for elementary school students. "We had to set things up so that they work with kids," she said.

A possible solution to the problem is upgrading county software to Windows Server 2007, which, Wisniewski said, does allow administrators to force password changes only on staff members. "These problems will go away when we upgrade [to Server 2007]," she said. "Right now, we rely on people to change their passwords. People will be forced to change passwords."

However, Wisniewski mentioned that MCPS will be implementing a new program, Oracle myID, soon which will allow system administrators to force password changes for staff members without necessitating an upgrade to Server 2007.

"The software allows you to manage accounts through another database," she said. "It will cause problems for us, but not that many."

Wisniewski said that MCPS will be implementing myID soon and that this program may cause the county to delay upgrading the server software until a later point in time.

MCPS director of public information Dana Tofig said the real issue with the hacking incident did not lie with the county's network security. "The issue at hand is the poor, unethical decisions made by a small group of students to steal information and change grades," he said. "As a result, they brought a lot of unwarranted negative attention to the majority of students at Churchill and throughout MCPS who earn their grades through honest, hard work and determination.

Tofig said that as it stands, the MCPS network is robust and capable of preventing many security breaches. "There is already a tremendous amount of security around all data systems at MCPS and these systems prevent hundreds of attacks on our systems each week," he said. "We will take measures to try to prevent [keyloggers] from running on our computers, but want to do so in a way that doesn't limit the effective use of technology."

According to Tofig, while past grade changing incidents have occurred, keyloggers have never been used. "There have been grade-changing incident at MCPS in the past, but none that I am aware of that used this specific type of technology," he said.

Tofig stated that the students that perpetrated the Churchill hacking incident have received punishments. He also said that this incident has not affect college admission decisions for other Churchill and MCPS students.