Feb. 25, 2010
MCPS to strengthen computer security
Montgomery County Public Schools (MCPS) officials have implemented additional computer security measures following the Jan. 27 discovery that students at Churchill High School accessed teacher grading accounts on school computers and modified several students' grades.
The Montgomery County Police Department (MCPD) and MCPS have identified seven students suspected of involvement in the security breach, according to MCPS Director of Public Information Dana Tofig. He explained that these students ran a program on school computers to access teacher passwords. "They used a USB device that ran a program to capture keystrokes," he said.
The school system is currently updating county computers to prevent users from running programs off USB flash drive devices. "You can still do certain things, such as copy documents, but you can't run a program off a USB device," Tofig said.
MCPS Chief Technology Officer Sherwin Collette also sent an email notifying teachers that they would be required to change their computer log-in passwords by Feb. 10 and create a new password every 120 days, according to a Feb. 4 article published in The Washington Post. "We're trying to reinforce the idea that people have to change their passwords more frequently," Tofig said. The memorandum also informed MCPS employees that the new passwords must be eight characters long and contain one number and one capital letter to strengthen the security of teacher accounts.
After interviewing teachers and students, MCPD and MCPS investigators have determined that the students involved infiltrated three teacher accounts. These teachers are still in the process of fixing discrepancies between printed records and the grades that appear on their computer accounts, according to Tofig. "The investigation is still ongoing," he said. "We have the capability of doing audit trails."
MCPS officials are currently issuing punishments to the seven students who illegally accessed teacher computer accounts. Tofig could not reveal the charges against the students or the recommended punishments due to confidentiality requirements, but he said that the punishments for computer abuse range from a loss of computer privileges to a police referral and recommendation for expulsion. The punishments for academic dishonesty range from a conference to expulsion. "We're taking this very seriously," he said. "Ultimately, these students put their futures in jeopardy."
The students involved could also face criminal charges if the Montgomery County state's attorney decides to press charges, according to Tofig. School officials are also considering taking disciplinary action against students who asked for those directly involved to change their grades.
Alex Pope, a senior at Churchill High School, described the investigations that took place over the past month. "At one point, a whole lot of cop cars were parked outside the school," she said.
Pope could not identify the seven students charged with the computer security breach. "I've only heard rumors," she said. "I think a whole bunch of juniors were involved."
The Montgomery County Police Department (MCPD) and MCPS have identified seven students suspected of involvement in the security breach, according to MCPS Director of Public Information Dana Tofig. He explained that these students ran a program on school computers to access teacher passwords. "They used a USB device that ran a program to capture keystrokes," he said.
Seven students at Churchill High School will be punished for accessing teacher computer accounts and changing several students' grades.
MCPS Chief Technology Officer Sherwin Collette also sent an email notifying teachers that they would be required to change their computer log-in passwords by Feb. 10 and create a new password every 120 days, according to a Feb. 4 article published in The Washington Post. "We're trying to reinforce the idea that people have to change their passwords more frequently," Tofig said. The memorandum also informed MCPS employees that the new passwords must be eight characters long and contain one number and one capital letter to strengthen the security of teacher accounts.
After interviewing teachers and students, MCPD and MCPS investigators have determined that the students involved infiltrated three teacher accounts. These teachers are still in the process of fixing discrepancies between printed records and the grades that appear on their computer accounts, according to Tofig. "The investigation is still ongoing," he said. "We have the capability of doing audit trails."
MCPS officials are currently issuing punishments to the seven students who illegally accessed teacher computer accounts. Tofig could not reveal the charges against the students or the recommended punishments due to confidentiality requirements, but he said that the punishments for computer abuse range from a loss of computer privileges to a police referral and recommendation for expulsion. The punishments for academic dishonesty range from a conference to expulsion. "We're taking this very seriously," he said. "Ultimately, these students put their futures in jeopardy."
The students involved could also face criminal charges if the Montgomery County state's attorney decides to press charges, according to Tofig. School officials are also considering taking disciplinary action against students who asked for those directly involved to change their grades.
Alex Pope, a senior at Churchill High School, described the investigations that took place over the past month. "At one point, a whole lot of cop cars were parked outside the school," she said.
Pope could not identify the seven students charged with the computer security breach. "I've only heard rumors," she said. "I think a whole bunch of juniors were involved."
Discuss this Article
- can't seem to grasp the fact that a handful of kids can infiltrate systems in a matter of minutes.
- Use Windows XP
- Allow users to download and run a program
- Have poor to no spyware or firewall security
- Did I mention that we use Windows XP?
It amazes me that MCPS uses McAfee; why, because it comes free with Comcast, the internet service we use. What's more amazing is that a simple keystroke logging software cannot be detected.
Nice job MCPS, keep up the good work! The great irony here is MCPS wants to be more technological savvy, which is why we spend thousands of unnecessary tax payers' money on Promethean Boards, yet MCPS Computer Administrators can't figure out how to stop something so simple, a keylogger.
Yes, XP has its fair share of problems, but it's quite possible to have a secure XP machine if you know what you're doing.
Applies to all 32-bit versions of windows. So no, it really is not possible to have a secure windows machine/network of any type.
"Haxor": uh-huh. 1) UNIX has nothing to do with the security of Linux and the BSDs - the security they have is caused by the peer-review process that open source enables. Want to make sure something's secure? Check for yourself. I can tell you, with 100% certainty, that mod_suexec in Apache 2 is secure.
2) If a system is vulnerable under a keylogger executable program, that's the fault of the user who allowed their keystrokes to be logged. Change your passwords, keep an eye out for people who have recently logged into your account. Keylogger work under linux.
3) "And why would WinXP under a limited account allow a student user to run a program through a flash drive, but not through the computer itself? " And is that the case? Nope.
4) "An operating system should be indomitable, why do you think UNIX servers are used in the military and government?" They're not. Get your statistics straight. *nix servers may be to a great extent, but I have never encountered a UNIX server.
"Latin curity" - wait, what? (captcha)
Haxor: d0 y0u h4v3 4 r34l 1d3n717y?
Here are some things that students could do to access grades, even with these new restrictions in place. These are all off the top of my head:
Use a tried-and-true physical keylogger. No one would notice.
Copy the keylogger executable from the flash drive to any other drive, then run it from there.
Host the keylogger executable on a website and download / run it from there, instead of running it from a flash drive.
Create a web page and embed something that takes advantage of one of the many vulnerabilities in Internet Explorer and have it run the executable.
Sniff the TCP traffic on the network and extract the login credentials that way. There's a good chance the grading system isn't secure, especially if they're still using the telnet-based system.
Replace the executable for the program used to access grades with a lookalike or a compromised version that sends passwords to, well, wherever. Someone's email address, perhaps.
Phishing attack. Write a teacher an email claiming to be from the MCPS IT department and ask for the teacher's password. You could even claim that asking for the password is a specific security measure taken as a result of the events mentioned in the article. I'm sure someone would fall for it.
MCPS, you've got so much work to do!