The needler in the haystack.

Monday, January 24, 2011

Plainfield Schools website breach: Worse than being let on?


Screen shot, District website, Monday morning.

Is the website breach at the Plainfield Public Schools worse than is being let on?

The Genesis parents' portal was apparently hacked around 7 PM this past Tuesday, as was discovered by Maria Pellum, a parent and user, on Wednesday evening. The system has been unavailable since then (it seems to be online Monday morning), without explanation until a letter from Acting Superintendent Anna Belin-Pyles was posted to the website late Saturday afternoon (it is time-stamped just before 6:00 PM).

WHAT IS 'GENESIS'?

Student information modules offered.
Genesis is a turnkey software system which manages student information for the entire school district as a web-based application. The company (see their website here) has 160 installations in New Jersey, including six K-12 districts in Union County, and an unnamed Plainfield charter school. Teachers input student grades and other evaluations; parents access the information through the portal.

WHAT HAPPENED?

The site was hacked by members of 4chan (see more here, and here), an amorphous mob of hackers, pranksters and anarchic types, who shortly thereafter posted their exploit to a high-traffic message board, green-oval.net (see here).

Besides posting a username and password to access the system (the password 'poopnuggets' hopefully was the hackers' substitution and not the official District password), the hackers seem to have wreaked havoc on student records, including changing names, grades and disciplinary records. There is also talk on one of the message boards of their having prepared a 'bomb threat' notice (which was never delivered), as well as destruction of backup records (for this, see the thread here).

By the time I began researching the matter Friday evening, the images of student records posted to the message boards had been taken down, though both the green-oval.net thread and another at Reddit (see here) were still up.

Reddit is a highly popular online message board/news source, mainly technology slanted, that happens to be owned by Advance Media, the Star-Ledger's parent company. If you read the Reddit thread carefully, you will note these are sort of the 'white hat' guys -- pointing out the deep doo-doo the hackers are getting themselves into.

WHAT IS THE DAMAGE?

While the District will no doubt have to spend time combing the records to see how many of the several modules have been sabotaged, an immediate worry is whether the records of the Senior class, those who will be looking to enter college next fall, have been compromised.

Searching and fixing these records, and eventually those of the entire student body, will be harder if complete 'paper' backup records have not been kept for grades and the like.

WAS THE I.T. STAFF CARELESS...OR WORSE?

Why did it take until Saturday evening to put out a response?

While we cannot know exactly how the system was hacked, and certainly won't be told while the incident is under investigation, questions arise (from the comment threads) as to whether the system was actually hacked by OUTSIDERS. The same threads raise questions about how the security of the system as a whole is handled, including password storage and backups of the databases of information. To this can be added the matter of a strong password policy (I am told by parent/users that they have never been asked to change their passwords since originally signing up in 2009).

If the Genesis portion of the District's infrastructure was vulnerable, what about other portions, such as those that have the credit card information of parents paying for school lunches online? Or the social security numbers and other personally identifying information of the students?

If I.T. policies and procedures, training, or supervision have been lacking in any way, how will the stakeholders know that deficiencies are being addressed and corrected?

And, lastly, there is the matter of the symbiosis between the District and the City with regard to I.T.

Not only has the City recently inked a 'shared services' agreement for information technology, but the City's I.T. director was previously the District's.

Has the same set of circumstances which made the District vulnerable been brought over to City Hall?

Bears thinking about.


    -- Dan Damon


    13 comments:

    Anonymous said...

    Dan --

    I looked at the 4chan chat thread.

    Essentially the issue lies not with the school per se, but with the software company.

    It appears they are using a universal interface for all their "client" schools. If these guys had wanted to, they could have messed with a lot of schools. It appears that Genesis' security protocols are not very robust.

    From reading the 4chan chat, they had about a thousand threads of people logging in as admin. This ALONE should have been a red flag to the system and it should have blocked access. Admin permissions should belong to only one person -- often it can be tied to your IP (the address/computer you are logging in from).

    Out of all the things the guys are bragging that they did -- the most serious is someone claims to have deleted the backups. If they did this, and there are not redundant backups somewhere -- the school is going to have problems.

    They mention several times the Barack Obama School as well. So I suspect it was hit as well.

    Part of selecting software vendors is not only looking at user functionality, but at the robustness of their password protection. Because hacking is out there, many use mobile "keys" (that change every minute) which you combine with your password to get into a system.

    I would think a company that builds an application that is web-accessed and would hold sensitive information (hackers mentioned substitute teachers' social security numbers), would have the most robust security available.

    It appears not. I guess whoever decided to go with this vendor didn't think access security was that important -- or didn't know enough to realize the application's vulnerability.

    Olive Lynch

    Anonymous said...

    As someone who was in the thread live... (I didn't participate and warned people they were breaking the law & likely committing felonies)...

    It wasn't really "hacking", at least on 4chan's part. It was unauthorized access with the username and password. How that password was obtained is unknown. A disgruntled Genesis Education Software employee? A user hacking in, then giving 4chan the password? We may never know.

    It's telling that there wasn't two-factor authentication. I mean, RSA tokens are getting near $1/seat now and provide a valuable way to minimize the usefulness of a login alone.

    Anyhow...

    There were not "thousands" of people logging in. Most of us knew better and watched the sh**tstorm. At the peak, one of the screenshots reflected 61 active sessions, 3 of which were teachers, most of them were the compromised admin login.

    The school seems to have redundant backups according to this article.

    We WERE able to see a wide variety of information in screenshots - students' phone numbers and addresses were included in some screenshots with their names. I don't think anyone was malicious enough to export any of it (thank god) and no information like SSNs was seen in any screenshots.

    Anyhow...

    Article says the stuff was reverted and Genesis claims to have handed things over to the FBI for those stupid enough to participate in such vandalism. What I guessed would happen.

    Key takeaways are that two factor auth should be the norm to avoid issues when a password is compromised, and admin sessions should be limited to one or two at a time with a session timeout. And the school should have explained this sooner.

    Anonymous said...

    Olive - Great piece of investigative journalism. Did you derive all your information from the rants and boasts of 13 year old boys on an anonymous 4chan internet forum?

    Anonymous said...

    Dan, although the links to the pages contained here have been changed, one could access the info, if someone was forward thinking enough to have saved them. hint...hint.

    As a matter of public "right-to-know" and transparency, I think it can be arranged.

    I agree with Ms. Lynch and you; the exploit potential was there but on both fronts (Genesis Company and PPS IT) and some discussion about PPS IT history is in order.

    Anonymous said...

    Dan, the I.T. Department does not manage the Genesis system, and that is by Dr. Gallon's design. Genesis USED to be managed by I.T. until Gallon came along and changed everything. The few employees that do handle Genesis don't even report to the I.T. department. So no, I.T. did not drop the ball... Check out Mark Spivey's informative article which explains a lot.

    Anonymous said...

    Dan, the Website did not belong to the I.T. Department either, until last month, also Dr. Gallon's design. The Webmaster and website were under Eric Jones.

    Anonymous said...

    You need to ask:
    1. When did the district learn about the breach?

    2. Make them show you how it was reported and to whom.

    3. When did the Board, superintendent and Public Information Officer learn about it?

    4. Are there e-mails or communications that were sent? Ask for them.

    5. What did they do with the information?

    The truth will show that they knew about this some time ago and tried to COVER IT UP!!!!

    In a meeting it was discussed that personal information (SS#, DOB, etc.) were open to thousands who may have gone into the system.

    Grades have been changed and other information has been tampered with.

    THIS IS A MAJOR SCANDAL AND ATTEMPTED COVER UP THAT GOES ALL THE WAY TO THE TOP.

    Let's hope that the little guys in IT don't take the fall.

    Anonymous said...

    Dan,


    Dont be fooled by 6:16 and 6:21 who are probably the SAME person.

    Gallon has been gone since May 2010. The efforts of the Grand Slam and the Interim Super and lackey Eric Jones to save the jobs of cronies last year in spite of the budget shortfall showed their focus.

    They are in charge. They own it. The structure, the organization, the operations, the problems and yes, this cover up. They are the ones that MOVED the IT Department to the high school and moved BOA in the basement.

    They promoted Eric Jones and paid him over $100k despite the fact that he ONLY holds a teaching certificate and now reports directly to the superintendent.

    They CANNOT have it both ways.

    The Plainfield Public School district is in shambles and this debacle and attempted cover up is only the tip of the iceberg.

    There is much more to come.

    GB said...

    Dan,

    Reminds me of the time I got a "Blank" hall pass from Mr Ott, the acting VP. Well I told ....

    Anonymous said...

    to 3:42pm

    I didn't realize it was my job to be a journalist! I was making observations based on reading that 4chan thread. I don't think I was off track, given Mark Spivey quoted excerpts from those same 4chan threads.

    That thread does not contain the language of 13 year olds, that is for sure.

    Web application security is difficult. To have truly secure access, most institutions have users use mobile keys which change every minute. On contracts I have had, I have been given remote access into the bank's systems -- full of sensitive information -- and they always have employees use mobile keys, such as "Safeword".

    You not only have your normal user/password on the application -- but the key has a user/password, which, when you enter it, gives you a randomly generated key which you use to get into the system. It's very secure.

    Many web applications are moving to this technology because people can have their login and passwords stolen by phishing, keyloggers (malicious applications that get downloaded when you visit websites that store and send back all your keystrokes), or plain stealing the sticky in your office cube with your password.

    Online MMO games are using the same technology, because people get their accounts hacked. It's very problematic when the people doing the attacking are out of the country -- there is practically no recourse.

    The point being, a software company which has specifically developed an application for online use should have had tougher security measures -- especially if there is sensitive information involved.

    Their instructions to change passwords once a year on their website aren't going to solve the security vulnerability of their system.

    If you read the 4chan threads, several of the posters were worried they could be traced by any potential investigators by their IP address when they viewed or logged into the system.

    One way a web application can be more secure is to tie your login and password to a specific IP address (such as your computer at work). Often if you log in from another computer (like home or via your iphone), it will challenge you with another security layer (like your pet's name, etc.).

    The fact this person got the username and password, was able to make changes -- then other people were able to log in with the same username and password from DIFFERENT IP addresses -- and the system didn't shut them down right away -- well, this is a very weak system security-wise.

    Genesis said they were upset. They should be. If I were their product manager, I would be scrambling to put in new, hard-core security protocols pronto!

    I think this is something parents can demand of our BOE and IT department -- ask Genesis what security improvements they are going to make so this can't happen again, and when they will be made.

    Just saying.

    Olive Lynch
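    The session limits and source-IP binding the two comments above describe (one admin login appearing from many different addresses, dozens of active sessions on a single account), as an added defender-side example that is not from the original post or from Genesis: replaying a constructed portal login log and flagging every privileged login that breaks a concurrency or distinct-source-IP policy. The log format, the thresholds, the window and the account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed portal login log for illustration (not the Genesis product's
# real format); timestamps are ISO 8601, IPs are documentation ranges.
SAMPLE_LOG = """\
2011-01-18T18:55:02 LOGIN user=admin ip=203.0.113.10
2011-01-18T18:58:41 LOGIN user=admin ip=198.51.100.7
2011-01-18T19:01:05 LOGIN user=admin ip=198.51.100.23
2011-01-18T19:02:17 LOGIN user=admin ip=192.0.2.44
2011-01-18T19:03:30 LOGIN user=jsmith ip=203.0.113.55
2011-01-18T19:04:12 LOGIN user=admin ip=192.0.2.91
2011-01-18T19:10:00 LOGOUT user=jsmith ip=203.0.113.55
"""

# Assumed policy values for a privileged portal account.
MAX_CONCURRENT = 2        # open sessions from distinct source IPs
MAX_DISTINCT_IPS = 2      # distinct source IPs inside one WINDOW
WINDOW = timedelta(minutes=15)

def parse(log_text):
    """Turn each log line into (timestamp, action, user, ip)."""
    events = []
    for line in log_text.splitlines():
        ts, action, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), action,
                       user.split("=", 1)[1], ip.split("=", 1)[1]))
    return events

def audit_sessions(events, privileged=("admin",)):
    """Replay the log; return {user: [(timestamp, reason), ...]} for every
    privileged login a portal should refuse or challenge instead of accepting."""
    live = defaultdict(set)       # user -> source IPs with an open session
    recent = defaultdict(list)    # user -> (timestamp, ip) logins inside WINDOW
    alerts = defaultdict(list)
    for ts, action, user, ip in events:
        if action == "LOGOUT":
            live[user].discard(ip)
            continue
        live[user].add(ip)
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= WINDOW]
        recent[user].append((ts, ip))
        if user not in privileged:
            continue
        if len(live[user]) > MAX_CONCURRENT:
            alerts[user].append((ts, f"{len(live[user])} open sessions"))
        distinct = {i for _, i in recent[user]}
        if len(distinct) > MAX_DISTINCT_IPS:
            alerts[user].append((ts, f"{len(distinct)} source IPs in {WINDOW}"))
    return dict(alerts)
```

On the sample log the third admin login (19:01:05) is the first one the policy would have refused; the ordinary teacher account never trips it.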

    Anonymous said...

    If they use this to get rid of Gary Bloom who holds a Master Degree and is white and an "outsider" to bring back Cris Payne who holds NO DEGREE but is black and an "insider", then shut the entire City down and make it a police state.

    This will be used for local politics and cronyism. Gary Bloom, who is a well respected and professional administrator, should get his lawyer now and have his number on speed dial.

    The fix is in. Why is Cris Payne commenting on school district affairs? We see this a mile away.

    Anonymous said...

    In response to the post Jan 25, 10:31 am. Yes those posts are by the same person, why would Dan be fooled? Check the facts for yourself. Again, the I.T. Department does not manage the Genesis system. All they do is have the Helpdesk change passwords for teachers to log in as well as answer questions on usage. The Genesis team does NOT report to the I.T. department. Is this "hacking" issue being handled well? No! Should I.T. have some input in daily operations and maintenance of Genesis? Yes! This was Gallon's grandiose idea to have the Genesis people report to Kemp and the website under Eric Jones, who is useless and way overpaid! He makes $97,000 to do what exactly?? He doesn't even take pictures anymore! Hopefully the interim superintendent handles issues better than she has been so far. Why they haven't dismantled all of Gallon's organizational structure is beyond me!!

    Anonymous said...

    8:55 a.m.,

    Gallon's structure was his structure and as far as operations in the district it seemed to work. People were accountable and did their jobs. But almost a year later this is their structure now. They own it.

    Maybe they did not dismantle it because they don't have a structure or idea of their own. Or maybe the Grand Slam team did not give that directive.

    At least we agree that Eric Jones is worthless. Gallon's plan for him was in the classroom where he should be. They dismantled that plan and kept him at the district at $100k so they can do what they want to do.

    The superintendent simply does not have the background or experience for this job. Nice person but look at her background.