Web Application Security - Vital in Academia

RafalLos — Tue, 20 Jan 2009 03:05:00 GMT

"Police: School data hacked, grades altered"

http://www.republicanherald.com/articles/2009/01/15/news/local_news/pr_republican.20090115.a.pg1.pr15hacker_s1.2230498_top4.txt

Every once in a while, we get a great example of why web application security is vital no matter where in the world you operate. Even though academia often feels like they are the exception due to lack of funding, chaotic environments and a cornucopia of other reasons we occasionally read a news nugget that proves they are just as needy as the rest of the business world of good web application security.

An article in the Pottsville, PA Republican Herald, posted last Thursday January 15th, 2009 identified an incident that caused a bit of a ruckus.

"Pottsville police anticipate filing charges against one or more computer hackers who unlawfully made changes to an online grading system used by Pottsville Area School District.

“You had some people who hacked into a school-functioned, online site and found ways to change data that was put in there,” Pottsville police Capt. Ronald J. Moser said Wednesday

“In this case, someone figured out a teacher’s login and password. It is still a federal offense,” said Monica Langenberg, Shawnee, Okla., director of business development for Classroll.com."

There are several things we can gleam just from that critical quote... let's address:

First, this incident highlights the dangers of having publicly accessible grading systems and school-tied information available on the public Internet. Perhaps the school system should evaluate the sanity of having such critical information for its students protected by a simple username/password system available to the whole of the Internet?
Unless I misunderstand the content of this article... no one "hacked into" anything... the students simply guessed the login credentials of a teacher, who, coincidentally should be held accountable as well for having easily guessable credentials to such a system
A "federal offense"? That's fascinating...
The student demonstrated lack of malicious intent in my view, simply by making the types of changes that would get them caught... it very well could have been done silently over time to really cause some damage

What does this teach you, if you've in academia and evaluating or building an online system like this? Secure it. Base-level login/password authentication from 1999 isn't going to work... Also because of COPPA (Child Online Privacy Protection Act) there is some much greater accountability for academic environments when it comes to protecting children and their information.

The Politics of Getting Hacked

Rafal Los — Sun, 06 Apr 2008 03:07:00 GMT

It's the words that keep IT Security Managers up at night - "We have a problem, I think we've been hacked". Of course, there are few possible responses...

Acknowledge Responsibly - You can acknowledge what has happened, open an investigation, and communicate with the public and your customers. While this may be initially bad PR, in the end it shows responsibility and maturity of process and management
Acknowledge Irresponsibly - You can acknowledge the issue but attempt a campaign of mis-direction and cover-up. Redirect blame to partners, vendors and even former employees, release mis-leading information about the magnitude of the issue and do not publicly investigate the breach.
Bury It - Re-direct blame, issue no statements or official information

The problem is this - you know which you want to do, but which option will your lawyers allow you to take? There are many IT Security departments which are run more by the company legal counsel than the IT Security manager or CISO. Why is this you may ask? Lack of planning and initiative. If a CISO has no strategic, pre-planned response plan for that dark day - the lawyers will more often than not take over and try and guide the company out of trouble (and in the process create a bigger problem). Responsible breach disclosure isn't easy to plan for, and if executed poorly will potentially cause a catastrophic end. This game isn't for the faint of heart.

The purpose here isn't to poke at the legal counsels, in fact, they're entirely necessary and should be your allies. They should not; however, run your crisis management process. Crisis management should be left up to those who are trained for it, and not to the CEOs, the lawyers, or the PR department. Litigation should be a component of your crisis-management process but if you lose control of the situation as the "security" function - you're in for a rough ride.

As the title of this entry suggests, there is a political component to every "incident" that must be carefully navigated. Leave room in your response strategy (crisis management process) for all those previously mentioned folks to do their part - but make sure you understand that you have to control the situation. You're only going to accomplish any semblance of control by planning in advance, working your plan through the ranks, and making sure you have buy-in long before the call comes. This is really a case of failing to plan means planning to fail.

Politics is a dirty business, but unfortunately you cannot escape it, even in IT Security management. Remember, make allies, plan ahead, and get buy in and you'll weather the storm. Otherwise... I need to tell you a story about 3 envelopes...

Following the White Rabbit Blog : breach

Web Application Security - Vital in Academia

The Politics of Getting Hacked