Original work by Katherine Heerbrandt
Commentary by Eric Beasley
This morning, I woke up, read Facebook, and quickly started pounding my head against a table in frustration. Yet another data breach caused by government incompetence and poor leadership.
With permission, we’re going to go through the article posted by the Frederick Extra about a data breach Frederick County Public Schools had many years ago, and add the technical perspective. It’s my day job, after all.
Student data about Frederick County Public School students, including name, date of birth, and social security number, was discovered on a foreign server several months ago, according to multiple sources.
The combination of name, date of birth, and social security number is the base level of information needed to steal someone’s identity. With this information, an identity thief can open bank accounts and credit cards, steal your medical records, use password recovery features on your e-mail and social media accounts, and pretend to be you. The fact that this was on a foreign server is no surprise. Generally, hackers prefer to store and sell data out of servers in places like Panama, the Cayman Islands, Sweden, and Denmark: places where getting a warrant for computers is more difficult than in the United States.
Personal data from more than 1,000 students was discovered on foreign servers. That type of information is commonly sold. Buying children’s personal data is becoming more popular as the theft may not be uncovered for several years.
So a few things here. I cannot imagine an information system that only stores information on 1,000 students. There is no logic behind storing such a small amount of data on any server. Likely, this is just the amount that they know about, not the actual amount of data that was stolen.
Yes, this sort of information is sold on the Dark/Deep web. What’s the difference? The Deep Web is made up of web sites on the public internet that block search engines. You would have to know the exact URL of the site to visit it. The Dark Web is made up of web sites that are only accessible through Tor, a modified web browser designed for anonymity.
Both Dark and Deep web sites exist to sell this sort of merchandise. You may remember The Silk Road, a site used to sell everything from drugs and illegal guns to hackers and hitmen for hire. These sorts of sites sell stolen identities for about $25 each for name, birthday, and social security number.
Kids’ identities are especially valuable to thieves. The financial aspect is just one small piece of this. A few fraudulent maxed-out credit cards are a BEST CASE scenario.
The worst case scenarios involve using that kid’s identity for money laundering and terrorism. With the social security number, organized crime can report income through the fake identity and make the money from their illegal enterprise look legitimate. With an official US passport, anyone in the world can walk into our country with no additional screening. Legit US passports sell for upwards of $100,000, purchased by the highest bidder. They could be a Russian spy, terrorist, or fugitive on the run.
The data breach is believed to have occurred between 2004 and 2006, according to sources, and was discovered several months ago. FCPS, per state law, is obligated to notify those students and will be sending letters to those involved, according to sources.
FCPS computer security came under fire in a state audit report released in April 2015. The audit, conducted by the state’s Department of Legislative Services, began in 2014 and reviewed financial management practices, and included several recommendations to tighten its cyber security, including access, account and password controls over “critical applications, servers and a database.”
I have read over similar state audits. These are not stringent or complicated requirements on the computer side. We’re talking about common sense requirements, like having a password to protect access and making sure that only folks who need access to a system can access it (role-based access control). It’s a sad state of affairs when an enterprise-level computer network like FCPS cannot protect their stuff with a simple password.
1992 called, they want their computer security back.
The audit report stated that “FCPS provided over 11,000 active user accounts unnecessary read and modification access to clear text (that is, unencrypted) files maintained on a web server that contained sensitive personal information (for example names and social security numbers) of numerous individuals. This sensitive personal information is commonly sought for use in identity theft and therefore should be protected by appropriate information system security controls. A similar condition was commented upon in our preceding audit report regarding unnecessary or inappropriate access privileges and capabilities.”
So now we get to the actual findings in the audit report. There’s so much wrong here I hardly know where to begin. When overwhelmed with idiocy, I fall back to bullet-point lists.
- Why does a school system with 5,690 employees need over 11,000 user accounts? Are they not deleting old accounts? Are they giving everyone multiple user accounts? Did the Russians make some extra accounts for themselves?
- Why was student information being stored on a web server? There are these things called databases that we use to store large amounts of information.
- Why was student information not encrypted in accordance with Privacy Act standards?
- Why did FCPS have a similar finding from a previous audit, then repeat the same mistake again in this audit? Are they ignoring the audits by accident or on purpose?
FCPS’s director of technology Derek Root told Board of Education members at its Apr. 22, 2015 meeting that he took exception to the wording of the audit. “This is what happens when you have CPAs doing a technical audit. They don’t fully understand technology,” Root said. Board member Colleen Cusimano, who works in information technology, fired back at Root that the auditors were “senior level” with backgrounds in information technology.
Really, Derek? Are you kidding me right now? When the Department of Legislative Services conducts these sorts of audits, they utilize accountants and CISSP certified individuals. What does CISSP stand for? Glad you asked. It stands for Certified Information Systems Security Professional. This is the gold-standard certification for audits like this.
If Derek is this clueless about something as basic and pedantic as CISSP certifications, then it is no wonder FCPS performed so poorly on the IT side.
Root said at the 2015 meeting that many of the issues in the audit stemmed from an outdated software system, and could be, or had been, easily resolved. But Cusimano was not convinced. “The most troubling thing is that I went through a lot of state reports, and nobody else in the state says that 11,000 users without access can find personally identifying information. I am seeking to feel some confidence about what that risk was and that we have addressed it,” she said at the 2015 meeting.
As if I needed any more information to solidify my opinion of Mr. Root’s technical abilities, he had to go and say this. You know what happens now:
- Outdated software DOES NOT cause 11,000 user accounts to be present on a network that has 5,700 users. Lack of business processes for employees leaving FCPS and lack of regular user account audits do.
- Outdated software DOES NOT cause unencrypted sensitive personal information to be stored on a publicly accessible web server. Poor coding practices, lack of penetration testing, and laziness do.
- Outdated software DOES NOT cause weak or no passwords to control access to critical systems. Poor management, oversight, policy writing, and laziness do.
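The account sprawl the audit describes (11,000 active accounts for roughly 5,700 staff) is exactly what a regular account audit catches: reconcile the directory export against the HR roster and flag what does not line up. The script below is an added example, not FCPS’s or the auditors’ tooling; the account export, HR roster and 90-day stale threshold are constructed assumptions.

```python
"""Reconcile an exported account list against an HR roster (added example).

Sample data below is constructed; a real run would read CSV exports from the
directory service and the HR system.
"""
from collections import defaultdict
from datetime import date

# Constructed sample export: (username, owner employee id, enabled, last login)
ACCOUNTS = [
    ("jdoe",    "E100", True,  date(2015, 4, 1)),
    ("jdoe2",   "E100", True,  date(2013, 1, 9)),   # second account, same person
    ("asmith",  "E101", True,  date(2015, 4, 2)),
    ("bjones",  "E102", True,  date(2012, 6, 30)),  # left FCPS, never disabled
    ("svc_web", None,   True,  date(2011, 2, 2)),   # no owner on record
    ("kwhite",  "E103", False, date(2014, 8, 8)),   # already disabled
]
# Constructed sample HR roster of current employees.
EMPLOYEES = {"E100", "E101", "E103"}
AUDIT_DATE = date(2015, 4, 22)   # date of the board meeting quoted above
STALE_DAYS = 90                  # assumed inactivity threshold


def audit_accounts(accounts, employees, today, stale_days=STALE_DAYS):
    """Return the findings an access reviewer would act on.

    orphaned: enabled accounts whose owner is not a current employee (or is unknown)
    stale:    enabled accounts with no login within stale_days
    shared:   employees holding more than one enabled account
    """
    findings = {"orphaned": [], "stale": [], "shared": {}}
    per_owner = defaultdict(list)
    for user, owner, enabled, last_login in accounts:
        if not enabled:
            continue  # disabled accounts are not active exposure
        if owner is None or owner not in employees:
            findings["orphaned"].append(user)
        if (today - last_login).days > stale_days:
            findings["stale"].append(user)
        if owner is not None:
            per_owner[owner].append(user)
    findings["shared"] = {o: u for o, u in per_owner.items() if len(u) > 1}
    # Headline ratio the audit flagged: active accounts versus headcount.
    findings["active_total"] = sum(1 for a in accounts if a[2])
    findings["headcount"] = len(employees)
    return findings


if __name__ == "__main__":
    for key, value in audit_accounts(ACCOUNTS, EMPLOYEES, AUDIT_DATE).items():
        print(f"{key}: {value}")
```

Any account in `orphaned` should be disabled immediately; `stale` and `shared` go to the owner’s manager to justify or remove.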
Root left FCPS in July 2016 and is now Chief Technology Officer at Washington County Public Schools.
FINALLY we have some good news. Mr. Root is no longer plaguing our school system with incompetence. He’s become someone else’s problem.