Through the continuing wonderful work over at Databreaches.net, I read about an odd situation in Lewis Palmer School District 38. The details are still unfolding, but based on the article on databreaches.net and the original report in Complete Colorado, there are a few layers at play here. First, the Complete Colorado piece isn't clear on the technical details - and that's a good thing, because they were printing a story about an unfixed security issue (note - as of today, the affected systems have been taken offline). The ethics of printing information about an unpatched issue are questionable, at best - but we'll return to that later.
Two pieces stand out in the story. First, the data that was potentially exposed seems very sensitive. The exposed data included:
names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.
Second, the Complete Colorado piece includes reporting from a school board meeting held on May 19th. In the exchange below, pulled from the Complete Colorado piece, Sarah Sampayo (a school board member) is speaking with Liz Walhof, the district technology director.
Sampayo questioned the district’s technology director, Liz Walhof, about whether the district planned to make changes to the Gmail accounts. “How easily accessible is that uniquely identifying [student identification] number to the vast community,” Sampayo asked. “And is our kids’ information then protected because you can then log in … with just the kid’s ID number.” Walhof said they continue to look into better formats, but added that right now it is not possible to issue an email without using the student’s ID number.
At the 5/19 school board meeting, a parent shared her experience speaking with the district IT staff. In her public comments, she described talking with school officials in the fall of 2015 about some of her concerns. The testimony begins at the 53:40 mark of the video. From her testimony, it appears that a student's login ID for Google Apps is the same as their student ID. Therefore, based on how Google Apps works, student emails would also be student IDs, thus ensuring that kids in a class know everyone's login ID.
I'm concerned that children are having to log into GAFE with their student ID numbers. And I was told that is just the way it is.
At this point, it's worth noting that just knowing someone's login ID is not sufficient to gain access. If, however, passwords were known, then that is a serious privacy issue.
And, it appears that the Lewis Palmer School District used birthdays as passwords, and announced this online from at least September 24, 2013 to March 14, 2016.
The two screenshots below were taken with the Wayback Machine. The first was crawled on September 24, 2013.
The second screenshot, below, was taken on March 14, 2016.
Both of the screenshots (and the ones taken between these two dates) contain this text:
Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix, Lp@ before your regular birthday password (i.e. Lp@032794). Additionally, you may change this password by entering Ctrl+Alt+Delete and then picking Change a Password. Changing your password this way ONLY works if you are logged into the school network, NOT from home.
This information suggests a couple things. Starting with the most obvious, passwords appear to be created using a commonly known structure based on a person's birthday.
Second, the instructions about being connected to the school network and changing your password suggest (although I'm not certain on this) that usernames and passwords are centrally managed, meaning that a student has a single login ID and password.
It also should be highlighted that username and password issues do not appear directly related to security issues in either Infinite Campus or GAFE. This sounds a lot like an issue with how accounts were provisioned.
Based on the information available here, it appears that the way the district provisioned emails ensured that every student's login ID was easily available. Because the district both used an insecure default password structure and published that password structure on the open web for over three years, the district created a structure that allowed many people within the community to easily know the usernames and passwords of their peers.
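The provisioning problem described above can be caught before accounts go live. The following is an added example, not code from the district or any vendor: it flags initial passwords whose digits spell the account holder's birthday or student ID, and issues a random replacement. The roster fields, the sample records, and the reading of "032794" as MMDDYY are assumptions.

```python
import re
import secrets
import string
from datetime import date

# Common ways to write a birthday as digits; the page's "032794" is read here
# as MMDDYY, which is an assumption.
DATE_FORMATS = ("%m%d%y", "%m%d%Y", "%d%m%y", "%d%m%Y", "%y%m%d", "%Y%m%d")
ALPHABET = string.ascii_letters + string.digits


def derivable_from_record(password, birthdate, student_id):
    """True if the password's digits spell the birthday or the student ID."""
    digits = re.sub(r"\D", "", password)  # a fixed prefix such as "Lp@" adds nothing
    if not digits:
        return False
    guessable = {birthdate.strftime(fmt) for fmt in DATE_FORMATS}
    guessable.add(re.sub(r"\D", "", student_id))
    return digits in guessable


def audit_initial_passwords(roster):
    """Return the student IDs whose initial password must be reissued."""
    return [r["student_id"] for r in roster
            if derivable_from_record(r["password"], r["birthdate"], r["student_id"])]


def random_initial_password(length=14):
    """Replacement credential: random, unrelated to anything on the roster."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed roster for illustration only (hypothetical field names and values).
ROSTER = [
    {"student_id": "100234", "birthdate": date(1994, 3, 27), "password": "Lp@032794"},
    {"student_id": "100235", "birthdate": date(2001, 11, 5), "password": "100235"},
    {"student_id": "100236", "birthdate": date(2002, 1, 9), "password": "tV9qLm2XwRz7Kb"},
]

if __name__ == "__main__":
    for sid in audit_initial_passwords(ROSTER):
        print(sid, "-> reissue as", random_initial_password())
```

A check like this belongs at provisioning time, while the initial credential is still in hand and before it is hashed; a forced change at first login should follow.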
It also appears - based on the parent testimony at the board meeting - that these concerns were brought to the district's attention in the fall of 2015, and were dismissed. Based on some of the other descriptions regarding access to health records, it also sounds like there might be some issues related to Infinite Campus and how it was set up, but that's unclear.
What is clear, however, is that the district is not being as forthright as they need to be. The board meeting with parent testimony was May 19th; the Complete Colorado article ran on May 24th. The data privacy page on the Lewis Palmer web site was updated on May 25th, with the following statement:
Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems.
Given that the security issue was covered in the local press the day prior, and that the district was publishing their password structure for over three years, I'd recommend they look at their logs going back a while. I'd also recommend that the district own their role in exacerbating this issue.
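One way to approach that retrospective log review, as an added example that is not the district's tooling: group successful logins by source address and flag any off-network address that authenticated as more accounts than a single household plausibly would. The log format, addresses, network range, and threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed log lines; the four-field format and every address are assumptions.
SAMPLE_LOG = """\
2016-03-01T08:02:11 198.51.100.10 100234 SUCCESS
2016-03-01T08:02:40 198.51.100.10 100235 SUCCESS
2016-03-01T08:03:02 198.51.100.10 100236 SUCCESS
2016-03-02T19:14:05 203.0.113.7 100234 SUCCESS
2016-03-02T19:15:31 203.0.113.7 100235 SUCCESS
2016-03-02T19:16:48 203.0.113.7 100236 SUCCESS
2016-03-02T19:20:00 192.0.2.44 100237 FAILURE
2016-03-02T19:20:09 192.0.2.44 100237 SUCCESS
"""

# Hypothetical district egress range. Campus traffic shares one NAT address, so
# misuse from inside the network needs per-device logs, not this per-IP view.
DISTRICT_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def accounts_by_source(log_text):
    """Map each off-network source IP to the accounts it logged in as."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "SUCCESS":
            continue
        _ts, ip, account, _result = fields
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed lines rather than abort the review
        if any(addr in net for net in DISTRICT_NETS):
            continue
        seen[ip].add(account)
    return seen


def flag_sources(log_text, max_accounts=2):
    """Sources that logged in as more accounts than the threshold allows."""
    return {ip: sorted(accts)
            for ip, accts in accounts_by_source(log_text).items()
            if len(accts) > max_accounts}
```

Because the credentials were guessable, these logins look like ordinary successes; counting failures alone would miss them.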
For districts, parents, teachers, and students: if there is a commonly known structure to how you provision both usernames and passwords, that is potentially a serious red flag. The process of provisioning accounts is time consuming and not fun (which is part of the reason why we see people starting to rush into the rostering space), but if you can't do it securely, you should put your tech programs on hold until you get it sorted out.