The Unexpected Curriculum – Case study: Information Security in Education.
When we think about hackers, the word most likely means any skilled computer expert who uses their technical skills to tackle an issue. While a “hacker” can refer to any skilled computer programmer, popular culture has adopted the term to portray hackers as people who, with their technical knowledge, use bugs or exploits to break into computer systems or mainframes. These portrayals are the ones we are exposed to in our day-to-day culture, and they shape what we think hackers are.
However, hackers today are known as cyber criminals who commit crimes such as fraud, scams and theft using a computer. This is what we know as cybercrime: an individual using technology to gain benefits through underhanded means.
In this case study, we will look at some of the ways cybercrime happens in a place we all know as a home for budding talents and aspiring scholars. We will look at a few common cybercrimes and at how they happen in educational institutes.
A password is a memorized secret, in the form of a string of characters, used to confirm the identity of a user. A password usually contains letters, digits, or other symbols. If possible characters are constrained to be numeric.
So, what are breached passwords? A breached password is a sensitive, confidential, or otherwise protected password that has been accessed and/or disclosed to others, resulting in loss of data.
Below are 3 examples of password breach methods in schools.
- Brute force
Some hackers used brute force to break into a school’s computers and made a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid detection by anti-money laundering reports. The hackers had close to 20 accomplices they hired as scammers. Over $100,000 was successfully removed from the school’s payroll account. Two days later an employee discovered the bogus payments. Unfortunately, organizations and companies have roughly two business days to spot and dispute unauthorized activity, because school organizations that bank online fall under the Uniform Commercial Code. Therefore the school was only able to get back less than $20,000.
- Shoulder surfing
An ex-student shoulder surfed the password of an employee back when he was in school. After graduating, he used this information to get into the student information system. From there, he gained access to different payroll data sets including birth dates, social security numbers, and bank account information of nearly 5000 current and former employees. This information was then used for crimes such as identity theft and fraud, including using the stolen credit cards, creating checks, and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud…. answering employee questions and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information.”
- Key logger
A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the user names and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.
Incidents like these show how vulnerable we really are when dealing with sensitive data, and how we may have underestimated how easily our passwords can be obtained by others.
Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.
Malware is generally malicious and usually targets the user’s data; it also leaves traces on the user’s devices.
Below are 2 examples of malware attacks in schools.
- Data stealing malware
A school computer containing no confidential information was connected to the network containing the personal information of over 15,000 students. This computer was breached with malware designed to steal sensitive data. Names, addresses, phone numbers, dates of birth and Social Security numbers were all part of the database that was potentially exposed to this malware. It is uncertain if any of this information was accessed, but the malware was found to have been on the breached computer for approximately five years.
A school network administrator was contacted concerning spam e-mail and other attacks emanating from the district system. When the administrator investigated the problem, it was discovered that several computers had been infected and were part of a botnet. The operating systems of several district computers had been commandeered and were being used by the person controlling the botnet for illicit activities.
These are only the 2 most common kinds of programs that can be installed on a computer with dangerous consequences.
As we all own equipment and devices that store data, we become responsible for our own digital safety. This means not only that we should be more careful with our digital equipment, but also that we are more exposed to theft of that equipment.
Below are examples of devices we own that contain important information being stolen or going missing.
- USB Drive
A school employee was using a flash drive to transfer personal information of 6000 employees for job-related purposes. The information included names, addresses, phone numbers, dates of birth and Social Security numbers. This flash drive went missing. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
- Stolen & Returned Mobile Storage Device
A mobile storage device was stolen and retrieved in a matter of three hours. The thief was apprehended. The device contained names and Social Security numbers for approximately 1600 individuals in a welfare reform program. A computer expert could not determine if the information on the data storage device had been copied off it. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
- Stolen Laptop
A district business office laptop was stolen. The laptop contained sensitive employee and student data. The laptop was password protected and contained data in a format that would not be easily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
With so much confidential data in our hands being so handy and portable, we have to increase measures to ensure that our equipment does not end up in the wrong hands, exposing us to the risk of stolen data.
Posting Information to the Web
As the internet becomes prevalent in our lives, we tend to share things on the web, either via social media like Facebook & Instagram or other content sharing platforms. We tend to be unaware of how connected we are to these platforms, and problems may arise when we accidentally upload private and confidential information online.
Below are 2 examples of uploading confidential information online.
- FTP installed
A member of a school association installed a file transfer program (FTP) onto a server without permission, inadvertently exposing the names, birth dates and Social Security numbers of thousands of associated members around the country. The program was installed and had the information exposed for almost a year before it was discovered.
- Wrong information uploaded
An assessment specialist who handled testing data accidentally uploaded personal information including names, Social Security numbers, birth dates and test scores of the district’s 17,000 students to a Web site for an unrelated school study.
We have all watched movies or shows depicting a hacker trying to obtain information from a target, and it looked cool enough that we wondered how it would feel to be a hacker and mimic what we saw. A survey showed that approximately 67 percent of teens admit to trying, on at least one occasion, to hack into friends’ social network accounts or other social platforms, which is why students need to be taught proper ethical behaviour when it comes to internet and computer usage.
Here are a few examples of students trying out hacking within school compounds.
- Grade “Fixing”
A group of high school students managed to infiltrate the school district’s records management system. Once in, they changed grades for students who paid them to accomplish this task. The students said that, in addition to the money, they did it for kicks, to prove they could do it.
- Moving files
A high school student taking a networking class hacked into an administrator’s user file. Once in, he changed students’ passwords, remotely shut down computers, and created and copied folders in an assistant principal’s file. He just wanted to see what he could get away with and did not do any real damage despite his capability to do so.
- Unauthorized access
A third-grade student used the teacher’s password to gain access to the instructor’s portion of the Blackboard online learning environment. Once in, he changed some students’ passwords and some of the homework assigned.
- Hacking the School as a Project
A 15-year-old student used three hacking programs to gain access to the district records management system in 200 milliseconds. Once in, he lowered his grades, since he could not raise them: he already had a 4.0. He then wrote a three-page paper on how to improve the security of the system. Finally, he proceeded to help the district improve the security of the network in general.
Education institutions need to prioritize cybersecurity because, contrary to popular belief, cyberattacks occur just as frequently in the education sector. In fact, cyberattacks are becoming more prevalent year on year, as instances of data breaches in schools and higher education are widely reported.
Cybersecurity in education is necessary not only to protect against financial loss and prevent disruption, but also to protect students from harm. That is why we need to do everything we can to ensure that the applications and systems in these educational institutions are protected at all costs.