Wednesday, January 22, 2020
US flag

US warns of hackers attacking schools

The US Education Department issued a warning to schools across the country about an up-and-rising cyberthreat: computer hackers are allegedly attempting to extort money from the schools, messaging them that their private records have been stolen and students will be subjected to “violence, shaming, or bullying” unless the school pays the protection money.

It’s a type of attack known as ransomware, and because school district computers are generally guarded by inadequately trained security staff or I/T personnel, schools are among our most vulnerable institutions that keep sensitive and personally identifying information (PII) about minor children. Some of that PII may include Social Security numbers, dates of birth, medical or disability records, and other information that could be used by criminals to target individual children, now or in the distant future.

CNN reports that the attacks have so far hit schools in at least three states, including the schools in Columbia Falls, Montana, where Steve Bradshaw is the superintendent. He said he received his first threatening message in mid-September. “The messages weren’t pleasant messages,” he was quoted as saying. “They were ‘splatter kids’ blood in the hallways,’ and things like that.”

The education department said in its message that schools should report all threats to local law enforcement and, optionally, to the department for monitoring purposes.

What can schools do?

Schools should ensure the security of devices and networks, perhaps by conducting a data and network security audit and making certain all the holes and ways into the systems are patched.

They should also review login and httpd logs, such as access.log, to determine where attacks are coming from and what computers are reading or, worse, POSTing to certain Web pages.

Most importantly, since these attacks may also originate as a phishing attack on individual school employees, schools should ensure proper training for teachers, students, and other school staff. Know what the best practices are for data security and social media usage.

Finally, although it is impossible to say all data needs to be stored on systems that can’t be accessed over the internet, access to all sensitive data, which includes student rosters, which might be linked back to their Social Security numbers, should be restricted to personnel on a need-to-know basis. No exceptions. As much as possible, that access should be limited to local network IP addresses, which means not even the superintendent should be able to access it from outside the school.

It may not be possible to install the security recommended, but schools should look into it. We’re going to have to trade a little convenience, because, as we discovered in the Equifax breach earlier this year, data security is paramount.

Schools just don’t invest in computing environments with great technology resources, especially resources devoted to data security. Yet we know, and criminals know, that school computer systems store a virtual treasure chest of personal information about people, data that can be used even long after it was stolen in any criminal or negligent act.

“If bad actors can access student [personal data], that information can be exploited for the purpose of fraud and committing crimes for years before it is detected,” CNN quoted Mary Kavaney, the chief operating officer of the Global Cyber Alliance, as saying. “It’s often only upon application for a job, or application for financial aid to attend college that students find out that their Social Security number has been used fraudulently—they may have poor credit due to false applications against their history, or worse, find that crime has been committed in their name.”

I’m sad to suggest schools think about something other than school subjects, but you can teach all the AP physics you want; if kids aren’t safe or don’t feel safe, they’re not going to learn.

Paul Katula is the executive editor of the Voxitatis Research Foundation, which publishes this blog. For more information, see the About page.

Recent posts

Feds boost Bay funding

Restoration efforts in the Chesapeake Bay watershed received a boost in federal funding in the budget Congress passed last month.

Md. & IL bands perform on New Year’s in...

Bands from IL and Md. once again entertained thousands of people who lined the streets of London and Rome on New Year's Day.

Howard Co. sounds an under-staffing alarm

Teachers in a Md. district have filed a grievance over missing planning and lunch periods and, as a result, putting the most vulnerable students at risk.

Top 11 school stories of 2019

We find these 11 stories to have the greatest potential for influencing activity and direction in schools for the near future.

Girls’ volleyball champs in Illinois

We congratulate the Illinois state champions in girls' volleyball: Newark, St Teresa, Sterling, & Benet Academy.

A weekend of ‘band geeks’ across America

The musical Band Geeks was in performance at a MD high school, just as marching bands from across America named a national champion.

2 dead, 3 wounded in Calif. school shooting

Another school shooting has resulted in the death of 2 California high school students. The suspect shot himself and is in custody.

Mercury makes a transit; next in 2032

A transit of Mercury occurred today and was visible from the US, provided you had sunny skies. It was one of longest possible transits.

On the Naperville BWW racist incident

A racist incident at a Naperville, IL, sports bar indicates that the threads of racism are strong, perhaps as strong as ever.

IL bill could excuse absences to vote

A proposed law in IL could give students up to two hours during the school day so they could vote in the upcoming election.

Loan forgiveness gains some bipartisan support

One Republican from GA, who used to work under Betsy DeVos at the US Education Dept, offers a plan to forgive some student loan debt.