Monday, July 6, 2020
US flag

US warns of hackers attacking schools

The US Education Department issued a warning to schools across the country about an up-and-rising cyberthreat: computer hackers are allegedly attempting to extort money from the schools, messaging them that their private records have been stolen and students will be subjected to “violence, shaming, or bullying” unless the school pays the protection money.

It’s a type of attack known as ransomware, and because school district computers are generally guarded by inadequately trained security staff or I/T personnel, schools are among our most vulnerable institutions that keep sensitive and personally identifying information (PII) about minor children. Some of that PII may include Social Security numbers, dates of birth, medical or disability records, and other information that could be used by criminals to target individual children, now or in the distant future.

CNN reports that the attacks have so far hit schools in at least three states, including the schools in Columbia Falls, Montana, where Steve Bradshaw is the superintendent. He said he received his first threatening message in mid-September. “The messages weren’t pleasant messages,” he was quoted as saying. “They were ‘splatter kids’ blood in the hallways,’ and things like that.”

The education department said in its message that schools should report all threats to local law enforcement and, optionally, to the department for monitoring purposes.

What can schools do?

Schools should ensure the security of devices and networks, perhaps by conducting a data and network security audit and making certain all the holes and ways into the systems are patched.

They should also review login and httpd logs, such as access.log, to determine where attacks are coming from and what computers are reading or, worse, POSTing to certain Web pages.

Most importantly, since these attacks may also originate as a phishing attack on individual school employees, schools should ensure proper training for teachers, students, and other school staff. Know what the best practices are for data security and social media usage.

Finally, although it is impossible to say all data needs to be stored on systems that can’t be accessed over the internet, access to all sensitive data, which includes student rosters, which might be linked back to their Social Security numbers, should be restricted to personnel on a need-to-know basis. No exceptions. As much as possible, that access should be limited to local network IP addresses, which means not even the superintendent should be able to access it from outside the school.

It may not be possible to install the security recommended, but schools should look into it. We’re going to have to trade a little convenience, because, as we discovered in the Equifax breach earlier this year, data security is paramount.

Schools just don’t invest in computing environments with great technology resources, especially resources devoted to data security. Yet we know, and criminals know, that school computer systems store a virtual treasure chest of personal information about people, data that can be used even long after it was stolen in any criminal or negligent act.

“If bad actors can access student [personal data], that information can be exploited for the purpose of fraud and committing crimes for years before it is detected,” CNN quoted Mary Kavaney, the chief operating officer of the Global Cyber Alliance, as saying. “It’s often only upon application for a job, or application for financial aid to attend college that students find out that their Social Security number has been used fraudulently—they may have poor credit due to false applications against their history, or worse, find that crime has been committed in their name.”

I’m sad to suggest schools think about something other than school subjects, but you can teach all the AP physics you want; if kids aren’t safe or don’t feel safe, they’re not going to learn.

Paul Katula is the executive editor of the Voxitatis Research Foundation, which publishes this blog. For more information, see the About page.

Recent posts

Voxitatis congratulates the COVID Class of 2020

2020 is unique and, for high school graduates, different from anything they've seen. Proms, spring sports, & many graduation ceremonies are cancelled. Time for something new.

Vertical addition (m3.nbt.2) math practice

3rd grade, numbers and operations in base 10, 2, 3-digit vertical addition practice problem

Rubber ducks (m3.oa.1) math practice

3rd grade, operational and algebraic thinking, 1, rubber ducky modeling practice problem

Distance learning begins as Covid-19 thrives

What we learn during & from coronavirus, a challenging & imminent crisis, will provide insights into so many aspects of our lives.

Calif. h.s. choir sings with social distancing

Performances with the assistance of technology can spread inspiration across the globe even as the coronavirus spreads illness and disease.

Families plan to stay healthy during closures

Although schools are doing what they can to keep students learning and healthy during the coronavirus outbreak, that duty now shifts to parents.

Illinois temporarily closes all schools

IL schools will be closed on Tuesday, March 17, through at least March 30. Schools in 18 states are now closed due to coronavirus.

Coronavirus closures & cancellations

Many schools are closed and sports tournaments cancelled across America during what the president called a national emergency: coronavirus.

Coronavirus closes schools in Seattle

The coronavirus pandemic has caused colleges to cancel classes, and now Seattle Public Schools became the nation's first large district to cancel classes due to the virus.

Most detailed images ever of the sun

A new telescope at the National Solar Observatory snapped the most detailed pictures of the sun's surface we have ever seen.

Feds boost Bay funding

Restoration efforts in the Chesapeake Bay watershed received a boost in federal funding in the budget Congress passed last month.