Hacking of high school grading system raises key security practice issues
Although it is one of the top-ranked schools in high-performing Montgomery County, Maryland, in the past few months Winston Churchill High School has been more noteworthy for the alleged hacking by students into the school’s grade reporting system, resulting in changes to as many as 54 grades. The investigation into the hacking incident is now a criminal one, and not all the details of the incident have been disclosed, but from what has been reported, several key issues emerge in terms of security practices (or the lack thereof) that may have facilitated the intrusion. These issues at a minimum provide food for thought for other organizations thinking about their own security controls, and they also offer valid points of reference for any organization conducting an assessment of its own computing environment.
The attack scenario described in published media reports suggests that up to 8 students were involved in first capturing teacher passwords to the grading system with the use of a keylogger or similar program contained on a USB drive attached to a school computer. Once the passwords were obtained, the students were able to gain access to the grading system on multiple occasions and make changes to grades. It seems that the students in question had routine authorized access to the computers used to access the grading system, and there is no mention of whether the grading system can be accessed remotely. Looking at the incident from a defense-in-depth perspective, there appear to have been exploitable vulnerabilities at multiple levels, including at least in the physical, platform, application, and user layers, and possibly the network layer as well.
- Students had unsupervised physical access to school computers sufficient to allow them to attach the keylogging USB drives and, after passwords had been captured, to use the same computers to access the grading system and make changes. Given the sensitivity of the applications and corresponding data accessible from these computers, physical access should either be monitored more closely if valid reasons exist for students to use the computers, or better yet, access to these computers should be restricted to faculty and administrative staff only.
- Without knowing what sort of network or system-level monitoring was in place at the school, it is hard to say whether the attachment of the USB drives containing the keylogging program went unrecorded, or was recorded but unnoticed. In either case, the fact that USB drives could be plugged into school computers without any sort of scanning or verification gave the hackers a vital weakness to exploit. There is a big difference between a USB drive that functions purely as a file storage device and one from which a malicious application is able to run undetected. Assuming that disabling the USB ports is not practical because of legitimate uses of USB devices, end-point device monitoring, application control that blocks executables launched from removable media, or even closer monitoring of Windows security and event logs would presumably give technical administrators sufficient visibility into what is happening on the computers to close down this attack vector.
- The grading system appears to authenticate and authorize users based only on usernames and passwords, which may or may not be appropriate given the perceived risk to the school of an intrusion into this system. The use of a keylogger renders the question of password strength moot: a captured password is replayed rather than guessed, so only a second authentication factor, or a password change before the attacker gets around to using the captured credential, would have limited its value. In the wake of the attack, school administrators apparently did urge teachers to change their passwords immediately, and to do so again on a regular basis, suggesting that users had not previously been required to change their passwords periodically.
- On a positive note, it appears the grading system did log all record updates, including tracking which records (and grades within records) were changed and at what time, but unfortunately not by which user. This audit log did give the school some ability to reconstruct the unauthorized changes, although the school had to enlist the help of its teachers, asking each of them to review their grades. It is not clear whether any sort of log inspection is performed or any alerts are generated from the logs, potentially based on factors such as the number of times a single grade is changed, the timing of changes (especially changes after the end of the grading period), or the number of grades changed in a single session. Since the log does not record the user, a burst of changes within a short window is the closest available stand-in for "many changes in one session." Automated log analysis of this sort would go a long way towards more quickly identifying suspicious grade changes.
- Despite the fact that transactions like grade changes are recorded, the unauthorized changes apparently only came to light because a teacher noticed discrepancies in his or her own grades. This is one of the hardest elements of the story to understand, as it implies that over a period of a semester or longer, individual teachers did not notice grade changes within their own rostered classes. It is not a stretch to think that most or all teachers keep some paper-based grading records that support the entry of course grades into the system, so the raw data should presumably exist to help investigators as they examine the grade records of all students.
- The level of security awareness among users may be somewhat less than it should be at the school. It may be unreasonable to assume that an average user would visually inspect the computer he or she was using, and it’s entirely likely that the keylogger-containing USB drive was attached to a port on the back of the machine or other unobtrusive location. Organizational security awareness (or more generally, risk awareness) also seems sub-optimal, based on no other evidence than the permitted student use of faculty computers without supervision.
- As noted previously, there is nothing in published reports to suggest that the grading system can be accessed remotely, whether over the Internet using a Web-based interface or perhaps after establishing a VPN session or other secure connection to the school’s network. Many school districts run centralized computing resources, including administrative systems such as grade reporting and online classroom applications, so network-based access appears likely, and remote access is at least feasible. While the ability to access the system remotely might facilitate student hacking efforts (removing a risk of being caught while misusing a school computer), the use of additional network access credentials (such as a separate username and password for a VPN connection) would provide an additional layer of security for scenarios not involving student use of on-site workstations.
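The automated log analysis suggested in the audit-log bullet above, as an added example that is not code from the original article or from the school's grading system. It assumes a CSV audit log with one row per recorded change (timestamp, student, course, assignment, old and new grade) and, like the log described in the reports, deliberately has no user column, so all three rules key on the record and the time of the change only. The rows, the grading-period end date and the thresholds are constructed for the example.

```python
"""Heuristic review of a grade-change audit log.

Added example, not code from the original article or from the school's
grading system. The CSV layout is an assumption: one row per recorded
change with timestamp, student_id, course, assignment, old and new grade.
It has no user column, matching the report that the school's log did not
record who made a change, so every rule below keys on the record and the
time of the change only.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log; every row is invented for this example.
SAMPLE_LOG = """\
timestamp,student_id,course,assignment,old_grade,new_grade
2010-01-05T14:10:00,S1001,ALG2,Quiz3,75,78
2010-01-08T09:30:00,S1002,CHEM,Lab4,60,65
2010-01-20T16:05:00,S1003,ALG2,Midterm,58,88
2010-01-21T16:10:00,S1003,ALG2,Midterm,88,91
2010-01-21T16:12:00,S1003,ALG2,Midterm,91,95
2010-01-25T22:40:00,S1004,HIST,Final,64,90
2010-01-25T22:41:00,S1005,HIST,Final,70,92
2010-01-25T22:43:00,S1006,CHEM,Final,55,89
2010-01-25T22:44:00,S1007,ALG2,Final,61,93
2010-01-25T22:46:00,S1008,BIO,Final,68,90
2010-02-03T10:00:00,S1009,BIO,Final,79,80
"""

# Assumed close of the grading period; any change after this is "late".
TERM_END = datetime(2010, 1, 22, 23, 59, 59)


def parse_log(text):
    """Parse the CSV text into a list of dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["old_grade"] = int(row["old_grade"])
        row["new_grade"] = int(row["new_grade"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def repeated_edits(changes, threshold=3):
    """Grades (student, course, assignment) changed `threshold` or more times."""
    counts = Counter((c["student_id"], c["course"], c["assignment"]) for c in changes)
    return {key: n for key, n in counts.items() if n >= threshold}


def late_changes(changes, term_end):
    """Changes recorded after the grading period closed."""
    return [c for c in changes if c["ts"] > term_end]


def burst_changes(changes, window=timedelta(minutes=10), min_count=5):
    """Changes that belong to a run of `min_count` or more within `window`.

    With no user recorded, a tight cluster in time is the closest available
    proxy for "many grades changed in one session".
    """
    flagged = set()
    n = len(changes)
    for i in range(n):
        j = i
        while j < n and changes[j]["ts"] - changes[i]["ts"] <= window:
            j += 1
        if j - i >= min_count:
            flagged.update(range(i, j))
    return [changes[k] for k in sorted(flagged)]


def review(text, term_end=TERM_END):
    """Run all three rules over a log and return what each one flagged."""
    changes = parse_log(text)
    return {
        "repeated": repeated_edits(changes),
        "late": late_changes(changes, term_end),
        "bursts": burst_changes(changes),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for key, n in report["repeated"].items():
        print(f"repeated: {key} changed {n} times")
    for c in report["late"]:
        print(f"late: {c['timestamp']} {c['student_id']} {c['course']}/{c['assignment']}")
    for c in report["bursts"]:
        print(f"burst: {c['timestamp']} {c['student_id']} {c['old_grade']}->{c['new_grade']}")
```

On the sample rows the repeated-edit rule flags the midterm grade rewritten three times, the late rule flags every change after the period closed, and the burst rule flags the five changes made within six minutes on the evening of January 25 while leaving the single February correction alone. Real thresholds would be tuned against a period of known-good activity so that legitimate end-of-term corrections do not drown the alerts.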
The most positive aspect of this incident appears to be the simple fact that the unauthorized changes were discovered at all, although there is still some question as to how long the changes had been occurring. Subsequent news reports placed the number of teacher gradebooks involved in the unauthorized changes at 35, far more than originally reported. It may be that the student hackers were victims of their own ambition; had they changed fewer grades they might have escaped notice, or at least delayed the discovery of the intrusion.