Security Education

Generic Passwords Expose Student Data 251

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
  • by geomon ( 78680 ) on Friday October 21, 2005 @10:47AM (#13844386) Homepage Journal
    "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students.'"

    Yes, and she could also be criminally negligent [slashdot.org] for doing so.

    Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue [slashdot.org] your precious little girl.

    Mwwwwwaaahahahahahaha!
  • 1234 (Score:5, Interesting)

    by yagu ( 721525 ) * <yayagu@[ ]il.com ['gma' in gap]> on Friday October 21, 2005 @10:48AM (#13844394) Journal

    I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)

    One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.

    The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.

    The default password was (for 50,000 employees) "1234".

  • sloppy admining (Score:5, Interesting)

    by fak3r ( 917687 ) on Friday October 21, 2005 @10:52AM (#13844431) Homepage
    sloppy admining is everywhere unfortunately; it's seen as more of a nuisance rather than a safeguard. It's just pervasive, and even when new projects are brought onboard at my company, the password ends up being the username's name, or -blank-. I even wrote an article about my recent experience with this at work: Password deficiency in the workplace [fak3r.com] where the person implementing the software said, "Well, there's a password, it's not a really good password, and it's the same for everybody (hehe)" Yeah, she said that...and then laughed - during the presentation introducing the project to the team.

    (yeah, even the timesheet software has the same password -FOR ALL USERS!-)
  • The Password (Score:3, Interesting)

    by Snowgen ( 586732 ) on Friday October 21, 2005 @10:53AM (#13844436) Homepage

    You think the password was "Pencil"?

    (If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)

  • by Thilo2 ( 214163 ) on Friday October 21, 2005 @10:53AM (#13844445)
    ..it worked just like that at my old school, too. Especially with teachers there are always those who don't like computers. So "we" created a user account under the generic name of a teacher and thus had access to several administrative features that only teachers were supposed to have access to. The irony is, we found out about a log file that logs every visited web page, +username. One of the unpopular teachers even revisited pages students had visited minutes ago just to look at what they were looking at, effectively spying on "our" privacy. It is not as if I had ever visited pornographic content. It just makes me feel uncomfortable knowing that "they" know what I surfed at.
  • by xxxJonBoyxxx ( 565205 ) on Friday October 21, 2005 @10:56AM (#13844472)
    A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.

    Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.

    No credit, no publicity, but results. (My kids will be students there soon!)
  • by infonography ( 566403 ) on Friday October 21, 2005 @10:57AM (#13844477) Homepage
    A common trick used by 'Art School account' holders at a certain University in 83 was to check the sequential account numbers and use the default password. If the rightful owner never logged in the account would be yours for the quarter. If they did, you got kicked and had to use one of the other 100 or so you and your buddies built up.

    I mention Art School accounts because back in 83 an Arts Major would never set foot in a data center but was issued an account nonetheless. If they never logged in nobody cared. There were many non-student users at 'The Apocalyptic Cyber Coven' back then. Name the school and you get a cookie.
  • by ZakuSage ( 874456 ) on Friday October 21, 2005 @10:57AM (#13844490)
    Some dumb teacher at my old school put up contact information for all students and staff in the school, as well as their accounts + email with passwords on a directory accessible without password. I found it the first year I went there (4 years ago), didn't tell anyone (would you? honestly...), and they just found out that it was there about 6 months ago. The kicker is that the thing got updated each year!
  • by shippo ( 166521 ) on Friday October 21, 2005 @11:05AM (#13844549)
    I worked at a place that had the same policy for their Exchange system - i.e. blank passwords for everyone. Not only that, but normal users were not able to change their account passwords.

    I discovered that the purpose of this was to allow the Managing Director to read everyone else's E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.

    I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.
  • by iamacat ( 583406 ) on Friday October 21, 2005 @11:12AM (#13844609)
    Smart students are supposed to figure out the system, have a reasonable amount of fun and then show their integrity by not doing damage or creating unfair advantage for themselves. I had root on most systems in university and nobody worried much about it. Read Harry Potter and Enders Game and note that although it's fiction, the thrill of discovering secrets is what makes you really learn. There are always ways to catch those that truly abuse their knowledge.
  • Lazy Admins (Score:3, Interesting)

    by SumDog ( 466607 ) * on Friday October 21, 2005 @11:28AM (#13844741) Homepage Journal
    When I first got my current job, everyone had the same password! It's awful because even when someone leaves the company, they can still access everyone else's accounts. The system admin's response when I asked him about it: "Well if you let them choose their own passwords they keep forgetting them and keep bugging me about it."

    This is the same system admin who mapped drives on the Samba3 domain to regular users using the Domain Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his windows box every 3 months because of excess spyware.

    The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.

    Stupid people shouldn't be in charge of important things that involve the physical and informational security of many people. However we keep putting them in those positions and keep them there cause it's easier and we "trust" them even though they are incompetent. Why else would Americans reelect Bush?
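    The control described in the comment above (check whether each account is still on the issued generic password and lock it once a grace period has passed), as an added example; this is not code from the thread, from the district's vendor, or from any real system. The user store, the `UserRecord` fields, the PBKDF2 parameters, the generic password and the three teacher records are all constructed for the example. It also adds the second half of the fix the article's incident needed: a login that recognises the generic password still in use and allows nothing but a password change.

```python
"""Lock accounts still on the issued generic password after a grace period.

Added example, not code from the thread or from any district system. The user
store, field names and the generic password are hypothetical; the sample
records in demo() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: the store keeps salted PBKDF2-HMAC-SHA256 hashes


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    provisioned_at: datetime
    password_changed_at: Optional[datetime] = None  # None: never changed since provisioning
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def provision_user(username: str, generic_password: str, when: datetime) -> UserRecord:
    """Create an account the way the district did: every user starts on one shared password."""
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(generic_password, salt), when)


def set_password(user: UserRecord, new_password: str, when: datetime) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    user.password_changed_at = when


def still_on_generic_password(user: UserRecord, generic_password: str) -> bool:
    """Re-derive the generic password under the user's own salt and compare in constant time.

    Checking the hash rather than trusting password_changed_at also catches a user
    who "changed" the password back to the generic one.
    """
    return hmac.compare_digest(user.pw_hash, hash_password(generic_password, user.salt))


def lock_stale_accounts(users: List[UserRecord], generic_password: str,
                        now: datetime, grace: timedelta) -> List[str]:
    """Lock every unlocked account still on the generic password past the grace period.

    Returns the usernames locked on this run, so the job can report them.
    """
    locked_now = []
    for user in users:
        if user.locked or not still_on_generic_password(user, generic_password):
            continue
        if now - user.provisioned_at > grace:
            user.locked = True
            locked_now.append(user.username)
    return locked_now


def authenticate(user: UserRecord, password: str, generic_password: str) -> str:
    """Login decision: 'locked', 'denied', 'must_change' (generic password still set) or 'ok'."""
    if user.locked:
        return "locked"
    if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
        return "denied"
    if still_on_generic_password(user, generic_password):
        return "must_change"  # credentials are valid, but only the change-password page is reachable
    return "ok"


def demo() -> Dict[str, object]:
    """Constructed scenario: three teachers provisioned with the same generic password."""
    generic = "Welcome2005"  # constructed generic password
    now = datetime(2005, 10, 21, 12, 0, tzinfo=timezone.utc)
    users = [
        provision_user("teacher_a", generic, now - timedelta(days=40)),  # never changed, old
        provision_user("teacher_b", generic, now - timedelta(days=3)),   # never changed, recent
        provision_user("teacher_c", generic, now - timedelta(days=40)),  # changed promptly
    ]
    set_password(users[2], "correct horse battery staple", now - timedelta(days=39))

    # What happens when someone tries each account with the generic password, before and after the job.
    before = {u.username: authenticate(u, generic, generic) for u in users}
    locked = lock_stale_accounts(users, generic, now, grace=timedelta(days=14))
    after = {u.username: authenticate(u, generic, generic) for u in users}
    return {"before": before, "locked": locked, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    Run as a scheduled job, `lock_stale_accounts` is the script the comment asks for; `authenticate` is the part that would have kept the district's data closed even before the job ran, because a login with the generic password never reaches student records. Comparing against the stored hash, rather than a "password changed" flag, is deliberate: the flag says a change happened, the hash says what the password is now.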
  • Re:Integrity (Score:4, Interesting)

    by thefirelane ( 586885 ) on Friday October 21, 2005 @11:56AM (#13845027)
    That's why you teach your child this thing called "integrity". Never mind what your child could do. There are lots of things your child could do, but should not do. One of your jobs as a parent is to teach your child the difference.

    I 100% agree, why bother even having passwords in the first place?

    "We don't rely on passwords, we rely on integrity"
  • by TIMxPx ( 859220 ) on Friday October 21, 2005 @01:12PM (#13845758)
    Heck you can't even check another person's email according to many service agreements, etc. One time I had a low storage quota that I couldn't get raised on a college system, and I was about to go into the wilderness for 3 months (no net access at all), so I emailed the sys admin to get permission to have someone else check my email while I was away, but they wouldn't even grant me permission to do that. I was just testing them, but what if an important email were returned to the sender because I couldn't legally have someone delete the crap for me? So basically, lots of access is technically unauthorised, but that's supposed to be the function of passwords. I know what you're saying and I agree with you, just wanted to make the point that a password is designed precisely to prevent unauthorised access. If the password isn't sufficient to do that, it's superfluous. It's not as if one would accidentally login with a different username. It's kind of like opening a door with a key. The assumption is that possessing a key gives you the right to open the door. In conclusion, I hate people so very much.
  • by scholzie ( 765494 ) on Friday October 21, 2005 @02:16PM (#13846316)
    I put my hard-to-remember PWs on a sticky note, inside a locked drawer, taped to the bottom of my desk (inside the drawer). I figure if anyone can get into the desk and find the note, they probably deserve a prize anyway. Also, I have a small card in my wallet of phone numbers. Some of the "phone numbers" are really account numbers and their PINs, but they're formatted exactly the same as the real numbers... I was always pretty proud of myself for that one.
  • False security (Score:3, Interesting)

    by canadiangoose ( 606308 ) <(moc.liamg) (ta) (mahargjd)> on Friday October 21, 2005 @02:48PM (#13846576)
    My first tech job was as the sole helpdesk technician of a small/medium-sized hospital in Canada. When I was hired, they were in the middle of transitioning their main servers from Netware to NT4. The plan had been simple:

    1. Migrate client authentication over to NT
    2. Create trust relationship between Netware and NT, allowing clients to access old Netware resources.
    3. Migrate file/print/email and whatever else over to NT as it suited them.

    I don't know enough about Netware to say whether the migration plan should have worked or not, but something definitely mucked up. They couldn't get Netware to trust the NT logons. The solution?
    They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no access controls on ANYTHING!! Sure, people were to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.

    The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.
