Generic Passwords Expose Student Data
Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"
Don't Do It! Think Of The Fscking Children! (Score:4, Interesting)
Yes, and she could also be criminally negligent [slashdot.org] for doing so.
Don't you believe for one MINUTE that we won't prosecute either. Hell, we could just bypass the criminal justice system and sue [slashdot.org] your precious little girl.
Mwwwwwaaahahahahahaha!
1234 (Score:5, Interesting)
I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)
One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.
The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.
The default password was (for 50,000 employees) "1234".
sloppy admining (Score:5, Interesting)
(yeah, even the timesheet software has the same password -FOR ALL USERS!-)
The Password (Score:3, Interesting)
You think the password was "Pencil"?
(If this didn't make sense to you, then you're probably not old enough to remember the 1980's teen fantasy movie War Games)
Not new to me... teachers discovered! (Score:3, Interesting)
The press is your friend. (Score:5, Interesting)
Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discreet manner. Sure enough, within a week the hole was closed.
No credit, no publicity, but results. (My kids will be students there soon!)
Been going on since the 80s if not earlier (Score:2, Interesting)
I mention Art School accounts because back in '83 an Arts Major would never set foot in a data center but was issued an account nonetheless. If they never logged in nobody cared. There were many non-student users at 'The Apocalyptic Cyber Coven' back then. Name the school and you get a cookie.
That's nothing, really (Score:3, Interesting)
Re:My college did a similar thing (Score:5, Interesting)
I discovered that the purpose of this was to allow the Managing Director to read everyone else's E-mail after work to see what his staff were up to. External E-mail was only available from one machine which just so happened to be next to the same person's desk, and could only be used with supervision.
I left the place after 2 days of work in disgust at this and the other equally shady practices of this dodgy company.
Everything is as it should be (Score:4, Interesting)
Lazy Admins (Score:3, Interesting)
This is the same system admin who mapped drives on the Samba3 domain to regular users as the Domain Admin, shared up the entire C drive of a server read-only (on top of the existing administration share), uses eMule at work and who reformats his Windows box every 3 months because of excess spyware.
The problem comes from system administrators who are lazy and stupid. All this admin had to do was write some scripts to check when teachers updated their passwords, and if they didn't after x amount of time, lock their accounts. Either that or send out unique passwords.
Stupid people shouldn't be in charge of important things that involve the physical and informational security of many people. However we keep putting them in those positions and keep them there because it's easier and we "trust" them even though they are incompetent. Why else would Americans reelect Bush?
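The check this comment calls for, as an added example that is not the poster's code or any district system's: a script that flags accounts whose stored hash still matches the issued generic password and locks them once the grace period has passed, plus the alternative of issuing a random per-teacher initial password. The account-store format, the generic password, the PBKDF2 parameters and the sample teachers are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed values for this example: the generic password the district issued
# and the PBKDF2 parameters of a hypothetical account store.
GENERIC_PASSWORD = "welcome1"
PBKDF2_ITERATIONS = 100_000
GRACE_DAYS = 7

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_account(username, password, created):
    """Account record with a per-user random salt (constructed store format)."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt),
            "created": created, "locked": False}

def still_on_generic_password(acct):
    """True if the stored hash still matches the generic password under this account's salt."""
    candidate = hash_password(GENERIC_PASSWORD, acct["salt"])
    return hmac.compare_digest(candidate, acct["hash"])

def enforce_initial_change(accounts, now, grace_days=GRACE_DAYS):
    """Lock accounts still on the generic password past the grace period; return who was locked."""
    locked = []
    for acct in accounts:
        overdue = now - acct["created"] > timedelta(days=grace_days)
        if not acct["locked"] and overdue and still_on_generic_password(acct):
            acct["locked"] = True
            locked.append(acct["username"])
    return locked

def issue_unique_password():
    """The alternative the comment suggests: a random per-teacher initial password."""
    return secrets.token_urlsafe(12)

def audit_sample(now=datetime(2005, 1, 14)):
    """Constructed sample: three teachers; one changed, one overdue, one still in grace."""
    accounts = [
        make_account("teacher_a", "a real passphrase", now - timedelta(days=30)),
        make_account("teacher_b", GENERIC_PASSWORD, now - timedelta(days=30)),
        make_account("teacher_c", GENERIC_PASSWORD, now - timedelta(days=2)),
    ]
    return enforce_initial_change(accounts, now)  # returns ['teacher_b']
```

Because each account has its own salt, the audit recomputes the generic password's hash per account rather than comparing hashes across users, so it works against a store that never keeps plaintext.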
Re:Integrity (Score:4, Interesting)
I 100% agree; why bother even having passwords in the first place?
"We don't rely on passwords, we rely on integrity"
Re:California Penal Code 502 (Score:2, Interesting)
Re:Weak passwords are an epidemic (Score:2, Interesting)
False security (Score:3, Interesting)
1. Migrate client authentication over to NT
2. Create trust relationship between Netware and NT, allowing clients to access old Netware resources.
3. Migrate file/print/email and whatever else over to NT as it suited them.
I don't know enough about Netware to say whether the migration plan should have worked or not, but something definitely mucked up. They couldn't get Netware to trust the NT logons. The solution?
They simply removed ALL access restrictions from ALL Netware resources!!!!! The hospital ran for months with no access controls on ANYTHING!! Sure, people had to enter a valid password, but once you were logged in, you could open up anyone's network shares and do as you pleased. Patient information was freely available, even from the virtually unsupervised computers at mostly abandoned reception desks.
The network admins did their best to keep it a secret. After watching these admins hiding a security hole this large, I have almost no faith that security in large networks is ever implemented properly.