January 2011 Maria's Blog Draft Post, Never Posted--Until Now
Not much time for blogging is left when one has family over, but I couldn't help feeling relieved by Mark Spivey's report that "only certain employees have the type of custodial access to the database that would allow for the vandalism that recently took place..."
Well, this is certainly a relief that it was not a commoner's password that was stolen.
I now wonder if the password used to vandalize the system, poopnuggets, was the real password of one of our "certain employees". Please let it not be. But, if it was, hopefully the BOE will add to their policy a clause requiring less graphic passwords.
How successful is Genesis today? Do you know?
*Genesis is the school-home communication system that was hardly used by parents. Teachers also lacked clarity as to how to use it as a tool to communicate with parents...one challenge: Genesis regular posting was not part of their contract.
9 comments:
Let me help you out as was disclosed at the public meeting that discussed this: the password was not developed by district personnel but was in fact a pre-assigned password issued by the company who develops the software.
12:49,
Even if your information is accurate, don't district staff know that a pre-assigned password must be changed? Even my 12 year old knows that. I'll bring out the Minutes, both public and executive, to see if at least what you are saying was captured. Thanks.
It wasn't at that employee level, it was at the developer level, and if you knew ANYTHING about software development there are always developer codes, which the hackers used, and user codes. I bet your 12-year-old knows a lot about his mom.
2:15,
You should be careful what you post in here, Genesis being a technology company could easily track you down if you are not telling the truth. As a matter of fact, let me send them your comments and see what they say. Maybe they would like to clear the air on the Genesis thing once and for all. Thanks.
Please do and make sure you post your results. You are welcome.
As someone who works in technology, I have a comment.
If the password was set at the "developer level", then the fact that the hackers could get it points to a very insecure system. No application developer puts passwords in the code -- at least not good ones. For the hackers to find the code, it means it had to be stored or embedded in the code. Not a good thing at all!
If this is true, the password was in the code itself -- then at best it was sloppy coding.
Plus, any system which holds confidential information should be designed with passwords associated with specific IP pairs. Most of us work from the same computer, and the computer IP and password can be bundled together for robust security.
In other words, the system can look at the IP the request is coming in from and the password. If the IP is a new IP (like a hacker's computer), then the system should challenge with a security question, or something along those lines.
This is web developer security coding 101. If Genesis doesn't have this type of security in place, then parents and the BOE should either demand better security be put in place or get another system.
Olive Lynch
Not true ALL true Olive. The FBI took over this case and NO ONE was found. So you see hackers do well what they do.
And the security breach was fixed, but if you are in the IT business then you know NOTHING is hacker-proof. They get smarter and smarter and it happens to the best system developers in the world. Ms. Pellum is revisiting very old news.
Thanks Olive. After reading the previous comment I had the same concern. And while hacking happens to the best, time and time again it has been reported that hacking has happened because someone forgot to "properly lock the key". This is something that, as you can read from 5:38, will never be admitted here in Plainfield. Thanks Olive.
The fact that the FBI couldn't trace the hackers' IP means the hackers were able to cover their tracks. They probably were using some kind of virtual IP through layering.
If this was the case, then the IP-password pairing still would have stopped them from gaining entry.
Every web application (if it is well written) that uses a user/password on the web can read the IP used to access the application.
This is how people get viruses on their computer -- they go to a web site, the website has an application that detects your IP touching the page, and it sends a little software executable to your computer. Web pages detect user IPs all the time -- like cookies that a webpage will set up on your computer, so you don't have to log in every time.
Another security nightmare are websites that load "keyloggers" onto your computer. You touch the website, the website puts a program on your computer that tracks your every keystroke and sends it back to the website. The bad guys can get your userid/password that way.
Simple, robust web security can match a userid, IP address and password. Typically most users use the same computer, and if the user accesses the system from another location -- the application can simply challenge the user with another layer of security.
So -- even if the hackers were able to cover their IP tracks or use "virtual IPs" -- this methodology would have worked.
The system would have detected the IP was different from the normal user's IP address, and challenged them with another security layer (typically security questions of a personal nature answered by the user).
This protocol is used by banks on the web and other companies that don't want their users' information compromised.
The best security system is for the user to have a "key" that generates a random password. You press the button, get a password, then enter that in the web along with your userid/password. This is pretty hard-core security, and most banks use this for employees working remotely on the bank systems. It's what I use when working from home. With this type of security, even if your userid/password is hacked from a keylogger, your information is secure, because you have the randomly-generated key.
When I read the hackers' posts, they indicated the password was "out there" and very easy to get. Hackers know how to look at a website's code. So it makes me think the password was right there in the code -- which anyone could get to, if they can read code.
Olive