by Dave Moore, 09/13/2020
As if dealing with the current Covid-19 crisis wasn’t enough, school districts are finding out just how lame their Internet defenses have been all along, as criminal hackers ramp up attacks that even the most basic of defenses should stop.
The problem is, too many schools don’t take Internet safety and security seriously until there’s a problem. I shudder to think what the situation would be if truly skilled high-end hackers decided to get involved. Here are some of the disasters around the country that have occurred during these covid-crazy times.
The Miami-Dade, Florida school system was humiliated, paralyzed and shut down by one of its students launching over a dozen “DDoS (Distributed Denial of Service)” attacks. The 16-year-old succeeded by using an unsophisticated kindergarten-level hacking tool that even entry-level cybersecurity defenders have known about for over 10 years.
DDoS attacks simulate hundreds, or even thousands, of people clicking on website links every minute. Most websites can’t handle the activity and crash, resulting in a “denial of service.”
The district had contracted with K12.com, a tech education company, and was using their “My School Online” platform. It was K12’s platform that fell to the simplistic attack, much to the dismay of outraged parents and school authorities. Only this week, September 10, did the school system decide to fire K12.com.
Hartford, Connecticut public schools delayed opening because of a “ransomware” attack. The attack worked its way through City of Hartford servers, making it impossible for school and city workers to access vital records and files.
Ransomware attacks usually begin by someone ignorantly clicking on a bogus link on a website, in an email, or opening an infected attachment, which opens the door to a computer virus. The virus encrypts important files, and holds them hostage until the victim pays a ransom, amounting to many thousands, and even millions, of dollars.
Members of the Connecticut National Guard’s Joint Cyber Response Team were called in to help rebuild the city’s network, and shore up the City’s lax security policies.
Five school districts in North Carolina suffered criminal ransomware attacks. Beginning August 26, Haywood County Schools shut down for over a week after “School officials announced the district’s computers had been hacked and that the hackers wanted money to unfreeze the district’s files,” according to TV station WLOS. “The recent ransomware attack is requiring us to rebuild our entire network and related technology services,” school officials announced.
Experts from the North Carolina National Guard were focusing on forensic work, as teams from the Microelectronic Center of North Carolina (MCNC) and the North Carolina Local Government Information Systems Association (NCLGISA) Strike Team were helping reconstruct and strengthen the district’s vulnerable networks.
Mansfield, Ohio schools suffered ransomware attacks, with Cleveland TV station WJW reporting that district computers had been hacked, and parents weren’t notified. After the fact, Superintendent Stan Jefferson sent a letter stating, “At no time was any of the personal information of our students, families or staff compromised.”
Of course, ransomware attacks have nothing to do with compromising personal information in the first place. Ransomware attacks are about collecting money, ergo, the “ransom.” Milquetoast announcements like this are typical from bureaucrats who want to deflect attention, and more importantly, responsibility, away from what’s really happening. It is a classic beat-around-the-bush, “pay no attention to that man behind the curtain” tactic.
Superintendent Jefferson also noted that the school network had “reinforced its network, added additional security and enhanced network protocols.” This is all double-speak to say that, under the pressure of an active criminal attack, they finally got around to putting in protections that should have been there in the first place, years ago.
According to Jefferson’s announcement, the protections were put in place with the help of third-party forensics experts, the FBI, and, interestingly enough, the district’s insurance company.
Parents in New Hanover County, North Carolina, were shocked as criminals “Zoom-Bombed” in-home online student learning events with sexual profanity during remote virtual classroom sessions hosted by online meeting service Zoom. Numerous school systems around the country have reported similar incidents with Zoom.
“Zoom-Bombing” is an attack where criminals can join online Zoom meetings because the meeting hosts have failed to properly secure the meeting with good passwords.
Criminals Zoom-Bombed Oklahoma City University’s virtual graduation in May by broadcasting racial slurs and a swastika as a student gave a blessing. “We are heartbroken and outraged at the hate-filled attack,” said OCU President Martha Burger. “Although we took safety precautions, unfortunately the digital platform we used to connect has become a target.”
This is sad, noting that, due to security concerns, and after a months-long string of national hacking attacks known as “Zoom-Bombing,” the Oklahoma Supreme Court banned the use of Zoom on all equipment provided by the Administrative Office of the Court and its Management Information Systems in Emergency Joint Orders issued as early as April 2020. Online conferencing services like Skype were allowed.
Were local governments paying attention, and following suit? You would think so, but no; two months after the Supreme Court edict, City of Norman, Oklahoma, officials were begging the viewing public to engage in a cover-up by deleting online evidence of a Zoom-Bombing attack.
An online meeting of Norman’s Animal Welfare Oversight Committee was abruptly interrupted and ended after hackers, using the meeting password that was publicly posted on City Council member’s Facebook pages, began showing images of child pornography, a naked man dancing and masturbating, and racial and homophobic slurs.
City spokeswoman Annahlyse Meyer said, “We are asking anyone with screenshots to please delete them because they will be in possession of child pornography.” But, instead of shifting responsibility to innocent viewers, shouldn’t the City be held accountable for its incompetent security policies, which allowed child pornography to be broadcast in the first place?
There are many, many more examples of the hacker problems we are facing in these vulnerable times. We all need to take responsibility for the safety measures we are able to put in place, measures we should have put in place long ago.
Dave Moore has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org