Monday, December 3, 2012

Preventing Damage by Preventing Grade System Intrusions: Attacker Vectors

Social Engineering

Non-technical theft of account information is a people problem and can be solved through policy and enforcement of that policy. As discussed in the first case study, the attacker was alleged to have used the same account information numerous times, 110 times to be exact (Lupkin, 2012), over the course of two years. Such a situation cannot happen if passwords do not stay valid for that long. If the superintendent had updated her password every three months, the attacker would have quickly lost access.

Another policy that can prevent such account compromises is strict rules on how to protect account information. Since Lupkin (2012) did not mention any technical tactics used, it is likely that Venusto received the account information in a more direct way, such as the victim having the data written down at her computer or even having handed over the account for some reason. It can be convenient for an upper official to give their information to a secretary, say to schedule meetings, but that should always be considered a critical security violation.

Attack Vector: Malware Infection

Edwin Kim collected the account information he needed via a software keylogger that he had installed on a shared workstation (Gibbons, 2012). Security policies that required and enforced the principle of least privilege would have prevented this compromise. A common user, which is what an average student at a university should be, will not have the privilege to install software that runs outside of their own session. Any change that can affect the running environment of other users should require an administrator. Additionally, high-value targets such as professors should avoid sharing hardware with students. A student who swaps the expected keyboard for a ‘value-added’ look-alike can log the keystrokes typed on it even without installation privileges.

Attack Vector: Physical Security

Palos Verdes High School’s intrusion was the result of poor physical security. Defense in depth should have prevented access. Altman (2012) makes no mention of how the teens entered the grounds or the building, so one has to assume that those steps were fairly trivial. Both should have been secured and surveilled with either recording devices or human guards. Once inside, the intruders collected a master key after picking the lock on the janitors’ office. An object of such value as the master key should not be available just behind a lock that it can itself open. Clearly, the protections on the key were significantly lacking.

Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. Retrieved from:

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. Retrieved from:

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. ABC News. Retrieved from:
