Months after school server hacked, IT security remains an issue
The New Canaan school district received mixed grades on the security of its technology from town auditor O'Connor Davies.
The firm listed 21 observations and recommendations for improvement on the school district's IT department in more than 10 of the 36-page management letter it submitted and presented to the town.
The issues range from passwords to protocols. One item the audit identified was the district's firewall traffic restrictions.
"The firewall is not configured to restrict outbound communications," the report noted, explaining that "without a proper level of restrictiveness in the type of communications that can or cannot cross the firewall, the (Board of Education) is at risk for potential covert channels of communication through the firewalls."
The firewall concern comes nearly a year and a half after a server at Saxe Middle School was left unprotected and was hacked, leading to a phone call from the FBI to Chris Kaiser, New Canaan's director of information technology.
More InformationFact box
"AGAIN, Someone from your network has been trying to hack into my server for a while today," James Stotz, vice president of information technology at the Association of General Contractors of Texas, wrote in a Jan. 31, 2012, email addressed to Kaiser. "You may want to let whomever know that their server/computer has been compromised. Please put a stop to it ASAP I have blocked your network range IP from making connections to our server as of now. I have also notified the FBI and Internet Crime Complaint Center (IC3)."
In a phone interview Monday, Stotz said he recalled at the time his organization was being attacked from many sources, not just the New Canaan school server, and that he reported them all to the FBI. AGC is an Austin-based organization that lobbies on behalf of contractors. He said he believed a Saxe Middle School server was hacked and used by hackers to bombard his network with randomly generated guesses of passwords and user names in an attempt to gain access.
Stotz said he believes the hackers mistakenly thought he had Aloha/Point Of Service software, such as those used by restaurants, which typically contain credit card information. Ironically, the hackers were smart enough to hack into a server, but not smart enough to realize his was a contractors' organization and not a restaurant. He said he found the IP addresses the attempts were coming from, one of which was New Canaan's, and contacted the town.
And then the FBI called.
"An agent out of New Haven said the IP address associated with the server was linked with a known hacking group," Kaiser said in an interview. "The schools had elected to leave one of their servers wide open. Someone had dumped some kind of software on there that would target Aloha/POS systems."
Kaiser addressed the problem in an email to the school district.
"This is the second time this month," Kaiser wrote in a Jan. 31, 2012, email to the school district IT department. "You are jeopardizing the integrity of our network and the Town of New Canaan's WAN. I have spoken to Jim at AGC and he informs me that for the past two weeks, your server (redacted) has been attacking his network in search of an Aloha/ POS system."
Kaiser then disabled the server and town and school IT workers fixed the problem. The schools wiped the server clean and reinstalled all its software.
Stotz said the attacks stopped around March 2012.
"That's when I disabled all remote desktop connections, so we weren't as appealing. I think we also changed IP addresses at the same time," he said. He said several restaurants in Austin had credit card information compromised. He also said he believes the FBI ended up arresting about 32 people in connection with the cyber attacks.
Rob Miller, New Canaan Public Schools' director of technology, said he doesn't remember the specifics of the issue and that the server itself was run by an outside firm, which operated it on behalf of the middle school. When he was alerted to the problem, he said, the district fixed it.
But almost a year and a half later, the management letter found what appear to be many basic security precautions still unperformed.
Another issue the audit identified was poor password controls in the school district's active directory, which "provides the basis for account and system security for all the users and systems on the network," the management letter states. Problems included passwords with no minimum length requirements, meaning an employee could choose a blank password. It also noted that there were no complexity requirements or controls which would lock an account after a number of incorrect password attempts.
Additionally, the audit found issues with antivirus protection, noting that the "password used to access the BOE antivirus administration console was the vendor default password," among other problems, including the lack of a mechanism to alert IT employees if a virus is detected and not removed.
Miller said he's read the audit and that the district already has rectified some of the issues listed in it, and would be addressing the rest of them shortly.
"Clearly, some recommendations in there are no-brainers," Miller said Tuesday. "There are some we've already solved, there are some we were in the process of fixing while they were here, and there are others that we've created action plans to solve them."
Miller said he felt the school district is not vulnerable to further attacks, but noted that they would not be inconceivable.
"There's nothing that's 100 percent foolproof, whether you're here, or [at] Microsoft, or [at] Google," he said. "You take every precaution to mitigate those vulnerabilities to being hacked. As an IT department, whenever we learn about a vulnerability, we take the steps that are appropriate to secure our technology."
email@example.com; 203-972-4413; https://twitter.com/Woods_NCNews