Technology in Schools: The Heartbreak of Heartbleed

24 Jul 2014 by Teresa Meek

With the adoption of Chromebooks and smartphones in the classroom and virtual private networks throughout, schools have steadily become more technologically sophisticated.

Using these devices and networks allows students to interact with their learning environment in exciting new ways. Network systems also reduce paperwork and simplify tasks for administrators.

But using technology also means having to deal with its inherent vulnerabilities.

One of the latest—and worst—examples is Heartbleed. Until it was discovered in April 2014, the Heartbleed bug in OpenSSL allowed hackers to read encrypted information like usernames and passwords in locations that were supposedly secure. Some 66% of Internet servers use OpenSSL. That includes a lot of schools and school vendors.

“This is one of the worst security issues we’ve seen in the last decade and will remain within the top five for many years to come,” Adam Ely, COO of Bluebox Security, told SecurityManagement.com.

All schools using hosted applications for student information, online testing, or anything else should check with service providers to find out if their systems were affected and whether appropriate fixes have been put in place.

“Even conservative experts have said that on a scale of 1 to 10, this is an 11,” said Rachel Wente-Chaney. As chief information officer of the High Desert Education Service District in central Oregon, Wente-Chaney, like staff in many school IT departments, has been working overtime to deal with the ramifications of the problem.

Like most school systems, High Desert stores sensitive data that includes everything from student information to finances and staff Social Security numbers.

“Our first response was securing our own infrastructure,” Wente-Chaney said. All of the district’s hardware, software and vendor products were examined to see if OpenSSL was used. If it was, it needed to be patched. Some patches had to come from outside vendors, who responded quickly. Staff kept watch for these patches around the clock and put them in place as soon as they were received.

The next step—protecting school district resources from anyone who may have harvested usernames and passwords during the two years the bug was operational—proved more difficult. The IT department had to force username and password changes for all of its systems and all the people using them. That’s hard enough, and the timing—in the middle of grading periods and busy schedules—couldn’t have been worse.

“It’s messy and it’s painful, and it sends the help desk into overdrive because people forget their passwords,” Wente-Chaney said. “Or they’ll say, I reset it here, but now my wireless isn’t working.” iPads, VPNs and personal computers all require separate changes.

The final step is an education program for teachers, staff and students on technology vulnerabilities and protection. This includes telling them that passwords for accounts outside of school systems should be changed, too.

But getting people to change their passwords is an increasingly uphill battle, as hackers make headlines breaking into high-profile sites like Target, Forbes, LinkedIn and others that contain huge amounts of user data. As people are forced to change their usernames and passwords time and again, password fatigue sets in and some people just shrug their shoulders and hope for the best.

The password system certainly has limitations, and many new computers and mobile devices are moving to biosensors like fingerprint scanners or eye trackers instead. But those systems have vulnerabilities of their own.

“I don’t know that anyone has the answer for what comes next,” Wente-Chaney said. “But tools like password managers [which generate and store strong passwords] are a good intermediate step.”
