By CHRISTINA DeNARDO
Palm Beach Post Staff Writer
November 23, 2007
Following a security breach by a high school student who hacked into the
Palm Beach County School District's computer system to change grades and
attendance records, more than $1.5 million has been spent to beef up
security of its extensive network.
So far, the investment has paid off.
Since the student's arrest in April 2006, there have been no major
security threats, even as those opportunities increase. The district is
so confident in its security, it has dared students and hackers to crack
it, offering a free wireless router for anyone who could.
"We had people trying to hack in from China," said Bob LaRocca, the IT
security chief, who gave hackers a specific assignment. "Some days we
got thousands of hits. The prize is still sitting in my office."
Every day, the computer network gets 16,000 attacks. Every week, the
employees receive 100,000 e-mails, and 80 percent of them are spam and
potentially dangerous. Outside schools and district offices, hackers
using devices attempt to capture the data that runs across the
district's network to crack password files. Unlike a decade ago, people
don't have to be computer geeks to become hackers. Online chat rooms and
Web sites give step-by-step directions on how to hack, making it easier
for students or anyone to tap into networks.
The first serious security breach occurred after a student stole a
password to a server, giving him access to every user profile in the
school district's system. Ryan Duncan, then an Inlet Grove High student,
hacked into the computer system at school and home in December 2003 and
January 2004. Though he didn't alter any records, his access could have
resulted in great harm to the system, officials said. In a plea deal,
Duncan agreed to help create a video on the seriousness of computer
Less than a year later, another student, Jeff Yorston of Dreyfoos School
of the Arts, used employee passwords to change his friends' grades,
erase suspensions and give himself credit for classes he never took. In
another case, an employee posted a detailed instruction sheet for how to
log in to the district server in case of a power outage, including login
and password information. Yorston avoided jail by deferring prosecution
after agreeing to complete a pretrial intervention program, undergoing
state supervision and paying a $5,000 fine.
Since those incidents, the district has spent more than $1.5 million in
security upgrades, as well as changing policy to require employees to
change passwords every 60 days. Previously, passwords never had to be
A year ago, the district's middle and high schools had no one on staff
responsible for fixing problems and relied on the district's office for
help. But now each school is starting to bring in its own computer
Three computer security personnel were hired to scan for holes in the
network's security, monitor e-mail traffic and prevent intrusions such
To prevent terminated employees from accessing district information, in
the next few weeks, a new program will automatically disable their
Computer administrators, who have the greatest access, will soon need
another device in addition to a password to connect to the system. The
device, called a token, generates a new pin number every 60 seconds.
"If someone would steal the unit, they wouldn't have your user ID and
password, and if they had your user ID and password, they would need the
unit," LaRocca said. The district has spent about $1 million to upgrade
its anti-virus software for every computer in the district.
The district is also moving to prevent what is called "sniffing," where
hackers with wireless access sit outside school buildings, often in
their cars, and scan traffic in order to capture passwords and view the
content of messages send over the Internet.
In response, the district is spending about $500,000 to purchase a
package of sensors for every school and district building which will
pinpoint the location of the sniffers and alert police. The technology
will also encrypt the data so sniffers can't understand it.
Though the safeguards have been successful, experts say the only way to
fully protect against an attack is to unplug the computers.
But LaRocca said the incidents involving Duncan and Yortson have made
raising security a greater priority.
"The board gave us their full support in light of all the things that
have happened," he said. "What happened here helps me get the message
out that we had to tighten security and make more prudent investments."
Visit InfoSec News