Presented by Victor Cosentino & Pete Robbins, this presentation discusses the hacking attack on a school website, the response to the attack, lessons learned, and issues for discussion.
Turnabout: When the New Tools For Communication are Turned Against Us. Presented by Victor Cosentino & Pete Robbins, Chatsworth Hills Academy, at CAIS Trustee/School Head Conference, January 24, 2009
Presentation: 1. The Turnabout 2. Our Response 3. Lessons & Observations 4. Issues for Discussion 5. Questions & Answers
Viewer Discretion Advised We have toned down the language used by the attackers as much as possible and obscured the identity of our targeted teacher. We are also leaving out references to the various hacker websites we found.
1. THE TURNABOUT On December 30, 2007 our school website was hacked. This was the start of an attack on our school, on a beloved teacher, and on the Board of Trustees. The attack and our response played out over a two-week period. Our Board President received a forged email (via Facebook) stating that one of our teachers was engaged in a vaguely described “internet sex scheme” and that an anonymous “concerned organization” was taking steps to “help” us. The hackers replaced our school website homepage with a new one. Our Wikipedia entry was modified with similar “warning” messages.
Message: “It has come to the attention of a concerned organization that there is something going on in your child’s school that you should be aware of. There is a teacher teaching kindergarten there by the name of _______ who has been running an internet dominatrix business in her spare time. Ms. _______ proudly proclaims on her website that “_________” and that she is interested in things such as “_________” and blackmail. This concerned organization, which would prefer to remain anonymous, has taken action against Ms. _____, including making sure her website is taken down and that she has been reported to the IRS for tax evasion, however, we felt that you, as parents at Chatsworth Hills Academy, have the right to know that this is going on. We understand that you value your children’s safety and the quality of the education they are getting. Because of this we believe you have the right to know about Ms. ______’s transgressions.”
Things get personal: • New Year’s Day, the Board President gets a phone call at home from the hackers. • Harassing phone calls and emails to several other Trustees also occurred. • The names, telephone numbers, email addresses, home addresses and sometimes spouses’ names of our Trustees were posted on an internet website used by various hacker groups. • The partial Social Security numbers for two Trustees were also posted.
What we were dealing with: Anonymous. Who is “Anonymous”: A name claimed by ad hoc groups of people who use the internet to hide their identity and who break into computer systems in order to steal, change or destroy information as a form of cyber-terrorism or cyber-bullying. In our case the hackers were targeting a woman in southern California. At some point she indicated to them that she had a teaching credential. They searched for her name and found a similarly named teacher at our school and concluded they had the same person. Indifferent: The hacked version of our website had language that was inappropriate for our students. It also had links to websites with profanity, racism, and explicit sexual content. Persistent: Fixes to our website and Wikipedia entry were hacked within minutes of being fixed.
Scope of Attack Expands: • School’s Wikipedia entry is vandalized constantly over the course of several days with information about the “scandal” at our school. • Defamatory messages are posted on other websites like greatschools.net, ratemyteachers.com and classmates.com. • MySpace profiles for several students and teachers receive similar messages. • There were also indications that the hackers attempted to access our school’s EDLINE system.
Scope of Attack Expands (continued): Forum postings appear on unrelated websites such as topix.net, bodybuilding.com, basilmarket.com (a children’s website). The school’s main office gets calls and faxes from individuals pretending to be “concerned parents” and “newspaper reporters.” The calls, made using VoIP technology, are untraceable and come from numbers that appear on Caller ID as 000-000-0000 and 123-456-7890. Jim McManus of CAIS receives a call from someone pretending to be a CHA parent complaining about the school and the teacher.
2. OUR RESPONSE: • After continued hacking of our website, we contacted Network Solutions, our website host, to take our website down until we identified how it was being attacked. After we discovered the flaw, we put our site back online. • We permanently removed information identifying our Trustees and teachers from our website. • We contacted administrators at Wikipedia and had them freeze the Wikipedia entry after deleting the improper changes. • We reviewed log files to trace IP addresses to figure out who was attacking us. • We discovered several sites where the attackers recorded their activities which gave us insight into their conduct and motivations.
2. OUR RESPONSE (continued): Local Police and FBI (through Internet Crime Complaint Center – www.ic3.gov) were notified. We briefed office staff on the matter and told them how to respond to communications related to this event. We contacted moderators at the various online forums and notified them about the material, indicating that it is defamatory and dangerous to the children at our school. Generally, they were responsive in removing information. Head of School and Board President had a series of discussions with our teacher over the next several days to explain everything that had happened and everything we learned. She was very upset that parents might think she was actually involved in this type of behavior.
2. OUR RESPONSE (continued): Communication: Head of School communicates with parents: explained in very general terms what happened; assured them that our teacher was the victim of mistaken identity and not involved in any way; explained that we had engaged law enforcement and taken steps to reduce our website’s exposure; warned them that they may run across postings or other aspects of this attack and that these messages are false; asked them not to engage the hackers or respond in any way to these postings.
Key Responsive Strategy: Undo everything the attackers do as fast as possible but do not engage them or respond to them. Rationale: Based on the first phone call and reviewing the websites that catered to these hackers, the attacks were intended as harassment. The “reward” for these acts was the ability to generate a response from the victims and then ridicule the response as a source of amusement. It was our observation that the greater the response of the victim, the longer the attack continued. Additional questions considered in formulating a responsive strategy: Was there actual physical danger to the students from hackers? Should we hire lawyers and private investigators? Should we hire additional campus security? Should we have a town hall meeting to discuss this with parents?
3. LESSONS AND OBSERVATIONS We were lucky: Timing: School was out for Winter Break, many families were on vacation, and parking lot gossip was non-existent. We could control the situation and get our message out ahead of rumors. Mistaken identity was clear: The hackers’ inclusion of a photo of their target immediately dispelled any possibility that it was our teacher, allowing us to respond with greater certainty. While the targeted teacher was an excellent educator with an impeccable reputation, if there had been any uncertainty, our responsibility to our students would have required us to take the extra step of making sure that she was not actually involved in any of the alleged activities.
3. LESSONS AND OBSERVATIONS (continued) • There was a need to quickly organize a coordinated response. • Everyone at our school who was aware of the details of the events felt victimized by this nonsensical and random harassment and the new perspective that the Internet had been turned against them. • Our teacher became a unifying voice in the faculty when she was able to speak passionately to her peers about the support she received from the administration and Board. • The Internet greatly expands the geographic reach and effect of malicious individuals. The pool of people who can cause harm expands from the local neighborhood to the nation.
3. LESSONS AND OBSERVATIONS (continued) • Tools that we think communicate our message, such as Wikipedia, education websites, and forums, are all public websites with little or no moderation. All can be manipulated to defame and harm us. • We have little control over websites that our children and alumni use without the school’s participation (myspace, facebook, classmates.com). • On the internet it is hard to make things disappear: web pages are cached, backed up, or mirrored. In our case, the Trustees’ personal information remains online at some of these sites. • There is more information about us on the web than we’d like to believe; some of it we’ve put there and some is gathered by other information aggregators. By listing trustee and faculty names we opened the door. (More than google, look at whozat.com, zoominfo.com, zabasearch.com, peekyou.com and spock.com.)
4. ISSUES FOR DISCUSSION Don’t assume websites are secure. Standard configurations are often vulnerable to simple hacking. Our site was built by a professional website development company and hosted on a national web hosting service. Designate someone who’s both PR and tech savvy to monitor Wikipedia, greatschools.net, yelp and other online resources that can be modified by parents, students, neighbors and strangers. Keep an eye on youtube, too. Don’t overreact in dealing with online criticism which can trigger further attacks. In the online world, even the debate is recorded, not just the outcome. Use Google Alerts to get reports of new or changed web pages logged by Google.
4. ISSUES FOR DISCUSSION (continued) Anticipate the need for a public relations crisis response plan along with your physical crisis management plan. Don’t count on help from law enforcement. This type of hacking undoubtedly violates state and federal laws but appears to be prioritized far below crimes involving harm to persons and physical property. LAPD investigated but it didn’t go far. The FBI never responded. There is a need to make careful, deliberate decisions about placing identifying information about faculty and trustees on school websites. We take great pride in the qualifications of our people and their contributions to our schools but have a responsibility to protect them as well.
4. ISSUES FOR DISCUSSION (continued) Schools with older students may face more risk of this than schools with younger children. Older students may instigate, participate in or be the victims of online attacks that engulf the school. Educating students in the safe use of sites such as myspace, classmates.com, and facebook might be an appropriate part of our school technology programs. When hacking does occur in a way that might reach parents, communicate with parents and faculty in a measured way, relative to the harm.