Security gaps exploited in grade scandal remain, may be difficult to close

Parents of Churchill students and other community members gather at a meeting with school officials. (Jim Lo Scalzo For The Washington Post)
By Michael Birnbaum and Jenna Johnson
Washington Post Staff Writers
Wednesday, March 10, 2010

Montgomery County school officials have not yet closed gaps in their computer system that allowed students at a high-performing Potomac high school to change dozens of grades using a device that can be bought from for $69. And other school systems, including Fairfax County, remain just as vulnerable, school officials said Tuesday.

At least eight students at Winston Churchill High School are believed to have used the readily available device to obtain teachers' passwords for the school system's grading system. The school system, Maryland's largest, has determined that the grades of 54 students were improperly changed in 35 teachers' records.

"There are solutions out there, but we have to figure out which one fits best for us," said Dana Tofig, a spokesman for the Montgomery County schools. "We have to believe that our students are doing the right thing."

At a community meeting Monday night, schools Chief Technology Officer Sherwin Collette said the school system thinks students used a device that connects to the end of a keyboard's cord and then is plugged into the computer. Such devices can record everything that a teacher types without ever running any software on the computer itself. A similar gadget was the 11th-best-selling "computer security device" on Tuesday afternoon.

Computer experts said that Churchill teachers were lucky to catch the students. Just about every school system that protects its teachers' data with a simple username and password is vulnerable, they said, and accessing a teacher's computer files is extremely common.

"That's the first hack that every kid who becomes a criminal has done," said Alan Paller, director of research at the SANS Institute, an information security group. "Right now, attack software is so good that the average user in a small business or a school cannot protect himself and still get his job done."

That idea was echoed Monday night by Collette, who said Montgomery schools could prohibit USB devices, but that would mean banning most keyboards and mice, which often plug into a computer's USB port.

Even then, there are many other ways to obtain passwords, Paller said. The best way to protect grades and other information is to add an additional layer of security with an extra device such as a keychain fob or cellphone program that displays a frequently changing series of numbers that a teacher must type into a computer along with a username and password, he said.
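The effect of that extra layer on a keylogged login can be shown in a short sketch. This is an added example, not part of the original article; it assumes the fob or phone program implements the standard time-based one-time password scheme (RFC 6238), which the article does not name, and `GradebookLogin`, the password and the key are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each displayed code stays valid (RFC 6238 default)
DIGITS = 6   # length of the code the teacher types

def totp(secret: bytes, unix_time: int) -> str:
    """Code a fob or phone app would show at unix_time (HMAC-SHA1 TOTP)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class GradebookLogin:
    """Hypothetical server-side check: password plus one-time code."""

    def __init__(self, password: str, secret: bytes):
        self.password = password.encode()   # a real system stores a hash
        self.secret = secret
        self.last_step = -1   # newest time step already used for a login

    def verify(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password.encode(), self.password):
            return False
        # Accept the current step and the previous one (clock drift), but
        # never a step that was already used: that blocks immediate replay.
        for step in (now // STEP, now // STEP - 1):
            if step <= self.last_step:
                continue
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    login = GradebookLogin("constructed-password", secret)
    typed = ("constructed-password", totp(secret, 45))  # what a keylogger records
    print("teacher login:", login.verify(*typed, now=45))
    print("replay, same 30 s window:", login.verify(*typed, now=59))
    print("replay, later:", login.verify(*typed, now=1111111111))
```

The recorded keystrokes contain a valid password, but the code that was typed with it is rejected both within the same window and afterwards, so the capture alone no longer opens the gradebook.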

But that solution can be expensive, and school systems expressed reluctance Tuesday to invest significant sums of money in tight fiscal times to defend themselves against their own students.

Maribeth Luftglass, assistant superintendent and chief information officer of the Fairfax County school system -- Virginia's largest -- said in an e-mail that the extra layer of security would be the "ideal" way to fix the problem but that it would be "cost-prohibitive."

Other basic ways for teachers to defend their records are to change their passwords frequently and to check their computers physically for the USB keylogger devices. Montgomery County started requiring its teachers to change their passwords every 120 days after the breach was discovered in January. But little is foolproof.

Even requiring more complex passwords can backfire, said Kevin Mahaffey, co-founder and chief technology officer of Lookout, a computer security firm.

"The more complicated the password, the more likely someone is to write it on a Post-it note" that anyone could find, he said.

© 2010 The Washington Post Company