The Hidden Downside of Wireless Networking
Going wireless offers a panoply of attractive benefits to school districts. Because you don't have to run cables to every classroom, it's cheaper to deploy a wireless network than an old-fashioned wired network. Wireless makes it more convenient for administrators, teachers and students to connect.
But there's a perilous downside: A wireless network is easier for hackers to break into. Without the proper security measures, going wireless means opening a gaping hole in your computer systems' defenses.
Worse, you may already have a wireless security problem-even if your technology staff hasn't deployed a single wireless access point. At many school districts, parents and teachers have installed unofficial Wi-Fi hotspots that connect to the school's existing wired network. (Wi-Fi, short for "wireless fidelity," is the trade name for a family of wireless networking standards.) In so doing, they may have inadvertently compromised the school's network, and your district's IT staff may be none the wiser.
Charlie Garten, the former chief information officer for the Poway Unified School District in southern California, says his district's struggles with Wi-Fi security began as early as 2002. "We weren't surprised that there were ways to jump over our firewall using wireless," says Garten, who retired in 2005. "We were caught a little bit by surprise by the number of rogue access points that had been plugged in." In some cases, his staff would receive complaints about network slowdowns at a school; on investigating, they would find as many as 10 Wi-Fi hotspots that had been installed without the IT department's knowledge. "Well-meaning people wanted to get more access for the kids, but they didn't understand all the consequences of just throwing in a bunch of wireless access points," adds Garten.
In the Palo Alto (Calif.) Unified School District, the security holes introduced by rogue hotspots had a much more public and embarrassing effect. Located in the heart of tech-savvy Silicon Valley, Palo Alto's parent community includes many people who work for companies that supply Wi-Fi equipment. As a result, these parents brought wireless networking into their children's schools at a very early stage.
"We had open networks. When they were first installed, folks could sit in the parking lot if they wanted to get some access," says Marie Scigliano, the director of technology for the district. Scigliano's staff was aware of the security problem but hadn't been able to address it completely when, in the summer of 2003, a local reporter found that she could access the district office's network through an unsecured Wi-Fi connection. Worse, the reporter was able to log on to the student information system and download students' grades, phone numbers, home addresses, medical information, psychological evaluations and even full-color photos.
The district quickly took the network offline and began correcting the problem, according to Scigliano. "We came back up with secure networks, logons, authentication and so forth," she says. However, the story received wide national coverage-thanks in part to the severity of the breach-causing a significant public relations problem for the school.
While the reporter didn't publish or alter student records, press reports noted that it would have been easy for her to do so, if she had been a more malicious hacker. That in turn would have exposed the district to serious liability problems and could possibly have put its students in danger.
Time to Hack
Unfortunately, Wi-Fi networks can be much easier to hack into than wired networks. Hackers wanting to gain access to a wired network need to physically connect to that network somehow, making it difficult for them to be truly unobtrusive. By contrast, wireless network coverage doesn't require a physical connection. If it extends beyond the school walls, would-be hackers can gain access to the network from a parking lot or other nearby location, often in complete secrecy. All the hacker needs is time.
According to a former hacker and current student at St. Louis University who asked to remain anonymous, gaining access to an unsecured Wi-Fi network is as easy as eavesdropping on a spoken conversation. Even if the network is secured, obtaining the network key requires only a few hours of monitoring network traffic using software that's widely available on the Internet, in a process known as "sniffing."
Here's how it might work: A student could set up a network sniffing program on his or her laptop, then leave the laptop in a locker for a day. By the next morning, the program would have cracked the network key. At that point, the student hacker can "listen in" to any data transmissions over the Wi-Fi network. If a teacher logs on to the school's servers wirelessly, the student may be able to pick up the teacher's username and password. Also, if any teachers have left information on shared network drives or in unsecured, network-accessible hard drives or floppy disks, this data may also be accessible to the hacker.
"Any sort of sensitive information being transmitted or stored on a PC over a Wi-Fi network is definitely a risk," says the former hacker, who says he's hacked into school networks and found Excel spreadsheets with student grades, login passwords for student grade systems and even explicit pictures stored on teachers' hard drives.
Call in the Auditors
After discovering its problem with rogue hotspots, the Poway district engaged service provider Farm9 to conduct a security audit of the district's networks. Farm9 located all of the unofficial hotspots as well as other weak points in Poway's electronic defenses.
However, Garten notes that it has taken four years since that audit to implement all of the security recommendations, including removing rogue hotspots, upgrading servers, installing Wi-Fi encryption and creating a written security policy. "It's like everything in education-you have to have the funds to do it," says Garten. "What are you going to take funds from in order to do this?" Worse, security isn't a sexy topic, and it can be harder to garner support for security upgrades than for higher profile projects like upgrading computer hardware or fixing leaky roofs.
Complicating matters is the balance school districts must find between robust security and ease of use. "In business, you can put all sorts of security on there because you've got a limited number of programs and only certain people can access it," says Garten. In schools, there is a wide variety of software that teachers and students need to be able to use. It's also important that security measures aren't so onerous that they prevent students from getting legitimate access to the Internet. "There's a balance, where the kids can get the access they need, at a much lower price for the school district than with wired networks. But you can't leave it open so that anybody who wants to spend hours hacking has free access to your network," says Garten.
After Palo Alto's hacking incident, Scigliano says her staff conducted a security audit, upgraded systems and tightened security holes. They also developed a six-page pamphlet outlining basic computer security practices. Scigliano gave copies of this pamphlet to school principals, who then conducted training sessions with their staffs. "The pamphlet was very helpful for us in terms of teaching our staff and training them about security and confidentiality," says Scigliano. "They were aware of things they needed to do with student information stored in filing cabinets, but they weren't aware of what it meant for e-mail, online file storage and those kinds of things."
Barring the Doors
Four years after its audit, Poway has removed all of the rogue hotspots and has fully embraced Wi-Fi-this time, with district oversight and plenty of security. In fact, many schools now include a "clock tower" architectural feature where wireless transmitters can be located, providing greater range for the networks. However, network connections are encrypted. The district also has a designated chief security officer who can shut down a school's network if a hacking incident is underway. "In most districts, it would take four to five phone calls to shut down the network," Garten says. At Poway, it takes just one call to the security officer.
Brian Hernacki, an architect in the R&D lab for security software vendor Symantec, confirms that security is an issue for school districts, but notes that most wireless hacking incidents are not as serious as those described by the former hacker and Scigliano. "It is in pretty rare cases that they're actually hacking into school resources," says Hernacki. More common abuses are simply using the Wi-Fi network in an unauthorized fashion, such as connecting via a laptop in the cafeteria or playing games.
Still, the risk is present. Hernacki's suggestions include controlling access through usernames and passwords, limiting access to specific computers and setting up networks to minimize their reach outside school grounds (see the "Safer Wi-Fi" sidebar).
Garten urges school districts to address the Wi-Fi security problem as soon as possible. "They'll be able to secure their networks faster than we did because the tools have evolved, but they better start now. They should think about the consequences if someone breaks in."
Once the network is secured, you can't rest on your laurels. Hackers are continually honing their techniques and developing new attacks, so your staff needs to stay abreast of the latest security developments. That means refreshing your network security every three to six months to make sure it's hardened against the most likely attacks. "Security can get obsolete, just like your equipment," says Garten.
"Having an outside auditor come in and give you strategic advice is very helpful," adds Scigliano, whose district also used Farm9. The perspective provided by an outside party can uncover weaknesses you might otherwise miss, and also provides a roadmap for security enhancements and future upgrades.
"Compared with a typical network, Wi-Fi still has a lot of maturing to do," says the former hacker. "If a school decides to take the risks in setting one up, they need to make sure that all of the teachers and faculty know to be cautious in keeping sensitive information off the network. And administrators need to stay up to date with vulnerabilities in the network." Do all that, and you can rest easy, knowing you've kept hackers away from the gates-for now.
Dylan Tweney is a writer based in San Mateo, Calif.