Transcript NYSIR 08 - edtechjourneys

Risk Management for
Technology Exposures
National Charter Schools
Pete Reilly
[email protected]
http://edtechjourneys.pbwiki.com
Sponsored by
NYSIR
Agenda
Student Security
Network/Data Security
Employee Issues
Foil/E-Discovery/Audits
Physical Security
Audit Case Study
CWG Survey Results
Security Vulnerability Survey
QuickTime™ and a
decompressor
are needed to see this picture.
Student Security
Cyberbullying
Student Safety
Web 2.0 RSS Blogs
The Facts About Online Sexual Abuse
Enforcement and Strategies
Employee Issues
Personal Use
Advertising
Privacy
Politics
Improper Access
Fundraising
Harassment
Teacher Web Sites
Copyright
Teacher Links
Confidentiality
Common Security Risks
Bad & Getting Worse
External Hacks
Prevention
WAN
Servers
Network
Desktops
Applications
Policies
Forensics
Recovery
Internal Hacks
Denial of Service
Phishing
BOTs
Spyware
Spam
Trojan
Web 2.0
Managing Internet Risks
Educational Forum
Disclosure and disclaimers
Enforcement
Educational Restrictions
District Strategies
The Facts About Internet Sexual Abuse
Managing Security Risks
Firewalls
Applications
Servers & Network
Policies
Desktops
User
Awareness
Initial & Annual Security Audit
FOIL & E-Discovery
FOIL & E-Document Policy
E- Discovery
Open Meetings
Software Audits
Domain Names
CIPA & E-Rate
Comptrollers Audits
Security incidents are rising exponentially
128,678 incidents from July 1-December 31st, 2001
8, 064 vulnerabilities reported – up from 1,090 in 2000
41% of companies experienced “critical attacks”
12.7% encountered 1 “emergency” and had to use
recovery measures
Source: Washington Post, January 28, 2002
Tension between security and ease of use
•
Many/most serious security incidents are caused by
your own students and disgruntled employees
Bad & Getting Worse
More data online than ever
More devices attaching to the network
More network complexity (ie. VOIP, wireless)
Security Incidents – 2007
Alone
OREGON - January 2007:
Students hacked into the school
network and obtained
confidential student and
staff information
CONNECTICUT - August 2007:
Computers containing the names
and social security numbers of
former students were stolen
ARIZONA - May 2007:
Ninety-one substitute teacher
names and Social Security
numbers were stolen from a car
WEST VIRGINIA – June 2007:
Computers containing the
names and social security
numbers of district employees
were stolen
LOUISIANA - March 2007:
Rosters containing Social
Security numbers of 380 school
employees were accessed by a
search engine crawler
According to the
Privacy Rights
Clearinghouse,
www.privacyrights.o
rg, more than 155
million records*
have been stolen
since 2005
*Includes Social Security numbers,
account numbers, and driver's
license numbers
Threats Propagating Faster
Vulnerabilities Exploited Faster
Months
Avg. exploit in 2005 5.8 days.
Hours
Weeks
Minutes
Days
Seconds
2003
2004
2005 - 90% of the hosts
within 10-minutes.
2001 2002 2003 2004 2005
2005
Botnet Launched DDOS on the Rise
SPAM: 80% of Emails in 12/06
Sources: CERT/CC, Symantec, NVD, OSVD
Pre-Nachi – ICMP/8 (Echo) 8/17
2200GMT
Pre-Nachi – ICMP/8 (Echo) 8/17
2400GMT
Watch Here . . .
Pre-Nachi – ICMP/8 (Echo) 8/18
0100GMT
Watch Here . . .
Pre-Nachi – ICMP/8 (Echo) 8/18
0200GMT
What?
Pre-Nachi – ICMP/8 (Echo) 8/18
0300GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18
0400GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18
0500GMT
What?!
Pre-Nachi – ICMP/8 (Echo) 8/18
0600GMT
Whoa??
Wow!!
Nachi Worm Lifecycle View
Nachi begins
decay
1/1/04
Nachi start
8/18/03
Sasser Worm (04/04/04)
Sasser Worm
(May 04)
Exploit Code
(April 21)
Patch (MS04-011)
(April 13)
Warning Spike
(April 28)
ZOTOB Worm (08/16/05)
Zotob Worm
(August 16)
Exploit Code
(August 12)
Patch (MS05-039)
(August 09)
Warning Spike
(August 15)
IRC-MOCBOT Worm (08/14/06)
IRC-Mocbot Worm
(August 14)
Exploit Code
(August 10)
Patch (MS06-040)
(August 08)
Warning Spike
(August 13)
Spyware
Three Shocking Statistics on Spyware!
1. 8 out of 10 PC’s are infected with some sort
of Spyware, with an average of 24.4 spies per
PC scanned.
2. Microsoft estimates that 50% of all PC
crashes are due to spyware.
3. Dell reports that 20% of all technical support
calls involve spyware.
Spyware
* Severe Threat – 15% of spyware threats send private information gathered
from the end user currently logged on to the infected system: logging the user's
keystrokes, logged-on user name, hash of administrator passwords, email
addresses, contacts, instant messengers login and usage, and more.
* Moderate Threat – 25% percent of spyware sends information gathered
from the victim's operating system, including the computer (host) name, domain
name, logs of all processes running in memory, installed programs, security
applications, client's internal IP address, OS version, the existence and
versions of service packs and security updates, TCP ports the spyware is
listening to, Computer Security Identifier (SID) ,default browser's homepage,
browser plug-ins, etc.
* Minor Threat – 60% of spyware transmits gathered commercial-value
information about the end user's browsing habits. This includes keywords used
in search engines, browsing habits and ratings of frequently visited websites,
shopping reports etc.
Spam
Spam = 40%-70% of all e-mail
Spam floods overloading servers and
acting like DoS
IE Vulnerability For Sale
Web Attacker Toolkit –
Order Page
Drive-by, While visiting Web
sites
Innocent Free Games site
Drive-by, While visiting Web
sites
Innocent Free Games site
Exploits our desktop
to install a Trojan
Case Study: Botnetwork
Hacker confirms price – “You wanna buy 0”
Typical Perimeter Network
Internet
Service Provider
Backbone
Enterprise
Security
Responsibility
- Network Management
- Core Infrastructure Protection
- Manual Blackhole (Customer Initiated)
- Manual Rate Limit (Customer Initiated)
Enterprise
DMZ
- Firewalls
- IDS
- Anti-Virus
- Anti-Spam
- Worm Detection
Large Enterprise Investment
(People, Capital, Software)
Enterprise
Intranet
- Packet Filtering
- LAN Filtering
- Security Patching
- Policy Enforcement
- Incident Response
Prevention - Firewalls
Intrusion Detection Software
5,000 port scans per day
Apply update and patches immediately
Review Firewall policies annually
Hole opened for server install - not closed
Server decommissioned - hole not closed
Prevention - WAN
Periodic Network Traffic Analysis
Prevention - WAN
Prevention - WAN
Prevention - WAN
Prevention - WAN
BOTs
Music Sites & other improper uses
Prevention - WAN
Configure your routers with access lists
Check hubs, switches and routers for web
management modules and change default
passwords
Use security on your wireless networks
Prevention - Servers
Server maintenance and security patches
immediately
Nmda took advantage of known holes
Remove all generic and guest defaults
after install
Web server hacked via generic login
Check for inactive web modules
They can be accessed and generic setups
abused
Prevention - Network
Use Virtual Private Networks (VPNs)
Require specific logons
Lab aid giving generic logons so students
could bypass filter
Pornography found on C: drive in teachers’
room
Prevention - Network
Periodic network and server scans
Consultant with website on school server
Secure remote access to network
Maintenance done by third parties
Prevention - Desktops
A: drive
Vulnerable to infected floppy disks, flash
drives, and other non-authorized files and
applications
C: drive
Vulnerable to configuration changes, and
access to restricted resources (students hide
Internet access)
FTP
Vulnerable to downloads of infected files or
other non-authorized files and applications
Prevention - Desktops
Windows Explorer
Students see all network resources
Right Click
Students can cut, paste, and delete important
files including system configuration
Prevention - Applications
Microsoft Office – “save as”
Can student see network drives?
Downloads of plugins and other software
Programming courses such as C++ and Visual
Basic
Have access to basic network functions
.exe files
Slow Internet and/or network performance
Overwhelmed hard drives and network servers
Passwords
No policy on changing
Fewer passwords for ease of use purposes
“Shoulder surfing” , yellow stickies, etc.
Disks from home
Technical vulnerabilities
Copyright vulnerabilities
Prevention - Policies
Loading software locally
Technical issues – not in “Ghost image”
Printing and application support issues
Copyright issues
Accidentally “blow out” system
Docking home computers
Students running “cracking” programs and
access SASI passwords
Keychain hardrives
Removal of access when someone leaves
E-mail, Calendar, network logon, etc.
Early notification of problems such as viruses
What process in place to notify users of new viruses,
etc.
More than one person with key knowledge and
access.
Network backdoors setup
Secret backups and password changes done before
termination
18 months rebuilding system because of no
documentation
Prevention – Policies
Log-off apps, log-off network
Students doing “high level” maintenance
May compromise security intentionally or
unintentionally
Enforcement of Policies
If practice doesn’t follow policy than policies
are not valid.
Forensics
Log files:
Intrusion detection logs
Firewall logs
Router logs
Server logs
Application logs
Forensics
Unique log-ins
Isolate systems
Notify authorities
Print screens (IM’ing, chat, e-mail, etc.)
Terror threat to local HS
Hard Dive recovery
Save to the network
Saving to the C: drive means no backups
Verify that backups are complete
Who is responsible? Who is their backup?
•
External backups vs internal
Proper tape rotation - off site storage
Off-site storage
Periodic backup check before and emergency
Do you have a “Hot Site”?
Recovery
Damaged servers & switches
RAID drives
UPS on all servers and switches
Maintenance 24x7x7 contracts or spares
Mirrored or backup servers
Routers, switches, hubs
Maintenance 24x7x7 contract or replacements
Recovery
Formalize a Hot Spot Partnership
Applications media archived
Escalation procedure to move to recovery
quicker and to limit damages
Must notify if privacy is compromised
May need to isolate problem
May need to change passwords
Internal Hacks
QuickTime™ and a
decompressor
are needed to see this picture.
Internal Hacks
QuickTime™ and a
decompressor
are needed to see this picture.
Internal Hacks
Internal Hacks
60%-80% of hacks are internal -FBI
Bypassing the filter
- IP address (ping)
YouTube UK
Superintendent’s private files
Employee w Backdoor access
Internal Hacks
Anonymous surfing - Port 443
Inadvertent damage
Loading software from home
Deleting important configuration files
Attempting to help wiping our systems
Denial of Service
In this type of attack, the attacker begins the process of
establishing a connection to the victim machine, but
does it in such a way as to prevent the ultimate
completion of the connection.
In the meantime, the victim machine has reserved one
of a limited number of data structures required to
complete the impending connection. The result is that
legitimate connections are denied while the victim
machine is waiting to complete bogus "half-open"
connections.
BOT
Phishing
Trojan
Improper Access
Access to Obscene and Inappropriate Material
from the School’s System
Inadvertent Access to Pornography
Julie Amero Story: 4 felony counts, firewall license expired,virus
protection lapsed, no spyware defense, on an old Win98 system obscene popup.
“It was an innocent search”
Domain name spoofs
Hate Sites …How to Build a Bomb...
Doom & Duke Nukem
What Is Web 2.0?
Refers to the most recent generation of web
technologies and products including:

Blogs
• Podcasts
• Wikis
• RSS Newsfeeds
• Social networking (MySpace, Friendster)
• Web applications with rich, interactive interfaces
•

User created content
Hey - 19,241,561
QuickTime™ and a
decompressor
are needed to see this picture.
Hahaha - 34,181,513
QuickTime™ and a
decompressor
are needed to see this picture.
Dance - 71,712,140
QuickTime™ and a
decompressor
are needed to see this picture.
What Is RSS?
•RSS
stands for Really Simple Syndication or RDF Site
Summary. Is based on XML and is simple to learn.
•Used
by blogs, websites, browsers and applications to
deliver content to subscribers.
RSS in Plain English
QuickTime™ and a
decompressor
are needed to see this picture.
Security Problems of RSS
•As
an avenue for automated delivery of web-based content, can be
easily used as a delivery method for spam and phishing.
•Popularity
of RSS syndication aggregators can make it easier to
subvert feeds and redirect them from originators.
•But
the biggest problem is the RSS enclosure capability, which is
the feature of RSS which enables things like podcasting. Nothing in
the specification which limits this to MP3 files. Can also be used to
deliver anything from Flash to executables. In most cases
downloads happen automatically.
•
How To Secure RSS
•
Verify accurate address of content delivery from your RSS
feeds.

Block downloads of executables and other high-risk content
at the gateway

The Security Problems of Blogs
•As
a complex web application, blogs have the same potential
problems as most web applications, such as bugs and
security holes which require patching, and susceptibility to
classic web hacking techniques.
•However,
interactivity of blogs provides some unique areas
of attack, specifically in the typical ability for any reader to be
able to comment within a blog. At the lowest level this makes
blogs susceptible to spam but also opens up more dangerous
exploits.
Example: The Storm Worm Variant
•
New Storm Worm Spreading Via Blog Posts
•A Storm worm variant using both e-mail and Web sites to infect
Windows-based PCs is injecting itself into the responses people are
leaving on blogs.
When infected systems visited blogs, worm inserted script into the
blog comments that linked to malware.

How To Secure Your Blogging
Infrastructure
•Keep your blogging platform software fully patched and up-to-date
•Don’t allow unmoderated comments
• Configure blog to only allow straight text in blog comments
• Use software designed to block or limit what is know as “comment
spam”. Examples of these include Bad Behaviour and Akismet
QuickTime™ and a
decompressor
are needed to see this picture.
Cyberbullying Statistics
90% of MS
students have had
their feelings hurt
online
42% have been
bullied online
QuickTime™ and a
decompressor
are needed to see this picture.
Cyberbullying Statistics
35% have been
threatened online
21% have gotten
threatening e-mail
QuickTime™ and a
decompressor
are needed to see this picture.
Cyberbullying Statistics
53% have said something mean or hurtful
online
58% have not told their parents about
bullying incidents
Cyberbullying
Bully
Cyberbully
At school
At home
Poor relationship
with teachers
Good relationship
with teachers
Fear of physical
retribution
Fear of loss of
tech privileges
Further under the
radar than bullying
Copyright Infringement
Everything on the Internet is protected by
Copyright
If employer has the right & ability to supervise
the actions of the employee & has a financial
interest in exploitation…even if the employer
didn’t know…he may be liable
SIA lawsuits, Record industry lawsuits
Copyright Infringement
Students cutting and pasting parts of Web pages
onto their own
Improper use of student material
District Strategies
Supervise!
Educate staff, students, and parents
Develop a site limitation strategy
Develop a solid AUP
Keep policy decisions at the highest level
Establish an Educational
Forum
Insure that policy and practice are aligned
Insure that AUP is signed - affirmative consent
You can allow limited “self-discovery”
If it is educational, access can’t be
denied,restricted or suspended without due
process.
Notice to student of alleged violation
Opportunity for student to respond to allegation
No denial of an account in advance of a hearing
Missouri suit
Arkansas suit
Ohio suit
Pennsylvania expulsion upheld
Court to school district: You can't stop a kid from creating a
personal web site critical of your schools: Missouri school district
becomes the latest to learn the hard way
From eSchool News staff and wire service reports
Sending a clear signal to educators everywhere, a federal judge ruled Dec. 28 that Woodland
School District in Marble Hill, Mo., violated a high school student's free speech rights when it
suspended him for posting a personal web page criticizing his school. The ruling makes clear
that schools have no jurisdiction over what their students do in cyberspace, provided it's done
on their own time and from their own computers.
U.S. District Court Judge Rodney Sippel issued a preliminary injunction that prohibits the
district from using the suspension against student Brandon Beussink in grade and attendance
calculations. It also bars the district from punishing Beussink or restricting his ability to post his
home page on the internet.
"Dislike or being upset by the content of a student's speech is not an acceptable justification for
limiting student speech," Sippel wrote in his opinion.
Newslines--Arkansas district settles lawsuit over student’s sexually
explicit web page
eSchool News staff and wire service reports
Arkansas’ Valley View School District has settled a lawsuit involving a student’s internet site so
it could begin the school year without the distractions of a court hearing, a school district
attorney said Aug. 18.
Dan Bufford said the court case was causing too much disruption. “We were looking at sending six to eight
teachers, seven to eight students, and three sets of parents from Jonesboro to Little Rock to testify,” Bufford
said. “The distractions and the expense of that was just too much.”
The American Civil Liberties Union sued the school district, contending the district wrongly
suspended Justin Redman for 10 days. He was suspended for producing a web site that mirrored
the school’s official web site, but included sexually explicit photos and text, some of which named other
students and administrators.
John Burnett, the ACLU’s state legal director, said the settlement doesn’t mean the organization
agrees with the district’s actions. “Every school board and every school board attorney in the state is going
to know about this case,” he said. “The schools are going to have to come to realization that, just as they
cannot visit discipline on students for something they said at a weekend party, they cannot do it because of
something a student said on the world wide web.”
District must pay teacher-bashing student $30K: Court
overturns suspension and upholds protection of student speech
on the internet
Gregg W. Downey
A school district will pay $30,000 to one of its students who was suspended for making fun
of his band teacher on the internet, according to the Associated Press (AP). In return, the
student will drop his half-a-million-dollar lawsuit against the district for the 10-day
suspension, AP reported.
Superintendent Beverly Reep of the Westlake school district in suburban Cleveland was
ordered in March by a federal judge to reinstate16-year-old Sean O'Brien. O'Brien had
been suspended for using his home computer to create a web site disparaging a band
teacher.
The superintendent said the district suspended O'Brien for violating a policy forbidding
students from showing disrespect to employees. A federal court told the school district to
stop trying to restrict O'Brien's right to free expression.
Pennsylvania judge: Expelling student for web site threats is
OK
From eSchool News staff and wire service reports
A Lehigh Valley, Pa., school district did not violate a student’s constitutional right to free
speech when it expelled him last year for allegedly threatening a teacher on his personal
web site, a Northampton County Court judge ruled July 23.
Justin Swidler, now 15, was expelled in August 1998 after Bethlehem Area School District
officials saw his web site, in which he allegedly asked for donations to hire a hit man to kill
Nitschmann Middle School math teacher Kathleen Fulmer. Swidler’s family described the
site as
an attempt at satirical humor, not a terrorist threat.
The long-since-dismantled web site reportedly had a heading saying “Why She Should
Die” above a sentence reading, “Take a look at the diagram and the reasons I give, then
give me $20 to help pay a hit man.”
Enforcement Consistency
Schools have double standard for computer
vandalism and crime
“It was just a joke.”
Nerd discipline
School yanks Internet access
Legal punishments
Incident policy
$10,000 damage award
The Evolution of 'Nerd Discipline'
As with most schools, our overall experience with computer technology,
classroom applications, networks, and controlled internet access has been positive and productive. There is,
however, a small, smart, and venturesome
segment of our student population whose actions sometimes make it otherwise.
These are individuals who use school computers--occasionally in conjunction with computers at home--to
test every rule, procedure, and established
guideline ... and thus challenge us to devise new and
different ways of dealing fairly and effectively with a whole new category of "electronic" infractions. The
infractions can range in severity from downloading objectionable material to exchanging passwords, and
from intentionally deleting student files to planting software devices designed to disable one or more
targeted workstations, a whole department, or the school's entire network.
Through constant monitoring and review of policies and rules, we can make
every school's experience with computer technology as positive and productive
as it can and should be.
Jeannine Clark is an assistant principal at Clarkstown High School North in New City,
N.Y., and the school's building coordinator for the district's technology initiative.
School yanks student internet access
By Rebecca Flowers
A school in Cloverdale, Calif., is being criticized for its decision to shut down student access to the internet after two local
teens were accused of hacking Pentagon
computers. Some charge the school overreacted in issuing the internet ban, but school officials disagree.
The two students, sophomores at Cloverdale High School, have not been charged with any crimes, and investigators are
certain the school's computer network was not used during any of the attacks. But the fear of sabotage or retaliation
compelled school officials to close down access to the internet for all students at the school on March 5
Although the FBI had not contacted the school, John Hudspeth, the boys' computer science teacher, disabled the hackers'
network accounts and froze their personal directories.
"We had tried to limit the privileges of only the two hacking students, to allow the rest of the student body and faculty to
enjoy continued online services," said Bill Cox, president of the board of education. "But either other students were helping
our hackers out of friendship or because they saw hacking as 'cool’ or our hackers had captured other account passwords
and were using those accounts in direct violation of our Acceptable Use Contract that all network users sign."
Threats of further retaliation in the Wired article coupled with attacks on one of the ISPs were enough to convinced Cox that
strong action was necessary. "Do we just wait around for our high school server to be trashed?" he said. School officials said
the temporary suspension was needed to allow them to regroup and learn more about security. Cox also felt that the student
body needed to think about the hacking issues in a more reasoned light.
Enforcement - Legal
Charges
Some of the Legal Charges Against
Students/Staff
1st Degree Computer Tampering -Felony
3rd Degree Computer Tampering - Felony
2nd Degree Aggravated Harassment - Misdemeanor
1st Degree Attempt to Distribute Indecent Material to
Minors
Enforcement
Who do I call?
When should I escalate
How do I secure the evidence?
How do I limit the damage?
Do I have to notify users of the breach?
What long term actions are needed?
Personal Use
“School computers, networks, and Internet
access are provided to support the educational
mission of the school. They are to be used
primarily for school-related purposes. Incidental
personal use must not interfere with the
employee’s job performance, must not violate
any of the rules contained in this policy or the
student AUP, and must not damage the school’s
hardware, software, or communications
systems.”
•
NSBA Legal Issues and Education Technology
Privacy
Parents & Public can access Web Logs
Exeter Schools
Indiana Superintendents
E-Mail and all electronic data is discoverable in
litigation
Utah lawsuit
School Board’s e-communications may be in
violation of state’s Sunshine Laws
South Carolina, Pennsylvania,
Improper Access
Images from web pages are stored in cache and
can be accessed from hard drive even without
Internet access
Physics Teacher fired
Dean of Harvard Divinity School
Amero Tragedy
N.J. district sues teacher for allegedly viewing web
porn
From eSchool News staff and wire service reports
The Bergenfield, N.J., board of education is suing a physics teacher to recoup wages it paid
him while he allegedly viewed computer pornography during school hours. The viewing took
place in a school physics room and included times when students were in the room, school
officials said.
According to the Associated Press, Alan Ross, who taught 11th- and 12th-grade chemistry,
physics, and earth science before being suspended without pay last year, also has a tenure
challenge pending. If Ross is found guilty, he would lose tenure and the board would be
allowed to fire him.
A report on computer-stored information viewed from Nov. 3 through Dec. 19, 1997 showed
visits to about 2,900 sites, more than half of which were categorized as adult or personal.All of
the online visits occurred during school time--and about 55 percent while students were present
in the physics room, school officials said. No sites were visited on the three days Ross was
absent during that period, they said.
Harassment
Off color and potentially offensive Internet jokes
and e-mails circulating among staff may create a
“hostile” environment
Teacher suspended
Harassment rules apply equally to electronic
communications
Report abuse
Take immediate steps
Newslines--Judge upholds teacher’s suspension over sexually
explicit eMail
eSchool News staff and wire service reports
A judge has upheld the three-week suspension without pay of a Scottsbluff, Neb.,
middle school teacher accused of repeatedly sending sexually explicit materials on
the school district’s eMail system.
Gerald Schmeckpeper was suspended in December for insubordination when he
disobeyed repeated requests to stop his eMail practice. The school board upheld the
suspension in January.
Schmeckpeper argued that he was told only to use caution when opening eMail. But
District Judge Robert Hippe on July 13 said there was sufficient evidence to suspend
Schmeckpepper. Schmeckpeper was receiving and sending eMail with crude jokes
and cartoons and had several sexually explicit pictures stored electronically, Hippe
said.
Copyright
LA Schools sued for $4.8 million in copyright
abuse case
LA Schools settle copyright suit
Fair Use suit could influence what schools can
publish on the web
Alleged software piracy could cost LA schools $4.8 million
eSchool News Staff Reports
A coalition of software makers that includes Microsoft Corp. has targeted the Los Angeles Unified
School District (LAUSD), alleging its teachers and other employees have illegally copied software
programs.
The charges of piracy could cost the nation's second-largest school district (after New York City)
nearly $5 million over the next three years.
Under a proposed settlement, the district would pay $300,000 to the Business Software Alliance
(BSA), a trade group based in Washington State that was formed by Microsoft and other software
producers to protect their copyrights.
But the real cost of the settlement, which at press time was still subject to board approval, is the
estimated $4.5 million the district would be forced to spend to replace the unlicensed software
that allegedly has spread throughout its classrooms.
Newslines--LAUSD school board settles software piracy charge
eSchool News Staff and Wire Reports
The Los Angeles Unified School District (LAUSD) will pay a computer trade group $300,000 to settle a
lawsuit alleging that copyrighted computer programs were being unlawfully duplicated for use in schools.
The settlement, approved Feb. 9 by the LAUSD school board, also requires the district to spend $1.5 million
over the next three years on an eight-member team to find and eliminate any unauthorized software and to
train staff and students on district policy prohibiting the unlawful duplication of computer programs.
The Business Software Alliance, an organization formed by Microsoft Corp., Novell Inc., and other computer
software companies, alleged that the West Valley Occupational Center in Woodland Hills used unauthorized
copies of numerous types of software, including Microsoft Word and Adobe Photoshop.
The group said it had found at least 1,399 copies of software that it contended were being used without
authorization and asked for more than $562,000 in compensation.
LAUSD officials admitted no wrongdoing, but their legal counsel recommended settling to avoid an even
more costly court battle.
Newspaper 'fair use' challenge could limit what schools and others
post on the web: LA Times and Washington Post sue web site for
copyright infringement
From eSchool News staff and wire reports
In a case with broad implications about what you can post on your schools' web sites, the Los
Angeles Times and the Washington Post have filed a copyright-infringement lawsuit against the operator of
a site that posts their stories without permission.
The lawsuit, filed Oct. 1 in a federal court in Los Angeles, accuses the Free Republic site of using hundreds
of stories from the two newspapers, violating their copyrights and diverting users and potential revenue from
their own sites.
Rex Heinke, an attorney for the newspapers, said the Free Republic site has been posting the stories "on a
very large scale for a very long time.” Reproducing the stories without the publishers' consent is financially
detrimental to the newspaper companies, Heinke said. The newspapers rely on hits to their own web sites to
generate advertising sales, he said.
The Free Republic site, based in Fresno, Calif., posts the stories and allows users to write
comments about them. The site's operator, Jim Robinson, said he has ignored warnings from the
newspapers because the practice is protected by the First Amendment and the "fair use" doctrine of
copyright law.
Teacher Web Sites
Sites created by teachers for their students that
are not hosted on the school’s computer system
may expose the teacher to risk.
Whenever possible migrate the teacher’s site to
the school system where he/she is protected by
the schools AUP, and computer use policies
Teacher Assigned Links
“The links in this area will let you leave the
school district site. The linked sites are not under
the control of the district, and the district is not
responsible for the contents of any linked site, or
any changes or updates to such sites. The
district is providing these links to you only as a
convenience, and the inclusion of any link does
not imply endorsement of the site by the district.”
•
NSBA Legal Issues in Education Technology
Confidentiality
The Family Education Rights and Privacy
Act (FERPA) requires schools to have a
policy that grants parents the rights to
inspect and review the educational
records of their children within 45 days of
a request.
FERPA also requires a parent’s written
consent before disclosing personally
identifiable information about a student.
Advertising
School employees are often involved in outside
businesses and they may find it tempting to
advertise or solicit using the school’s e-mail.
Prohibition should include sending messages
from home or other outside computer to
school district e-mail users.
Politics
Any e-mail sent from the school computer
system contains the school’s return address. It is
the same as using the school’s letterhead.
Accordingly, employees should be put on notice
not to have their own opinions mistakenly
attributed to the district.
Superintendent’s e-mail sparks state inquiry
Newslines--Middle school principal suspended for eMail violation
eSchool News Staff and wire service reports
A Massachusetts middle school principal was suspended for 10 days because she sent an eMa
message to her staff urging them to vote for a political candidate. Mary A. Toomey, principal of
the South Lawrence East School, might also have violated state ethics laws.
“As a result of the investigation, I determined that Mary Toomey exercised poor judgment,” said
Lawrence Public Schools Superintendent Mae E. Gaskins.
Toomey eMailed the school’s staff soliciting their votes for Nancy J. Kennedy, who was running a
sticker campaign for school committee. She sent the eMail the day before the Oct. 5 primary
election.
The eMail said Kennedy needed voters to place stickers printed with her name directly on the
ballot. The stickers would be available at the school’s front office, according to the eMail
message.Kennedy received the votes she needed and went on to win a spot on the committee.
School committee spokeswoman Martha E. Previte said Toomey should have received a harshe
punishment.
Fundraising
Schools may decide to permit fundraising with
prior approval or they will prohibit it.
If they permit fundraising activity they must be
careful not to discriminate and bar any speakers
based on the message.
FOIL
Are e-mail, web logs, spreadsheets & word
processing documents considered records under
FOIL?
Web site logs
Policy directives
Correspondence and memos related to business
Work schedules and assignments
Agendas and minutes of meetings
Drafts of documents circulated for comment
Any document that initiates, authorizes or completes a
business transaction
FOIL
Parents & Public can access Web Logs
Exeter Schools
Indiana Superintendents
E-Mail, IM, Voice Mail, etc. is discoverable in
litigation
Utah lawsuit
FOIL
Administrators must plan for and design a
filing structure that can adequately
support operational needs and record
keeping requirements.
You will have to retrieve everything - no
matter where it is stored in mandatory
Discovery.
If you keep everything it’s a problem
If you delete everything it’s a problem
Generally, records transmitted through email and electronic systems will have the
same retention periods as records in
other formats.
Court: Schools must let parents view internet-use logs
From eSchool News staff and wire service reports
In a decision with broad implications for schools nationwide, a New Hampshire judge has ruled
that the Exeter school district must make public copies of its internet history logs so a father
can check whether officials are doing enough to keep pupils away from the web’s seedy side.
James Knight, a father of four whose children attended district schools until recently, filed a
lawsuit asking a judge to force the district to hand over its internet logs after educators decided
not to use filtering programs on computers children use.
The programs, which have been criticized for their accuracy, block access to objectionable
internet sites. The district decided to use supervision and spot checks by teachers instead
Superintendents’ use of school computers questioned
From eSchool News staff and wire service reports
An investigation of computer records from 49 Indiana school districts by the Indianapolis Star has raised
questions about what constitutes appropriate use of computers by administrators. In a Feb. 18 story, the
Star reported that superintendents who are in charge of enforcing their districts’ web-surfing policies often
violate their own rules. While many school internet policies say web surfing should be for educational use
only, some Indiana superintendents are shopping for cars, planning trips, and looking for other jobs on their
district-issued computers, the Star reported.
In fact, one superintendent’s internet records reportedly included two sites with pornographic material—an
apparent violation of common school district internet policies, and one that cost former Hamilton
Southeastern Superintendent Robert Herrold his job in September. It was Herrold’s example that prompted
the Star’s investigation.
The Star’s review of 6,691 web sites on superintendents’ computers showed that half of the sites clearly
were education pages. But 3,000 other sites—some of which also could have been viewed for educational
purposes—ranged from the popular Amazon.com shopping site to more obscure
sites.
DA eyes agency's failure to release school internet logs: Utah
Education Network faces sanctions for overwriting data it was
ordered to disclose
Failure to hand over certain logs that track the wanderings of school computer users on the
world wide web--including records showing attempts to visit sexually oriented or other banned
sites--could result in a criminal investigation by a county district attorney in Utah. The target of
the probe: the Utah Education Network (UEN), a public/private consortium that provides
internet service to Utah's K-12 schools districts.
In April, Michael Sims, an anti-censorship internet activist, filed for access to the school
computer logs under Utah's sunshine law. He wanted to check what web sites were being
blocked by internet content filters used by Utah schools.
At first, UEN officials refused Sims' request, claiming they didn't own the logs. They said those
records belonged to the individual school districts. Sims appealed that denial to the State
Records Committee. At a hearing last month, the committee agreed with Sims and ordered that
the computer logs, purged of any confidential material, be released.
Electronic Discovery Overview
In December 2006, Civil procedures for discovery were updated to include
more specific guidance on the production of electronic records.
Duty to
Disclose
Preserve
Evidence
Pre-trial conference and preparation (what do you have?)
Produce electronics records, if requested
Cost allocation for producing records (Undue burden?)
Prevent document spoilage
Privilege work product waiver
Sanctions and Safe Harbor
E-Discovery
Create an enforce an e-Document policy that
minimizes the time Non-FOILable information is
kept.
Create a litigation response that preserves data
at the outset of litigation.
Educate employees on the need for a business
approach to e-documents.
NSBA Legal Issues and Ed Tech
Duty to Disclose
•Define the environment and data controls
•Restrict data storage locations
oEmail & Voice mail
oShared folders and files
oDatabase
•Data classification, handling and disposal policy
•Document Retention Schedules (especially email)
•User training
•Audit and assessment to validate controls
•Forensic Analysis capabilities
oInternal discovery
oOpposing counsel - "come and get it."
Preserve Evidence
•Records Management System
oEnterprise wide
oLitigation support only
•System controls
•Encryption
•Backup Records
•Notice to stop operations or restrict
data disposal
Open Meeting &
Sunshine Laws
The use of e-mail and
conferencing tools have raised
questions.
If one Board member e-mails another about
school board business is that a violation of the
state’s sunshine laws?
How about when board members use the
telephone, e-mail, or faxes to poll one another
about board business?
What about soliciting feedback from the public
electronically?
Open Meetings Law
Electronic distribution of Board packets:OK
E-mail between members considered a written
memo and is discoverable.
Interaction via e-mail, bulletin board, chat, instant
messaging, or video conference most likely
constitutes a meeting and is in violation.
Open Meetings Law
Resource:
Robert Freeman
Committee on Open Government
www.dos.state.ny.us.coogwww.html
[email protected]
Board’s web feedback criticized
Elizabeth B. Guerard, Assistant Editor
A Pennsylvania school board’s use of comments received over the internet has set off
a controversy involving the state’s sunshine laws, which require open access to public
meetings.
When Central Bucks School District officials were faced with tough decisions that
would uproot and place some 2,800 students in new schools, they solicited feedback
from parents over the internet instead of using the traditional, face-to-face format of a
school board meeting.
Administrators at the Doylestown, Pa.-based district—the third largest in the state—
say the process made it easy for them to see where the greatest need for change
was. But some parents who were unhappy with the proposed changes have
questioned the validity of transferring the democratic process online.
For one thing, the hundreds of electronic comments that were posted to the district’s
web site were not made public. Barry Kaufmann, executive director of Common Cause
Pennsylvania, a state public interest lobby, said parents should be concerned that
comments made online were not shared with others in the community.
Private web forum snags school board
eSchool News staff and wire service reports
Members of the Beaufort County (South Carolina) School Board and district Superintendent
Herman Gaither have come under fire for using a private internet bulletin board to discuss
school district matters. The private electronic forum might constitute a violation of the state’s
freedom of information laws, a South Carolina media attorney says.
The issue raises questions about how existing laws meant to ensure the open exchange of
public information should be applied to modern technologies such as eMail and the internet.
Gaither said he set up the bulletin board so he could share information with board members on
“sensitive or semiprivate information.” Only Gaither and board members had access to the site,
which let them read and respond to internal messages.
Jay Bender, the attorney for the South Carolina Press Association, said the state’s Freedom of
Information Act prohibits public agencies from using technology to conduct their business in
private and that the bulletin board might violate the law.
Domain Names
Norwichschools.org vs Norwichschools.com
Purchase all available names
Maintain all school domain names rigorously
Porno site appears under school name
High cost of re-purchase
Legitimate third parties have put up school web
sites that many parents believe is the “official”
school site.
Irate e-mails that school didn’t respond
CIPA & E-Rate
Must certify that all users are protected from
inappropriate materials
Must have public meeting
Must have AUP
Software Audits
LA Schools
RICs/Schools/BOCES
P.O.’s, Licenses, Hard drive snapshots
Data Monitoring
Monitoring student e-mail, as well as who is
accessing that data, is a first line of defense in
keeping networks and students safe, yet:
• 56 percent of districts do not monitor student e-mail
• 16 percent do not keep track of who is accessing student information
Percentage of districts monitoring
student e-mail
Q2c) Does your district monitor student e-mail? N=381
Percentage of districts monitoring
access to student data
Q2a) Does your district monitor access to student records? N=381
Network Access
•
Access
39 percent of districts allow outside devices on the network, increasing the
chance of introducing viruses and other malware to the network.
“In the last year, we’ve prevented
faculty and students from installing
software. We now remotely push out
software because it can be very
dangerous when they do this on their
own.”
Q3) Does your district allow non-district owned devices to access the district’s network? N=381
User Authentication
•
Authentication
Without proper authentication, districts may not become
aware of holes or intrusions until it’s too late
11 percent of rural districts and 19 percent of western
districts do not authenticate users
Tactic: Authentication limits the threat of
malicious activity on the network. Consider
dual-factor authentication with password and
revolving key for access to sensitive data
Q3) Does your district authenticate users to the network? N=381
Education
•While
acceptable use policies (AUP) are nearly universal (99
percent of districts report having one), 55 percent of districts
update AUPs no more than once a year.
Tactics: AUPs should be treated as
living documents, posted on district
Web sites, and updated as often as
necessary.
All users should sign an AUP before
receiving access to district computers
and networks.
Educate students and teachers
throughout the year about online
safety.
Q5b) How often is the AUP updated? N=381
•
Network Protection
95 percent block or limit Web sites
89 percent place computers in view of adults
81 percent monitor student Web activity
Tactics
38 percent maintain
a closed district network
Tactic: Many districts are turning to closed
networks to limit access to only filtered content and
to monitor e-mail communication.
Districts can also evaluate Web sites on a regular
basis to block them or make sites available,
protecting First Amendment rights.
Q9b) Does your district do any of the following to protect students while they are online at school? N=381
Network Protection
•Districts
rely on filtering software as a primary defense method.
More districts could benefit from using safety education as a tool to
improve security.
IT Security Defenses
Tactic: Filtering software is not a
substitute for educating students,
parents and staff about the dangers
of the Internet. Districts need to
engage the entire community in the IT
security process.
“I would say that we’re constantly
looking for ways to improve. At a
minimum, [these new technologies]
take a lot of management. What we’re
looking for as technology evolves are
new ways to defend.”
Q10) What are some additional ways your district protects students while they are online? N=375
IT Breaches
•9
percent of districts report at least one IT security breach
in the last 12 months.
Urban and large districts are at greater risk
6 percent of districts say their networks are somewhat or very
vulnerable to attack

Breaches by Metropolitan Area
Breaches by Enrollment
Q7) Have you experienced any breaches in IT security in the last 12 months?
IT Barriers
Respondents say that a lack of funding and sufficient staff
resources are the biggest barriers to improving district
security.
What are the biggest barriers to security?
Q11a) What are your district’s main barriers to Improving IT security?

IT
Breaches
&
Barriers
–
Tool
Users
23 percent of tool users reported an IT breach in the last twelve
months

“Lack of budget” and “too few human resources” come out as top
barriers to improving IT security at 74 percent each
Q) Have you experienced any breaches in IT security in the last 12 months?
Q) What are your district’s main barriers to Improving IT security?
Campus Access
At 63 percent, security cameras are the preferred access control
method among districts.
•Cameras, restricted entry and access cards are cited as having the most
effective impact on physical security
•Retrofitting older buildings can be costly, hampering improvement efforts,
forcing many schools to still use traditional locks and keys
Effective Security Tools
Tactic: Most districts do not have
real-time access to sex offender
registries. Districts can add another
level of security by cross-checking
visitors with the registry before
granting visitors access to campuses.
Q19) Does your district currently use any of the following methods to monitor or control access to the buildings in your district? N=381
Q22) What changes implemented by your district have made a positive impact in physical security? N=381
Local Authorities
•During
an emergency, real-time access and instant communication with
local authorities improves response time and the ability to quickly address
situations.

Only 35 percent of districts are connected to authorities
Is your district connected via the Internet to
local authorities?
Tactic: Work with local fire
departments and police to coordinate
emergency plans and
communication.
Run regular mock drills to work out
issues ahead of time.
Consider IP security cameras to give
authorities an “inside view” of
schools.
Q24) Are the schools in your district connected via the Internet to local police and fire departments in case of emergencies? N=381
Faculty Communication
•Districts
rely heavily on traditional communication methods,
like the phone and intercom, to reach faculty during
emergencies.

Less than 3 percent of districts use cell phones as a tool
Weather-related Faculty Communication
Emergency-related Faculty Communication
Q25) In a weather emergency, during school hours, how does your district communicate with faculty? N=381
Parent Communication
•To
reach parents during emergencies, districts use the phone
far more than any other communication tool.
Only 1 percent of districts report that they are considering emergency
alert/notification systems that send e-mail and text messages to
pre-selected groups

Weather-related Parent Communication
Emergency-related Parent Communication
Q26) In a weather emergency, during school hours, how does your district communicate with parents? N=381
Physical Breaches
•21
percent of districts report experiencing a physical security
breach in the last 12 months; 50 percent of urban districts have
had a breach.
“Physical security has definitely
been on our radar screen for a
while. Columbine was, I think, the
catalyst that has really increased
security awareness.”
Q23) Has your district experienced any breaches in physical security in the last 12 months? N=381
Physical Barriers
Respondents say a lack of budget, tools and staff are the
biggest barriers to improving physical security.
What are the biggest barriers to physical security?
“We’ve done a lot of planning and
thinking and some practicing, and what
led to all that was our growth. We’re
growing so fast that we’ve had to sit
down and really think about the issues
we will have to face in the future.”
Q11a) What are your district’s main barriers to Improving physical security? N=381