
September 1, 2000

Talking Tech: Security & Passw***s

By Bill Bateman

What better time than the beginning of the school year to take a fresh look at the way we deal with security and passwords? Let's start with a dose of reality. I don't care how many initials we put after our names, there is a 15-year-old kid in the third row who is sharper than both of us put together when it comes to computers. Add to that the fact that technology seems to be changing hourly--it can be daunting, to say the least. So this effort will be a bit different for both of us.

Normally, I make suggestions on what to do. This time I'll be telling you what not to do. I also must say I am a bit leery about this topic, as a little information is a dangerous thing, and we are in the deep end of the pool on this one. Mistakes can be serious in the security department.

Let's take a quick survey to see if any of these events have happened to you:

  • You return from vacation and find that one of your machines is running slowly. After hours of troubleshooting, you open the case and are stunned to discover that one of the memory chips is gone.
  • Perhaps you come back from sick leave and find that your machine, the one right there on your desk that no one is supposed to touch, is very "hooky". It hangs up during start-up, and Explorer is constantly sending you "this program has performed an illegal operation and will be shut down" messages. You find the Control-Alt-Delete keys are your new best friends. What is going on? Someone has tried to hack into your machine.
  • One of the students calls you over in lab and points out that it no longer says "Dell" on your start-up screen, but "Hell". Or perhaps the Microsoft version is no longer 95 or 98, but something inappropriate. They are as shocked as you are but, guess what? He or she can fix that nasty little problem for you. Wow, you're certainly lucky to have such a nice kid in your lab to help, huh?

Sound far-fetched? Not really. Each of those things has happened to me. That's right. Mr. Computer Guy has been ripped off, hacked, and "socially engineered". I hope I can help you learn from my mistakes. There are two steps.

First, we start thinking about security overall. In our first example, simply locking the computer cases could have prevented the theft of the chips. Our cases will accept a lock or a seal to prevent tampering. (We could also enable a cover removal alert message in the BIOS. More on that idea later).

Of the top ten problems relating to security of computer systems, the first four are password issues. The fifth is not using the existing locks. Be honest with yourself about your work environment. Do you need some of those mini-locks or a seal unit that will show tampering? Price the materials, then price the new RAM and sound cards. Now do the math for your site. But you need not crack the case to do mischief.

How do people gain access to computers? If you work where I do, you wait until lunch. Or, you can ask somebody for a password. Walking around on the day I wrote this, I found five computers in sleep mode, but fully accessible and logged on. I could have ordered myself a new Robert Crais book, as one of the staff has Amazon 1-Click ordering. I could have sent a scathing letter to the Superintendent under your name. I didn't because that would be wrong. Others may be less charitable. My point is that as educators, we need to take security seriously.

Big business does. Give an administrator's password to a guest at one of the big ten companies and see how long it takes a team of security guards to show up to escort you from the building. Somehow, working with children makes it seem less serious. Am I saying all districts are lax? Of course not--I haven't been to all the districts. But I know one para-educator who gave out not just a password, but also an administrator's password to a substitute teacher. In business, this would get you fired, and rightly so.

The world's best security system is only as good as its weakest link. Two hundred pages of policies are only as good as your weakest administrator. So take passwords and system safeguards with a grain of salt. That para-educator may soon be working for you.

My hints for survival? Glad you asked. That is step two. In addition to thinking about security, you must be proactive and do something about it as well--even if it is only an attitude adjustment on your part. Consider the following suggestions:

  • If you remember nothing else: Passwords are case sensitive. Joe2 is not the same as JOE2 or joE2.
  • Do not use your children's names, your Social Security Number, birthday, or my favorite, your dog's name for passwords.
  • Use a combination of letters, numbers, and symbols, bearing in mind that certain symbols may not work. Keep in mind the case-sensitive issues, but use them to your advantage.
  • If the minimum number of characters is six, go for eight.
  • Anyone, with the possible exception of the President, the Joint Chiefs of Staff, or NORAD, who comes up with a 42-symbol password deserves to forget it. Be serious.
  • Do not share your passwords. If others need to use your machines, ask the IS staff about Guest Log-On with restricted privileges that expire within a fixed period. I trust one teacher out of 30 with mine. He also has my ATM code. The operative word here is trust.
  • I keep four levels of passwords. Level one is for the sites that are for fun. I use the same word on all five sites. If it's hacked, who cares if somebody else gets my personal horoscope from Swami Cindy? Does the site have my credit card--such as Amazon? I have a level two single password--more complex, thank you--for those sites. How about my stock trading sites? I have a third and fourth level word for my most secure sites like on-line banking.

To summarize the above, the more risk to you, the more security you should have.

  • If you have different passwords, don't write them down. If you have trouble, write a clue if you must, but do not be obvious. You may think, "Our quarterback's jersey number" is pretty slick, but with good old number 35's picture in the paper every two days, somebody might just crack it. That's why I keep it to four words. Even I can remember that.
  • Change your passwords occasionally--especially when you find a helpful student hovering around your desk frequently. If you are on a Novell system, go to the N in the lower right corner of the screen and a right click will lead you to changing passwords. Access User Administration for your network name.
  • Forget using your screen savers as a roadblock. I have a student who goes through them like warm butter. I just have to figure out how he does it.
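The password rules in the two lists above, turned into a check you can run against a candidate before you commit to it. This is an added example, not code from the column: the rule set (at least eight characters, upper- and lower-case letters, a digit, a symbol, and nothing drawn from children's names, the dog's name, a birthday or a Social Security Number) is my reading of the advice above, and the family names, birthday, SSN and the set of symbols treated as risky are all constructed for the example.

```python
"""Password hygiene check modelled on the column's advice (added example)."""
import re
from datetime import date

# The column warns that "certain symbols may not work". Which ones depends on
# the system; this set is an assumption chosen for the example.
RISKY_SYMBOLS = set(" \"'\\")


def personal_tokens(names, birthday, ssn):
    """Lower-case strings a password must not contain.

    The birthday is expanded into the numeric spellings people actually type
    (mmddyy, mmddyyyy, ddmmyy, ddmmyyyy, mdyy and the bare year); the SSN is
    kept whole and as its last four digits.
    """
    tokens = {n.lower() for n in names if len(n) >= 3}  # skip initials
    y, m, d = birthday.year, birthday.month, birthday.day
    tokens |= {
        f"{m:02d}{d:02d}{y}", f"{m:02d}{d:02d}{y % 100:02d}",
        f"{d:02d}{m:02d}{y}", f"{d:02d}{m:02d}{y % 100:02d}",
        f"{m}{d}{y % 100:02d}", str(y),
    }
    digits = re.sub(r"\D", "", ssn)
    tokens |= {digits, digits[-4:]}
    return tokens


def check_password(candidate, tokens, min_length=8):
    """Return the list of rules the candidate breaks; empty means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()  # personal tokens are matched case-insensitively
    for t in sorted(tokens):
        if t and t in lowered:
            problems.append(f"contains personal token {t!r}")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs a digit")
    # Anything that is not a word character or whitespace counts as a symbol
    # (note: underscore is a word character and so does not count).
    if not re.search(r"[^\w\s]", candidate):
        problems.append("needs a symbol")
    risky = RISKY_SYMBOLS & set(candidate)
    if risky:
        problems.append(f"uses symbol(s) the system may reject: {sorted(risky)}")
    return problems


# Constructed personal data for a hypothetical teacher: two children, the dog,
# a birthday and an SSN. None of this is real.
FAMILY = ["Emily", "Jake", "Rover"]
BIRTHDAY = date(1962, 3, 14)
SSN = "123-45-6789"
TOKENS = personal_tokens(FAMILY, BIRTHDAY, SSN)

if __name__ == "__main__":
    for pw in ["rover1", "Emily031462", "Joe2", "Jake's#Pass1", "Tr4in#Whistle"]:
        verdict = check_password(pw, TOKENS) or ["ok"]
        print(f"{pw:15} {'; '.join(verdict)}")
```

Run it and the first four candidates are rejected for the reasons the column gives (the dog's name, a child's name plus a birthday, too short, and a name plus an apostrophe the system may not accept), while the last passes. The check is deliberately case-insensitive when matching personal data: the advice to use mixed case is about making the password harder to guess, not about hiding "Rover" behind "rOvEr".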

The only true block to the computer's operating system is to keep the person from accessing it in the first place. That means a BIOS password. The BIOS is accessed by hitting F2 or Delete during your initial start-up. (The prompt shows up briefly on your screen right after you turn the machine on.) We take our BIOS password so seriously here that only one person on site knows it. The second person is the Systems Administrator for the entire system at the district. I do have it in an envelope in case of a "dire" emergency. But if that one is opened, I will re-do all 100 computers with a new one.

If you've read any of my previous columns, this is the place where I tell you to check with your System Administrator before you wade into the case of a networked machine. In most cases, a school will have the BIOS secured and you cannot access it. If it isn't, you'd best get to it before the kids do. If it's your own machine, please be advised: this BIOS stuff is VERY serious. No fooling. Is it possible to bypass a forgotten BIOS password? Yes. Can I do it? No. I know how, but lack the skills.

I have had countless security programs purported to do countless things. Both example one (the missing memory chip) and example two (the attempted hack) would have been stopped by the BIOS settings. On our machines, you can set an "Alert! Computer Cover has been removed!" message to display on start-up. This will alert a staff member that something is amiss--like the lock being gone. If you aren't checking each start-up, I suggest that you budget the time.

Example two (the machine that became increasingly weird) was the result of a failed hacking attempt by a substitute teacher in my class. He apparently had taken a Novell class in college, and for reasons yet to be explained, thought he could use the old system password to get into my machine. We have system 5. He was using system 3.xx. The result was that I had to scrub my disk and re-install all kinds of software.

Had this vandal been stopped at initial start-up, the problem would have been avoided. On the advice of our System Administrator, I now have a password that prohibits anything past start-up. It is set up in the security section of the BIOS. On my machine the entry reads "Password" followed by "Enabled", and a click toggles it off or on.

Can it be bypassed or hacked? The 15-year-old who helped me perform Y2K checks says it can, but it is a lot harder and I believe him. But then we have a verifiable termination action, not just an "Oh, did I do that?"--at least, according to the union representative.

That young man who helped me brings up our third area of concern: social engineering. I like, respect, and trust the students with whom I work or I wouldn't be here. Several of them have proven invaluable in testing the newly installed system. When IS left, stating, "The system is bulletproof," I asked for volunteers to crack it. With my permission, they tested it and, in less than five minutes, we were at a Gamer site on the computer that "could not possibly access the Internet".

Using the example above--creating a "problem" on a computer and then showing the teacher how to fix it--is listed on a Hacking site as step one to social engineering. It is loosely defined as winning the person's trust for purposes of system entry. Think "kissing up" if it helps.

I searched the Internet using HotBot > Computers>Hacking and then poked around in the "Newbies" section. Interesting reading. There are entire "how-to" books on this stuff! Most of my kids who point things out to me are legitimate. They want to show me that they are good, and I encourage that. But when they set up a problem to do that, I become suspicious.

Several students tried to win my trust to gain system access. One did find my password, and then used it to broadcast messages to all of the classrooms from another classroom machine. I'm not saying you shouldn't use, work with, or trust the computer kids. I am saying that passwords are there for a reason. I have given students passwords with more than student-level permissions. I have never given a student administrative-level access. Since the first problem, I have been pleased with the results.

To sum it up, please take security seriously. Guard your passwords and support your peers. Give that 15-year-old in the third row an opportunity to learn and grow. That's what we're here for. But be sensible about how you do it. Often our good intentions are our own worst enemy.

Email: Bill Bateman

First Electronic Serial Rights: CMP Media, Inc.
All others: © Bill Bateman 2000