School District Still Using Default Login For Admin Account Surprised To Learn Its Site Has Been Hacked

from the the-password-is-'password'-but-with-a-1 dept

A Texas school district is learning the hard way about website security basics. If you'd like to keep your site from being compromised, the very least you can do is reset the default login. According to a post at Hackforums, the Round Rock Independent School District of Austin, TX was using the following name and password for its admin account. (h/t to Techdirt reader Vidiot)

hacked - idiots used default login/pass

u; admin
p; admin1
Once compromised, the hacker(s) dropped sexual terminology, racist statements and a few memes all over the Round Rock ISD site. The "Welcome" splash screen was altered to deliver the following "warning:"
ATTENTION PARENTS AND STAFF: REDDIT HAS BEEN RAIDING ALL OF THE WEBSITES IN ROUND ROCK ISD AND POSTING PORNOGRAPHIC IMAGES. PLEASE REFRAIN FROM USING ANY ROUND ROCK ISD WEBSITES UNTIL FURTHER NOTICE. THANKS
Needless to say, this wasn't an official message from the school. Additional text next to the principal's photo noted that Caldwell Heights Elementary was a "Jewish Internet Defense Force (JIDF) World School" and that the school's goal was to "develop strong partnerships" with parents and "touch every child -- especially the littler ones." The "statement" was signed by "moot."

Another page features an apology from the principal ("Sorry for the AIDS") and a copy-pasta spinoff of the Navy SEAL rant meme that takes the memorable posturing and sweary proto-military threats and spins them into a defense of every slighted non-white male ever.

The district's reaction to this hacking has been particularly hilarious and prone to over-sensitive overstatements, especially if its hands-off approach to security provided the hole for the hackers to waltz on through.
"We have a third party managing the site (SharpSchool) and we have instructed them to take their time getting everything back up and running," said JoyLynn Occhiuzzi from the Round Rock ISD. "We want them to pull everything together and protect as much information as possible about how this happened so we can make sure it doesn't happen again."
Well, I would assume changing the login and password was at the top of the To Do list. This may not entirely be the district's fault. SharpSchool likely bears some of the blame here, especially if it never bothered to ensure the admin login was something stronger than admin/admin1.
"It's disappointing that someone would take the time to hack into our websites…"
Yes, it's "disappointing" that someone would have to try more than a handful of variations of the World's Dumbest Passwords before being granted access to the back end.

The site remained down for a few days, replaced with a placeholder image and a somewhat cheery apology. Local police say they will press charges if they manage to find the hacker(s) behind the defacement. The school district has also made statements along the same lines, but finding who's responsible will be considerably harder than accessing the site without permission.

The altered message on the welcome screen pinned the blame on Reddit, but considering its obviously fake origin, it probably shouldn't be trusted.

The Houston Chronicle article contains this sentence which strains credulity to its breaking point.
Many of the pages can't be printed but one did name a group "9gag'' as being behind the "raid" that came from their "mother's basement."
Given Reddit's antipathy towards 9gag, this would seem to swing the finger of blame back on the Front Page of the Internet. Of course, the internet is filled with people and groups who hate 9gag, so that's hardly conclusive. The faux signature appended to the principal's photo ("moot") would seem to implicate 4chan, but Not Your Personal Army doesn't really sign its work. And the fact that the actual principal (Barbara Bergman) wasn't doxed and scattered across the internet would seem to indicate that the Internet Hate Machine didn't perform this particular defacement.

The details that have been made public indicate a rather amateurish job. There's a lot of namedropping going on, but a school site with an unfortunate login/password combination is hardly the sort of target these "groups" would expend much energy hassling.

Considering no real damage was done (other than a few people being offended), perhaps the district should just count its blessings and change the damn password. No data was lost and whatever downtime resulted from the defacement should be borne cost-wise by the third party paid to run the site(s). Prosecuting some low-level vandal for this temporary inconvenience won't prevent anyone from doing this sort of thing in the future. The easiest way to dissuade bored hackers is to put up at least a tiny bit of resistance in the security department -- something a simple login/password change months ago would have ensured.
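As an added illustration (not code from the district, SharpSchool or the original post), here is the kind of check a site could run whenever an admin password is set, so that a value like the login name with a "1" tagged on never gets accepted. The function name, the small deny-list and the 12-character minimum are assumptions made for this example.

```python
import re
import unicodedata

# Constructed sample deny-list; a real deployment would load a far larger one
# that includes the vendor's documented default credentials.
KNOWN_WEAK = {"admin", "password", "123456", "12345678", "00000000", "changeme"}

# Common character substitutions undone before comparing (small sample, assumption).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

REASON_WEAK = "known default or common password"
REASON_USERNAME = "derived from the login name"
REASON_SHORT = "shorter than the minimum length"


def _core(value):
    """Reduce a string to its base word: case-folded, with leading/trailing
    digits and punctuation stripped, then substitutions undone."""
    value = unicodedata.normalize("NFKC", value).casefold()
    value = re.sub(r"[\d\W_]+$", "", value)   # "admin1" -> "admin"
    value = re.sub(r"^[\d\W_]+", "", value)   # "1admin" -> "admin"
    return value.translate(LEET)


def rejection_reason(username, password, min_length=12):
    """Return why the password must be refused, or None if it passes.
    min_length=12 is an assumed policy value, not taken from the article."""
    raw = unicodedata.normalize("NFKC", password).casefold()
    core = _core(password)
    user = _core(username)

    # All-digit passwords have an empty core, so the raw value is checked too.
    if raw in KNOWN_WEAK or core in KNOWN_WEAK:
        return REASON_WEAK
    # Login name (or its reverse) dressed up with digits or symbols.
    if user and core in (user, user[::-1]):
        return REASON_USERNAME
    if len(password) < min_length:
        return REASON_SHORT
    return None


if __name__ == "__main__":
    for user, pw in [("admin", "admin1"), ("jsmith", "JSmith2014!"),
                     ("admin", "correct horse battery staple")]:
        print(user, repr(pw), "->", rejection_reason(user, pw) or "accepted")
```

Running the same function over every account at provisioning time, and again before a site goes live, catches a default that was never changed.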



Reader Comments

  1.  
    Ninja (profile), Jan 8th, 2014 @ 1:39am

    We should try to access their bank accounts. I suspect the password 123456 will do. And my account would be quite happy with an extra dough ;)

     

  2.  
    Rikuo (profile), Jan 8th, 2014 @ 3:36am

    Can this even be called hacking? For me, this is like finding a keyring with a bunch of keys and trying them all on a door. Eventually one would work and the door would open. Did the hacker use a brute force program or just manually type admin and admin1 into the boxes to see if they would work?

     

  3.  
    Anonymous Coward, Jan 8th, 2014 @ 4:01am

    This is what happens when you treat your IT staff like digital janitors and cut them in the first round of layoffs.

     

  4.  
    Anonymous Coward, Jan 8th, 2014 @ 4:15am

    Re:

    > Can this even be called hacking?

    Yes, it can. Password guessing is a well-known hacking technique.

    If there was no password, or if the password was exposed (like on a password prompt which says "the password is hunter2", or visible with "view source" on the page), or if simple and obvious URL manipulation were enough to get in, THEN you could rightfully ask whether it could be considered hacking.

     

  5.  
    PaulT (profile), Jan 8th, 2014 @ 4:42am

    Re: Re:

    "if the password was exposed"

    The password was the same as the login name with "1" tagged at the end, and the way the article is written suggests it's the standard default password for the system they were using. It was exposed.

     

  6.  
    Anonymous Coward, Jan 8th, 2014 @ 4:48am

    Re: Re: Re:

    > and the way the article is written suggests it's the standard default password for the system they were using. It was exposed.

    If you are right, I apologize. One can rightfully ask whether it could be considered hacking.

     

  7.  
    me@me.net, Jan 8th, 2014 @ 4:50am

    The Administration and IT staff should be fired

    How stupid can you be?

     

  8.  
    Anonymous Coward, Jan 8th, 2014 @ 4:54am

    Re:

    Cut them, then outsource to a third party. And of course, the outsourced party only kinda gives a crap cause, hey, worst comes to worst, they say, "oops" and fix it. Like now. Whereas the in-house guy knows if he doesn't do it right, he's fired.

     

  9.  
    Anonymous Coward, Jan 8th, 2014 @ 4:56am

    Re: Re: Re: Re:

    Thank you for giving your permission to question whether this can be called hacking. Society will be eternally grateful for your generosity.

     

  10.  
    Anonymous Coward, Jan 8th, 2014 @ 5:02am

    Re: Re:

    > "Can this even be called hacking? For me, this is like finding a keyring with a bunch of keys and trying them all on a door. Eventually one would work and the door would open."

    This is the definition of a dictionary attack.

     

  11.  
    Anonymous Coward, Jan 8th, 2014 @ 5:12am

    /s

    I guess it's better than 123456.

     

  12.  
    Bengie, Jan 8th, 2014 @ 5:14am

    Re: Re: Re:

    Depends on if they even used a dictionary attack. If all they did was port scan systems until they found a hit, then checked what app it was running, then tried the default password, then they did not do a dictionary attack.

    This would not be "hacking" in the typical sense of the word, it would just be "probing", then using publicly known information.

    Kind of like walking past a bunch of cars and trying the door in each one to see if it's locked. You wouldn't say someone "broke into" the car, but "entered" the car.

     

  13.  
    Anonymous Coward, Jan 8th, 2014 @ 5:55am

    Re: /s

    Not by much lol

     

  14.  
    S. T. Stone, Jan 8th, 2014 @ 5:58am

    Naw, 4chan didn't do this.

    I've posted to 4chan for years. I remember when you could follow /b/ by the front page alone. 4chan didn't do this.

    How do I know this?

    Well, look at the clues. You have the Angry Marine Rant meme, but someone modified it; 4chan would've posted the real thing. You have porn, but no guro images; 4chan would've posted some of the nastier stuff /b/'s ever seen. You have an apology to parents; 4chan would've gotten scared and gone to live with their aunt and uncle in Bel-Air.

     

  15.  
    Anonymous Coward, Jan 8th, 2014 @ 6:53am

    Re: Re: Re: Re:

    I have no idea whether these guys used a dictionary attack; I was just pointing out that the commenter's description: "Can this even be called hacking? For me, this is like finding a keyring with a bunch of keys and trying them all on a door. Eventually one would work and the door would open." is the definition of a dictionary attack, commonly used for password cracking. To be pedantic, the term "hacking" is not specific to the act of gaining unauthorized access to systems, though it commonly carries that connotation.

    To sum up:

    The keyring with a bunch of keys is the dictionary.
    The door on which the keys are tried is the password hash.
    When a "key" from the "keyring" is found to work with the door, i.e., hashing a word from the dictionary creates the same hash that the cracker is trying to crack, "the door would open".

     

  16.  
    Paul Renault (profile), Jan 8th, 2014 @ 7:21am

    Re: /s

    But not quite as good as 00000000.

     

  17.  
    Pat, Jan 8th, 2014 @ 7:24am

    Ahem...

    Win...

     

  18.  
    Ninja (profile), Jan 8th, 2014 @ 7:31am

    Re:

    According to CFAA you face penalties akin to life imprisonment for such sophisticated hacking. Notice the sarcastic use of sophisticated.

     

  19.  
    Ninja (profile), Jan 8th, 2014 @ 7:32am

    Re: Re: /s

    That's a bombastic flaw!

     

  20.  
    Anonymous Coward, Jan 8th, 2014 @ 7:47am

    Re:

    Actually trying to steal money this way is not as easy as you think.

    http://research.microsoft.com/pubs/161829/EverythingWeKnow.pdf

     

  21.  
    Anonymous Coward, Jan 8th, 2014 @ 7:54am

    Re: Re: Re: Re: Re:

    >REDDIT HAS BEEN RAIDING...
    It's obvious that Reddit did it. I have no idea why anyone would think that it was 4chan.

     

  22.  
    Anonymous Coward, Jan 8th, 2014 @ 8:09am

    Re: Re:

    I don't really think it's considered hacking. More like "cracking" as in trying to crack the password maybe?

     

  23.  
    Anonymous Coward, Jan 8th, 2014 @ 8:11am

    Re: Re: Re: Re: Re:

    Especially coming from some unknown AC, such a reliable authority.

     

  24.  
    Anonymous Coward, Jan 8th, 2014 @ 8:14am

    Re:

    "Can this even be called hacking?"

    I think it should be called 'hacking' in the legal sense in that whoever does it should still be liable for any damages caused. In the "techie" sense ... probably not.

     

  25.  
    Anonymous Coward, Jan 8th, 2014 @ 8:23am

    Re: Re: Re: Re:

    Maybe a more appropriate term would simply be "password guessing".

     

  26.  
    Anonymous Coward, Jan 8th, 2014 @ 9:31am

    Chances are this was a child at the school if you ask me. I was more than capable of doing this while I was at school and in fact did many times with teachers' logins.

     

  27.  
    Anonymous Coward, Jan 8th, 2014 @ 10:43am

    My advice: Change admin username to "stupid" and password to "stupider". At least it will be harder to crack.

     

  28.  
    Anonymous Coward, Jan 8th, 2014 @ 12:17pm

    Top Lel

    This stuff happens all the time on 9gag/reddit.

    User posts login credentials.
    Lots of people login and change stuff.


    Definitely not /b/

     

  29.  
    John Fenderson (profile), Jan 8th, 2014 @ 1:43pm

    Re:

    It's black-hat hacking, but it's not cracking. It's the sort of hacking that the pre-teen set routinely engages in, and is so trivially easy to stop that it's hard for me to be more upset about the kiddies than about the fact that the school district is so incompetent that they shouldn't be running servers at all.

     

  30.  
    John Fenderson (profile), Jan 8th, 2014 @ 1:45pm

    Re: /s

    No, it's the same bad as 12345678. Maybe worse, because all manufacturer default login credentials can be easily found with a quick web search.

     

  31.  
    John Fenderson (profile), Jan 8th, 2014 @ 1:46pm

    Re:

    Yes, it was very clearly a student at the school.

     

  32.  
    toyotabedzrock (profile), Jan 8th, 2014 @ 2:04pm

    4Chan

    I can tell you it was 4chan. They love poking fun at reddit and dislike 9gag. And another common meme is to imply that moot likes kids.

     

  33.  
    Anonymous, Jan 9th, 2014 @ 7:04am

    Re: Re:

    It makes me think of the scene in "War Games" where David Lightman is sent to the office and obtains the new password.

     

  34.  
    Anonymous, Jan 9th, 2014 @ 7:06am

    Re: 4Chan

    Cheese pizza. Is it time?

     

  35.  
    John Fenderson (profile), Jan 9th, 2014 @ 10:23am

    Re: Re:

    As that paper points out, getting into an account and emptying it isn't hard at all. Getting away with it and keeping the money is much more difficult.

    That's why electronic thieves prefer to steal credit card numbers.

     

  36.  
    John Fenderson (profile), Jan 9th, 2014 @ 10:26am

    Re: Re: Re: Re:

    Technically, if you open an unlocked car (or house) door without authorization, you've "broken into" it. Entering is a separate crime.

    If you leave your house unlocked (but the door closed) and someone comes in, they've committed the crime of breaking & entering. If you left your door open so that they don't need to open it, then no "breaking" has occurred. The crime is "trespassing".

     

  37.  
    Anonymous Coward, Jan 13th, 2014 @ 9:50am

    Re:

    The Navy SEAL rant has many well-known derivatives; 4chan's users frequently make spinoffs to these copypastas that evolve over time.

    The biggest smoking gun towards 4chan here (other than casting the blame on 9gag and Reddit, two sites that aren't held in high regard by the 4chan userbase) is the reference to the Jewish Internet Defense Force. I don't think I've seen that mentioned anywhere online other than the 4chan /pol/ board.

     

  38.  
    Max Edwards, Feb 1st, 2014 @ 11:32am

    The real scoop

    As a witness, I can firmly confirm that one of the mentioned websites was behind the attack but due to my loyalty its name will remain secret.
    However, I can tell you all that there was no hacking involved in this little escapade, just merely some student (probably given permission to help his teacher out or something) posting the username and password to my site.
    I hope this will remind all to use an actual password and not give full access to dozens of sites to kids.

     

  39.  
    Steve Alsen, Mar 20th, 2014 @ 1:28am

    Re: The real scoop

    I think it's not a bad idea! I agree with you!

    http://best-boarding-schools.net/

     
