Privacy Update: Student Hackers

Published
17 November 2016

Hacking: a prank or something more serious?

A young Bill Gates once drew the attention of girls in his class by hacking. He is now the richest person in the world, a philanthropist and also one of the most respected international industry leaders. Julian Assange and Edward Snowden, regardless of their motives or political alliances, have throngs of supporters who admire their cyber skills. Indeed, high school hacking into school networks or teachers' private accounts seems to be a rite of passage for budding tech-heads and programmers.

And recently, Jarryd Hayne was left red-faced after such a 'harmless prank'. The rugby league player for the Gold Coast Titans was making a presentation on online security when pornography appeared on the screen, apparently put there by one of the students in the crowd. The punchline? His presentation was sponsored by internet security firm Norton.

But beyond the pranks and the jokes and what may seem like harmless fun lies a dangerous pattern of escalating attacks on schools. Over the last year, there have been numerous arrests worldwide for cyber security breaches in schools. The hackers? Students. Students who feel somehow invincible and anonymous behind their screens and who have undertaken audacious hacks, including sourcing private information stored by schools and even altering examination results or final grades.

What is the profile of a hacker?

A hacker does not look or appear a certain way. He or she can come from any socio-economic, cultural, racial or religious background. Teachers may be aware of students who spend a significant amount of time online or seem to have a proclivity for computers, but many students who are technologically advanced choose to use their abilities for good, not harm. The only trait that all hackers seem to share is that they are willing to manipulate computer systems, often in breach of the law.

Student hackers in the news

In September this year, two teenage students from Chino Hills in the United States were arrested for allegedly hacking their school's system. According to an article on CBS Local, the pair attempted to change their grades as well as attacking data for other purposes. The investigation is ongoing and will be forwarded to the Juvenile Division of the District Attorney's office. In an unrelated American incident in Panther Creek, another teenager was charged with two felonies for hacking – accessing government computers and breaking and entering. If convicted, he could face more than four years in prison. Hacks of these kinds are also found in universities, with one Kennesaw State University student arrested for illegally accessing a school network. He did so to change grades, but also, alarmingly, to access the medical, employment and financial records of 36 professors at the University.

Penalties for hacking

The penalties for breaching a school's system can be severe and can include jail time if it amounts to a criminal offence. If students are involved in hacking a more senior government agency, as one man has discovered, the penalties can be very severe and far reaching. Lauri Love, an English-Finnish former student of Glasgow University, has been charged with a list of cybercrime-related felonies in the United States. He hacked the US Army, Military Defense Agency and NASA among other agencies. American officials are seeking extradition for Love, who has Asperger's Syndrome. A conviction for all charges would result in a 99-year sentence.

What are the legal implications in Australia?

Students involved in hacking could be charged with 'unauthorised access to, or modification of, restricted data', or 'unauthorised impairment of electronic communication'. These offences were introduced to the Criminal Code by the Cybercrime Act 2001 (Cth). The first offence carries a maximum of two years' imprisonment; the second has a maximum term of ten years. There is an array of other cyberhacking offences that could apply to hacking conduct. And, as we have seen, associated offences such as breaking and entering can also apply where school facilities have been entered unlawfully.

What can schools do about student hackers?

With the end of year examinations and school report marks nearly here, now is the time to be vigilant about your school's cyber security. There are two very clear ways of increasing the protection of your systems:

1: Ensure your systems are secure and that teachers and other staff, volunteers and guests are provided with guidance on how to protect their data from attack.

Basic tips to keep your online space safe

  • Passwords: use complex passwords, change them often, don’t share them or write them down. Better yet, use a password manager like LastPass or 1Password;
  • Don’t leave computers unattended: if leaving your computer for an extended period of time, log out or password lock your screen. Better yet, you can set your computer to automatically lock your screen after a period of inactivity;
  • If you are leaving your classroom for a break or to attend another lesson, if possible, take your laptop or tablet with you;
  • Do NOT share or give any access to your laptop, tablet or computer with students for any matter at any time;
  • Set a lock screen on your mobile phones and tablets, requiring a pin or fingerprint recognition to unlock;
  • Don’t leave USB drives containing sensitive information unattended;
  • Don’t leave any equipment unattended; and
  • Unplug projectors or screen cast connections if you need to type in a password.

More advanced tips to keep your online space safe

  • Make sure all wireless networks are encrypted and, better yet, have a separate wireless network for teachers;
  • Set strong network firewall rules;
  • Secure network wall ports;
  • Make sure access to sensitive information available on school networks (e.g. share drives) is sufficiently secured and has the correct permissions;
  • Remind staff regularly of the risks, and if necessary the penalties, associated with breaches of privacy and access to school data by unauthorised users due to staff failing to secure their IT equipment;
  • Ensure accounts for separated staff are promptly disabled; and
  • Conduct a security audit by an accredited provider.

2: Educate students on the privacy expectations regarding online usage. This lesson is important for a school context and to protect your own information but it will also protect students from incriminating themselves outside of school.

Some suggested tips include

  • Presenting seminars on the dangers and penalties associated with cybercrime (not just at the commencement of the year, but also throughout the year);
  • Having students contribute to the cybercrime conversation (see this article from The Conversation);
  • Identifying students who are making small online pranks and providing additional support;
  • Providing lessons in ethical hacking (simply telling an aspiring hacker “don’t hack” works about as well as the other abstinence-only approach). This radical approach is a suggestion but is not outwardly promoted or condoned by CompliSpace;
  • Providing time for students who excel on the web to get involved in school projects that are based online and assist other students; and
  • Involving parents in the education process by inviting guest speakers to attend parent forums or Parents and Friends Meetings to discuss the issues and penalties associated with hacking. Most student hacking takes place off campus and parents need to be able to support the school's message.

There are sites set up specifically for budding student hackers and sites that assist schools to deal with student hackers. There are even books available for schools that provide tips to help avoid hacking and/or to educate children regarding the issues associated with hacking. A quick Google search reveals dozens of easily accessible websites, blog sites, online documents and books available for students and schools.

Schools need to realise that budding student hackers often know more about computer technology than many teachers and parents. Student hackers, as we have already noted, develop a sense of anonymity and impunity from the law, especially if their minor forays into hacking go unnoticed. It is imperative that schools have clear policies and procedures regarding the use of and access to their IT and online environments. It is also essential for parents and students to know, understand and accept that there are serious penalties that may apply to students who attempt to hack into or manipulate school IT systems and that these penalties involve more than just school sanctions. They may involve the Police.

Refer to our article 'Privacy Update: compulsory data breach notifications to be introduced' for more information on the privacy laws applying to a potential misuse of personal information due to a hacking incident.

 

CompliSpace Media

CompliSpace is an Australian company that helps over 600 non-government schools across Australia with their governance, risk, compliance and policy management. What makes us different is that we monitor over 200 sources of legal and regulatory change to ensure our clients have the updated policies and tools they need to meet new requirements. We share that knowledge with the broader Education community via School Governance.