Waco, Texas - Teen hacks school computer system
05/25/07. By David Doerr. Tribune-Herald staff writer
Sean Erickson, a 17-year-old high school student under investigation by Waco school officials for accessing sensitive information on a district computer system, says he’s not the malicious hacker some might assume. To paraphrase the tag line from the movie Hackers, the poster for which hangs in his bedroom: His crime was curiosity, he says. nd he disputes Waco Independent School District officials’ claim that he “acquired unauthorized access” to one of the district’s servers, saying they left it wide-open for anyone to enter. “The door was unlocked, it was open and you had your giant plasma screen TV sitting there for anybody,” he said.
In this case, the potential loot for any would-be criminals was confidential information such as Social Security numbers, which can be misused to conduct financial misdeeds.
On Wednesday, Waco ISD officials disclosed that they were investigating whether sensitive student and staff personal information was compromised when two high school seniors allegedly used software on their personal computers to gain unauthorized access to a portion of one of the district’s servers. On Thursday, officials said the students attended A.J. Moore Academy, the district’s magnet school specializing in career and technology education.
Erickson, a senior set to graduate on Saturday, says he was simply pursuing the hobby he hopes to turn into a career — testing computer network security. “I was just looking at some of the servers they had,” Erickson told the Tribune-Herald. “I thought they would have it pretty well secure. It never hurts to try something. I just came across one that didn’t have a password or user name (protection). It didn’t ask me for anything.” Once inside the server, Erickson said he found names, addresses and Social Security numbers for students and district employees. He said he looked up his information, that of his younger brother and of his friend, a fellow computer-savvy A.J. Moore senior also caught up in the investigation.
Erickson said his friend, who he declined to name, “freaked out” when he told him about the unprotected information on the district’s server. He said his friend, who he has known since elementary school, told him he should probably tell school officials about the problem but worried that Erickson would be kicked out of school if he did.
Sgt. Ryan Holt of the Waco Police Department, which is not involved in the investigation, said knowingly accessing a computer network without the owner’s permission would constitute “breach of computer security,” a Class B misdemeanor. However, it was unclear Thursday night if the charge applied to servers that are left unsecured.
Erickson said he did not download any information from the Waco ISD server.
The event in question occurred in December, Erickson said, but Waco ISD officials were not made aware until two weeks ago, when Erickson found himself in the middle of another controversy at school involving other students testing their network wizardry. Erickson said he had shown his friends an “exploit” on the computer network at A.J. Moore Academy that allowed them to install software enabling them to take control over computers remotely. When one of his classmates tried the trick on a computer where a teacher was updating her digital grade book, the students found themselves in trouble, he said. Erickson said he intended to tell school officials about the unprotected server after he graduated, so they couldn’t punish him. But when school officials began investigating the remote-controlled computers incident, he knew their attention would turn to him because he had shown his friends how to do it. ‘I might as well tell them’ “I figured if they were going to kick me out about that, I might as well tell them about the unprotected site so they could fix it,” he said.
Erickson said he told A.J. Moore principal Debra Bishop about the computer server with the unprotected Social Security numbers on May 11, when he was called in for questioning about the other incident. Since then he says he has cooperated with the investigation by handing over the laptop he used to access the server to district officials and answering their questions.
The friend he told about the unprotected server back in December refused to hand over his personal computer and district officials seized it with a search warrant, Erickson said.
Erickson said his friend is a “good kid” and doubted he was involved in any malicious activity. He said he didn’t know whether his friend had downloaded any sensitive information.
Since the investigation began two weeks ago, Erickson and his friend were suspended for three days, had their final exam exemptions revoked and their technology privileges removed. He and the “six or seven” kids involved in the remote-controlled computers incident had to take their finals under supervision, apart from the rest of the student body.
District officials plan to let Erickson and his friend participate in graduation activities on Saturday. No charges have been filed against the two, though they are still being investigated by Waco ISD police. Erickson said he “probably shouldn’t have messed with their network in the first place.” However, Waco ISD should have done more to protect its sensitive data, he said. In a statement issued Thursday, Waco ISD officials said they take the incident “very seriously” and are looking for ways to aggressively tighten network security.
The WISD statement blamed the security breach on “software that had been misconfigured by an outside vendor for use by child nutrition services.” Once the breach was discovered, Waco ISD computer technicians changed the software to prevent further “unauthorized access.”
The district is notifying parents about the security breach and informing them of ways to prevent the unauthorized use of personal information, according to the statement.
Erickson’s parents were present when he was interviewed by the Tribune-Herald Thursday evening. They declined to be identified for this article but vouched for their son’s integrity. His mother says he has been interested in computers since his grandfather gave him his first Packard Bell computer when he was in the fifth grade. Three days after he received it he took it apart so he could see how it worked, she said.
Erickson, who said he has earned the distinction as A.J. Moore’s Information Technology Student of the Year for the last three years, said he hopes the incident doesn’t get in the way of his college ambitions. He wants to pursue a degree in network security from Texas State Technical College.
ddoerr@wacotrib.com
RetrievedMay, 26, 2007 from http://www.wacotrib.com/news/content/news/stories/2007/05/25/05252007wacwisdhack.html
Sean Erickson, a 17-year-old high school student under investigation by Waco school officials for accessing sensitive information on a district computer system, says he’s not the malicious hacker some might assume. To paraphrase the tag line from the movie Hackers, the poster for which hangs in his bedroom: His crime was curiosity, he says. nd he disputes Waco Independent School District officials’ claim that he “acquired unauthorized access” to one of the district’s servers, saying they left it wide-open for anyone to enter. “The door was unlocked, it was open and you had your giant plasma screen TV sitting there for anybody,” he said.
In this case, the potential loot for any would-be criminals was confidential information such as Social Security numbers, which can be misused to conduct financial misdeeds.
On Wednesday, Waco ISD officials disclosed that they were investigating whether sensitive student and staff personal information was compromised when two high school seniors allegedly used software on their personal computers to gain unauthorized access to a portion of one of the district’s servers. On Thursday, officials said the students attended A.J. Moore Academy, the district’s magnet school specializing in career and technology education.
Erickson, a senior set to graduate on Saturday, says he was simply pursuing the hobby he hopes to turn into a career — testing computer network security. “I was just looking at some of the servers they had,” Erickson told the Tribune-Herald. “I thought they would have it pretty well secure. It never hurts to try something. I just came across one that didn’t have a password or user name (protection). It didn’t ask me for anything.” Once inside the server, Erickson said he found names, addresses and Social Security numbers for students and district employees. He said he looked up his information, that of his younger brother and of his friend, a fellow computer-savvy A.J. Moore senior also caught up in the investigation.
Erickson said his friend, who he declined to name, “freaked out” when he told him about the unprotected information on the district’s server. He said his friend, who he has known since elementary school, told him he should probably tell school officials about the problem but worried that Erickson would be kicked out of school if he did.
Sgt. Ryan Holt of the Waco Police Department, which is not involved in the investigation, said knowingly accessing a computer network without the owner’s permission would constitute “breach of computer security,” a Class B misdemeanor. However, it was unclear Thursday night if the charge applied to servers that are left unsecured.
Erickson said he did not download any information from the Waco ISD server.
The event in question occurred in December, Erickson said, but Waco ISD officials were not made aware until two weeks ago, when Erickson found himself in the middle of another controversy at school involving other students testing their network wizardry. Erickson said he had shown his friends an “exploit” on the computer network at A.J. Moore Academy that allowed them to install software enabling them to take control over computers remotely. When one of his classmates tried the trick on a computer where a teacher was updating her digital grade book, the students found themselves in trouble, he said. Erickson said he intended to tell school officials about the unprotected server after he graduated, so they couldn’t punish him. But when school officials began investigating the remote-controlled computers incident, he knew their attention would turn to him because he had shown his friends how to do it. ‘I might as well tell them’ “I figured if they were going to kick me out about that, I might as well tell them about the unprotected site so they could fix it,” he said.
Erickson said he told A.J. Moore principal Debra Bishop about the computer server with the unprotected Social Security numbers on May 11, when he was called in for questioning about the other incident. Since then he says he has cooperated with the investigation by handing over the laptop he used to access the server to district officials and answering their questions.
The friend he told about the unprotected server back in December refused to hand over his personal computer and district officials seized it with a search warrant, Erickson said.
Erickson said his friend is a “good kid” and doubted he was involved in any malicious activity. He said he didn’t know whether his friend had downloaded any sensitive information.
Since the investigation began two weeks ago, Erickson and his friend were suspended for three days, had their final exam exemptions revoked and their technology privileges removed. He and the “six or seven” kids involved in the remote-controlled computers incident had to take their finals under supervision, apart from the rest of the student body.
District officials plan to let Erickson and his friend participate in graduation activities on Saturday. No charges have been filed against the two, though they are still being investigated by Waco ISD police. Erickson said he “probably shouldn’t have messed with their network in the first place.” However, Waco ISD should have done more to protect its sensitive data, he said. In a statement issued Thursday, Waco ISD officials said they take the incident “very seriously” and are looking for ways to aggressively tighten network security.
The WISD statement blamed the security breach on “software that had been misconfigured by an outside vendor for use by child nutrition services.” Once the breach was discovered, Waco ISD computer technicians changed the software to prevent further “unauthorized access.”
The district is notifying parents about the security breach and informing them of ways to prevent the unauthorized use of personal information, according to the statement.
Erickson’s parents were present when he was interviewed by the Tribune-Herald Thursday evening. They declined to be identified for this article but vouched for their son’s integrity. His mother says he has been interested in computers since his grandfather gave him his first Packard Bell computer when he was in the fifth grade. Three days after he received it he took it apart so he could see how it worked, she said.
Erickson, who said he has earned the distinction as A.J. Moore’s Information Technology Student of the Year for the last three years, said he hopes the incident doesn’t get in the way of his college ambitions. He wants to pursue a degree in network security from Texas State Technical College.
ddoerr@wacotrib.com
RetrievedMay, 26, 2007 from http://www.wacotrib.com/news/content/news/stories/2007/05/25/05252007wacwisdhack.html