Transcript Slide 1

Turnabout: When the New Tools For
Communication are Turned Against Us
Presented by
Victor Cosentino & Pete Robbins
Chatsworth Hills Academy
at
CAIS Trustee/School Head Conference
January 24, 2009
Presentation:
1. The Turnabout
2. Our Response
3. Lessons & Observations
4. Issues for Discussion
5. Questions & Answers
Viewer Discretion Advised
We have toned down the language used by the attackers as
much as possible and obscured the identity of our targeted
teacher. We are also leaving out references to the various
hacker websites we found.
1. THE TURNABOUT
On December 30, 2007 our school website was hacked. This was the start
of an attack on our school, on a beloved teacher, and on the Board of
Trustees. The attack and our response played out over a two week period.
• Board President received a forged email to our (via Facebook)
stating that one of our teachers was engaged in a vaguely described
“internet sex scheme” and an anonymous “concerned organization”
was taking steps to “help” us.
• The hackers replaced our school website homepage with a new one.
• Our Wikipedia entry was modified with similar “warning” messages.
Original Home Page
Hacked Home Page
Message:
“It has come to the attention of a concerned organization
that there is something going on in your child’s school
that you should be aware of. There is a teacher teaching
kindergarten there by the name of _______ who has been
running an internet dominatrix business in her spare
time. Ms. _______ proudly proclaims on her website that
“_________” and that she is interested in things such as
“_________” and blackmail. This concerned organization,
which would prefer to remain anonymous, has taken action
against Ms. _____, including making sure her website is
taken down and that she has been reported to the IRS for
tax evasion, however, we felt that you, as parents at
Chatsworth Hills Academy, have the right to know that
this is going on. We understand that you value your
children’s safety and the quality of the education they
are getting. Because of this we believe you have the
right to know about Ms. ______’s transgressions.”
Things get personal:
• New Year’s Day, the Board President gets a phone call at home from
the hackers.
• Harassing phone calls and emails to several other Trustees also
occurred.
• The names, telephone, email addresses, home addresses and
sometimes spouses’ name of our Trustees were posted on an internet
website used by various hacker groups.
• The partial Social Security numbers for two Trustees were also posted.
What we were dealing with: Anonymous
• Who is “Anonymous”: A name claimed by ad hoc groups of people who
use the internet to hide their identity and who break into computer
systems in order to steal, change or destroy information as a form of
cyber-terrorism or cyber-bullying.
• In our case the hackers were targeting a woman in southern California.
At some point she indicated to them that she had a teaching
credential. They searched for her name and found a similarly named
teacher at our school and concluded they had the same person.
• Indifferent: The hacked version of our website had language that was
inappropriate for our students. It also had links to websites with
profanity, racism, and explicit sexual content.
• Persistent: Fixes to our website and Wikipedia entry were hacked
within minutes of being fixed.
Scope of Attack Expands:
• School’s Wikipedia entry is vandalized constantly over the course of
several days with information about the “scandal” at our school.
• Defamatory messages are posted on other websites like
greatschools.net, ratemyteachers.com and classmates.com.
• MySpace profiles for several students and teachers receive similar
messages.
• There were also indications that the hackers attempted to access our
school’s EDLINE system.
Scope of Attack Expands (continued):
• Forum postings appear on unrelated websites such as topix.net,
bodybuilding.com, basilmarket.com (a children’s website).
• The school’s main office gets calls and faxes from individuals
pretending to be “concerned parents” and “newspaper reporters.”
The calls are untraceable using VoIP technology and come from
numbers that on Caller ID appear as 000-000-0000 and 123-456-7890.
• Jim McManus of CAIS receives a call from someone pretending to be a
CHA parent complaining about the school and the teacher.
2. OUR RESPONSE:
•
After continued hacking of our website, we contacted Network
Solutions, our website host, to take our website down until we
identified how it was being attacked. After we discovered the flaw, we
put our site back online.
•
We permanently removed information identifying our Trustees and
teachers from our website.
•
We contacted administrators at Wikipedia and had them freeze the
Wikipedia entry after deleting the improper changes.
•
We reviewed log files to trace IP addresses to figure out who was
attacking us.
•
We discovered several sites where the attackers recorded their
activities which gave us insight into their conduct and motivations.
2. OUR RESPONSE (continued):
•
Local Police and FBI (through Internet Crime Complaint Center –
www.ic3.gov) were notified.
•
We briefed office staff on the matter and told them how to respond to
communications related to this event.
•
We contacted moderators at the various online forums and notified
them about the material, indicating that it is defamatory and
dangerous to the children at our school. Generally, they were
responsive in removing information.
•
Head of School and Board President had a series of discussions with
our teacher over the next several days to explain everything that had
happened and everything we learned. She was very upset that
parents might think she was actually involved in this type of behavior.
2. OUR RESPONSE (continued):
•
Communication: Head of School communicates with parents:
o
explained in very general terms what happened;
o
assured them that our teacher was the victim of mistaken
identity and not involved in any way;
o
explained that we had engaged law enforcement and taken
steps to reduce our website’s exposure;
o
warned them that they may run across postings or other
aspects of this attack and that these messages are false;
o
asked them not to engage the hackers or respond in any way to
these postings.
Key Responsive Strategy:
Undo everything the attackers do as fast as possible but do not engage them
or respond to them.
Rationale:
Based on the first phone call and reviewing the websites that catered to
these hackers, the attacks were intended as harassment. The “reward” for
these acts was the ability to generate a response from the victims and then
ridicule the response as a source of amusement. It was our observation that
the greater the response of the victim the longer the attack continued.
Additional questions considered in formulating a responsive strategy:
• Was there actual physical danger to the students from hackers?
• Should we hire lawyers and private investigators?
• Should we hire additional campus security?
• Should we have a townhall meeting to discuss this with parents?
3. LESSONS AND OBSERVATIONS
•
We were lucky:
o
Timing: School was out for Winter Break, many families on
vacation, parking lot gossip was non-existent. We could control
situation and get our message out ahead of rumors.
o
Mistaken identity was clear: The hackers’ inclusion of a photo of
their target immediately dispelled any possibility that it was our
teacher, allowing us to respond with greater certainty. While the
targeted teacher was an excellent educator with an impeccable
reputation, if there had been any uncertainty, our responsibility to
our students would have required us to take the extra step of
making sure that she was not actually involved in any of the alleged
activities.
3. LESSONS AND OBSERVATIONS (continued)
•
There was a need to quickly organize a coordinated response.
•
Everyone at our school who was aware of the details of the events felt
victimized by this nonsensical and random harassment and the new
perspective that the Internet had been turned against them.
•
Our teacher became a unifying voice in the faculty when she was able
to speak passionately to her peers about the support she received from
the administration and Board.
•
The Internet greatly expands the geographic reach and effect of
malicious individuals. The pool of people who can cause harm expands
from the local neighborhood to the nation.
3. LESSONS AND OBSERVATIONS (continued)
•
Tools that we think communicate our message, such as Wikipedia,
education websites, and forums, are all public websites with little or no
moderation. All can be manipulated to defame and harm us.
•
We have little control over websites that our children and alumni use
without the school’s participation (myspace, facebook, classmates.com).
•
On the internet it is hard to make things disappear: web pages are
cached, backed up, or mirrored. In our case, the Trustee’s personal
information remains online at some of these sites.
•
There is more information about us on the web than we’d like to believe;
some of it we’ve put there and some is gathered by other information
aggregators. By listing trustee and faculty names we opened the door.
(More than google, look at whozat.com, zoominfo.com, zabasearch.com,
peekyou.com and spock.com.)
4. ISSUES FOR DISCUSSION
•
Don’t assume websites are secure. Standard configurations are often
vulnerable to simple hacking. Our site was built by a professional
website development company and hosted on a national web hosting
service.
•
Designate someone who’s both PR and tech savvy to monitor
Wikipedia, greatschools.net, yelp and other online resources that can
be modified by parents, students, neighbors and strangers. Keep an eye
on youtube, too.
•
Don’t overreact in dealing with online criticism which can trigger
further attacks. In the online world, even the debate is recorded, not
just the outcome.
•
Use Google Alerts to get reports of new or changed web pages logged
by Google.
4. ISSUES FOR DISCUSSION (continued)
•
Anticipate the need for a public relations crisis response plan along
with your physical crisis management plan.
•
Don’t count on help from law enforcement. This type of hacking
undoubtedly violates state and federal laws but appears to be
prioritized far below crimes involving harm to persons and physical
property. LAPD investigated but it don’t go far. The FBI never
responded.
•
There is a need to make careful, deliberate decisions about placing
identifying information about faculty and trustees on school
websites. We take great pride in the qualifications of our people
and their contributions to our schools but have a responsibility to
protect them as well.
4. ISSUES FOR DISCUSSION (continued)
•
Schools with older students may face more risk of this than schools
with younger children. Older students may instigate, participate in
or be the victims of online attacks that engulf the school.
•
Educating students in the safe use of sites such as myspace,
classmates.com, and facebook might be an appropriate part of our
school technology programs.
•
When hacking does occur in a way that might reach parents,
communicate with parents and faculty in a measured way, relative
to the harm.
QUESTIONS
&
ANSWERS