Hack this school network, win a router

There's a wireless router gathering dust in Bob LaRocca's office. It's yours if you can hack into his network.
First, some background. LaRocca is director of IT security with the School District of Palm Beach County in Florida, where he oversees a network of 60,000 computers in 175 schools and which he says covers more acres than any other school district east of the Mississippi River. Computer security has traditionally been a low priority in the public school system, but that's not the case in Palm Beach County.

That's because a computer breach stung the school system in a very public way two years ago when local papers reported that Jeff Yorston, a student at one of the county's schools, got hold of an administrative password and gave himself an "A" in a French class he never took. He also managed to boost the grades of a few friends.

Yorston was discovered when another student complained that her ex-boyfriend -- with worse grades than she had -- was accepted into the University of Florida while she had been rejected. He has since paid a fine and agreed to state supervision in connection with the charges, according to the Palm Beach Post.

After an investigation, county officials discovered that they hadn't been hacked. Instead the breach occurred because of a leaked password. "One of the administrators lent her password out to one of the students who was working on a project," LaRocca said. "That's what happens when you share passwords. We could put $1 million worth of controls in place, but when I give you my password, all bets are off."

LaRocca says that the grades-changing incident was "a wake-up call for the district," which has now made security a top priority.

Palm Beach County has spent more than $1.5 million over the past two years overhauling systems throughout the county's schools. It has upgraded the county's desktops with antivirus, host intrusion prevention and network access control software from McAfee. Network-based intrusion detection and content-filtering have also been added, and the county is now logging its grading systems, which have much stricter access controls.

The county has also made security awareness a priority, taking steps to educate users about safe online behavior.

And that's where the hacking challenge comes in. LaRocca issued it as part of an April security awareness event held at county schools, setting up a target server that attackers would have to break into in order to claim the prize. This type of "capture the flag" game is popular at hacking conferences.

Any students who might see the contest as a chance to hack the system, change their grades and win a router need to think again. "We set up a honeypot server that they specifically had to hack into and capture a flag," he said. "We didn't say if you go in and change your grades you'll get a router"

That hasn't deterred some attackers. Thanks to the publicity surrounding his Wi-Fi challenge, LaRocca says the schools are being hit by about 16,000 online attacks per day.

Still, LaRocca says the insider threat remains his biggest concern. "All my hackers are inside the network," he said. "I'm not too worried about the ones from the outside."