Teens Hack School Computers
by Mark Parker, July 7th, 2008
A recent news story tells of two teens hacking into school computers in order to change grades and steal tests. It’s probably not “new news” and, in fact, occurs on a fairly frequent basis. It just so happens these two teens were caught. If you dig further into the story you will see one of the students performed a bit of physical breaking-and-entering as well.
But this raises a question: what tools did these kids use for their hacking, and how can we detect students who are prone to this sort of behavior? In general, a student who performs illegal activities does not wake up in the morning and decide to become a criminal. There is typically a pattern of behavior leading up to a serious event such as this.
Initially, we should look at the overall Internet usage of the student. There are several 8e6 categories that can assist in this, with the Hacking category being a good place to start. This category should be blocked for all customers since the sites within this category center around tools and scripts that would often be used for questionable, if not illegal, activities.
Secondly, we should look at the Dubious/Unsavory, Criminal Skills, Weapons, Illegal Drugs and School Cheating categories. Once again, these are categories we would recommend blocking, as they can all lead to activities that would be considered questionable at the very least. This means that activity in these categories should be cause for concern.
Thirdly, we must look at the actual Internet activity of the students. Just having these categories blocked is simply not enough. 8e6 is quite proud of the content, the depth and the breadth of our categories. But, like every other vendor out there, we simply cannot claim 100% coverage. If a student is not monitored, as well as blocked, you are essentially putting up a speed limit sign and hoping everyone obeys the speed limit. Unfortunately, many of us, myself included, may exceed the speed limit from time to time. It is absolutely imperative you use the reports available to you for the purpose of actively monitoring student activity. Waiting until after the event will only verify the student was at risk to begin with.
By monitoring the use of these categories through real time and forensic reporting, we can often identify and curtail this sort of activity. I am not advocating that you spend each and every minute of your day running reports to find the problem students. There is a much easier way to identify activity such as this. Using the Threat Analysis Reporter you can create a gauge called “At Risk” and include the above categories. Once the gauge is created, you can then set a threshold for activity in those categories in toto. An alert can be configured based on this threshold that will send an email to an administrator should the threshold be reached. The few minutes you spend setting up this alert will eliminate the need to monitor reports day in and day out.
Once the alert is set, the next step is to look at the intent of the student. Using the Enterprise Reporter, run a detailed usage report of the student’s activity. This report will show - link by link - what activity the student was performing, including the username, IP, category, full length URL and, most importantly, the terms used on search engines. By reviewing this detailed information it will be very easy to identify the at-risk students. If the activity shows the student is on Google and searching for “Tools to hack grades” or “How to pick a lock,” you have a pretty good indication of what the student is up to.
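The "At Risk" gauge and the follow-up review of search terms described above, sketched as an added example (it is not 8e6 product code or its log format). The tab-separated log layout, the hostnames, the `q=` search parameter and the 10-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Categories the article lists for the "At Risk" gauge.
AT_RISK = {"Hacking", "Dubious/Unsavory", "Criminal Skills", "Weapons",
           "Illegal Drugs", "School Cheating"}

# Constructed sample log, sorted by time: timestamp, username, IP, category, URL
# (an assumed layout, not the vendor's export format).
SAMPLE_LOG = """\
2008-07-07T09:00:05\tjdoe\t10.0.0.21\tSearch Engines\thttp://www.google.com/search?q=tools+to+hack+grades
2008-07-07T09:01:10\tjdoe\t10.0.0.21\tHacking\thttp://tools.example.test/a
2008-07-07T09:02:00\tasmith\t10.0.0.34\tWeapons\thttp://w.example.test/1
2008-07-07T09:03:30\tjdoe\t10.0.0.21\tSchool Cheating\thttp://essays.example.test/b
2008-07-07T09:04:00\tbkim\t10.0.0.40\tNews\thttp://news.example.test/
2008-07-07T09:06:45\tjdoe\t10.0.0.21\tCriminal Skills\thttp://locks.example.test/c
2008-07-07T09:30:00\tasmith\t10.0.0.34\tWeapons\thttp://w.example.test/2
2008-07-07T09:31:00\tasmith\t10.0.0.34\tHacking\thttp://tools.example.test/d
"""

def search_terms(url):
    """Return the decoded q= search query of a URL, or None if it has none."""
    q = parse_qs(urlsplit(url).query).get("q")
    return q[0] if q else None

def at_risk_alerts(log_text, threshold=3, window=timedelta(minutes=10)):
    """One alert per user whose combined at-risk hits reach threshold within window."""
    recent = defaultdict(deque)    # user -> timestamps of at-risk hits still in window
    searches = defaultdict(list)   # user -> search terms seen so far, for the reviewer
    alerted, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts_raw, user, ip, category, url = line.split("\t")
        ts = datetime.fromisoformat(ts_raw)
        terms = search_terms(url)
        if terms:
            searches[user].append(terms)
        if category not in AT_RISK:
            continue
        hits = recent[user]
        hits.append(ts)            # counted across all gauge categories together
        while ts - hits[0] > window:
            hits.popleft()         # expire hits older than the window
        if len(hits) >= threshold and user not in alerted:
            alerted.add(user)      # alert once per user, like a single e-mail
            alerts.append({"user": user, "ip": ip, "time": ts,
                           "hits": len(hits), "searches": list(searches[user])})
    return alerts
```

With the default threshold only `jdoe` is flagged, because the three hits fall in different categories but inside one window; the two `asmith` bursts are 28 minutes apart and never total three.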
The real time reports and alerts provided by the Threat Analysis Reporter will identify users who warrant a closer look. This doesn’t apply to just the illegal activity described here, but could be extended to all sorts of activity such as gang, racist, or terrorist activity.
While I do not advocate looking at reports day in and day out, I do advocate active use of the reports available to you. At the very least you should be checking the reports on a weekly basis. When talking with customers, all too often I hear they run reports only when asked to do so. This request is usually because something was noticed or a student was caught violating the AUP. Taking time to monitor the activity of users, especially in categories other than Adult Content, can often show you the problems when they are just “smoke” rather than a “three-alarm fire.” Just imagine for a moment one of your users was doing a weapons-related search with the intent to harm others. Would you not prefer to know about it before they use the weapons, rather than after the event as you run reports for the police?
