[ISN] Jackson hackers tell how they got access
InfoSec News
isn at c4i.org
Wed Jul 6 05:43:25 EDT 2005
http://www.cantonrep.com/index.php?Category=9&ID=231245
By Melissa Griffy
Repository staff writer
July 6, 2005
JACKSON TWP. - Always log out.
That's one of the first things you learn when you use a computer.
But one day last spring, Jackson High student David Paola stumbled
across an exception to the "always log out" rule - a teacher failed to
exit the school's grading system.
"Pinnacle (the grading program) was open and completely accessible to
anybody who would have moved the mouse as we had," wrote Paola in his
narrative statement released by Jackson police as part of the
department's investigation.
Paola and his friend and classmate Adam Gross were enrolled in an
evening course at Jackson High in preparation for college entrance
exams when they made the discovery.
When their senior year began in August, Paola said he found that
teachers' user names, and sometimes their passwords, were located on
students' schedules.
Paola began accessing the Pinnacle program two times a week,
"sometimes less, rarely more frequently," he wrote.
As honor students who were respected by their peers and teachers,
neither Paola nor Gross aroused suspicion.
Gross said they watched a teacher type in his user name and password,
and figured it out by trial and error. The duo saved the information
on a computer drive about the size of a car key. That way they could
access the information anywhere.
But Paola said he only changed grades while in Jackson High's library
in the mornings, and sometimes during study halls. There, he was able
to access local administrator accounts and even the school's e-mail
server. The students said they found staff information, including
Social Security numbers, was accessible along with security cameras
and the school's sprinkler system.
Paola admitted to changing grades for himself and three other
students, including Nathan Johnson.
Johnson told police Paola asked him to insert a disk into one of his
teacher's computers. Johnson said he was aware that the software would
extract the codes necessary for Paola to change his grades in that
particular class.
When a fellow student turned the seniors in, their scheme came to a
halt - so did their hopes for honors diplomas.
The students were barred from the Jackson Local graduation ceremony in
May.
They were found guilty of unauthorized use of property, a first-degree
misdemeanor.
Paola, Gross and Johnson will serve their house arrest and community
service, but school officials said the district will live with the
ramifications for quite some time.