Education

Student arrested for cyberattack against Miami schools used ‘easy to prevent’ program

By Colleen Wright and David Ovalle

The 16-year-old teen accused of launching a cyberattack that helped shut down Miami-Dade’s online classes used a simple, easy-to-download program to overwhelm the servers of the nation’s fourth-largest school district, experts say.

A South Miami Senior High student is accused of orchestrating no fewer than eight of at least two dozen cyberattacks that helped paralyze the first three days of the district’s virtual classes, law enforcement officials said Thursday. All cyberattacks ceased around 3 a.m., though officials said that last attack is not connected to the raid of the 16-year-old’s home in the pre-dawn hours Thursday.

The Herald is not naming the student because he is a juvenile.

School Board members — along with the general public — have been skeptical of the district pinning a failed start to the first week of online classes on cyberattacks. Board members have focused on questioning the vetting and effectiveness of My School Online, the district’s new online platform operated by the for-profit education tech company, K12.

Concerns over the district’s cybersecurity

But the teen’s arrest raises new concerns about the district’s cybersecurity.

The home in Northwest Miami-Dade where the 16-year-old South Miami High School student who was arrested and charged in the Miami-Dade Schools’ cyberattacks lived.
The home in Northwest Miami-Dade where the 16-year-old South Miami High School student who was arrested and charged in the Miami-Dade Schools’ cyberattacks lived. cjuste@miamiherald.com

The simplicity of the 16-year-old’s attack alarmed cybersecurity experts, who cautioned that the district should have been able to withstand such an attack.

The student admitted to using a tool called a “Low Orbit Ion Cannon (LOIC),” according to an unredacted arrest report obtained by the Herald. Experts say it is software that is easy to download and can be used to disrupt websites. It’s the same tool that the hacker group Anonymous used a decade ago to cripple companies such as MasterCard, Visa and PayPal.

The program is designed to overwhelm a system with what’s known as a “distributed denial of service attack,” or DDoS attack, which basically uses a slew of random computers to overwhelm a website with packets of data.

“It’s like if you own a restaurant and 1,000 people show up without reservations and don’t order food,” said Barrett Lyon, the CEO of Netography, a cybersecurity firm. “Your real customers are going to arrive and suddenly, you have to sort out a huge mess.”

Lyon said using the primitive LOIC software is the “modern-day equivalent” of pulling a school’s fire alarm, but cautioned it may just be the start of cyberattacks as more teaching goes online.

“There’s going to be more sophisticated attacks, and more sophisticated players that know how to write code,” said Lyon, who started the first anti-DDoS security company in Hollywood in 2003.

The LOIC program is not particularly sophisticated, cybersecurity experts say.

“It’s a point-and-click program. You don’t have to have a great degree of sophistication to launch it,” said Mark Rasch, a cybersecurity expert and former federal cybercrimes prosecutor.

Rasch said he was surprised that the school district’s servers could not handle the LOIC attack — the firewalls on the district’s computer network should be able to detect and handle the traffic.

“It’s really easy to prevent,” Rasch said. “The school must be really out of date on their router configuration.”

Rasch said teenage hackers normally communicate on online video gaming platforms, which makes it difficult for law enforcement to monitor. “They’re not using email or chat,” he said.

Doug Levin, a cybersecurity expert and president of EdTech Strategies, said it’s easy for someone as young as 16 to perform a DDoS attack on the scale of those experienced by Miami Dade Schools.

“[With] the right search terms, you can find tools available to launch this kind of attack for free,” he said. “While your identity would likely be known … these tools are trivial to locate and operate.”

Even so, he said, it is alarming that a school district of Miami-Dade’s size could be taken down so easily.

“This speaks to the cybersecurity posture of school districts,” he said. “Historically, it has not been an issue they have worried much about. They have long believed they wouldn’t be a target.”

Attacks also traced to Russia, Ukraine, China

Miami Dade Schools Police, with help from the FBI, the Secret Service and Florida Department of Law Enforcement, traced other Miami-Dade Schools’ cyberattacks that began Monday to Internet Protocol addresses, or IP addresses, of Russia, Ukraine, China, Iraq and other countries.

Police on Tuesday served a subpoena on Comcast, the school district’s internet provider.

Alberto M. Carvalho, Superintendent of Miami-Dade County Public Schools, holds a press conference Thursday, Sept. 3, regarding the arrest of a 16-year-old South Miami Senior High student accused of some of the cyberattacks plaguing Miami-Dade County Public Schools since Monday, the first day of distance learning in the public schools.
Alberto M. Carvalho, Superintendent of Miami-Dade County Public Schools, holds a press conference Thursday, Sept. 3, regarding the arrest of a 16-year-old South Miami Senior High student accused of some of the cyberattacks plaguing Miami-Dade County Public Schools since Monday, the first day of distance learning in the public schools. Al Diaz adiaz@miamiherald.com

Miami-Dade Schools Superintendent Alberto Carvalho said some of these disruptive attacks may have been purchased through the dark web, a part of the World Wide Web that cannot be accessed by search engines.

“Money can buy access to entities in this country and beyond,” he said.

Schools Police Chief Edwin Lopez said the complexity of the 16-year-old’s cyberattacks are still being analyzed.

“This is the first time we are dealing with anything of this magnitude,” said Lopez, whose department regularly fends off cyberattacks from students and scans the web for social media threats.

Schools Police detectives visited the student’s Flagami home just before 3 a.m. Thursday. Lopez said the student confessed but the conversation was brief, and he did not give a motive. Detectives said the student’s parents were unaware of the attacks and distraught at their son’s arrest.

Lopez said detectives confiscated a computer and a gaming console with capabilities to wreak havoc, but did not specify which kind of game system.

Lopez said the student was released later Thursday from the Juvenile Assessment Center into the custody of his parents. His court hearing is scheduled for Oct. 8.

Student faces felony charge

The student faces a felony charge of using a computer to attempt to defraud and a misdemeanor charge of interference with an educational institution. He is likely to be charged by Miami-Dade prosecutors and tried in state court, and not by federal prosecutors with the U.S. Attorney’s Office.

The FBI in Miami said it is assisting the ongoing investigation, but would not comment on the nature of the cyberattacks on the district’s computer network.

Scott Friedman, assistant special agent in charge with FDLE, was at Thursday’s news conference at Schools Police headquarters.

“We have been through this before with similar cases,” he said.

Sen. Marco Rubio, R-Florida, announced that he asked for a briefing from the Department of Homeland Security late Wednesday night. On Thursday, he encouraged the school district to use federal resources, provided by the Cybersecurity and Infrastructure Security Agency (CISA) to secure its networks, including virtual classrooms.

“The recent arrest of a 16-year-old student suspected of being responsible for these attacks demonstrates how a sophisticated network enterprise is not required to perpetrate them,” Rubio said in a statement.

U.S. Rep. Debbie Mucarsel-Powell, the Democrat representing the 26th Congressional District, has requested a briefing from the FBI.

Carvalho reiterated the cyberattacks never penetrated district servers or breached data.

‘Far better day’ on Thursday

He said students and teachers in Miami-Dade County Public Schools had a “far better” day at school Thursday.

Read Next

Aside from the ceased cyberattacks, he credited a smoother school day to moving students and teachers in grades six through 12 off My School Online, the new virtual learning platform developed by K12, an online education company whose investors included Michael Milken, the convicted junk-bond king whom President Donald Trump pardoned earlier this year, and current Secretary of Education Betsy DeVos.

The district asked teachers in grades 6-12 to use Microsoft Teams and Zoom until at least Sept. 11. The district will assess then whether to go back to the K12 platform or stick with Teams and Zoom.

Carvalho reported some individual issues with the K12 platform for Kindergarten through fifth grade, though he said it worked fairly smoothly. Some teachers, however, did feel the need to pivot to Zoom.

He said the district’s call log was vastly reduced compared to Wednesday, and 200,000 students logged on to the K12 platform. That’s not counting secondary students using Teams and Zoom.

There are 275,000 students and nearly 20,000 teachers in traditional public schools, not counting charter schools.

It has been 48 days since the state approved Miami-Dade’s school reopening plans, which included My School Online. It was revealed Wednesday that the $15.3 million no-bid contract was never fully executed, missing one key signature: Carvalho’s.

Carvalho said at Thursday’s press conference that he had not signed it. Asked when the contract would be made public and given to board members, he said, “I think today.”

After multiple requests, the Herald received the contract at 6:30 p.m. Thursday.

K12’s platform has driven students, teachers and parents near tears. Teachers and students have had trouble seeing and hearing each other on the platform’s video chat feature, called Newrow. Classes and their content have been deleted, users have been booted from the program and students have been falsely marked as no-shows.

Read Next

The district’s nearly 20,000 teachers sat through over a week of K12 training to learn My School Online. The training, they said, had little hands-on learning. Teachers did not get access to their platform until the end of last week and spent the weekend training each other ahead of an already surreal first day of school.

Teachers, students and parents have taken to social media to express anger and frustration with the platform.

On Thursday, School Board member Mari Tere Rojas again visited schools and said she witnessed more connectivity between teachers and students, though there were still issues.

“I have received countless emails today from parents and teachers listing issues, including K-5, which include a lack of adequate lessons, problems with video sessions, students getting kicked out of lessons and students not appearing in rosters,” she said in a statement. “I am not done asking questions about My School Online. The situation we are currently in must be resolved.”

Miami Herald staff writers Rob Wile and Jay Weaver contributed to this report.

This story was originally published September 3, 2020 at 9:50 AM.

CW
Colleen Wright
Miami Herald
305-376-3003
Colleen Wright returned to the Miami Herald in May 2018 to cover all things education, including Miami-Dade and Broward schools, colleges and universities. The Herald was her first internship before she left her hometown of South Miami to earn a journalism degree from the University of Florida. She previously covered education for the Tampa Bay Times.
Get unlimited digital access
#ReadLocal

Try 1 month for $1

CLAIM OFFER