Sophos Cloud Optix
A US mother is facing six felony counts for allegedly hacking into her children’s school computer, changing their grades, and accessing the school’s human resources system to open thousands of personnel files that contained contracts, employee reports and other information.
The mother, Catherine Venusto, 45, from New Tripoli, Pennsylvania, worked as a secretary for the Northwestern Lehigh School District from 2008 through April 2011 and has at least two children in the district, according to the District Attorney’s office.
Venusto is accused of changing her daughter’s grade from an F to an M for “medical,” of allegedly boosting her son’s grade of 98 percent to 99 percent, and of using the superintendent’s information to log onto the district email system and to access Northwestern Lehigh’s human resources system.
According to Lehigh Valley Live.com, Venusto allegedly used the superintendent’s password 110 times over the course of a year and a half to conduct the mischief.
Authorities told news outlets that Venusto also used the information of nine other Northwestern Lehigh employees, most of whom were in the guidance department, to access computer systems.
According to Lehigh Valley Live, officials first suspected a problem in January after the high school principal told superintendent Dr. Mary Anne Wright that teachers didn’t understand why she was checking their computer-based gradebooks.
Wright told the principal that she hadn’t looked at the books. That’s when the jig was up.
The district immediately shut down the student information system, quickly initiated steps to bolster security, and turned the matter over to state police, Wright told Lehigh Valley Live:
"Within three hours of suspecting unauthorized access, email, student information system and the district shared drive were shut down until we were able to fully identify the issue. New security measures were put in place before the systems were accessed again by staff, students or parents."
Venusto is facing three counts each of unlawful use of a computer and computer trespass, which are third-degree felonies.
She was arraigned on Wednesday and released on $30,000 unsecured bail, which she’ll only have to pay if she fails to appear in court for her preliminary hearing on July 26.
If she’s convicted, Venusto could face a maximum of 42 years in prison or a $90,000 fine, District Attorney’s office spokeswoman Debbie Garlicki told ABC News Radio.
Garlicki said that the maximum penalty on each count is seven years or a $15,000 fine.
The school district may well have acted promptly to clamp down systems and improve security after they discovered the trespassing and tinkering, but the plain fact is that leading up to this incident, employees seemed to play fast and loose with security.
Perhaps it’s necessary for a superintendent’s secretary to know her boss’s login information. Even if it is, it’s hard to imagine why Wright failed to change her password after Venusto left her job.
This is a good reminder that a password that walks out the door inside the brain of an ex-employee (as well as a current employee, insider-threat-wise) could well come back to haunt us.
Mom is an interesting role model, “look children, we can earn our grades by studying or do it the easy way with someone’s stolen password”.
How is it hacking, when she worked there and used other peoples U/P?
social hacking
Right on Batesie. Unfortunately, over the years with new people learning on the Internet, and assuming everything is correct, terminology and real meanings go awry. Another example is malware, viruses, Trojans, spyware, spam, and pop ups, thanks to CNN, are all different. Malware, use to mean any malicious software, not a separate problem as CNN’s “experts” call it.
We need a constantly updated dictionary of Internet terminology but, then who will decide what anything means.
Journalists tend to throw words in to a story not even knowing the true meaning of the word, and those reading it, accept it. I like spam when I go camping. There is just something about Spam, ashes, fried eggs, and toast cooked over an open fire.
What is the difference between spam mail and junk mail?
As readers, we just need to get the gist of the content and ignore the hype an fluff around the story.
Despite the obvious issues with the school not having a better security module in place, I'm surprised at how absurd the maximum penalty works out to be. Not that she is allowed to choose her punishment but, 42 years or $90k. For this particular crime with the number of count I'd really think 5-10 would be a little excessive as well. The dollar amount I'm actually OK with and might argue it could be higher.
I disagree StephenB. I don't think 42 years is enough and she should not be given a monetary option at all. Her children need to learn that there are consequences to our actions; and since the mom obviously isn't trying to teach them that; she should be made an example to others that this behavior is not allowed and will not be tolerated.
The school is the one that should be fined! They are supposed to be educators, thus implying they are educated. Why weren't safeguards in place to prevent this? Why did the school not have a password policy?
It was both their faults (the mom & the school) that this happened and they should both be held accountable.
First off, giving this woman 42 years will NEVER happen. Even if she did have a 42 year sentence, she would be out on parole within a year or so. All that would serve to do is become a needless mouth for tax payers to flip the bill for anyway. She is not violent – just stupid. Get a grip with your over zealous penal opinions. Just put a big ugly scarlet letter on her record and you can be sure she will suffer enough in trying to find another job to support her children.
agreed you get 40 to life just for killing someone
There are so many things that are wrong with your statement.
42 years is an absurd amount of time for an offense like this. A couples of grades were changed and obviously this was realized. While she has been a terrible role model for her children 42 years would be unbelievable.
As for the fines the school definitely should not have to pay. Perhaps they should be forced to adopt a password changing policy but nothing more.
password changing policies are a huge waste of time, the supervisor would have given her the new password anyways. And even beyond that, most people who are forced to change their passwords every few months simply adapt to “unsecurepassword01, unsecurepassword02” and so on, so she could have simply guessed it well within a 3-try lockout.
You want more password security? Fire Mary Ann Wright for sharing her password. Since you guys seem to like “people being made example of” so bloody much.
The policy that was needed was this: "When an employee is terminated, all passwords to which they had access (or might have known) must be changed."
If this had been in place, this incident would not have happened.
I'm sort of curious how they arrived at those numbers… She is facing THREE counts…The maximum sentence for each crime is 7 years or $15,000….Now, admittedly I haven't plugged the numbers into a calculator, but I'm reasonably certain that 3 x 7 = 21 years… and 3 x $15,000 = $45,000….
Sorry but ‘hacked’? Knowing your bosses password because you were told it by your boss is hardly akin to hacking
I bet the Denver Batman killer won't even get 42 years.
How can the justice system give 42 years for something so harmless, So tiny and unimportant compared to a mass murdering case ?
Not correct 'troller'. The Denver killer will be given the maximum penalty and will never see the outside of a prison or mental health lockup forever. Not sure how you even conflate the two….
I agree with Batesie. This isn't hacking. If she had the password it might be misuse of resources, or even misappropriation or misconduct, but I don't think it's hacking when the person you work for actively hands over the password to an assistant. And if you're a person in any position that is one that affords you an assistant, then you're (1) going to be handing over your password frequently because (2) you will consider a majority of things that require your password to be to pedestrian to attend to yourself.
I work in IT for scientists and doctors, and they regularly hand over their passwords to their assistants because many of it find it beneath them (described as "not a good use of time") to work directly with the IT support staff. While passwords are needed less and less for a great deal of what we do to support clients, a great deal of what we do requires a client's presence or interaction, much of it often is simply because we need the password.
I vote misconducts of misuse of electronic resources over hacking here.
The headline is wrong… Using someone else's password to log in as them without their permission is unethical and generally illegal but it certainly isn't "hacking." Hacking assumes a modicum of technical skill to exploit flaws in the security of a system. Her activities can at best be described as vandalism.
The article also seems to have left out who got fired from the I.T. department for such poor management of the security of the school's information systems.
And the Superintendent should be fired for giving her password to other people. Until those at the top are held accountable for security, nobody will take it seriously.
Correct InfoSec, when you become a employee, you are told not to share your password. But everyone knows that managers/teamleads/superintendents/principals/etc will give their password to their secretary to check their email. Until this practice is stopped it will continue to happen.
Agree – this practice also leads to other forms of abuse and bullying that are not getting attention in the press.
There's another lesson here: If you leave an organization with access credentials in your head, you're not the sharpest knife in the drawer if you choose to use them…
Sounds like lousy security policies and auditing are a big problem. She absolutely misused trusted info, but this is not hacking. Unauthorized access at best. As for a penalty? Seems like the typical street drug dealer gets a few months, tops. How does this compare? The staff responsbile for security oversight needs replaced – severe deriliction of duty.
I don't even see the motive for doing this, changing a 98% grade to a 99% what difference does that even make?
Knowing passwords also isn't 'hacking' in any sense of the term.
This is no hack. Sche used her own, not yet, revoked logins.
This is not hacking, it's poor security. Clearly, self-expiring passwords were not implemented. If she was able to manipulate the system, who else in the school has? She should not be jailed for this. She should be jailed for being a terrible parent. What kind of message does this send to her kids? She is not helping them by changing their grades. If they are failing, they should
I doubt the charge is ‘hacking’, as it really isn’t. It’s a bulbous inflated and imaginative use of the word. It appears to be fraud, nothing more and as glamorous as the news MEDIUM likes to befuddle us with so the story gets more attention.
Ms. Vaas can only report what was reported so the real misleader here is the original story-designer (certainly isn’t a reporter).
It is called the news medium (shortened to media), because it is very rare that it it is ever well done 🙂
The alleged culprit, Ms. Catherine Venusto must have known what she was doing. She was commuting fraud. In her case, the courts will soon define “hacking”.
Please remove all references to "hacking" in this story; she did not "hack" anything. She was given the login credentials for the superintendent's account. The real story is that the superintendent obviously thinks of security as an inconvenience, if at all.
Knowing a password == hacking. Obviously. While I won't disagree with what she did as being stupid, 42 years is a bit harsh. Then again, most white collar crimes seem to result in longer sentences than blue collar.
She didn't hack, she was basically cheating for her children, but I think maybe she does deserve the $15,000 fine because she broke the trust of the school. This is not a good role model for children. I sound like an absolute snob don't I?
Yep, not hacking at all…
That's not hacking.
i get it, I get it, not hacking, was lazy use of word, yes yes yes, I got it.
Technically, this is hacking according to the definition of the word, which refers to unauthorized access to a computer or system. Using someone else's credentials, regardless of whether or not you were given them, in order to gain access to something you aren't supposed to have access to, is "hacking."
Of course, more generally the term is used to describe someone using technical knowledge to gain access to a system. But the use of the term here is *technically* correct.
http://www.google.com/search?q=define+hacking&…
In the original sense, “hacking” just means using something in another way than it was intended to. In the security domain, where it’s used as getting access to something you should not have access, there is also the notion of social hacking, i.e. tricking someone into telling you their password.
While the main password might not have been “hacked” just given and not changed, the report says she accessed information and used it to gain further access, probably by guessing passwords right given the birthdate and full names of employees. This definitely would account as hacking.
Now where is the "crime"? Changing grade from 98% to 99%? This seems so trivial.
Hacking? You are giving too much credit for someone who stumbled upon primitive computer security (or lack off).
Not to condone inappropriate computer usage but to give the death penalty (42 years in prison) is as unhumane as is stoning people to death in the dark ages.
Civil society? really?
Internet terminology changes daily. There are also hordes of online "dictionary" pages, that often times disagree on such words.
Hacking, not long ago, meant 'hacking' in to software to break the protection codes. Then it was hacking Hotmail accounts, hacking a friends computer, the school lab computers, and so on.
If the boss hands off a password, and expects the employee to perform specific tasks, grade adjusting not being one of them, then she hacked.
The meat of this is not whether or not the terminology is correct, it is about the crime that was committed. If a store manager gives a clerk the key to the register, and she removes money and puts it in her pocket, is she a thief? Or not, because the manager gave her the key?
Draw some lines people and allow some author privileges.
Your strawman analogy fails. A clerk with a key stealing is still a thief, true. BUT accusing her of breaking and entering is a different thing altogether.
The word HACKING clearly implies that Mrs. Venuto BROKE in, when that is not the case at all, is it? Since she had the password, there was no breaking of any code necessary to gain entry. No hacking occurred.
An more apt analogy would be: accusing a burglar of breaking and entering when you left the door WIDE OPEN.
When my son was in grade 8 the first thing he did was hack the school computer. Then he showed their tech expert how easy it was. But that was 13 years ago.