Toronto police alerted after online exam shut down amid “intentional, malicious and sustained” cyber attack.
By Kristin Rushowy | Queen’s Park Bureau | Mon., Oct. 24, 2016
Ontario’s education testing agency has called Toronto police about an “intentional, malicious and sustained” cyber attack that shut down the Grade 10 literacy exam across the province — a targeted attack carried out by hackers who may never be found.
The technical troubles, caused by what’s called a sustained “Distributed Denial of Service” (DDoS) attack, affected almost 150,000 students across the province and sabotaged a $250,000 pilot project to move the test online.
While the source of the attack is not yet known and the testing agency says it may never be uncovered, one or more people could be behind it — possibly even teenagers, say cyber experts.
“I’m not sure if this kind of thing can ever be figured out,” said Richard Jones, director of assessment for the Education Quality and Accountability Office, or EQAO. “There were IP addresses from all over the world, and to find the source is a really difficult thing. We are moving forward and trying to uncover as much information as we can.”
The EQAO “should have foreseen this type of scenario,” said cyber security lawyer Imran Ahmad, because such attacks are increasingly common — including one last week that hit Twitter and Netflix that is so far unconnected to the EQAO’s troubles.
“This should not come as a surprise; any kind of online interface is inherently vulnerable,” said Ahmad, adding the EQAO should have hired a third party solely to filter out “bad” traffic that clogs sites in such strikes.
“I would not be surprised if a teenager was behind it,” added Ahmad, of Miller Thomson LLP. “The skill set among the younger generation is extremely advanced.”
At the EQAO, last Thursday began with good news, Jones said, after officials learned an Ontario-run school in Egypt had completed the online test “with no issues … they did the assessment well prior to 8 a.m. our time.
“And then at 8 a.m. our time, there was a huge influx of junk traffic from IP addresses from all around the world, inundating our host application for the assessment … As far as I’m concerned, they were absolutely targeting us. Somebody knew the timing and somebody knew the IP addresses to attack.”
Despite the four hours of technical troubles that followed — where at the worst, 99 per cent of traffic was not from schools or boards — it appears almost 16,000 teens in Ontario managed to complete the test. The EQAO is now debating whether to give them credit if they were successful.
IT experts and a third-party forensic team spent the weekend trying to figure out what happened and Jones said they will “eventually be able to provide us with some advice” on how to prevent such a strike in the future.
“This was not the trial online that we expected — we are getting a trial all right,” Jones said. Five prior field tests led to some minor tweaking, but found no major issues and “load” testing showed the system could handle the equivalent of 250,000 students as well as up to 10,000 teacher supervisors.
“This type of attack was so intense and so sustained that the system was not able to handle it,” Jones said, adding the investigation will look at the EQAO’s system, as well as their service provider’s.
Jones likened the cyber attack to “the idea that you invite friends to a party, you’ve invited your 10 closest friends, and word gets out and all of a sudden, 1,000 uninvited guests show up at your door and are trying to get in, while the invited guests are having trouble getting in.”
However, he assured that student privacy was “not breached in any way … They were basically clogging the system so students weren’t able to get into it.”
But even if information was not stolen, Ahmad said “I’m pretty sure there’s a financial cost to this at some level” as well as the number of work hours of preparation, now wasted. “They’ll have to go back to the drawing board, and it’s very difficult to layer on security after the fact.”
Ahmad also wondered if the EQAO had been on the lookout for “probing” in the weeks prior, which is akin to hackers testing the system ahead of time.
“Somebody must have done their homework,” he said. “You don’t just launch an attack and assume it will be successful.”
By press time, the EQAO had not provided a response to questions as to whether it had hired a company to filter traffic, or if any “probing” was detected in recent weeks.
At Queen’s Park, Education Minister Mitzie Hunter said “it is extremely disappointing that this deliberate and manipulative attack, this malicious attack has happened and prevented our students from completing the test as planned.”
A new version of the literacy test, which teens must pass in order to graduate, will be offered online in March to all Grade 10 students. A paper and pen version will also be available. Hunter said she’s confident the move online will go ahead.
“It’s been particularly disappointing now that we know somebody intentionally directed an attack,” Jones said. “… It’s disgusting and shocking.”
Progressive Conservative MPP Vic Fedeli said he wants assurances that no student information was compromised.
NDP MPP Peter Tabuns scolded the Liberals for their poor record with IT projects, saying “it looks like they’ve gone off the rails with EQAO. Clearly, they don’t do their homework when it comes to these things.”
With files from Rob Ferguson