  1. #16


    Re: 'hacker' thread on uk.education.schools.it

    I know of Google hacks that will let you do this regularly. But I think there are issues on both sides of the fence with this one. Blaming some *one* isn't going to fix the problem. How long do we think it would take someone with more savvy than this accidental cracker to actually damage school web pages that contain this kind of information now? Not long at all. It will be seen as a cracker's challenge now.

    These people have no real ethics or morals and take pride in themselves when they write little scripts that deface web pages, get passwords or whatever. It's like a game of Project Gotham- they get lots of "Kudos" points among their peers.

    Watch your web sites now people....

  2. #17
    woody

    Re: 'hacker' thread on uk.education.schools.it

    I really can't see why schools need to put very sensitive data on their websites such as medical history and the like. Who needs to access that from home? Even names and addresses are risky. Sure, there is lots of sensitive info going around on the web. I use internet banking with the HSBC although I'm considering giving up the conveniences of THAT: http://www.theregister.co.uk/2006/08/10/flaw_hsbc/

    But when dealing with sensitive information about children, you have to ask whether you really need to publish that on a website, no matter how tight security is. Just keep it on the MIS in school. Maybe allow access through VPN where you can keep tight control of who has access and when.

  3. #18
    limbo

    Re: 'hacker' thread on uk.education.schools.it

    There is more and more pressure from the government to put information about students online for parents to view - hence the instruction we have to have VLEs, MLEs and online portfolios over the next couple of years.

    This is only the start of this kind of story, and it can never be stopped completely because even the most secure system has one weakness - the users and their ability to either maintain a secure password or keep their password confidential.

    There is a school in Birmingham that has opened up a Facilities e-portal system to parents allowing them to view their child's attendance, results etc. They are being hailed as a great success by the LEA but when I asked them at a conference how they managed to organise getting the usernames and passwords to parents securely (every method we had thought of had a possible flaw) they said that parents just had to go to the website, put in their name, their child's name and form and an e-mail address and they would then be e-mailed the username and password.

    As I expressed to them, my concern with this is that it is not that difficult for someone to gather this information - especially for a child in the same class - but neither they nor the LEA seem to share this concern and they continue to be put forward as a leading light.

  4. #19
    woody

    Re: 'hacker' thread on uk.education.schools.it

    But you can limit the type of information you do put on there. For instance, attaching attendance data and maybe assessment data to a name is not as bad as attaching personal data like addresses, telephone numbers, DOB, medical history, family history, family links etc.

    As far as sending usernames and passwords out is concerned, what about the good old-fashioned way of posting them in sealed envelopes once an account has been requested? You do have the issue, however, of how protective the parent is with those account details. You would think if they cared for their child's welfare they would keep them secret.

  5. #20
    limbo

    Re: 'hacker' thread on uk.education.schools.it

    I believe in this case the school is not restricting the information, but I think even attendance and particularly assessment data should be just as confidential.

    We did think about sending information out by post - but we have settled upon giving them out to parents at parents evenings face to face - that way we know the parents are getting their hands on them, after that it is their responsibility.

  6. #21

    GrumbleDook

    Re: 'hacker' thread on uk.education.schools.it

    Just spoken on the phone to one of the techies.

    The issue is with Frogteacher and how it holds authenticated sessions open. That section of their site is being locked down again as we speak and Frogteacher are working with them on this. Sensitive information is removed for the time being. The school is also in regular contact with the police about the ongoing investigation (including the new website the OP has setup).

    The school could only give limited information about the issue for legal reasons but I can honestly say that it appears that the school has put sensitive information on a secure area of their website in good faith that it is secure and that the issue is with how Frogteacher holds sessions open. That is being worked on. They are aware of issues with DPA (hence why sensitive information is removed until it is secure again).

    The *former* student continues to post information about this security breach (in a bragging manner) in spite of being asked not to ... and the ongoing police investigation means that no more can be done other than that.

    If you do use Frogteacher at your school please contact them about this flaw and check whether your site is vulnerable. If you do hold sensitive information on there, they may advise you to remove it until you can be sure your information is secure. The basis of this flaw is authentication based and appears to require access to a staff password or being on a machine recently used by a staff account that still holds information in its history.

    HTH

    HAND

  7. #22
    petectid

    Re: 'hacker' thread on uk.education.schools.it

    Quote Originally Posted by GrumbleDook
    I believe the issue is with poor configuration of file and directory permissions, which enables the Google bots to index those pages. I will speak with Frog about the open session issues, but you will find pages on Google that were indexed months ago. Would any developer code their software so that sessions were open indefinitely? And in many cases you do not need passwords to access information that would be deemed as sensitive. I brought this issue to the attention of Frog six months ago. As for the basis of the flaw mentioned in your last para, you will find that these sites are accessible from any internet-connected PC.
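Added example (my own Python, not Frog's code, which nobody in this thread has seen) of the two controls the last two posts argue about: sessions that expire on idle and absolute timeouts instead of staying open, and a per-page permission check so that a request with no live session, a search-engine crawler included, is refused any page holding pupil data. Timeouts, page paths and role names are assumptions.

```python
import secrets
import time

# Assumed policy values; a real deployment would pick these to suit its users.
IDLE_TIMEOUT = 15 * 60          # drop the session after 15 min without activity
ABSOLUTE_LIFETIME = 8 * 3600    # and unconditionally after 8 hours, active or not

# Constructed permission table: which roles may view which page. A page that is
# missing from the table is denied to everyone (deny by default).
PAGE_ROLES = {
    "/public/news": {"anyone"},
    "/staff/medical-records": {"staff"},
    "/parents/attendance": {"staff", "parent"},
}

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.sessions = {}

    def login(self, user, role):
        token = secrets.token_urlsafe(32)   # unguessable id, never the username
        now = self.clock()
        self.sessions[token] = {"user": user, "role": role, "created": now, "last": now}
        return token

    def lookup(self, token):
        """Return the session's role, or None if the token is unknown or expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["last"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[token]        # expired: discard it rather than renew it
            return None
        s["last"] = now                     # activity extends the idle window only
        return s["role"]

    def logout(self, token):
        self.sessions.pop(token, None)

def authorise(store, token, path):
    """True only when the page is public or the live session's role is allowed."""
    allowed = PAGE_ROLES.get(path, set())
    if "anyone" in allowed:
        return True
    role = store.lookup(token) if token else None
    return role is not None and role in allowed
```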

  8. #23

    bossman

    Re: 'hacker' thread on uk.education.schools.it

    Well all I can say is that the OP needs a good lesson in manners. So he thinks he is clever bragging about it. Hope he gets some form of juvenile punishment like a swift kick in the b*lls. The LEA should also shoulder some of the blame as they must have approved of this software. My apologies if they didn't. I know up here in Durham that the LEA has washed its hands of DP within secondary schools and made it the school's responsibility, which ultimately comes down to me. So I have drawn up a legal document which the school governors are looking at and then hopefully they will endorse it. This means if any member of staff leaves a workstation and remains logged on with no locks set then they will be held totally responsible and it could be used against them in a court of law and it will go down the disciplinary route as well. So keeping my fingers crossed that this will indeed be endorsed.

  9. #24
    woody

    Re: 'hacker' thread on uk.education.schools.it

    I think that schools have been lax when it comes to security because they have got away with it for so long internally. Now they have started to put things online, you can't get away with it anymore. Granted in this case it looks like a lot of the blame goes to writers of Frogteacher.

    But for instance, for how long has SIMS used the word 'password' as a system password. I'll tell you how long. Right up to NOW!

    I had a problem re-installing FMS the other day and I don't normally get involved in Finance. Usually the local SIMS team come in and do the updates. But I had to ring the help desk (which is now a central one) and because I didn't know an administrator password for FMS, they asked me to log in as the default. What was it? Well, I won't say what here as it's publicly accessible, but if you know much about SIMS, you probably won't have a hard time guessing.

    Logging on in this way, I had access to ALL of FMS and now I wonder how many other schools have this logon account on their system. Probably most if, like me, the Network Manager hasn't been involved in FMS. Safe to say I have changed it now. But you might want to check yours if you're not sure!

    My point is though, schools have always been lax with system security and it is only with the advent of system administrators and IT technicians that this has begun to change.

  10. #25


    Re: 'hacker' thread on uk.education.schools.it

    My school has just bought FROG and I expect I will become responsible for security. What I have read above worries me more than a little. I am a UNIX and Internet security novice so I have no clear idea what the various comments about shells, sessions, Google hacks and authentication mean. So I have just purchased 'Practical UNIX and Internet Security.' Can anyone point me towards a fuller explanation of what is going on here? If I talk to FROG about this what questions should I be asking? Is there any way I can test myself whether our system is vulnerable in the same way as Hathershaw? I would be very grateful for any relevant comments or advice.

  11. #26

    GrumbleDook

    Re: 'hacker' thread on uk.education.schools.it

    I wouldn't worry too much ... as long as you are sure permissions are set on each page / resource then it will be fine. FROG do have some good instructions on the matter ... just follow those.

    If you are seriously concerned drop me a PM.
