| | #16 |
![]() | I know of Google hacks that will let you do this regularly. But I think there are issues on both sides of the fence with this one. Blaming some *one* isn't going to fix the problem. How long do we think it would take someone with more savvy than this accidental cracker to actually damage school web pages that contain this kind of information now? Not long at all. It will be seen as a cracker's challenge now. These people have no real ethics or morals and take pride in themselves when they write little scripts that deface web pages, get passwords or whatever. It's like a game of Project Gotham- they get lots of "Kudos" points among their peers. Watch your web sites now people.... |
| |
| | #17 |
![]() | I really can't see why schools need to put very sensitive data on their websites such as medical history and the likes. Who needs to access that from home? Even names and addresses are risky. Sure, there is lots of sensitive info going around on the web. I use internet banking with the HSBC although I'm considering giving up the conveniences of THAT: http://www.theregister.co.uk/2006/08/10/flaw_hsbc/ But when dealing with sensitive information about children, you have to ask whether you really need to publish that on a website, no matter how tight security is. Just keep it on the MIS in school. Maybe allow access through VPN where you can keep tight control of who has access and when. |
| |
| | #18 |
![]() Join Date: Aug 2005 Location: Birmingham
Posts: 387
Thanks: 2
Thanked 8 Times in 6 Posts
Rep Power: 8 | There is more and more pressure from the government to put information about students online for parents to view - hence the instruction we have to have VLEs, MLEs and online portfolios over the next couple of years. This is only the start of this kind of story, and it can never be stopped completely because even the most secure system has one weakness - the users and their ability to either maintain a secure password or keep their password confidential. There is a school in Birmingham that has opened up Facilities e-portal system to parents allowing them to view their child's attendance, results etc. They are being hailed as a great success by the LEA but when I asked them at a conference how they managed to organise getting the usernames and passwords to parents securely (every method we had thought of had a possible flaw) they said that parents just had to go to the website, put in their name, their child's name and form and an e-mail address and they would then be e-mailed the username and password. As I expressed to them, my concern with this is that it is not that difficult for someone to gather this information - especially for a child in the same class but they, nor the LEA, seem to share this concern and they continue to be put forward as a leading light. |
| |
| | #19 |
![]() | But you can limit the type of information you do put on there. For instance, attaching attendance data and maybe assessment data to a name is not as bad as attaching personal data like addresses, telephone numbers, DOB, medical history, family history, family links etc. As far as sending usernames and passwords out is concerned, what about the good old fashioned way of posting them in sealed envelopes once an account has been requested? You do have the issue however, of how protective the parent is with those account details. You would think if they cared for their child's welfare they would keep them secret. |
| |
| | #20 |
![]() Join Date: Aug 2005 Location: Birmingham
Posts: 387
Thanks: 2
Thanked 8 Times in 6 Posts
Rep Power: 8 | I believe in this case the school is not restricting the information, but I think even attendance and particularly assessment data should be just as confidential. We did think about sending information out by post - but we have settled upon giving them out to parents at parents' evenings face to face - that way we know the parents are getting their hands on them, after that it is their responsibility. |
| |
| | #21 |
![]() Join Date: Jul 2005 Location: Kettering, Northants
Posts: 5,118
Thanks: 54
Thanked 206 Times in 110 Posts
Blog Entries: 1 Rep Power: 55 | Just spoken on the phone to one of the techies. The issue is with Frogteacher and how it holds authenticated sessions open. That section of their site is being locked down again as we speak and Frogteacher are working with them on this. Sensitive information is removed for the time being. The school is also in regular contact with the police about the ongoing investigation (including the new website the OP has set up). The school could only give limited information about the issue for legal reasons but I can honestly say that it appears that the school has put sensitive information on a secure area of their website in good faith that it is secure and that the issue is with how Frogteacher holds sessions open. That is being worked on. They are aware of issues with DPA (hence why sensitive information is removed until it is secure again). The *former* student continues to post information about this security breach (in a bragging manner) in spite of being asked not to ... and the ongoing police investigation means that no more can be done other than that. If you do use Frogteacher at your school please contact them about this flaw and check whether your site is vulnerable. If you do hold sensitive information on there, they may advise you to remove it until you can be sure your information is secure. The basis of this flaw is authentication based and appears to require access to a staff password or be on a machine recently used by a staff account that still holds information in its history. HTH HAND |
| |
| | #22 | |
![]() Join Date: Jun 2005
Posts: 255
Thanks: 1
Thanked 9 Times in 7 Posts
Rep Power: 9 | Quote:
| |
| |
| | #23 |
![]() | Well all I can say is that the OP needs a good lesson in manners. So he thinks he is clever bragging about it. Hope he gets some form of juvenile punishment like a swift kick in the b*lls. The LEA should also shoulder some of the blame as they must have approved of this software. My apologies if they didn't. I know up here in Durham that the LEA has washed its hands of DP within secondary schools and made it the school's responsibility which ultimately comes down to me. So I have drawn up a legal document which the school governors are looking at and then hopefully they will endorse it. This means if any member of staff leaves a workstation and remains logged on with no locks set then they will be held totally responsible and it could be used against them in a court of law and it will go down the disciplinary route as well. So keeping my fingers crossed that this will indeed be endorsed. |
| |
| | #24 |
![]() | I think that schools have been lax when it comes to security because they have got away with it for so long internally. Now they have started to put things online, you can't get away with it anymore. Granted in this case it looks like a lot of the blame goes to writers of Frogteacher. But for instance, for how long has SIMS used the word 'password' as a system password? I'll tell you how long. Right up to NOW! I had a problem re-installing FMS the other day and I don't normally get involved in Finance. Usually the local SIMS team come in and do the updates. But I had to ring the help desk (which is now a central one) and because I didn't know an administrator password for FMS, they asked me to log in as the default. What was it? Well, I won't say what here as it's publicly accessible, but if you know much about SIMS, you probably won't have a hard time guessing. Logging on in this way, I had access to ALL of FMS and now I wonder how many other schools have this log on account on their system. Probably most if like me the Network Manager hasn't been involved in FMS. Safe to say I have changed it now. But you might want to check yours if you're not sure! My point is though, schools have always been lax with system security and it is only with the advent of system administrators and IT technicians that this has begun to change. |
| |
| | #25 |
![]() Join Date: Oct 2006 Location: Sowerby Bridge
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Rep Power: 0 | My school has just bought FROG and I expect I will become responsible for security. What I have read above worries me more than a little. I am a UNIX and Internet security novice so I have no clear idea what the various comments about shells, sessions, google hacks and authentication mean. So I have just purchased 'Practical UNIX and Internet Security.' Can anyone point me towards a fuller explanation of what is going on here? If I talk to FROG about this what questions should I be asking? Is there any way I can test myself whether our system is vulnerable in the same way as Hathershaw? I would be very grateful for any relevant comments or advice. |
| |
| | #26 |
![]() Join Date: Jul 2005 Location: Kettering, Northants
Posts: 5,118
Thanks: 54
Thanked 206 Times in 110 Posts
Blog Entries: 1 Rep Power: 55 | I wouldn't worry too much ... as long as you are sure permissions are set on each page / resource then it will be fine. FROG do have some good instructions on the matter ... just follow those. If you are seriously concerned drop me a PM. |
| |
| |