Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable
from the hack-attack dept
Well, that didn't take long. It was only a month or so ago that we brought you the delightful news that software for monitoring UK youth in classrooms was being recommended as a way to comply with the UK's insane policy that conscripts teachers to watch out for scary future-Muslim-terrorists. The idea was that the software, from American company Impero Software, would report back to teachers should the children under their watchful gaze search for terms deemed to be terrorist related. The teachers were then supposed to involve school admins, law enforcement, or parents as deemed necessary. Because, see, possible-might-be-future-terrorists sprouting up from our own children is a very scary, albeit not-yet-existing, threat to something something.
Unfortunately, Impero's monitoring agents themselves come with an actual threat, thanks to the laughably clichéd security fails within the software's design.
Impero has a lot of power over its clients’ data, whether stored on PCs, servers or children’s personal technology. If compromised, it could expose reams of information on pupils, teachers and the school as a whole. And that’s certainly possible in light of the findings of researcher ‘raylee’, real name Zammis Clark, who discovered the Impero platform was using a default password of “password” to connect clients to its servers. “Basically, if you use Impero, please don’t,” the researcher wrote in a Github post describing the flaw and releasing attack code to prove the problem existed.

Impero set the software up so that the password between the students' devices and the server was "password." They made the password "password." Okay, here's a new rule for the world: if you're a company whose single reason for existing has anything to do with both technology and security, and you create your system in such a way that it ships to your customers and is allowed to work with a default password of "password", then you don't get to exist any longer. This is the kind of stuff people who work in IT consulting like me see all the time... at companies that don't have any actual IT staff onsite. But this came from the software designer itself. And the most hilarious thing? Well, part of Impero's response to the publishing of the exploit was to release a fix after its disclosure... which failed to actually fix the exploit.
The researcher told FORBES that if an attacker can gain access to the Impero server, all connected machines “are completely open to compromise”, due to the apparent lack of decent authentication. “Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability,” he added.
The other part of Impero's response was to go all legal on the security researcher for publishing the exploit in the first place, because of course it was.
In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

Excuse me, but no customers have been affected by this exploit... yet. And now they probably won't be, assuming your team can get a proper fix in place. And the youth of the UK will have the security researcher to thank for it, since that appears to be what lit a fire under your collective asses to get this thing fixed. The marketing director also had this to say.
In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”
This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access. We have been in communication with all our customers throughout.

Interesting response. I'm sure antivirus makers, under the notion above, could simply release software that didn't actually do anything and then claim that if customers have a perimeter firewall up and use basic browsing common sense, their non-working software would work just fine to prevent malware. If Impero isn't going to bother to use basic best practices when it comes to security passwords, it probably shouldn't be issuing lectures to its customers about basic security best practices.
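The failure described above, a client/server agent that ships working with a shared secret of "password", is the kind of thing a deploy-time policy check catches before the first client connects. The following is an added example, not Impero's code or anything derived from the disclosed flaw: a small startup check that refuses to run a server whose client secret is a known default or otherwise weak, or whose client authentication is switched off, and a constant-time comparison for the secret clients actually present. The config keys (client_auth_required, client_secret), the deny-list contents and both sample configurations are constructed for illustration.

```python
"""Startup credential policy check for a client/server monitoring agent.

Added example (not Impero's code): before a server accepts client
connections, refuse to start if the shared client secret is a known
default or weak, or if client authentication is disabled. The config
keys, deny-list and sample configs are constructed for this example.
"""
import hashlib
import hmac

# Constructed deny-list: vendor-style default placeholders plus the kind
# of entries found at the top of published "most common password" lists.
DEFAULT_SECRETS = frozenset({
    "password", "password1", "admin", "changeme", "default",
    "123456", "12345678", "qwerty", "letmein", "welcome",
})

MIN_SECRET_LENGTH = 16


def check_client_secret(secret):
    """Return a list of policy violations for a client/server shared secret.

    An empty list means the secret passes. The deny-list comparison is
    case-insensitive so "Password" and "PASSWORD" are caught as well.
    """
    problems = []
    if not secret:
        problems.append("secret is empty")
        return problems
    if secret.lower() in DEFAULT_SECRETS:
        problems.append("secret is a known default/common password")
    if len(secret) < MIN_SECRET_LENGTH:
        problems.append(f"secret shorter than {MIN_SECRET_LENGTH} characters")
    # Count distinct character classes present: lower, upper, digit, other.
    classes = sum(
        any(pred(c) for c in secret)
        for pred in (str.islower, str.isupper, str.isdigit,
                     lambda c: not c.isalnum())
    )
    if classes < 3:
        problems.append("secret uses fewer than three character classes")
    return problems


def validate_server_config(cfg):
    """Validate a server config dict; return (ok, list_of_problems).

    Constructed keys:
      client_auth_required : bool - whether clients must authenticate
      client_secret        : str  - shared secret clients present
    """
    problems = []
    if not cfg.get("client_auth_required", False):
        problems.append("client_auth_required is disabled")
    problems.extend(check_client_secret(cfg.get("client_secret", "")))
    return (not problems, problems)


def verify_client_secret(presented, expected):
    """Constant-time comparison of a client-presented secret.

    Hashing both values first makes the comparison length-independent,
    so a length mismatch does not leak timing information.
    """
    def digest(s):
        return hashlib.sha256(s.encode("utf-8")).digest()
    return hmac.compare_digest(digest(presented), digest(expected))


# Constructed sample configs: the weak setting the article describes,
# beside a corrected one.
WEAK_CONFIG = {"client_auth_required": True, "client_secret": "password"}
FIXED_CONFIG = {"client_auth_required": True,
                "client_secret": "Q7v!kR2m#Xp9wL4s@Tz"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        ok, problems = validate_server_config(cfg)
        status = "OK" if ok else "REFUSING TO START: " + "; ".join(problems)
        print(f"{name}: {status}")
```

Run on its own, the script refuses to start the weak configuration with three separate findings and accepts the corrected one. The check is deliberately a refusal rather than a warning: a logged warning about a default secret is exactly the kind of thing that gets ignored at a site with no IT staff, while a server that will not start forces the secret to be changed before any client can connect.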
Or we could just side-step this whole problem by not using Impero's software.
Filed Under: copyright, radicals, security, students, threats, uk, zammis clark
Companies: impero
Reader Comments
Well he got it half right at least
In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”
Hey, that's a good point, clearly he should have privately gone to them first, I'm sure they would have acted responsibly, thanked him for his discovery, promptly admitted that the vulnerability existed, and got right on fixing it.
In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.
... or not, if their reaction is anything to go by.
Had he done the stupid thing and gone to them first, I have absolutely no doubt they would have accused him of violating the terms of the software, just like they did here, along with including a hefty threat should he go public with his findings.
Once again the message is clear, though apparently this particular researcher forgot it: Always go public with your findings, always do it anonymously, and never try and contact the company in question beforehand. Break the 'rule' and you'll be sued into the ground, and the problem will never be fixed.
Intimidation.....
I'm sure the hackers responsible for the likes of Cryptolocker are running scared now..
Re: Intimidation.....
Someone get the US Government on the line, I think we have the solution to their encryption problem.
Flawed thinking from the get go
So the idea is that when schoolchildren look up terrorist related material on the web they are flagged up and reported to the authorities, well, what happens if a bright and inquisitive schoolchild has an interest in current affairs and is wondering what gives with all this "terrorist" talk that grownups engage in, and googles said stuff?
http://news.bbc.co.uk/1/hi/uk/6359363.stm
Bad in 2007 and not getting any better...
Re: Re: Flawed thinking from the get go
Be afraid, be very afraid.
Re: Re: Flawed thinking from the get go
If you want to be down with the hipsters, though, you'll need to go with this.
(http://www.theguardian.com/commentisfree/2015/jul/04/politicians-love-to-declare-things-unacceptable)
Re: Re: Flawed thinking from the get go
I agree, it's called parenting.
Apparently people at Impero have watched too many bad hacker movies where several passwords are entered before shouting "I'm in", and they thought that was cool.
On a side note, are UK students forced to use this crappy spyware on their own machines, or is it on school machines only?
Better not eat Ike & Mikes in front of the computer spy cam.
I'm guessing no.
Does anyone with even a tiny bit of IT security experience think for a second that software setup with no authentication and a default password of "password" has no other glaring security holes?
Well duh, that's how most server-client setups work creepy spyware or not.
(see Dan Geer's talk last year for a decent framework for liability to start with)
Re:
That said, the case under discussion may contain grounds for legal action, as it can be described as gross negligence due to the vendor ignoring a well known and well publicised problem.
That...that is just babytown frolics.
Re:
Because it's a school and they don't know the first thing about software.
What are the odds?! Even if we restrict ourselves to case-insensitive letters only, it must be somethin' like 1 in 26^8. I mean, like, cue the Twilight Zone theme, man...
Hacking shmacking
Impero assumes the researcher hacked their product, so the onus of proof would need to be on them to unequivocally show this was the case.
Meanwhile there are like a gazillion websites with 'most common password' lists... who's to say the researcher didn't start at the top of the list and, bingo, 1-3 entries down the list he's in.
If I was the researcher my response to Impero would be a clear and concise GFY
Re: Hacking shmacking
A depressingly large number of people consider this "hacking".