
If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

Turns out, according to one student security researcher, they’re not.

Eighteen-year-old Bill Demirkapi, a recent high school graduate in Boston, Massachusetts, spent much of his later school years with an eye on his own student data. Through self-taught pen testing and bug hunting, Demirkapi found several vulnerabilities in his school’s learning management system, Blackboard, and his school district’s student information system, known as Aspen and built by Follett, which centralizes student data, including performance, grades, and health records.

The former student reported the flaws and revealed his findings at the Def Con security conference on Friday.

“I’ve always been fascinated with the idea of hacking,” Demirkapi told TechCrunch prior to his talk. “I started researching but I learned by doing,” he said.

Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

Blackboard’s Community Engagement platform had several vulnerabilities, including an information disclosure bug. A debugging misconfiguration allowed him to discover two subdomains, which spat back the credentials for Apple app provisioning accounts for dozens of school districts, as well as the database credentials for most, if not all, of Blackboard’s Community Engagement platform, said Demirkapi.


Another set of vulnerabilities could have allowed an authorized user — like a student — to carry out SQL injection attacks. Demirkapi said six databases could be tricked into disclosing data by injecting SQL commands, including grades, school attendance data, punishment history, library balances, and other sensitive and private data.

Some of the SQL injection flaws were blind attacks, meaning dumping the entire database would have been more difficult but not impossible.

In all, over 5,000 schools and over five million students and teachers were impacted by the SQL injection vulnerabilities alone, he said.
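The two classes of flaw described above, a query that trusts user-supplied input and a lookup that does not restrict rows to the authenticated user, can be shown side by side in a few lines. The following is an added illustration written for this page, not code from Follett, Blackboard or Demirkapi; the table, the student ids and the function names are constructed for the demonstration. The same tautology input that a code reviewer uses to confirm the fix returns every row from the concatenated query and nothing from the parameterized one, and a row-ownership filter catches leaks even when the query layer is wrong.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny student-information table.
SAMPLE_ROWS = [
    (1001, "Alice", "Algebra", "A"),
    (1001, "Alice", "Chemistry", "B"),
    (1002, "Bob", "Algebra", "C"),
    (1003, "Carol", "History", "A"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed grade rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE grades (student_id INTEGER, name TEXT, course TEXT, grade TEXT)"
    )
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def grades_vulnerable(conn, authenticated_student_id, course):
    """Hypothetical 'before' version: the WHERE clause is built by string
    concatenation, so whatever the user types for `course` becomes SQL."""
    sql = (
        "SELECT student_id, name, course, grade FROM grades "
        f"WHERE student_id = {authenticated_student_id} AND course = '{course}'"
    )
    return conn.execute(sql).fetchall()


def grades_safe(conn, authenticated_student_id, course):
    """Hardened version: a parameterized query. Both values are bound as data,
    and the student id comes from the server-side session, never the request."""
    sql = (
        "SELECT student_id, name, course, grade FROM grades "
        "WHERE student_id = ? AND course = ?"
    )
    return conn.execute(sql, (authenticated_student_id, course)).fetchall()


def enforce_own_rows(rows, authenticated_student_id):
    """Defence in depth for the access-control case: drop any row that does
    not belong to the authenticated user, whatever the query returned."""
    return [r for r in rows if r[0] == authenticated_student_id]


def demo():
    """Run both versions with a constructed tautology input and report
    (rows leaked by the vulnerable query, rows returned by the safe query,
    rows left after the ownership filter is applied to the leaked set)."""
    conn = build_db()
    # In the vulnerable query the quote closes the string literal and the OR
    # makes the WHERE clause true for every row; in the safe query it is
    # just a course name that does not exist.
    crafted = "x' OR '1'='1"
    leaked = grades_vulnerable(conn, 1002, crafted)
    safe = grades_safe(conn, 1002, crafted)
    filtered = enforce_own_rows(leaked, 1002)
    return len(leaked), len(safe), len(filtered)


if __name__ == "__main__":
    print(demo())  # → (4, 0, 1)
```

The ownership filter is not a substitute for the parameterized query: it only limits what a broken query can disclose to the caller, and it does nothing against writes, which is why the read-and-write access Demirkapi describes for the Aspen database is the more serious finding.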

Demirkapi said he was mindful to not access any student records other than his own. But he warned that any low-skilled attacker could have done considerable damage by accessing and obtaining student records, not least thanks to the simplicity of the database’s password. He wouldn’t say what it was, only that it was “worse than ‘1234’.”

But finding the vulnerabilities was only one part of the challenge. Disclosing them to the companies turned out to be just as tricky.

Demirkapi admitted that his disclosure with Follett could have been better. He found that one of the bugs gave him improper access to create his own “group resource,” such as a snippet of text, which was viewable to every user on the system.

“What does an immature 11th grader do when you hand him a very, very, loud megaphone?” he said. “Yell into it.”

And that’s exactly what he did. He sent out a message to every user, displaying each user’s login cookies on their screen. “No worries, I didn’t steal them,” the alert read.

“The school wasn’t thrilled with it,” he said. “Fortunately, I got off with a two-day suspension.”

He conceded it wasn’t one of his smartest ideas. He wanted to show his proof-of-concept but was unable to contact Follett with details of the vulnerability. He later went through his school, which set up a meeting, and disclosed the bugs to the company.

Blackboard, however, ignored Demirkapi’s messages for several months, he said. He knows because after the first month of being ignored, he included an email tracker, allowing him to see how often the email was opened — which turned out to be several times in the first few hours after sending. And yet the company still did not respond to the researcher’s bug report.

Blackboard eventually fixed the vulnerabilities, but Demirkapi said he found that the companies “weren’t really prepared to handle vulnerability reports,” despite Blackboard ostensibly having a published vulnerability disclosure process.

“It surprised me how insecure student data is,” he said. “School data or student data should be taken as seriously as health data,” he said. “The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”

He said if a teenager had discovered serious security flaws, it was likely that more advanced attackers could do far more damage.

Heather Phillips, a spokesperson for Blackboard, said the company appreciated Demirkapi’s disclosure.

“We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party,” the statement said. “One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention.”

Follett spokesperson Tom Kline said the company “developed and deployed a patch to address the web vulnerability” in July 2018.

The student researcher said he was not deterred by the issues he faced with disclosure.

“I’m 100% set already on doing computer security as a career,” he said. “Just because some vendors aren’t the best examples of good responsible disclosure or have a good security program doesn’t mean they’re representative of the entire security field.”


TechCrunch

Facebook has failed to clean up the brisk trade in fake product reviews taking place on its platform, an investigation by the consumer association Which? has found.

In June both Facebook and eBay were warned by the UK’s Competition and Markets Authority (CMA) that they needed to do more to tackle the sale of fake product reviews. On eBay, sellers were offering batches of five-star product reviews in exchange for cash, while Facebook’s platform was found hosting multiple groups where members solicited writers of fake reviews in exchange for free products or cash (or both).

A follow-up look at the two platforms by Which? has found a “significant improvement” in the number of eBay listings selling five-star reviews — with the group saying it found just one listing selling five-star reviews after the CMA’s intervention.

But little appears to have been done to prevent Facebook groups trading in fake reviews — with Which? finding dozens of Facebook groups that it said “continue to encourage incentivised reviews on a huge scale”.

Here’s a sample ad we found doing a ten-second search of Facebook groups… (one of a few we saw that specify they’re after US reviewers)

[Screenshot, 6 August 2019: a Facebook group post soliciting US reviewers]

Which? says it found more than 55,000 new posts across just nine Facebook groups trading fake reviews in July, which it said were generating hundreds “or even thousands” of posts per day.

It points out the true figure is likely to be higher because Facebook caps the number of posts it quantifies at 10,000 (and three of the ten groups had hit that ceiling).

Which? also found Facebook groups trading fake reviews that had sharply increased their membership over a 30-day period, adding that it was “disconcertingly easy to find dozens of suspicious-looking groups in minutes”.

We also found a quick search of Facebook’s platform instantly serves a selection of groups soliciting product reviews…

[Screenshot, 6 August 2019: Facebook search results listing groups that solicit product reviews]

Which? says it looked in detail at ten groups (it doesn’t name the groups), all of which contained the word ‘Amazon’ in their group name, finding that all of them had seen their membership rise over a 30-day period — with some seeing big spikes in members.

“One Facebook group tripled its membership over a 30-day period, while another (which was first started in April 2018) saw member numbers double to more than 5,000,” it writes. “One group had more than 10,000 members after 4,300 people joined it in a month — a 75% increase, despite the group existing since April 2017.”

Which? speculates that the surge in Facebook group members could be a direct result of eBay cracking down on fake reviews sellers on its own platform.

“In total, the 10 [Facebook] groups had a staggering 105,669 members on 1 August, compared with a membership of 85,647 just 30 days prior to that — representing an increase of nearly 19%,” it adds.

Across the ten groups it says there were more than 3,500 new posts promoting incentivised reviews in a single day. Which? also notes that Facebook’s algorithm regularly recommended similar groups to those that appeared to be trading in fake reviews — on the ‘suggested for you’ page.

It also says it found admins of groups it joined listing alternative groups to join in case the original is shut down.

Commenting in a statement, Natalie Hitchins, Which?’s head of products and services, said: “Our latest findings demonstrate that Facebook has systematically failed to take action while its platform continues to be plagued with fake review groups generating thousands of posts a day.

“It is deeply concerning that the company continues to leave customers exposed to poor-quality or unsafe products boosted by misleading and disingenuous reviews. Facebook must immediately take steps to not only address the groups that are reported to it, but also proactively identify and shut down other groups, and put measures in place to prevent more from appearing in the future.”

“The CMA must now consider enforcement action to ensure that more is being done to protect people from being misled online. Which? will be monitoring the situation closely and piling on the pressure to banish these fake review groups,” she added.

Responding to Which?’s findings in a statement, CMA senior director George Lusty said: “It is unacceptable that Facebook groups promoting fake reviews seem to be reappearing. Facebook must take effective steps to deal with this problem by quickly removing the material and stop it from resurfacing.”

“This is just the start – we’ll be doing more to tackle fake and misleading online reviews,” he added. “Lots of us rely on reviews when shopping online to decide what to buy. It is important that people are able to trust they are genuine, rather than something someone has been paid to write.”

In a statement Facebook claimed it has removed nine out of ten of the groups Which? reported to it and claimed to be “investigating the remaining group”.

“We don’t allow people to use Facebook to facilitate or encourage false reviews,” it added. “We continue to improve our tools to proactively prevent this kind of abuse, including investing in technology and increasing the size of our safety and security team to 30,000.”


TechCrunch

Millions of people have been signing up to receive what they think is a $125 cash reimbursement from Equifax for its criminal mishandling and exposure of their personal and financial data. But the FTC warns that you may see only a small fraction of that, if any, because of the way the $575 million settlement with the company actually breaks down.

In the settlement, Equifax set aside $300 million to pay for credit monitoring for everyone affected by the historic hack (rivaled perhaps only by this week’s Capital One breach), and you’re due that if you want it.

But say you already had credit monitoring set up because of, say, yet another of the various hacks and leaks that have plagued the careless stewards of our data in recent years. In that case you can state this is the case and receive up to $125 as an alternative claim.

There’s just one problem: Equifax only set aside a paltry sum of $31 million for these cases, which is just enough for about a quarter of a million people to receive that $125 — well under the millions that are now submitting claims. So the pie, already a small one, gets sliced even thinner than before.

If even one in 10 of the victims asks for the alternative payout method, that nets them about two bucks each. Meanwhile, the CEO received a $20 million (conservatively) golden parachute after overseeing one of the largest and most damaging hacks in history, which was called “entirely preventable.” He wasn’t fired, you know — he retired. Overall the company is in pretty good shape!

There is more money set aside for people who have out-of-pocket expenses for hack-related issues, like identity theft that resulted in the loss of a loan and such. You’ll need to document that, though, and relatively few people will be able to take advantage of it.

The FTC’s Robert Schoshinski explains that the credit monitoring is the more valuable option anyway:

If you haven’t submitted your claim yet, think about opting for the free credit monitoring instead. Frankly, the free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year. And this monitoring service is probably stronger and more helpful than any you may have already, because it monitors your credit report at all three nationwide credit reporting agencies, and it comes with up to $1 million in identity theft insurance and individualized identity restoration services.

Fair point, and given the ongoing failure of financial institutions, social networks and other companies to protect your data, it might be nice to know that you’re protected.

Of course, the credit monitoring is provided by Equifax. But don’t worry, I’m sure they learned their lesson.


TechCrunch

SpaceX CEO Elon Musk believes that both the Texas and Florida Starship prototype rockets being developed by the private space company will fly “in 2 to 3 months,” which is an aggressive timeline considering the planned untethered flight of its Starhopper demonstration prototype missed its target of running this past week.

SpaceX is developing two Starship prototypes in parallel, at both its Texas and Florida facilities, in what is sometimes referred to in the technology industry as a ‘bake-off.’ Both teams develop their own rockets independently, in an attempt to spur a sense of internal competition and potentially arrive at combined progress that wouldn’t be possible with just a single team working together on the task.

Earlier this month, Musk stated that the inaugural untethered test of its Starhopper (Hopper for short) Starship tech demo prototype would happen this past Tuesday, July 16. Those plans were derailed when a preliminary test firing of its engines resulted in a large fireball captured on camera by many local observers. Musk later said on Twitter that this was the result of a “post test fuel leak” but added that there was actually no significant damage to the sub-scale Starhopper itself.

The SpaceX CEO then continued with a new timeline for the untethered test, saying it should happen sometime this coming week instead. That’s definitely a required step for the company to take ahead of any test flights of the more complete Starhopper prototypes.

Those initial tests will be sub-orbital flights, Musk said on Friday, with orbital tests to follow some “2 to 3 months” after those first test flights, which are themselves 2 to 3 months from today – so that puts the earliest orbital test flights for Starship at just 4 to 6 months from now. Based on how Musk’s stated timelines match up with reality, you should definitely consider that an extremely optimistic assessment.

Musk also shared some detail about how Starship will launch – it’ll use a launch structure, which is currently under construction at another site, much like Falcon 9 and Falcon Heavy do today.


TechCrunch
