Wij willen met u aan tafel zitten en in een openhartig gesprek uitvinden welke uitdagingen en vragen er bij u spelen om zo, gezamelijk, tot een beste oplossing te komen. Oftewel, hoe kan de techniek u ondersteunen in plaats van dat u de techniek moet ondersteunen.

If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

Turns out, according to one student security researcher, they’re not.

Eighteen-year-old Bill Demirkapi, a recent high school graduate in Boston, Massachusetts, spent much of his latter school years with an eye on his own student data. Through self-taught pen testing and bug hunting, Demirkapi found several vulnerabilities in a his school’s learning management system, Blackboard, and his school district’s student information system, known as Aspen and built by Follett, which centralizes student data, including performance, grades, and health records.

The former student reported the flaws and revealed his findings at the Def Con security conference on Friday.

“I’ve always been fascinated with the idea of hacking,” Demirkapi told TechCrunch prior to his talk. “I started researching but I learned by doing,” he said.

Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

Blackboard’s Community Engagement platform had several vulnerabilities, including an information disclosure bug. A debugging misconfiguration allowed him to discover two subdomains, which spat back the credentials for Apple app provisioning accounts for dozens of school districts, as well as the database credentials for most if not every Blackboard’s Community Engagement platform, said Demirkapi.

“School data or student data should be taken as seriously as health data. The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”
Bill Demirkapi, security researcher

Another set of vulnerabilities could have allowed an authorized user — like a student — to carry out SQL injection attacks. Demirkapi said six databases could be tricked into disclosing data by injecting SQL commands, including grades, school attendance data, punishment history, library balances, and other sensitive and private data.

Some of the SQL injection flaws were blind attacks, meaning dumping the entire database would have been more difficult but not impossible.

In all, over 5,000 schools and over five million students and teachers were impacted by the SQL injection vulnerabilities alone, he said.

Demirkapi said he was mindful to not access any student records other than his own. But he warned that any low-skilled attacker could have done considerable damage by accessing and obtaining student records, not least thanks to the simplicity of the database’s password. He wouldn’t say what it was, only that it was “worse than ‘1234’.”

But finding the vulnerabilities was only one part of the challenge. Disclosing them to the companies turned out to be just as tricky.

Demirkapi admitted that his disclosure with Follett could have been better. He found that one of the bugs gave him improper access to create his own “group resource,” such as a snippet of text, which was viewable to every user on the system.

“What does an immature 11th grader do when you hand him a very, very, loud megaphone?” he said. “Yell into it.”

And that’s exactly what he did. He sent out a message to every user, displaying each user’s login cookies on their screen. “No worries, I didn’t steal them,” the alert read.

“The school wasn’t thrilled with it,” he said. “Fortunately, I got off with a two-day suspension.”

He conceded it wasn’t one of his smartest ideas. He wanted to show his proof-of-concept but was unable to contact Follett with details of the vulnerability. He later went through his school, which set up a meeting, and disclosed the bugs to the company.

Blackboard, however, ignored Demirkapi’s responses for several months, he said. He knows because after the first month of being ignored, he included an email tracker, allowing him to see how often the email was opened — which turned out to be several times in the first few hours after sending. And yet the company still did not respond to the researcher’s bug report.

Blackboard eventually fixed the vulnerabilities, but Demirkapi said he found that the companies “weren’t really prepared to handle vulnerability reports,” despite Blackboard ostensibly having a published vulnerability disclosure process.

“It surprised me how insecure student data is,” he said. “School data or student data should be taken as seriously as health data,” he said. “The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”

He said if a teenager had discovered serious security flaws, it was likely that more advanced attackers could do far more damage.

Heather Phillips, a spokesperson for Blackboard, said the company appreciated Demirkapi’s disclosure.

“We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party,” the statement said. “One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention.”

Follet spokesperson Tom Kline said the company “developed and deployed a patch to address the web vulnerability” in July 2018.

The student researcher said he was not deterred by the issues he faced with disclosure.

“I’m 100% set already on doing computer security as a career,” he said. “Just because some vendors aren’t the best examples of good responsible disclosure or have a good security program doesn’t mean they’re representative of the entire security field.”


TechCrunch

Hotstar, India’s largest video streaming service with more than 300 million users, disabled support for Apple’s Safari web browser on Friday to mitigate a security flaw that allowed unauthorized usage of its platform, two sources familiar with the matter told TechCrunch.

The incident comes at a time when the streaming service — operated by Star India, part of 20th Century Fox that Disney acquired — enjoys peak attention as millions of people watch the ongoing ICC World Cup cricket tournament on its platform.

As users began to complain about not being able to use Hotstar on Safari, the company’s official support account asserted that “technical limitations” on Apple’s part were the bottleneck. “These limitations have been from Safari; there is very little we can do on this,” the account tweeted Friday evening.

Sources at Hotstar told TechCrunch that this was not an accurate description of the event. Instead, company’s engineers had identified a security hole that was being exploited by unauthorized users to access Hotstar’s content, they said.

Hotstar intends to work on patching the flaw soon and then reinstate support for Safari, the sources said.

The security flaw can only be exploited through Safari’s desktop and mobile browsers. On its website, the company recommends users to try Chrome and Firefox, or its mobile apps, to access the service. Hotstar did not respond to requests for comment.

Hotstar, which rivals Netflix and Amazon Prime Video in India, maintains a strong lead in the local video streaming market (based on number of users and engagement). Last month, it claimed to set a new global record by drawing more than 18 million viewers to a live cricket match.


TechCrunch

How Antivirus Software Can Be Turned Into a Tool for Spying

New York Times

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool. Security software r …

Read more …

Vervuilde data stremt big data analytics

De verwachtingen rondom big data zijn hooggespannen. 74 procent van de West Europese bedrijven verwacht een return on investment (roi) te realiseren binnen twaalf maanden na implementatie van big data analytics. Dat blijkt uit het onderzoek ‘Big Data in Western Europe Today’. uitgevoerd door Forrester Consulting in opdracht van Xerox. Verder laat het onderzoek zien dat vooral een vervuilde database organisaties ervan weerhoudt om big data te omarmen.

Het onderzoek maakt onderscheidt in drie belangrijke trends omtrent de inzet van big data. Zo is big data essentieel bij het nemen van strategische beslissingen. Meer dan de helft van de respondenten (61 procent) geeft aan steeds vaker beslissingen te baseren op datagedreven informatie dan op factoren zoals onderbuikgevoel, mening of zelfs ervaring.  56 procent van de 330 respondenten op managementniveau in Nederland, België, Duitsland, Frankrijk en het Verenigd Koninkrijk ervaart momenteel al voordelen van werken met big data.

Een vervuilde database is kostbaar. Het blijkt dat 70 procent van de organisaties nog steeds onjuiste data ….

Read more …

Gapend gat in Microsoft Active Directory ontdekt

Microsoft Active Directory, de basis voor toegangsbewaking van de meeste bedrijfsnetwerken, bevat een essentiële ontwerpfout die hackers de mogelijkheid geeft elk wachtwoord te wijzigen.

Microsoft stelt in een reactie dat het probleem al enige tijd bekend is en er al aan gewerkt wordt. Toch beweert het Israëlische beveiligingsbedrijf Aorato dat de mogelijkheid voor een hacker om wachtwoorden naar zijn hand te zetten, zeker niet bekend was. Het bedrijf heeft een proof-of-concept ontwikkeld waarmee het kan aantonen hoe de aanval kan worden uitgevoerd.

Het probleem is groot omdat zo’n 95 procent van de Fortune 500 bedrijven, gebruik maken van Active Directory. Het vormt onderdeel van het standaard authenticatie- en autorisatiemechanisme in Windows Server.

De fout beperkt zich overigens niet tot Active Directory. Het probleem zit in NTLM, een authenticatieprotocol, dat in meer systemen voor single sign-on voorkomt. NTLM blijkt kwetsbaar te zijn voor een ‘pass-the-hash’-aanval. Daarbij kan een hacker die de login-gegevens van een gebruiker heeft weten te bemachtigen het hashing-algoritme (versleuteling) gebruiken om ook toegang te krijgen tot andere accounts. Het is een vaker gebruikte methode om een login voor een onbelangrijke dienst op het netwerk die makkelijk te verkrijgen is, te gebruiken om de login ..

Lees het artikel ‘Gapend gat in Microsoft Active Directory ontdekt’ hier verder

Created by R the Company. Powered by SiteMuze.