School security company has a cybersecurity breach.

[Bitter]

 

3 hours ago, leadeater said:

Well there are multiple factors to that, first being it very well could have been but since access was gained through the regular system access from a valid account (this case everyone/public) the ability to read was there. This would be encryption at rest or storage encryption etc. Something like that, rather than file encryption.

 

Realistically it'll be document scans of actual paperwork or external digital documents and the storage buckets are either temporary location used for file uploads in to the system or where those files actually get stored. More often than not since the location of where that data is stored is supposed to be secured you don't do file level encryption and it wouldn't actually help in a data breach through the application itself since the application would have the keys to decrypt.

 

The what and why is actually a lot more complicated than it may seem much of the time. Some things you'd think would help won't necessarily, it's all a big "it depends" and without information it's difficult to make any judgement calls.

 

I know the most widely used Student Manage System in my country used an SMB share for it's file upload temporary location and it wasn't really cleaned out in any special or automated way that I could tell, or at least not often enough anyway. Their systems were hosted by my work and I had full admin access to all their servers and databases as well as being responsible for all their data backups. We were also their technical support for server issues etc since it was all hosted by us and even joined to our Active Directory. We no longer host their systems though, haven't for a number of years, was very glad to see them go, very. Their software archecture and system archecture was not on the top end of data security and had some quite serious risk factors like that SMB share which had all the same documents and information in there from this story.

 

Obviously I'm not going to name names but all going well the data was secure but the issue was if for any reason things were not "all going well" even temporarily the potential exposure was very serious. It was something I noted to them a few times.

Got it, follow up...why not file level encryption for really important sensitive data like this? I used to PGP my tax returns with uhhhh 48 but Blowfish I think back on my Pentium 4 lol.

[leadeater]

4 minutes ago, Bitter said:

Got it, follow up...why not file level encryption for really important sensitive data like this? I used to PGP my tax returns with uhhhh 48 but Blowfish I think back on my Pentium 4 lol.

May not always ben possible, could be using software that just can't handle encrypted files and may not be able to get such a feature added if the software vendor doesn't want to do it. Cross compatibility can be a problem, every system needs to be able to read the files and if one can't deal with file level encryption then you simply aren't able to use it.

 

The situation I talked about was just a case of not bothering to do it, it was their own written software.

 

The "where the files are stored is secure" goes a long way to compliancy I'm sad to say. For what they were doing I'd never be storing uploaded files in a temporary filesystem like that anyway, yuck. Leave it in memory and send it directly to a secure document repository.

 

I don't have a good answer for why not, because there probably isn't a good answer lol

[DEERMYSTER]

16 hours ago, leadeater said:

That's certainly frustrating for sure but I do understand why they don't want to be saying anything too quickly. Personal details about minors, medical information, court protection order information, criminal background information are part of this and they all have heavy regulatory and compliance around them so basically everything will be going through legal representation and advice first. Sadly that also means details you might want to know will be withheld for a while or indefinitely. 

 

This will be Raptor Technologies' worst day as a company so far, hopefully ever. But it could probably get worse because in my opinion they should be called in front of some kind of review panel and grilled, very hard.

Legally they are going to have to disclose most every detail to us. In the State I'm located in there are specific laws on student data in regards to third party vendors. Goes back to that data agreement I mentioned before as well. Unfortunately,  I can't go into more detail or the exact language of the agreements or give you the specific laws just because of our legal requirements in this situation. We are working with the government though to work through this. I suspect that if evidence is found that the exposed data was accessed by unauthorized parties law suits are going to fly. I do know every aspect of data we specifically have sent to them. How bad this situation could be for districts is gonna be dependent on how they used the software and what components were used. Unlike others we never uploaded student displinary or medical records. 

[Bitter]

10 hours ago, leadeater said:

May not always ben possible, could be using software that just can't handle encrypted files and may not be able to get such a feature added if the software vendor doesn't want to do it. Cross compatibility can be a problem, every system needs to be able to read the files and if one can't deal with file level encryption then you simply aren't able to use it.

 

The situation I talked about was just a case of not bothering to do it, it was their own written software.

 

The "where the files are stored is secure" goes a long way to compliancy I'm sad to say. For what they were doing I'd never be storing uploaded files in a temporary filesystem like that anyway, yuck. Leave it in memory and send it directly to a secure document repository.

 

I don't have a good answer for why not, because there probably isn't a good answer lol

Because they're not required to would be the correct answer. I'd say. I can't imagine it being impossible to make work but maybe costly but if it were required I'm sure they could make it work.  Per file really needs to be a thing. Ugh.

[wanderingfool2]

21 hours ago, leadeater said:

That's actually not that serious information, the "what to do" in those situations is pretty standard and easily found information. Health information about minors is easily the most serious of anything, that's HIPAA breach hard core mode. If you want the book thrown at you almost nothing works better than "won't somebody think of the children"

It can be in the sense that it apparently contained full plans and actual analyses of where people will congregate when there is a situation (some of the school shootings, the perpetrators actually tried planning to maximize areas like that...so if they are accessible including what the reaction will be it could turn situations like that into a whole lot worse)

[leadeater]

40 minutes ago, wanderingfool2 said:

It can be in the sense that it apparently contained full plans and actual analyses of where people will congregate when there is a situation (some of the school shootings, the perpetrators actually tried planning to maximize areas like that...so if they are accessible including what the reaction will be it could turn situations like that into a whole lot worse)

No it really is not since the procedure is stay in place and to not move unless under direct immediate danger. One of the last things you want to do is congregate many people in to the same area which is why that's not what is done. The second thing you don't do is move around, movement = getting seen.

 

I've seen active shooter plans and similar (for schools), the instructions are stay in the classroom, lock the doors and stay way from the windows and keep low.

 

Seeing these plans doesn't help at all and the fact is this is not exactly unknown anyway.

 

These resources and guidelines are freely available online anyway so the only beneficial thing is a school map which can often be on the school website anyway too.

[ReidOnly]

On 1/12/2024 at 8:10 AM, Rapt0rHunter said:

Summary

A school cybersecurity company Raptor Technologies had a security breach containing sensitive information. 

 

Quotes

 

My thoughts

 I'm no cybersecurity expert, but to have extremely sensitive information in a non-password-protected database, especially pertaining to schools, is absolutely insane.

 It also shows that a cybersecurity breach can be as simple as "we didn't put a password on it and someone got in."

 

Sources

https://www.techradar.com/pro/security/school-software-breach-reveals-private-data-on-millions-of-users

Back in my student days, I could easily hack into both my elementary and high school networks, messing around with their servers. I wouldn't do anything stupid but all the claims from the businesses and so-called "IT Pros" gloating to us during their audits and "repairs" about having top-notch security with the "latest software & protection," I always figured most education systems were just outdated and didn't have the real protection they needed.

I am assuming that this is the case for most school systems in the USA & Canada / etc.

[wanderingfool2]

58 minutes ago, leadeater said:

No it really is not since the procedure is stay in place and to not move unless under direct immediate danger. One of the last things you want to do is congregate many people in to the same area which is why that's not what is done. The second thing you don't do is move around, movement = getting seen.

But that assumes that people who lock in place at the first sight.

 

Some of the plans apparently talked about things such as where they expect people to be flowing when a situation occurs with floor plans.  At least the school I was in there was also code words that the teachers would use for things such as all safe etc...which I'm assuming would be in similar plans, but also importantly there are many schools like where I went to school originally where the locks on the doors are none existent (or trivially broken).  Hunker in place simply doesn't work in situations where the rooms aren't protected.

[leadeater]

53 minutes ago, wanderingfool2 said:

but also importantly there are many schools like where I went to school originally where the locks on the doors are none existent (or trivially broken).  Hunker in place simply doesn't work in situations where the rooms aren't protected.

That still doesn't matter the best course is still stay in the classroom. You have no idea where is safe and when and you are talking about moving a classroom amount of people which is why not moving is the safest thing.

 

53 minutes ago, wanderingfool2 said:

At least the school I was in there was also code words that the teachers would use for things such as all safe etc

Most schools here use fire alarm ring code for all safe and the instruction is still stay in place until collected anyway.

 

What to do is so much different when talking about a school, teachers have the responsibility of protecting the students not themselves and ensure other students don't endanger the reset. It's honestly a really shit deal.

 

53 minutes ago, wanderingfool2 said:

Some of the plans apparently talked about things such as where they expect people to be flowing when a situation occurs with floor plans.

Through fire exits and walkways which isn't anything special. If you have a school map you already know, you don't need the school action plan.

 

Also schools practice these plans, none of this is secret. It just sounds worse than it actually is in reality.

 

Have a read from the bottom of page 18 onward:

https://assets.education.govt.nz/public/Documents/School/Supporting-students/Emergencies-and-traumatic-incidents/PLANNING-AND-PREPARING-FOR-EMERGENCIES.pdf

 

Quote

Lockdown:

Staff will move children and visitors into the closest school classrooms or inside areas of the early learning service and lock the doors immediately. The staff will take attendance, if possible, and prepare a list of missing and extra children/students in the room.

 

Everyone will remain in the room until further instruction is received from NZ Police or until a formal announcement is made signifying the end of the lockdown.

 

Quote

In the case of an intruder/attacker it may not be appropriate to sound any type of alarm – how will you communicate with staff?

 

[Monkey Dust]

On 1/12/2024 at 4:27 PM, TempestCatto said:

This shows how damn lazy these companies really are. Surely it can't cost that much to actually secure the data, right?

Won't someone think of the shareholders? Spending time and money on security is not time and money spent on making line go up.

 

Probably also doesn't help that contracts are awarded on either lowest cost, or who plays golf with who.