Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable

from the hack-attack dept

Well, that didn't take long. It was only a month or so ago that we brought to you the delightful news that software for monitoring the UK youth in classrooms was being recommended to comply with the UK's insane policy that conscripts teachers to watch out for scary future-Muslim-terrorists. The idea was that the software, from American company Impero Software, would report back to teachers should the children under their watchful gaze search around for terms deemed to be terrorist related. The teachers were then supposed to involve school admins, law enforcement, or parents as deemed necessary. Because, see, possible-might-be-future-terrorists sprouting up from our own children is a very scary, albeit not-yet-existing threat to something something.

Unfortunately, Impero's monitoring agents themselves come with an actual threat, thanks to the laughably clichéd security failures in the software's design.

Impero has a lot of power over its clients’ data, whether stored on PCs, servers or children’s personal technology. If compromised, it could expose reams of information on pupils, teachers and the school as a whole. And that’s certainly possible in light of the findings of researcher ‘raylee’, real name Zammis Clark, who discovered the Impero platform was using a default password of “password” to connect clients to its servers. “Basically, if you use Impero, please don’t,” the researcher wrote in a Github post describing the flaw and releasing attack code to prove the problem existed.

The researcher told FORBES that if an attacker can gain access to the Impero server, all connected machines “are completely open to compromise”, due to the apparent lack of decent authentication. “Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability,” he added.
Impero set the software up so that the password between the students' devices and the server was "password." They made the password "password." Okay, here's a new rule for the world: if you're a company whose single reason for existing has anything to do with both technology and security, and you create your system in such a way that it ships to your customers and is allowed to work with a default password of "password", then you don't get to exist any longer. This is the kind of stuff people like me who work in IT consulting see all the time... at companies that don't have any actual IT staff onsite. But this came from the software designer itself. And the most hilarious thing? Well, part of Impero's response to the publishing of the exploit was to release a fix after its disclosure... which failed to actually fix the exploit.

The other part of Impero's response was to go all legal on the security researcher for publishing the exploit in the first place, because of course it was.
In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”
Excuse me, but no customers have been affected by this exploit... yet. And now they probably won't be, assuming your team can get a proper fix in place. And the youth of the UK will have the security researcher to thank for it, since that appears to be what lit a fire under your collective asses to get this thing fixed. The marketing director also had this to say.
This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access. We have been in communication with all our customers throughout.
Interesting response. I'm sure antivirus makers, under the notion above, could simply release software that didn't actually do anything and then claim that if customers have a perimeter firewall up and use basic browsing common sense, their non-working software would work just fine to prevent malware. If Impero isn't going to bother with basic best practices for passwords, it probably shouldn't be issuing lectures to its customers about basic security best practices.

Or we could just side-step this whole problem by not using Impero's software.

Filed Under: copyright, radicals, security, students, threats, uk, zammis clark
Companies: impero


Reader Comments


  • That One Guy (profile), 16 Jul 2015 @ 2:44am

    Well he got it half right at least

    He released the vulnerability publicly, but he forgot to do it anonymously.

    In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”

    Hey, that's a good point, clearly he should have privately gone to them first, I'm sure they would have acted responsibly, thanked him for his discovery, promptly admitted that the vulnerability existed, and got right on fixing it.

    In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

    ... or not, if their reaction is anything to go by.

    Had he done the stupid thing and gone to them first, I have absolutely no doubt they would have accused him of violating the terms of the software, just like they did here, along with including a hefty threat should he go public with his findings.

    Once again the message is clear, though apparently this particular researcher forgot it: Always go public with your findings, always do it anonymously, and never try and contact the company in question beforehand. Break the 'rule' and you'll be sued into the ground, and the problem will never be fixed.

    • John Fenderson (profile), 16 Jul 2015 @ 7:44am

      Re: Well he got it half right at least

      Pro tip: if the terms and conditions for a piece of software specifically call out that "hackers looking for security issues are not welcome," you can be 100% certain that the software has some serious security issues.

  • Agonistes (profile), 16 Jul 2015 @ 3:31am

    Impero must have some really hot women working in their PR and client outreach departments.

  • spodula, 16 Jul 2015 @ 3:58am

    Intimidation.....

    "including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. "

    I'm sure the hackers responsible for the likes of Cryptolocker are running scared now...

    • Anonymous Coward, 16 Jul 2015 @ 4:28am

      Re: Intimidation.....

      So their idea of security is to tell bad guys they're not welcome, and thus security is achieved?

      Someone get the US Government on the line, I think we have the solution to their encryption problem.

  • Klaus, 16 Jul 2015 @ 4:43am

    Flawed thinking from the get go

    From Forbes: "...when any youngsters look at certain material on the web..."

    So the idea is that when schoolchildren look up terrorist related material on the web they are flagged up and reported to the authorities, well, what happens if a bright and inquisitive schoolchild has an interest in current affairs and is wondering what gives with all this "terrorist" talk that grownups engage in, and googles said stuff?

    http://news.bbc.co.uk/1/hi/uk/6359363.stm

    Bad in 2007 and not getting any better...

  • Anonymous Coward, 16 Jul 2015 @ 6:03am

    I guess hacking does not now mean what it used to.

    Apparently people at Impero have watched too many bad hacker movies where several passwords are entered before shouting "I'm In" and they thought that was cool.

    On a side note, are UK students forced to use this crappy spyware on their own machines, or is it on school machines only?

    Better not eat Ike & Mikes in front of the computer spy cam.

  • Josh in CharlotteNC (profile), 16 Jul 2015 @ 6:45am

    "This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access."

    I'm guessing no.

    Does anyone with even a tiny bit of IT security experience think for a second that software setup with no authentication and a default password of "password" has no other glaring security holes?

  • Anonymous Coward, 16 Jul 2015 @ 7:35am

    >if an attacker can gain access to the Impero server, all connected machines “are completely open to compromise”.

    Well duh, that's how most server-client setups work creepy spyware or not.

  • Anonymous Coward, 16 Jul 2015 @ 8:10am

    This is why - and I say this as a software engineer - we need liability for software products, just like every other product.

    (see Dan Geer's talk last year for a decent framework for liability to start with)

    • Anonymous Coward, 16 Jul 2015 @ 10:18am

      Re:

      When software can be subjected to holistic testing, such as the crash testing carried out on cars, or running them for thousands of miles on cobbles, then it may be possible to get relevant liability insurance. Until that is possible, failure modes that a user can find will exist in software, because it is impossible to test all combinations of input data and user triggered actions.
      That said, the case under discussion may contain grounds for legal action, as it can be described as gross negligence due to the vendor ignoring a well known and well publicised problem.

  • Anonymous Coward, 16 Jul 2015 @ 8:35am

    Were these some of those "front doors" FBI's Commie is so fond of?

  • Anonymous Coward, 16 Jul 2015 @ 8:57am

    I like how he should have come to them first to let them know their password

  • mattshow (profile), 16 Jul 2015 @ 9:41am

    Impero set the software up so that the password between the students' devices and the server was "password."

    That...that is just babytown frolics.

  • Anonymous Coward, 16 Jul 2015 @ 10:53am

    Why didn't the purchasers of the software insist on a third-party, independent security audit of the software BEFORE buying?

  • ComputerCOP, 16 Jul 2015 @ 5:35pm

    Holy cow! Someone call Guinness, 'cause this is spooky: Impero uses the same default password that we use.

    What are the odds?! Even if we restrict ourselves to case-insensitive letters only, it must be somethin' like 1 in 26^8. I mean, like, cue the Twilight Zone theme, man...

  • WaitWot, 16 Jul 2015 @ 7:52pm

    Hacking shmacking

    "including a stipulation that the software not be tampered with"

    Impero assumes the researcher hacked their product, so the onus of proof would need to be on them to unequivocally show this was the case.

    Meanwhile there's like a gazillion websites with 'most common password' lists... who's to say the researcher didn't start at the top of the list and bingo, 1-3 entries down the list he's in.

    If I was the researcher my response to Impero would be a clear and concise GFY

    • John Fenderson (profile), 17 Jul 2015 @ 8:25am

      Re: Hacking shmacking

      " who's to say the researcher didn't start at the top of the list and bingo, 1-3 entries down the list he's in"

      A depressingly large number of people consider this "hacking".
