from the hack-attack dept
Well, that didn't take long. It was only a month or so ago that we brought to you the delightful news that software for monitoring the UK youth in classrooms was being recommended to comply with the UK's insane policy that conscripts teachers to watch out for scary future-Muslim-terrorists. The idea was that the software, from American company Impero Software, would report back to teachers should the children under their watchful gaze search around for terms deemed to be terrorist related. The teachers were then supposed to involve school admins, law enforcement, or parents as deemed necessary. Because, see, possible-might-be-future-terrorists sprouting up from our own children is a very scary, albeit not-yet-existing threat to something something.
Unfortunately, Impero's monitoring agents come with an actual threat of their own, thanks to a laughably clichéd security failure baked into the software's design.
Impero has a lot of power over its clients’ data, whether stored on PCs, servers or children’s personal technology. If compromised, it could expose reams of information on pupils, teachers and the school as a whole. And that’s certainly possible in light of the findings of researcher ‘raylee’, real name Zammis Clark, who discovered the Impero platform was using a default password of “password” to connect clients to its servers. “Basically, if you use Impero, please don’t,” the researcher wrote in a Github post describing the flaw and releasing attack code to prove the problem existed.

Impero set the software up so that the password between the students' devices and the server was "password." They made the password "password." Okay, here's a new rule for the world: if you're a company whose single reason for existing has anything to do with both technology and security, and you build your system so that it ships to customers and is allowed to work with a default password of "password", then you don't get to exist any longer. This is the kind of stuff people who work in IT consulting like me see all the time... at companies that don't have any actual IT staff onsite. But this came from the software designer itself. And the most hilarious thing? Well, part of Impero's response to the public disclosure was to release a fix... which failed to actually fix the exploit.
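To make the design point concrete, here is an added example written for this page; it is not Impero's code and does not model Impero's actual protocol, which the article describes only as far as the shared default password. It puts the shipped-default design (one hard-coded secret common to every install, plain string compare) beside a hardened variant (a secret generated per installation, refused at startup if it is a known vendor default or too short, and proven over the wire with an HMAC challenge-response instead of being sent). The class and function names, the deny-list, and the 16-byte minimum are this example's own assumptions.

```python
"""Hypothetical client/server enrollment model for the default-password flaw.

Example code written for this page; not Impero's software or protocol.
Names, the deny-list and the length policy are assumptions of the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# The shipped default the article describes.
SHIPPED_DEFAULT = "password"

# Assumed deny-list of common vendor defaults; a real check would load a longer one.
KNOWN_DEFAULTS = frozenset({"password", "Password1", "admin", "changeme", "123456"})

MIN_SECRET_LEN = 16  # assumed policy for this example


class DefaultPasswordServer:
    """Models the flaw: every install shares one hard-coded secret, so anyone who
    can reach the server port and knows the default can enroll a 'client'."""

    def __init__(self) -> None:
        self._secret = SHIPPED_DEFAULT
        self.enrolled: list[str] = []

    def enroll(self, host: str, presented: str) -> bool:
        # Plain compare against a constant shared by every customer; no per-install state.
        if presented == self._secret:
            self.enrolled.append(host)
            return True
        return False


class ProvisionedSecretServer:
    """Hardened variant: per-installation secret, refused if it is a known default
    or too short, and never transmitted (HMAC challenge-response instead)."""

    def __init__(self, install_secret: str) -> None:
        if install_secret in KNOWN_DEFAULTS:
            raise ValueError("refusing to start with a vendor default secret")
        if len(install_secret.encode()) < MIN_SECRET_LEN:
            raise ValueError("install secret too short")
        self._key = hashlib.sha256(install_secret.encode()).digest()
        self.enrolled: list[str] = []
        self._pending: dict[str, bytes] = {}  # host -> outstanding nonce

    def challenge(self, host: str) -> bytes:
        """Server -> client: a fresh random nonce, valid for one enrollment attempt."""
        nonce = secrets.token_bytes(32)
        self._pending[host] = nonce
        return nonce

    def enroll(self, host: str, response: bytes) -> bool:
        """Client -> server: HMAC(secret, nonce). Constant-time compare; one use per nonce."""
        nonce = self._pending.pop(host, None)
        if nonce is None:
            return False  # no outstanding challenge: replay or out-of-order message
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.enrolled.append(host)
            return True
        return False


def provision_install_secret() -> str:
    """What an installer should do once per site instead of shipping a constant."""
    return secrets.token_urlsafe(32)


def client_response(install_secret: str, nonce: bytes) -> bytes:
    """Client side: proves knowledge of the secret without sending it."""
    key = hashlib.sha256(install_secret.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    """Runs both servers against a legitimate client and an attacker who only
    knows the shipped default (constructed scenario); returns the outcomes."""
    weak = DefaultPasswordServer()
    attacker_joins_weak = weak.enroll("attacker-laptop", SHIPPED_DEFAULT)

    try:
        ProvisionedSecretServer(SHIPPED_DEFAULT)
        starts_with_default = True
    except ValueError:
        starts_with_default = False

    site_secret = provision_install_secret()
    strong = ProvisionedSecretServer(site_secret)

    nonce = strong.challenge("classroom-pc-01")
    legit_response = client_response(site_secret, nonce)
    legit_joins = strong.enroll("classroom-pc-01", legit_response)

    nonce = strong.challenge("attacker-laptop")
    attacker_joins_strong = strong.enroll("attacker-laptop", client_response(SHIPPED_DEFAULT, nonce))

    # Sniffed the legitimate response? It was bound to a nonce that is already spent.
    strong.challenge("attacker-laptop")
    replay_joins = strong.enroll("attacker-laptop", legit_response)

    return {
        "attacker_joins_weak": attacker_joins_weak,
        "starts_with_default": starts_with_default,
        "legit_joins": legit_joins,
        "attacker_joins_strong": attacker_joins_strong,
        "replay_joins": replay_joins,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The startup refusal is the part that matters most for a vendor "fix": swapping one hard-coded constant for another would still be rejected by the deny-list and length checks only if the constant is short or well known, so the real fix is generating the secret per installation, which is why the installer step is the one that does it.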
The researcher told FORBES that if an attacker can gain access to the Impero server, all connected machines “are completely open to compromise”, due to the apparent lack of decent authentication. “Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability,” he added.
The other part of Impero's response was to go all legal on the security researcher for publishing the exploit in the first place, because of course it was.
In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

Excuse me, but no customers have been affected by this exploit... yet. And now they probably won't be, assuming your team can get a proper fix in place. And the youth of the UK will have the security researcher to thank for it, since that appears to be what lit a fire under your collective asses to get this thing fixed. The marketing director also had this to say.
In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”
This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access. We have been in communication with all our customers throughout.

Interesting response. By that logic, an antivirus maker could ship software that does nothing at all and then claim that, as long as customers keep a perimeter firewall up and browse sensibly, the non-working product would prevent malware just fine. And "local network access" is exactly what a phished laptop, a malware-infected classroom PC, or a student sitting in the computer lab already has, as the researcher pointed out. If Impero isn't going to bother with basic password security in its own product, it probably shouldn't be lecturing its customers about basic security best practices.
Or we could just side-step this whole problem by not using Impero's software.