STE WILLIAMS

Unsecured database exposed diabetics’ sensitive data

Diabetes: it’s a killer, both literally and figuratively.

The Type 2 market is predicted to almost double, from $31.2bn in 2015 to $58.7bn by 2025.

It’s great if you’re an investor, horrible if you’re a diabetic struggling to afford pricey drugs, devices and treatments. So it’s understandable why elderly diabetics, eager to sign up for programs that promise discounts on diabetic supplies, would hand over sensitive financial and health information to telemarketers – in other words, to complete strangers.

Unfortunately, because of that willingness, 918,000 seniors now have even more to worry about than diabetes. Their records have been discovered, freely available online, left exposed for months by a software developer who’d been working on a project for a telemarketer. He’d uploaded a backup of the telemarketer’s database to the internet and left it wide open.

The database was discovered by a Twitter user named Flash Gordon – @s7nsins – on what turned out to be an Amazon Web Services (AWS) instance at an IP address. Flash Gordon found it by using Shodan, a search engine for connected devices that crawls the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.

Shodan has powered the discovery of a laundry list of leaky databases. It’s been used to index internet-connected baby monitors, for one. Another target has been improperly configured MongoDB databases, like those at MacKeeper, Sanrio’s Hello Kitty, kid site uKnowKids and Hzone, a dating app for HIV-positive people, among others.

On March 25, Flash Gordon reached out to DataBreaches.net – a data security blog run by a health care professional – about the discovery of the telemarketer database. In turn, DataBreaches.net called on ZDNet’s Zack Whittaker and Troy Hunt, who runs Have I Been Pwned, to help investigate.

What they found: the records weren’t from a health insurer. Nor were they from any other entity covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to DataBreaches.net’s writeup.

Rather, it was plain that they came from a telemarketer, given that the records contained scripts to follow when calling patients, along with notes about the individuals listed in the database.

They also contained both personal and health information: names, addresses, dates of birth, telephone numbers, email addresses, taxpayer IDs, health insurance carrier, policy numbers, and information about what types of health problems the individuals had in terms of needing diabetic supplies, back braces, or pain gel, according to DataBreaches.net.

Given the timeline, I’m guessing that the screenshot below, posted by Flash Gordon on March 25, shows some of the table rows in question. You’ll notice that the final rows refer to insulin and “AtHomeTesting”: presumably a reference to blood sugar testing.

The records also contained fields populated with sensitive information that would be a goldmine to spearphishers or other scammers: that a given individual was blind, for example, that they’d suffered a stroke, or that they had an aide or a child helping them out… and what those assistants’ names were.

Not everybody listed in the database had handed over their health insurance information. But most did, DataBreaches.net said:

It appeared that although a few people were reluctant or declined to give out their health insurance information, many people seemingly gave out their health insurance information to total strangers for the promise of diabetic supplies at lower prices, pain gels, or even free back braces.

The IP address was owned by a company called MediBoxSolutions.com. That website was owned by a developer named Daynier Brown. According to ZDNet’s Whittaker, Brown had intended the site to eventually provide database solutions for medical providers.

Brown told Whittaker in a phone call last week that he’d gotten a copy of the database when he was working for an outfit called HealthNow (not to be confused with HealthNow New York, Inc., which is an independent licensee of Blue Cross Blue Shield).

HealthNow is owned by Dino Romano, whom Whittaker identified as “a former Unistar executive and securities fraud recidivist”.

HealthNow went belly up in 2015 after failing to file an annual report with Florida authorities. It’s one of many companies that Romano opened and quickly closed, in seemingly disparate fields, including diabetes supplies, education advising, telemarketing, wellness management and more.

Brown told ZDNet that he found the backup on a failing hard drive in a development server he owned that was left over from the HealthNow project. He put the data onto his AWS instance, which in turn pointed to his MediboxSolutions.com site.

Brown told Whittaker that MediboxSolutions.com never did provide the database solutions he had intended it to because it was “too much work.”

He gave more details on that:

The data in question was an old system that I developed for healthnow.co in recent years. The files were temporarily placed on the server to get the old crm up and running as the box that I had it sitting on had drive issues and could not run the related platform properly. The system was found to be too unstable and I opted to start a different crm flavor on a MEAN stack. Frankly, I found myself without the time to venture further into it and put the project on hold.

“On hold?” Is that another way to say “stored in an unencrypted format online where anybody playing around with Shodan could have a look at it”?

As of Friday, when ZDNet published its writeup, Brown hadn’t yet told Whittaker why he’d left the database unencrypted … nor why he retained the database after he stopped working for HealthNow three years ago … nor how many distinct IP addresses had improperly accessed the data during the months it was on the AWS instance.

It’s since been deleted.

ZDNet and DataBreaches.net gave a copy of the database to Troy Hunt, over at Have I Been Pwned: a breach notification site that lets you look up your email address or user name to see if you’ve been swept up in a breach.

Hunt determined that the database contained 321,920 unique email addresses. When it comes to reaching out to inform all those involved in the breach, those hundreds of thousands of emails are a start, at least. At any rate, Hunt said that about 80% of the records were already in his database.

If you’re concerned that you might have been affected by the breach, you can look yourself up on Have I Been Pwned.

For future reference, the next time a telemarketer offers you a great deal on diabetes supplies and in return wants to know your doctor’s name, your social security number, personal details about your condition and more, bear in mind that you don’t know whether the caller is legit or a scammer (it’s happened before with diabetes-related fraud). Even if the caller is legit, those details could wind up in replicated databases that appear who knows where, like in this case.

It doesn’t take an intentional crime for all your personal and medical information to be spilled on the internet. It could just be sheer sloppiness.

To an ID thief or a phisher, it doesn’t matter how or why your details have shown up. All that matters is that they did.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iyp9ztoWKw8/

Pwned at the factory: attackers think outside the box

We all know that feeling of unboxing a cherished new tech toy. It’s such a part of tech culture now that people post online videos dedicated to carefully prising open the packaging, fondling the product, and turning it on with a hushed sense of awe. But as it turns out, your shiny new product may not be entirely unsullied; someone might have already infected it with malware.

Check Point analysed Android devices owned by two large companies, and found malware infections in 36 of them. Moreover, the users hadn’t downloaded the malware; it arrived with the devices, meaning that it was installed somewhere along the supply chain.

The malware in the phones ranged from adware that displayed illegitimate commercials, through to information stealers. There was even a mobile ransomware instance lurking on some of the phones. In this case, attackers installed malware on device ROMs using system privileges, meaning that the user couldn’t get rid of it.

What’s in the box?

The fact that someone installed this malware on the phones before users got the devices raises concerns about the security of the supply chain. A device goes through multiple stages at the factory before shipping to logistics companies that may hand it off to yet more logistics firms multiple times. Eventually, it will hit the local sales channel, where again there are many opportunities for malicious actors to get their sticky hands on it.

This isn’t the first time that an Android phone has shipped with something nasty under the hood. In 2014, phones from Chinese manufacturer Star were infected by spyware integrated directly into the firmware that sent personal data back to Chinese servers and also allowed its controllers to install additional applications. In December 2016, Dr Web discovered trojan software in the firmware of 26 Android devices.

There have been cases of supply chain compromise in other devices, too, with malware turning up in something as innocuous as a digital picture frame. In 2011, Microsoft researchers bought a Windows laptop from a computer reseller in Shenzhen which had been “carelessly or intentionally infected” with the botnet malware Nitol.A.

Sometimes, vendors willingly install software at the factory in the mistaken belief that customers will be okay with it. Lenovo installed Superfish, an adware product that also served up man-in-the-middle certificates. Some antivirus software even detected it as a virus.

Perhaps the most insidious supply chain compromise yet, though, is the one carried out by the US government itself. Glenn Greenwald’s book No Place To Hide revealed how the NSA systematically intercepts the delivery of computer network devices and redirects them to a secret Tailored Access Operations location. There, its operatives install “beacon implants” before repackaging the devices and sending them on their way. This then gives the organization direct access to “hard target” networks around the world.

Such was the outrage about the NSA’s campaign over at Cisco that it began shipping boxes to vacant addresses for its more sensitive customers, making it more difficult for government spooks to identify shipments destined for interesting targets.

The problem with the digital supply chain is that it has many moving parts, including not only the various vendors that make the hardware, software and firmware in the final box, but also the people that create the standards they’re based on.

For example, when Juniper discovered that someone had tampered with its source code and produced a backdoor, it turned out that the attackers had exploited weaknesses in the Dual_EC encryption method – weaknesses that some have said were intentionally left there during the standardisation process. This is part of a broader NSA project – Bullrun – that was revealed in the Snowden files.

What to do?

What can people do about compromises that happen even before they receive their device? In an ideal world, you’d audit everyone in the supply chain to see how well their cybersecurity practices stood up, but in a world where you often don’t get to see who’s involved three or four hops along that chain, it’s simply too resource-intensive an idea for one customer to pursue.

There are all kinds of best practices to help minimise the risk of compromise. Only buy from top-name vendors. Check which encryption standard the vendor is using and see if it has a known weakness. Use multiple encryption technologies anyway, rather than relying on the manufacturer’s chosen one. Segment assets that hold data from each other, so that if one device or network segment is compromised, attackers can’t move laterally through the organization.

Another more controversial measure might be to look at the product’s own technology ecosystem and conduct a risk analysis. Android phones are the ones getting pwned at the factory because it’s an open source operating system and manufacturers have a great deal of latitude in terms of how they configure it.

These are all worthwhile measures that can help protect you against a variety of attacks, but ultimately, none of them can guarantee you a clean device. We have economics to thank for that. One characteristic of an economy with cheap transportation is the fragmentation of the production process, and the introduction of many different players, often half a world away. You’ll never meet, but every once in a while, someone in that supply chain might decide to send you a little something extra, hidden away in a binary somewhere.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z80ecvQ0V_s/

Nothing is certain except death, taxes – and tax scams, phishing and ransomware

It should be no surprise this time of year that criminals are once again taking advantage of our focus on taxes and our hope to get some money back from the government. In this day and age we may need to update the old Benjamin Franklin adage “Nothing can be said to be certain, except death and taxes” to include phishing and malware.

This year is certainly a little different in that we are not just seeing phishing attacks, but also document attacks that are delivering ransomware strains like Locky.

If you are a subject of Her Majesty living in the UK, you may see phishing attacks that are quite convincingly mimicking HMRC. This year they mostly promise refunds due for modest amounts to get you to click the link.

If you were convinced to click through, you would be delivered to a seemingly legitimate site asking for your name, address, phone, credit card details, mother’s maiden name and ID numbers. Interestingly, the link to the Welsh version of the site was broken.

[Images: HMRC phish 2017; HMRC phish site 2017]

We are seeing similar lures for France as well. The emails and web sites are quite well crafted and you could understand how people may become victims.

[Images: French phish 2017; French phish site 2017]

It isn’t tax season yet in Australia (although, even so, we have seen a few ATO phishes), but that isn’t stopping phishers from targeting Australia’s MyGov accounts. Sadly, the consolidation that makes government services easier to access for residents also attracts criminals. The only way to know this one isn’t real is to realize it shouldn’t be on a compromised Italian WordPress site.

[Images: Australia MyGov phish; Australia MyGov phish site]

Lastly, the Americans. Too big an opportunity to pass up, as we have been seeing both phishing and document attacks since Friday April 7, leading to information theft and ransomware. The left email leads to data theft (copied from an HMRC phish, note the “Crown Copyright”); the right contains a .docx attachment with a malicious macro and script.

[Images: IRS ID theft phish 2017; IRS phish ransomware doc 2017]

The phishing attempt here asks for a lot more information than needed for simple tax fraud, including credit card PIN, driver’s license, and email password, which means they are likely using this information for full-fledged ID theft as well.

[Images: IRS phish site 2017; IRS phish site 2]

The document attached to the second IRS scam follows a familiar pattern for those following the scourge of ransomware-poisoned Office documents. It asks you to enable a macro that decodes a JavaScript file that retrieves a copy of Locky ransomware from a compromised blog.

[Image: Malicious document from IRS phish]

There’s nothing special about tax season; we need to stay on our toes all year round. This is just a reminder that these tricks can be very sophisticated and we need to stay vigilant. Your tax agency will never email you a refund, and if you have any questions, always contact them through their official government websites.

Sophos detects the malicious document as Troj/DocDl-IPH and payload as Mal/Generic-S, and these emails are blocked by Sophos email products. Sometimes phishing can only be prevented through careful habits and we can help with that too. Sophos Central now offers Sophos Phish Threat to teach and test your security awareness initiatives, including a free 30-day trial.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/973aSdTPL0I/

Attackers using a Word zero-day to spread malware

Attackers are using a previously undisclosed security hole in Microsoft Word to install a variety of malware on victims’ computers. Microsoft knows about the zero-day and is expected to patch it later today. As we await that security update, here’s a review of the bug and the available defenses.

In its investigation, SophosLabs determined that exploits against this vulnerability have been happening for some time. SophosLabs principal researcher Gábor Szappanos said:

This vulnerability has been used for months in targeted attacks. Most of the activity went on in March-April 2017, but the first sample we could locate dates back to November 2016.

What we know so far

The vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort. 

In this case, the booby-trapped server sends out a compiled HTML file with an embedded program script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

Naked Security’s Paul Ducklin reviewed SophosLabs’ findings and said of the attack technique:

It’s a bit like wearing overalls to get into a fancy dinner party venue by blagging your way in the front door as the plumber come to do a quick check for a possible leak in the Gents. Once inside, you strip off to the dinner jacket you’re wearing under the overalls, so you now pass muster as a dinner guest, with everyone assuming you showed your invitation at the door already. Dressed up properly in the DJ wouldn’t have got you in through the lobby at the start, because of no invitation, and the overalls wouldn’t have got you into the dining room, because of violating the dress code. So you wear the right clothes at the right moment and subvert both places where you would otherwise get spotted.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.

Additional defensive measures

As mentioned, Microsoft will release a patch for the vulnerability. Meantime, Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

Additional advice, for this threat and many others, includes the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  • It appears that attacks seen in the wild thus far can’t bypass the Office Protected View, which means enabling it may provide some extra protection.
  • Watch for Microsoft’s patch, and – once it’s released – install it immediately.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped Word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.
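As an added example (not code from the article or from Sophos), the following Python heuristic flags the structural markers of the first-stage RTF downloader described above: an embedded OLE object that Word refreshes on open whose object data carries a URL. The RTF control words are from the RTF specification; the sample documents and the example.invalid host are constructed fixtures, not real indicators.

```python
"""Heuristic scanner for RTF files carrying auto-updating OLE links.

Added example, not code from the article or from Sophos. It flags the
structural markers of a first-stage RTF downloader: an OLE object that Word
refreshes on open (objautlink / objupdate) whose objdata hex payload contains
a URL. The RTF inputs below are constructed test fixtures; the example.invalid
host is a placeholder, not a real indicator.
"""
import re
from typing import Dict, List

# RTF control words that make Word refresh a linked object when the file opens.
AUTO_LINK_WORDS = (b"\\objautlink", b"\\objupdate")

# Hex digits (whitespace allowed) after \objdata, up to the next control word or brace.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+?)(?=[\\}])")

# URL-looking runs inside decoded object data.
URL_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]{4,}", re.IGNORECASE)


def decode_objdata(raw: bytes) -> bytes:
    """Turn the hex text after objdata back into bytes, tolerating whitespace."""
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]  # drop a dangling nibble from a truncated blob
    return bytes.fromhex(hexdigits.decode("ascii"))


def find_urls(blob: bytes) -> List[str]:
    """Find URLs in object data, in both 8-bit and UTF-16LE form.

    OLE monikers usually store the link target as UTF-16LE; stripping NUL bytes
    collapses ASCII-range UTF-16LE text to ASCII regardless of alignment.
    """
    urls = set()
    for data in (blob, blob.replace(b"\x00", b"")):
        for m in URL_RE.finditer(data):
            urls.add(m.group(0).decode("ascii", "replace"))
    return sorted(urls)


def scan_rtf(data: bytes) -> Dict[str, object]:
    """Return the indicators found in an RTF file and a verdict string."""
    result: Dict[str, object] = {"auto_link": False, "urls": [], "verdict": "clean"}
    if not data.lstrip().startswith(b"{\\rt"):  # {\rtf1 header; Word tolerates truncated variants
        result["verdict"] = "not-rtf"
        return result
    result["auto_link"] = any(word in data for word in AUTO_LINK_WORDS)
    urls: List[str] = []
    for m in OBJDATA_RE.finditer(data):
        urls.extend(find_urls(decode_objdata(m.group(1))))
    result["urls"] = sorted(set(urls))
    if result["auto_link"] and result["urls"]:
        result["verdict"] = "suspicious: auto-updating OLE link to remote content"
    elif result["auto_link"] or result["urls"]:
        result["verdict"] = "review: partial indicators"
    return result


def _objdata_hex(payload: bytes) -> bytes:
    return payload.hex().encode("ascii")


# Constructed fixture: an object flagged for automatic update whose data carries
# a UTF-16LE URL, the shape a remote-content downloader takes.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
    b"{\\*\\objclass Word.Document.8}{\\*\\objdata "
    + _objdata_hex(b"\x01\x05\x00\x00\x02\x00\x00\x00"
                   + "http://example.invalid/refresh.hta".encode("utf-16-le"))
    + b"}}\\par Figures attached.}"
)

# Constructed fixture: an ordinary embedded (not linked) object with no URL.
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
    b"{\\*\\objdata 0105000002000000}}\\par Hello}"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

A hit from this check is a reason to keep the file in Protected View and decline the “load remote content” prompt, not a malware verdict on its own.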


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/A-4mynnpDb4/

Oh my Microsoft Word: Dridex hackers exploit unpatched flaw

Cybercrooks are actively exploiting an unpatched Microsoft Word vulnerability to distribute the Dridex banking trojan, claim researchers.

Booby-trapped emails designed to spread the cyber-pathogen have been sent to hundreds of thousands of recipients across numerous organisations, according to email security firm Proofpoint.

The switch to document exploits by the hackers represents a change of tactics by a group that previously leaned heavily on malicious macros to distribute their wares.

The Word document exploit at the centre of the attack was only discovered last week, so its abuse represents a rapid weaponisation of the exploit.

FireEye researchers who discovered a bug in Word’s Object Linking and Embedding technology were working with Microsoft, but were pre-empted by a disclosure from McAfee, as previously reported.

An update addressing the flaw is anticipated in April’s edition of Redmond’s Patch Tuesday later today. A Microsoft spokesman told the BBC: “We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically.”

Sherrod DeGrippo, director of emerging threats at Proofpoint, commented: “Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers’ toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/dridex_cybercrooks_abuse_word_exploit/

Homes raided in North West over data thefts from car body repair shops

Two properties in the North West were raided this morning as part of an ongoing investigation into nuisance calls related to data thefts from car body repair shops.

The pair of search warrants — which had been obtained in court by the Information Commissioner’s Office — were executed this morning at homes in Macclesfield and Droylsden by the ICO, which informed The Register that it was usual practice for its officers to be accompanied by police in these circumstances.

The searches relate to an ongoing investigation into nuisance calls, which are made to people to encourage them to make personal injury claims following road traffic accidents. The same investigation also saw a business and two homes in Macclesfield and Heald Green searched by ICO officers back in December.

According to the ICO, the investigation was initially prompted by complaints from car body repair centres and the National Body Repair Association (NBRA). The NBRA responded to The Register’s enquiries by directing us to a statement made at the time of another raid in February, this time at a property in the Palmers Green area of London.

This was described as part of an investigation into the “illegal access of customer details from a nationwide car repair company” which it identifies as the Norfolk Accident Rescue Service, although it is unclear if this is part of the same investigation as that which led to today’s raids.

“NARS told investigators that a computer system it uses had been unlawfully accessed to view car repair estimates which contained personal data,” it said, adding that “the person of interest to the search warrant carried out today is not a current employee of NARS.”

At the time, Jason Moseley, the director of NBRA, commented: “We are delighted that further actions are being taken against this criminal activity, our trade association stands firmly in support of NARS and others for their work with the ICO.”

Mike Shaw, the enforcement group manager at the ICO, said: “Many people get unsolicited calls suggesting they’ve been involved in an accident, and wonder how the caller had their details. Calls can leave them feeling uneasy and frustrated.

“We’re working hard to crack down on the illegal trade of personal details that fuel this part of the nuisance call industry. In December we searched three properties as part of an investigation focused on the North West. That investigation has now progressed, enabling us to search two homes today in order to gather more evidence.”

The ICO declined to comment regarding the nature of the data theft. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/homes_raided_in_north_west_over_data_thefts_from_car_body_repair_shops_and_nuisance_calls/

UK Loan Firm Wonga Suffers Financial Data Breach

Customers in the UK and Poland may have had their bank account details compromised.

British payday loan company Wonga has admitted to suffering a data breach affecting 245,000 customers in the UK and probably 25,000 in Poland, BBC News reports. The company is investigating what is “looking like one of the biggest” data breaches in the country involving financial data.

What could be a serious issue in the Wonga breach is the likely theft of customer bank account details including sort codes and the last four digits of bank cards. Earlier major hacking incidents in the country, like those linked to TalkTalk and Yahoo, did not involve financial data.

The Information Commissioner’s Office has said: “All organizations have a responsibility to keep customers’ personal information secure. Where we find this has not happened, we can investigate and may take enforcement action.”

The company does not think its loan account database has been compromised, but nevertheless asked customers to be alert. It has set up a helpline and help page for those affected.

Read more on BBC News.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/uk-loan-firm-wonga-suffers-financial-data-breach/d/d-id/1328603?_mc=RSS_DR_EDT

Computer Engineer Charged with Theft of Proprietary Computer Code

Zhengquan Zhang arrested for stealing over 3 million files containing company trade secrets from his employer, a global finance firm.

Zhengquan Zhang of California has been arrested and charged by a US federal court with stealing trade secrets from his employer, a New York financial services firm. A US Department of Justice (DoJ) release says that between March 2016 and March 2017, Zhang stole over three million files of confidential data and computer code.

According to the DoJ, Zhang stole the company’s source code for algorithmic trading models and trading platforms by installing code that gained access to the network’s encryption keys. He allegedly also stored the stolen files on his employer’s network before installing further code to transfer the data to a third-party software development site.

William F. Sweeney Jr. of the FBI says, “Proprietary computer code may not be a tangible asset that people can observe, but it is indeed one of the most critical assets that companies possess.”

Zhang is also accused of illegally accessing the computers of his co-workers by stealing user credentials.

Read details here.


Article source: http://www.darkreading.com/attacks-breaches/computer-engineer-charged-with-theft-of-proprietary-computer-code-/d/d-id/1328602?_mc=RSS_DR_EDT

When Hacks Are about Image instead of Money

If you think fake news is a problem, how about the possibility of fake medical or financial information making the rounds with no way to verify its legitimacy?

Recent leaks, intelligence reports and the world’s response to them have set a new precedent. Cyberattacks are no longer just for the sake of siphoning data or extortion, but for discrediting their targets, be they large entities or individuals.

Incidents, ranging from the DNC hack to the record compromises of Yahoo, have been more than opportunistic — they’ve happened with full intent to mar and compromise the target’s image. Regardless of who did it, there was no ransom, there was no financial information stolen. Instead, there were seemingly purposeful leaks, timed breaches, and the expected public fallout.

And because these campaigns were successful, we’re likely to see an increase in cyberespionage and sabotage campaigns in the year to come. Now, more than ever, we need to shore up our defenses or continue to suffer attacks on public image and reputation that could have impactful and long-term effects.

It’s Already Happening
The incidents I briefly touch on above are not the first of their kind. The Sony Pictures hack and the Ashley Madison breach are two prime examples.

At Sony, attackers destroyed data and leaked compromising emails, and they aired the dirty laundry of company employees and contacts. Monetary gain was never the goal of the hack; the goal was to bend the company into submission, allegedly so that it would not release the movie The Interview.

At Ashley Madison, the breach exposed the data of users looking for clandestine affairs via the website. If an important name was on the list and a malicious actor caught wind of it, it was certain to become a problem for that individual. It sent users into a panic. And the company itself was caught using fem-bots and other underhanded measures to entice users. The fallout was real.

Most hacks damage a target’s reputation, especially for not being able to protect itself. But something has changed, and now we see more high-profile hacks where the main objective is to damage the victim’s public image. And now, the trend has slowly grown to become a real problem we will have to deal with in 2017 — even if you are not a Presidential candidate or media megabrand.

Tampering and Tarnishing People
The biggest risk from these hacks is not the exposure of personally identifying information, but the erosion of trust in our organizations and notable figures. This is because cyberespionage and sabotage campaigns don’t just deal in leaked information. Once a hacker gains high-privilege access to a network, he or she can change internal data and public-facing assets, and even insert fake data. If you think fake news is a problem, what about the possibility of fake medical or financial information making the rounds with no way to verify its legitimacy?

Unfortunately, like most issues in security, there isn’t a straightforward solution to the problem. It’s impossible to predict how extortion can take place, or what data will be used to tarnish the victim’s image.

There are the normal steps to safeguard sensitive data — e.g. multi-factor authentication, segmenting networks, encryption, and training. But it will remain difficult when just one click on a phishing email by an inattentive user could mean it’s too late. And the slew of smart devices invading networks, often unbeknownst to IT, is another issue.

Still, there is good reason for optimism in new, automated technology that leverages machine learning and automated intelligence. These tools will help the human element in security address these higher-level concerns, and perhaps do something about the attacks on trust we will continue to face.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]


Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler’s Office of the CISO. Zscaler has built …

Article source: http://www.darkreading.com/endpoint/when-hacks-are-about-image-instead-of-money/a/d-id/1328599?_mc=RSS_DR_EDT

Ofsted downplays site security concerns

UK school regulator Ofsted has downplayed security concerns about its website, adding that its policies will be further reviewed once a planned revamp is completed.

El Reg learnt of the concerns from parent Oli, who approached us after failing to receive a response to his concerns either from Ofsted (Office for Standards in Education, Children’s Services and Skills) or data privacy regulators at the ICO (Information Commissioner’s Office).

Oli’s main concern was the complete absence of any form of identity validation on the Ofsted-run Parent View site. The site is used by parents to provide feedback that contributes to a school’s Ofsted report. Anyone can use disposable email addresses, sign up and submit multiple responses for a school, negative or positive.

“There is no mechanism for verifying the person providing feedback is a parent, no token or means of identifying the person, any email address can be used to sign up and the process could easily be automated,” according to Oli.

“I raised this concern to the school my child goes to when we were asked to post responses on the site about the school as part of the Ofsted inspection process. And now a few months later I have been informed that following a grievance raised about the process by the school, an investigation has shown that 50 per cent of the responses from online were tampered with.”

As part of the same process parents are asked to get their kids to leave voice recordings about the school. “Ofsted claimed to have received 1 recording for this school but 55 (or so) parents have stated their children left recordings,” according to Oli. “I’m not sure of the details of what’s happened here as it’s not my data to contact them about, but if they’ve lost the voice recordings of a number of children that obviously represents a DPA [Data Protection Act] breach.”

Oli was also concerned that the site provided no option to opt out from receiving cookies, and faulted the site for allegedly poor accessibility.

Experienced security consultant Paul Moore downplayed Oli’s concerns. “There’s nothing really substantial here,” Moore told El Reg. “There’s no proof that any data has been lost, so far as I can see … and although the report process could be refined, it’s not exactly a security concern.”

In response to queries from El Reg, an Ofsted spokesman said it was in the process of revamping its site. This was not directly related to the security concerns raised by Oli, but ought to serve to reassure nonetheless. In a detailed response it said it already had systems in place to prevent trolling by imposters or other forms of abuse of the Parent View feedback mechanism.

We introduced Parent View in 2011 to enable parents and carers to give their views about their child’s school at any time of the year. As well as being useful to Ofsted, we know that many schools find this feedback helpful in terms of identifying areas of strength and relative weakness. In September 2015, a free text facility was added to support the gathering of views by our inspectors at the point of inspection only.

Parents wishing to submit a review must first register with a password, verify their email address and accept the terms of use. Our aim in designing the system was to strike the right balance between security and ensuring the log-on process was simple enough to encourage as many parents as possible to share their views.

We have put in place a range of measures to minimise the risk of abuse by individuals or groups and ensure that all schools are treated fairly. This includes systems to flag up signs of potential misuse. If a school has any concerns about responses on Parent View, we ask the headteacher to contact Ofsted and we will investigate the issue within 24 hours. We also monitor IP addresses to check that individuals are not creating multiple user accounts to circumvent security and try to influence results.

While we are never complacent, our experience has been that despite more than a million reviews completed, cases of abuse are rare. There have only been a handful of occasions where we have had to take action to remove reviews. However, our current redesign project is an opportunity to assess whether we are maintaining the right balance between security on the one hand, and ease of use on the other.

Parent View is just one of many sources of evidence that Ofsted inspectors draw on to inform their view of a school’s performance. Reviews submitted to the site would never, on their own, lead to an unfairly negative judgement. Inspectors always weigh the views submitted by parents against the other first-hand evidence they gather, in order to reach their final judgement about the overall effectiveness of the school.
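The kind of misuse flagging Ofsted describes above (several accounts from one IP address, throwaway sign-up addresses, the same account reviewing a school more than once) can be sketched as a batch check over submission records. This is an added example, not code from the article or from Ofsted; the record layout, the thresholds and the disposable-domain list are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample review submissions (hypothetical, not real Parent View data):
# (timestamp, registered email, source IP, school id)
SUBMISSIONS = [
    ("2017-04-01T09:00:00", "alice@example.org", "203.0.113.5", "S1"),
    ("2017-04-01T09:05:00", "bob@example.net", "198.51.100.7", "S1"),
    ("2017-04-01T21:00:00", "x1@mailinator.test", "203.0.113.9", "S1"),
    ("2017-04-01T21:02:00", "x2@mailinator.test", "203.0.113.9", "S1"),
    ("2017-04-01T21:04:00", "x3@mailinator.test", "203.0.113.9", "S1"),
    ("2017-04-01T21:06:00", "x4@mailinator.test", "203.0.113.9", "S1"),
    ("2017-04-02T10:00:00", "carol@example.org", "203.0.113.5", "S2"),
    ("2017-04-02T11:00:00", "bob@example.net", "198.51.100.7", "S1"),
]

# Placeholder set of throwaway-mail domains; a real deployment would use a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.test", "guerrillamail.test"}


def flag_submissions(submissions, max_accounts_per_ip=3, window=timedelta(hours=24)):
    """Return {school_id: [(reason, detail), ...]} for submissions that look like
    one person posting under several accounts. Thresholds are assumed values."""
    flags = defaultdict(list)
    by_ip = defaultdict(list)       # (ip, school) -> [(time, email)]
    per_account = defaultdict(int)  # (email, school) -> number of reviews
    for ts, email, ip, school in submissions:
        t = datetime.fromisoformat(ts)
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in DISPOSABLE_DOMAINS:
            flags[school].append(("disposable-email", email))
        by_ip[(ip, school)].append((t, email))
        per_account[(email, school)] += 1
    # Same registered account reviewing the same school more than once
    for (email, school), n in per_account.items():
        if n > 1:
            flags[school].append(("duplicate-account-review", email))
    # More distinct accounts than allowed for one school from one IP inside the window
    for (ip, school), rows in by_ip.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            accounts = {e for t, e in rows[i:] if t - t0 <= window}
            if len(accounts) > max_accounts_per_ip:
                flags[school].append(("multi-account-ip", f"{ip}:{len(accounts)}"))
                break
    return dict(flags)
```

Flags are only a prompt for a human to look at the school's reviews, which matches the 24-hour investigation step Ofsted describes rather than automatic removal.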

Ofsted also said that it did not ask for feedback in the form of voice recordings from pupils.

We do not ask schools to provide feedback from pupils in the form of voice recordings. Prior to an inspection, a letter is emailed to the school requesting they gather the various information and documents inspectors will need to review. This includes a request for pupils at the school to complete an anonymised online questionnaire. This written questionnaire is confidential and complements the other evidence inspectors gather from talking to pupils. In the case of this particular school, 81 completed questionnaires were submitted and all were taken into account by inspectors.

The schools inspectorate said it was changing its policy on cookies. “Up until now, we have opted for a non-disruptive approach, based on the ‘implied consent’ of users,” it said. “However, as part of our current website rebuild and redesign project, we are committed to reviewing both our use of cookies and the methods for obtaining user consent.”

Ofsted acknowledged that Oli had a point about accessibility, which it hoped to improve with the redesign of the site. “We’re aware that our sites do not currently comply fully with the latest accessibility standards. Indeed, improving usability and accessibility is one of the principal aims of our redesign project,” it said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/ofsted_site_security_concerns/