
...for Education. I'll just get right into this. So, who am I? By day I work in marketing and communications for a security company. Once upon a time, though, I worked to integrate technology and social media into a classroom of about 3,000 students at Virginia Tech. No big deal. We did a couple of cool things: we Skyped with some Nobel Peace Prize winners, we might have gotten in touch with the Prime Minister of Australia once on Twitter, and we even invited King Abdullah of Jordan to our class, you know, just to hang out, just for funsies, just for a regular lesson. I like to dabble in code sometimes, I have a thing for hacker conferences, and I can frequently be found yelling on Twitter about tacos, dinosaurs and, recently, puppies. Sorry, can't help it.

So we've all dreamed about hacking into a computer to avoid doing homework or to change a few bad grades. If you came to my talk to learn how to do this, sorry, I'm not going to be able to help you out. If you came to my talk to figure out how to do this for your kids, definitely not going to be able to help you out with that either. What my talk will do is give an overview of the state of security in education and education technology. Poor security practices that are industry-wide really make hacking education less difficult than you might think.

So over the past few years there's been a massive influx of investment money and resources into education technology. Education reform advocates treat technology as a silver bullet that's supposed to fix all of the societal ills that take place in schools. It's also supposed to somehow magically reverse the effects of poverty on students. Technology is also seen as a solution to poor student achievement, and because of its potential, and it does have great potential to positively impact learning, there's a huge rush to get technology into classrooms, into schools and into the hands of students. As an industry, education technology tends to raise less investment money than consumer technology. According to the Gates Foundation, education has the lowest research and development budget of any industry out there, and just as education and teaching don't attract the best and brightest talent into classrooms, education technology doesn't attract the best and brightest engineering talent to technology companies either. Typically, education technology companies operate with limited resources. They're pressured to launch products as quickly as they can in difficult market conditions, and one of the first places they start to skimp when they're looking for time to save is security. To developers in education technology, security is this unnecessary, expensive thing. Good job, guys, way to value your user data. Sometimes they claim that security will slow down the website, but we all know that if you're doing security right it shouldn't slow down your site at all. It doesn't matter that there are free open source software solutions available that can be easily implemented from the ground up; a lot of education technology companies simply start to build now and then refactor with security in mind later.

In the terms of service and privacy policies of education technology apps there are a couple of phrases that are pretty common: "commercially reasonable" and "industry standard practices". But what actually are these practices? Few companies are proactive enough to take the time to write a document that says what kind of encryption they use or whether they've employed TLS on their web servers. In terms of password storage, four of seven popular education apps that I took a look at recently actually store passwords in plain text, especially for student accounts. In terms of two-factor authentication, it just doesn't exist. It's extremely rare, and it's only available in schools to educators who use enterprise products like Dropbox or Google Apps in the classroom. In terms of encryption, this is something that's typically only implemented on login pages for websites, not full sessions. A plug-in like Firesheep could really easily be used to hijack a student's entire homework session, and this is something that recently happened with a popular education technology tool called Edmodo. It has since been fixed, but in 2013, on Edmodo, which is a Facebook-for-schools sort of project that lets teachers, students and parents connect with one another, a concerned parent started poking around just to see how much of his student's data might be bleeding out of his homework tool. When the parent poked around and discovered this issue, he approached Edmodo and said, hey, what's going on here? This isn't something that's new; it's something the industry had seen before. It had happened to Facebook in 2011. Edmodo's official response was, yeah, so we have full session encryption, but it's an opt-in feature. If the school wants to use it, you have to request it. Because every single educator and every single tech coordinator at every school using Edmodo knows that the option exists, and then they're going to take the time to figure out what encryption is and opt into it on the Edmodo platform.

In terms of testing and patching, these are things that just don't happen in education technology. Tools are tested for usability, and they have high uptime requirements, so companies are just less likely to make massive patches during the school year. Development typically happens in bursts, so it's something that happens during a summer break or winter holiday. In terms of patching, there was one security researcher who shared with me that one specific education company that he was aware of had served malware to its users for about seven months. So it was lurking around in some servers pretty much undetected; no one knew about it. When they found it they cleaned it up, they got rid of it, but they didn't disclose this to all of their users. Way to go, guys, way to go, good job. In terms of disclosure as well, responsible disclosure programs are either rare or hard to find in education technology. Smaller companies typically don't have the resources or the relationships necessary to run a coordinated disclosure. Additionally, there is pretty uneven application of laws in security and technology, so many educators are afraid of how these laws might be warped and used against them if they did find themselves in an issue with disclosure in education.

There's one specific case that took place in Australia in 2011 where a university asked for an independent audit of a learning management system called Blackboard. In this particular audit the researchers found 84 different vulnerabilities of varying criticality, including multiple critical issues that left no trace of exploit behind if a student decided to use them to, say, change data or fake successful course completion to make it to graduation. The security company actually disclosed these vulnerabilities, and it took more than a month to get a reply from the company. Blackboard initially rejected the criticality, denied that the issues existed, and then took the better part of a year to roll out the patches to their learning management system. So the school that requested the audit ultimately was left with its hands tied: they had already paid thousands of dollars per educator to use this tool for the school year, and then they weren't even sure if it was safe to use or not.

Education companies in general do store more information than just usernames and passwords linked to personal identifying information. At the university level, education tools hold research and communications among students and among colleagues. There are tons of collaborative education programs that will capture and store data with extremely sensitive information. At the K-12 level there are tons of new tools that track student learning. There are adaptive technologies that basically learn what students know and then figure out how best to teach them what they don't know. There are a few examples of this, like Knewton and Grockit, that store sensitive analytics on learning and comprehension, and even information about remedial coursework that students might need to go through for content mastery. Additionally, there are numerous behavioral technologies that are used to track special education and guidance counseling. These act really as instructional support, and they transmit sensitive information between special education teachers about mental health and about behavior. Most of this is actually covered by HIPAA. In terms of content distribution channels, we're talking about the places where kids do their math homework or they learn how to code. Most of these only store grade information; they will have some personal identifying information like a username and a password, and in some extreme cases there are companies like code.org that request a full education background of students so that they can try to use big data to solve their greater mission of teaching kids how to code and how to use technology better. Learning management systems like Blackboard, Edmodo, Scholar, Moodle: pretty much everything you can imagine that goes on between a teacher, students and anything else in the classroom is here. So in these programs you're going to find things like rosters, parent information, grade information, classroom communications again, and sensitive contact information. There are other programs that schools have begun to use, like Clever and LearnSprout, and these are programs that do data storage and warehousing. They're going to store your standardized test scores, they're going to keep track of personal identifying information, things like attendance, teacher effectiveness records and all kinds of other records that schools are now starting to store and crunch, because big data.

If some of this information ends up leaked and permanently connected to a student's identity, this could be big trouble for these kids' futures. Information about disability, abuse, sexual orientation, socioeconomic background, core academic performance and disciplinary issues could be abused and could be used to actually discriminate against the students that education is trying to help do better in the world. We're not talking about collecting and crunching the data that's generated by a whole bunch of middle and high school children, either; we're talking about kids who are as young as kindergarteners, who can barely read, and who are generating hundreds of data points a day. Even if their learning profiles and their performance data are anonymized, it's possible to de-anonymize this data and trace it back to the users who generated it. The data trails that these kids are starting in the classroom could pretty much end up following them for the rest of their natural lives, and potentially until the end of all time if someone figures out how to monetize that. No word yet on whether that's happened.

Education technology companies aren't the only places that store massive quantities of student data, though. Schools love to capture, collect and store data pretty much until the end of all time as well. They have little to no budget for infrastructure and few resources to implement the security that they need to really do it. Additionally, school network setups vary wildly based on the amount of money available to a particular school. They have a difficult time finding the tools that they need to solve their individual education problems, and even though it's 2014, there are plenty of schools that still rely on manual data entry into legacy, siloed systems to manage student information. At the university level only about 25 to 40% of universities actually end up encrypting the information in a student information system. There are no solid numbers on this for K-12 education, but the numbers are probably the same, if not a little bit lower. Additionally, money is going to dictate whether schools are able to use computer labs where students share machines, whether they can implement a bring-your-own-device program, where schools have loaner devices but students maintain the devices that they use on a daily basis, or whether they can institute one-to-one programs, where schools end up managing hardware like laptops, Chromebooks, iPads, you name it. In most cases, especially in the case of teachers, there's going to be a massive commingling of professional or educational and personal data. There's little to no network segmentation in K-12 environments between school and student data, so all of this is basically going to be swimming around the same Wi-Fi network when really it should be separated the same way that we try to separate church and state.

The poorest of schools also have serious infrastructure issues. They're typically running on obsolete equipment, and they can't upgrade to the latest and greatest software because of hardware constraints that they incur. A great example of this is actually in K-12 education, where 94% of schools are still using Windows XP, which, by the way, is no longer being supported by Microsoft as of, I think it was, May 8th. So yay, more zero days for everyone. Oops, it's okay. Additionally, schools really love to use ancient versions of Internet Explorer; Internet Explorer 8 tends to be pretty popular. One classroom in Palo Alto that I visited, and this was in 2013, was actually using Firefox 4, which was like 118 billion Firefoxes ago. I don't know if anybody wants to help with the math there. Patching and updating infrastructure in schools is also pretty difficult. Most users don't have install permissions in a lab or a rotational learning environment, so software is going to be upgraded maybe once or twice a year, and even if schools do have newer hardware, they're going to be disabling any kind of auto-update software, especially in browsers, that might interfere with the monitoring and filtering software that they use to keep track of what kids are doing all day. For schools that have implemented mobile device programs there are also problems. iOS doesn't get updated very regularly in schools because mid-September, well, that's when the new version of iOS comes out, so that's about three weeks after devices are assigned for the school year, and it's pretty hard for these things to be coordinated in some schools. When it comes to individual apps, just forget it, don't even try. There's no scheduling trick that technology coordinators are going to be able to implement that's going to help them keep up with patching the tools that students use most.

IT management in schools is actually focused on filtering and blocking traffic on the web; it's not actually focused on securing the systems that store student data. Most of the blocking that's done in education environments is done to comply with E-Rate, which is the federal law that basically says: kids, you are not allowed to watch porn in schools, and you cannot go to any blogs or any websites we do not like, or we're taking your internet away. There's a new trend in schools as well where software is purchased to monitor social media posts and activities, or to even block these activities from being able to take place on school grounds, but it sends a really weird message. There are people who are out there saying that student privacy is important and kids should totally have privacy, by the way, but we are going to go ahead and watch every move that you make while you're on school grounds, just to make sure that you're, like, all private and secure and stuff. Okay, kids? Sound good? The thing about this is the kids are really smart; they find workarounds. There's no one more determined than a 12-year-old who really wants to see Justin Bieber, sorry girls, who's going to get through a system and hack a way around filtering software set up against them in school. And on Twitter, kids are asking each other, hey, have you heard about this Purple Onion Tor thing? It gets around the blacklisted sites that we have in school all day, so let's use it and do whatever we want when our teachers aren't looking. In another case, and this happened in Los Angeles, LAUSD spent about $10 million on an iPad program. So that's $10 million worth of iPads for a whole bunch of students who could totally benefit from them, and the kids got their hands on them. Well, the kids who got their hands on the iPads are now labeled hackers, because doing anything with technology that's given to you that you shouldn't is bad. Hacking is bad, folks. And these kids were able to jailbreak their iPads in just a few days. What ended up happening is that the iPads were confiscated from the kids, and now they're sitting in a warehouse somewhere, pretty much being unused, because the school system hasn't figured out how to keep kids from jailbreaking this software that they've installed.

As if that's not enough, in addition to these infrastructure issues there's another problem: teachers. Teachers are great, except teachers suck. Teachers suck at security. For anybody watching this on YouTube, I said teachers suck at security. I'm sorry if I hurt your feelings. Educators tend to be early adopters of technology, but they're incredibly poor judges of risk. They're more concerned with having access to the tools that they use in the classroom than actually securing the data that's locked inside of them. They don't want to lose instruction time, they don't want to lose control of a classroom, and typically educators are unaware of the individual responsibility that they have in protecting their students' privacy. Educators tend to not read the entire terms of service or privacy policy of a new tool that they adopt, and they think nothing of uploading live student data to a new tool without checking who retains the rights to that data. If the educator abandons the tool, they typically forget to go back and delete everything and remove all traces of things that they've shared in the program. This doesn't even begin to touch other issues with information security in schools: phishing, malware, whatever is going to be out there to replace CryptoLocker. Educators tend to talk endlessly about modeling digital literacy, and security is a very important aspect of that, but that's something that's poorly modeled for students. In addition to this, educators just don't think that they're going to be hacked or under attack; that's something that happens to someone else. Never mind that standardized testing in schools has created a very high-stakes system, and the conditions are perfect for the typical motivations that drive hackers to take place. There are cases where students have used keyloggers to gain access to a student information system and to change their grades because they wanted to avoid a really, really bad report card review with Mom and Dad. There are other situations where parents have hacked into school systems to change their kids' grades before a college entrance exam, before transcripts went out.

There's nothing out there that really requires educators or schools to set bare minimum rules for security compliance and infrastructure, and not even the laws that are meant to protect student data, like FERPA and COPPA, do this either. COPPA, which is the Children's Online Privacy Protection Act, is basically the reason that you have to do math every time you sign up for an email address: you have to pretty much prove that you can come up with numbers older than 13, that you can send and receive messages on the internet. FERPA, which is the Family Educational Rights and Privacy Act, is the law that says that pretty much all grades are private, and any kind of grade disclosure involves parental consent when you're dealing with minors. Both of these laws are irregularly enforced, and they're pretty toothless. They fail to define and establish important aspects of privacy for students, and the laws don't create minimum encryption and transmission standards for personal identifying information and for data. They also don't establish standards for how data should be treated in longitudinal studies, or how data collection should take place when it's being stored pretty much until the end of the world. Instead, the majority of the new laws out there that address student privacy and online tracking, like a very originally named law called Do Not Track Kids, are focused on consumer tracking technologies and advertising technologies that pop up in the games and the apps that kids use to entertain themselves. There should be better laws that cover education technologies used in schools, though. Education is one of the most heavily data-mined industries that there is on Earth. The laws that exist should prevent student data from changing hands without any kind of end-user or parent consent. At least in consumer tech, when you use Google or use Twitter, you get to retain the rights to your data, and they only really hold on to some metadata that's knocking around the servers. Education technology companies don't do that, and 93% of the time when administrators are negotiating contracts with education technology companies, they don't actually realize that they have the right to negotiate and to retain the ownership of their student data.

A lot of these problems aren't new; they happen in consumer technology too. If you take a look at the Computer Fraud and Abuse Act, for example, and what happened with Andrew Auernheimer, the legal part of this is a nightmare. Consumer technology laws are about 15 to 20 years behind what's actually going to be taking place in technology at any given moment, and how can we expect this to get better for students when there are so many lobbyists and so many private interests at play? It's a political game, and if it's not taken care of in consumer tech, how can we expect for this to be fixed in education? Right now it's pretty much the Wild, Wild West all the way around. There are really no incentives for anyone to self-regulate or to fix this problem, and this is also problematic because, despite the questionable legality of data being sold, there are cases where schools have been known to sell student data for profit and for income. This isn't something that's new; for a long time now schools have sold lists of prospective students to college admissions officers at universities, but this isn't how things should be done. There's a whole industry of data brokers out there now who are known for doing some pretty nefarious and some pretty shady things to track data and to hoard as much information as they can about consumers who are just knocking around the web. A lot of them are under investigation because they don't allow consumers to access these massive profiles that contain hundreds of data points that have been gleaned from bajillions of transactions on the internet. In some cases the information that these data brokers are able to get from the internet is worth quite a bit of money. The lifetime value of an email address to a data broker, and this is just an email address, is about $101. What about all the other data that's just knocking around out there and leaking from school infrastructure systems? We're not just talking about data that could be used for advertising; we're talking about student performance data, we're talking about testing scores, we're talking about behavioral issues, we're talking about familial background and all kinds of other information that could be used as deciders for important milestones and life events. What happens if there's some sort of correlation between low test scores and student loan interest rates? Do they increase in rate or size? Not ideal. What happens if a remedial course triggers some sort of advertisement for a questionable education tool? Or what if information about suicidal tendencies, depression or a history of abuse about a student gets leaked out and is combined with a consumer profile? Additionally, what could happen if people who did really, really, really badly on fractions, like me in, like, third grade, just happen to maybe not keep track of the 8,500 times their student loan people like to sell their student loan around, and maybe miss a payment here or there? It happens. Do you get tracked, and do you have all kinds of crazy information follow you because of this?

Education's supposed to be a great democratizer; it's supposed to be a great equalizer, and the technology that people are building should really facilitate that. We need to be doing everything in our power that we can to shut down the tools that compromise student privacy and put it in danger. Technology adoption in schools is the future; it's here and it's not going to go away. The industry's years behind consumer technology in privacy protections, schools rely on outdated, insecure infrastructure, and educators are pretty much blissfully unaware of their responsibility in protecting school and student data. There's little oversight on how data should be handled and how it should be protected by law, and this sucks, because kids are being encouraged to develop online voices, they're being encouraged to develop personas, and they're not being given the tools and the skills that they need to navigate and protect themselves online.

If we're going to fix this, we really, really need to hack it. Teachers and administrators need to take ownership of security and privacy in the classroom. They need to go through a crash course in information security, and they need to start demanding more transparent security from the tools they use and from the education technology companies they deal with. Parents need to start asking questions. Parents need to set up a time to talk to their kids' teachers, to their school tech coordinators, to administrators and anybody else who can answer questions about how data is stored and how data is secured. Hackers, they can help too. We need more open-source software in schools that gives educators and schools more options and more ability to customize the software so that it can fit their needs. Additionally, this would give educators way more options to use in the classroom and wouldn't put student data at risk of being sold for profit. Security researchers need to be more persistent, and they need to demand more and better channels for responsible disclosure. Security research could go a long, long way in making the tools used in classrooms safer. In addition to this, lawmakers, policymakers and technologists need to get it together. They need to create standards for student and educational data storage and transmission. Companies will hate this, but it will work. There needs to be a limit to the amount of time the data is stored and how easy that data is to access. Not everything needs to be at our fingertips all of the time until the end of all time. There's a massive battle going on right now between organizations who are focused on defending student privacy pretty much to the death, but without better security in each of these places, and clear, reliable information instead of fear, uncertainty and doubt, we're not going to be able to secure student data and to give students the privacy that they really, really deserve.

So yeah, that's it. Thanks for attending, guys. Thank you to my mentor Dan, and also thank you, Brendan, for helping me out. And can we please go hack this, pretty please, pretty please, so that our kids and my potential future child do not have to have their poor information sold, leaked and put all over the Internet? Cool.
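The login-page-only encryption pattern the talk describes (a session cookie issued over HTTPS, the rest of the homework session served over plain HTTP) can be checked from captured response headers. The audit below is an added example for this page, not code from the talk, from Edmodo or from any vendor; the hostnames, cookie names and header values are constructed.

```python
"""Audit of the "TLS on the login page only" pattern the talk describes.

Constructed example for this page, not code from the talk, from Edmodo or
from any other vendor. It replays nothing: given captured HTTP responses
from one browsing session, it reports whether the session cookie would be
sent in the clear on later plain-HTTP pages, which is what makes a
Firesheep-style hijack of a homework session possible. Hostnames, cookie
names and header values below are made up.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    """One HTTP response, reduced to its URL and lowercased header names."""
    url: str
    headers: dict[str, list[str]] = field(default_factory=dict)


def parse_set_cookie(value: str) -> dict:
    """Parse a Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True  # bare flag -> True
    return {
        "name": name,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": attrs.get("samesite"),
    }


def audit_session(responses: list[Response], session_cookie: str) -> list[str]:
    """Return finding codes for one session (login response first, pages after).

    SESSION_COOKIE_NOT_SECURE    cookie lacks the Secure attribute
    SESSION_SENT_OVER_HTTP       a non-Secure session cookie would accompany a
                                 later plain-HTTP request to the same host
    SESSION_COOKIE_NOT_HTTPONLY  cookie readable by page scripts
    NO_HSTS                      login response sets no Strict-Transport-Security
    """
    findings: list[str] = []
    cookie, cookie_host, set_at = None, None, -1
    for i, r in enumerate(responses):
        for raw in r.headers.get("set-cookie", []):
            parsed = parse_set_cookie(raw)
            if parsed["name"] == session_cookie:
                cookie, cookie_host, set_at = parsed, urlparse(r.url).hostname, i
    if cookie is None:
        return ["SESSION_COOKIE_NEVER_SET"]
    if not cookie["secure"]:
        findings.append("SESSION_COOKIE_NOT_SECURE")
        # Browsers send a non-Secure cookie to http:// URLs on the same host,
        # so any later cleartext page leaks the session to the local network.
        later_http = [r for r in responses[set_at + 1:]
                      if urlparse(r.url).scheme == "http"
                      and urlparse(r.url).hostname == cookie_host]
        if later_http:
            findings.append("SESSION_SENT_OVER_HTTP")
    if not cookie["httponly"]:
        findings.append("SESSION_COOKIE_NOT_HTTPONLY")
    if "strict-transport-security" not in responses[0].headers:
        findings.append("NO_HSTS")
    return findings


# Constructed captures: the first models login-page-only TLS, the second
# models the fix (full-session TLS, Secure/HttpOnly cookie, HSTS).
LOGIN_ONLY_TLS = [
    Response("https://lms.example.test/login",
             {"set-cookie": ["sessionid=c0ffee; Path=/"]}),
    Response("http://lms.example.test/homework/42",
             {"content-type": ["text/html"]}),
]
FULL_SESSION_TLS = [
    Response("https://lms.example.test/login",
             {"set-cookie": ["sessionid=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax"],
              "strict-transport-security": ["max-age=31536000; includeSubDomains"]}),
    Response("https://lms.example.test/homework/42",
             {"content-type": ["text/html"]}),
]

if __name__ == "__main__":
    for label, capture in (("login-only TLS", LOGIN_ONLY_TLS),
                           ("full-session TLS", FULL_SESSION_TLS)):
        print(f"{label}: {audit_session(capture, 'sessionid') or ['OK']}")
```

Run against real captures, an empty finding list for the full-session case is the bar a school's tech coordinator can hold a vendor to before opting in to anything.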