Cybersecs Pulse: ‘EduTikTok’ DOA, ExamSoft Woes, Twitter Teen Hacked And When BGP Broke 80% Of The Web


If you thought TikTok would swoop in and deal a fatal blow to a thousand EdTech apps… Well, you might have been right up until a few days ago, when the U.S. government decided to ban the app, following a more drastic measure by the Indian government. Was a revolution delayed, or successfully stymied? Only time will tell. In China, short video in education is gaining ground, on par with the short-video trend that is gobbling up the digital lives of mainland citizens. (Maybe not including Apple users.)


But this is a recap on cybersecurity, not video. (You might want to go here.) If ever TikTok finds its way back into classrooms, alarms must be sounded. Not unlike those that rang as Zoom started ‘Zoombombing’ online learning experiences, and the impact those alarms had on our embrace of the videoconference darling in everyday life and pop culture.

Artificial Stupidity In Automated Assessment

In fairness to Edgenuity, the automatic grading is not supposed to replace overworked teachers’ manual scoring, only to “provide scoring guidance.” The question then becomes: who is this EdTech helping, and how? If the automated checker is left on to provide instant feedback to students, who have learned to sprinkle a few keywords into a sentence with no cohesive argument and collect a full score in return, it clearly represents a pedagogical detriment in the time that elapses between the automatic ranking and the teacher’s final revision (if there is one). In an ideal world, Edgenuity representatives would stress the “guidance” qualifier as they pitch the solution, even at the expense of its touted benefit, and would emphasize it to teachers during onboarding. The inability of a third party, let alone the public, to establish a causal sequence of events permits everyone to evade blame, profit, and surely continue to erode people’s trust in technologies meant to empower educators and evolve the learning experience.

China bans Scratch and we’re the witness of a ‘Socotra Island’ moment in EdTech

Of course China is not out of the “introducing masses of children to computer science” game. In fact, everything points to them being deeper into it than anyone else. At the very least, the absence of the good almighty Scratch, the quintessential computational thinking app —which is free and open source, I might add— from Chinese curricula is symbolic. Less disingenuous views should realize China does not really “need” Scratch, much as a free information superhighway is not “needed” for the survival of humanity.

What will —continue to— happen is a decoupled evolution of educational insight, innovative business models and customer feedback between two worlds separated by Great Firewalls, censorship and trade wars. Much like the biome in the Yemeni island of Socotra, whose isolation has led to completely alien evolutionary paths. Except in this case, what’s not easy to figure out is who is the isolated realm, and who is the thriving, innovative ecosystem.

A side note for “EdTechpreneurs”: if your EdTech web app has achieved the ignoble distinction of being big enough to be visited by thousands of robots whose IP addresses are associated with China, despite having no customers there, denouncing the government’s practices on your website might ensure no Chinese IP visits you, which might save you valuable bandwidth.

Nevermind the cookies, your search history is your fingerprint. (PS. Do not give anyone access to your fingerprints.)

Researchers at Mozilla follow up on 2012 research which, by taking advantage of the unique, “highly distinctive and stable” nature of a browsing history, showed it is possible to single out a person with up to 99% accuracy, and potentially identify them, despite having no access to personal information, cookies or passwords.

Let’s be realistic for a minute. Unless you’re Stallman-like staunch in your protection of data privacy, today’s Goliaths have plenty of personal information about you, which they promise is kept encrypted and out of reach of third-party companies and marketers. (There is less clarity about clearance for internal staff.) The Mozilla researchers are not the only ones demonstrating how people can actually be identified from apparently non-identifying information, no hacking skills required.

Lacking a social contract for digital rights, the safest way to proceed with our lives is to assume there is no privacy. In the 2020 addendum (PDF), the researchers not only find that you can be figured out from your search history, but that even just your history on regularly frequented sites like Google or Facebook is enough to paint a fair picture of you. Add to that the identifiers Google and Facebook work so hard to sneak across the web. Without proper safeguards or education, the debate on privacy is being settled by our actions as users: we’ve given in to the idea.
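To make the “highly distinctive and stable” point concrete from the defender’s side, here is a small added example (not code from the Mozilla study or from this site) that measures the re-identification risk of a set of histories as the size of each user’s anonymity set, i.e. how many users share an identical profile. The histories, user names and URLs are constructed for illustration. It also shows that retaining less detail (hostnames only instead of full URLs) enlarges the anonymity sets, which is the kind of data minimisation a browser or an analytics pipeline can apply as a safeguard.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample histories (six fictional users, a handful of URLs each);
# not real data and not the Mozilla study's dataset.
SAMPLE_HISTORIES = {
    "alice": {"https://google.com/search?q=moodle", "https://facebook.com/groups/teachers", "https://lmspulse.com/"},
    "bob":   {"https://google.com/search?q=canvas", "https://facebook.com/groups/teachers", "https://lmspulse.com/"},
    "carol": {"https://google.com/search?q=moodle", "https://facebook.com/groups/teachers", "https://lmspulse.com/"},
    "dave":  {"https://google.com/search?q=weather", "https://facebook.com/marketplace", "https://bbc.co.uk/news"},
    "erin":  {"https://google.com/search?q=weather", "https://facebook.com/marketplace", "https://bbc.co.uk/news"},
    "frank": {"https://google.com/search?q=moodle", "https://facebook.com/marketplace", "https://bbc.co.uk/news"},
}


def profile_key(history, granularity):
    """Reduce a history to the profile an observer would see at a given
    granularity: the full URLs, or only the hostnames that were visited."""
    if granularity == "url":
        return frozenset(history)
    if granularity == "domain":
        return frozenset(urlsplit(u).hostname for u in history)
    raise ValueError(f"unknown granularity: {granularity}")


def anonymity_sets(histories, granularity="url"):
    """For each user, how many users (including themselves) share an identical
    profile. A value of 1 means the history alone singles that person out."""
    keys = {user: profile_key(h, granularity) for user, h in histories.items()}
    counts = Counter(keys.values())
    return {user: counts[k] for user, k in keys.items()}


def unique_fraction(histories, granularity="url"):
    """Share of users whose profile is unique in the dataset."""
    sets = anonymity_sets(histories, granularity)
    return sum(1 for n in sets.values() if n == 1) / len(sets)


if __name__ == "__main__":
    for gran in ("url", "domain"):
        print(gran, anonymity_sets(SAMPLE_HISTORIES, gran),
              f"unique: {unique_fraction(SAMPLE_HISTORIES, gran):.0%}")
```

With full URLs, two of the six constructed users are already unique on three visits each; collapsing the same data to hostnames puts every user in a group of three. Real histories have thousands of entries, which is why the paper reaches near-complete uniqueness.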

So what can you do with a bunch of people’s info? Phish Twitter employees for $100,000 worth of Bitcoin, for starters

In the OGUsers marketplace of digital goods, 17-year-old Graham Clark is suspected of purchasing a database of Twitter usernames, identifying senior engineers at the company, and employing various phishing methods to trick them into giving him access to a subsystem reserved for those with high clearance. From that subsystem, Clark or a co-conspirator impersonated Bill Gates, Elon Musk, Jeff Bezos and other high-profile accounts, promising to double the amount of bitcoin anyone sent to their personal wallets. A mix of stolen and publicly available data, with a research effort authorities described as “painstaking,” allowed them —him?— to secure the trust of senior Twitter engineers who apparently had the ability to impersonate high-profile individuals online.

It is fascinating that three people, none older than 22, are the prime suspects in an attack that many insiders thought to be coming from an adversarial national intelligence agency. Interestingly enough, given the level of access he enjoyed to a needlessly influential platform, many are surprised the bounty —and the harm— was so modest.

The investigation is ongoing.

The ‘World’s Most Advanced Educational Assessment Platform’ Flunks The Michigan Bar Exam Test

Nothing shakes your trust in self-touted security authorities quite like seeing said authorities fall prey to seemingly successful cyberattackers. Hundreds of test takers, many of whom had voiced their concerns in the days leading up to the first fully online sitting, were unable to complete the $500 USD exam required to practice law in the state under the pre-established conditions. Backed by the Supreme Court of Illinois, ExamSoft never agreed to a stress test of the application prior to the examination date.

Generally speaking, proctored exams don’t take kindly to unexpected eventualities. In 2017, ExamSoft was involved in a suit by a test taker who claimed software flaws incorrectly identified suspicious behavior during the proctoring sessions. In a session, the user’s webcam is active and controlled by the software, which continuously checks face movements and positions throughout the test. It also disables other apps and controls internet access on the computer. Finally, it checks the time taken in a test; a discrepancy there led to the test taker’s disqualification and his legal response.

As has been sensibly pointed out, there is little incentive for a malicious actor to disrupt the accreditation of some 700 aspiring law practitioners in Michigan. Sure enough, in the weeks after the incident, test takers began reporting suspicious activity on the credit cards used to access the exam.

Cloudflare: Trust no one, not even yourself

Access to Amazon Web Services (AWS) servers through several routers around the world managed by Cloudflare was hijacked in early September, affecting access to popular sites for millions of internet users. The company, responsible for the security of an estimated 10% of all internet requests, employs the Border Gateway Protocol (BGP), which assigns traffic to routes. Without additional security measures on top of BGP, malicious actors can take over routes to leak or misdirect traffic.

While Cloudflare absolves itself of responsibility for the massive outage, which, put sensationally, “broke half the internet,” competitors were quick to criticize the “single point of failure” that the network service represents, and were unconvinced that it was not the result of a malicious actor, as Cloudflare has reiterated. At the very least, the fact that Cloudflare did not ensure its customers avoided “single points of failure” is already troublesome and a worthy argument.

As of now, the agreed-upon answer to BGP’s vulnerabilities is RPKI. The isbgpsafeyet.com campaign tracks which companies involved in the global internet infrastructure have adopted RPKI, and asks the rest to do so for everybody else’s peace of mind.
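What RPKI actually buys a network is route origin validation: each BGP announcement is checked against signed Route Origin Authorizations (ROAs) that say which AS may originate a prefix and how specific an announcement may be. The added example below (written for this recap, not Cloudflare’s or any vendor’s code) implements the RFC 6811 decision, labelling each announcement valid, invalid or not found, and applies the usual operator policy of dropping invalids. The ROAs, prefixes and AS numbers are constructed from documentation ranges; in a real deployment the ROA set comes from a validating cache such as Routinator or rpki-client, not a hard-coded list.

```python
import ipaddress

# Constructed sample ROAs (Route Origin Authorizations), for illustration only.
# In production these come from the RIRs' RPKI repositories via a validating cache.
SAMPLE_ROAS = [
    {"prefix": "192.0.2.0/24",    "max_length": 24, "asn": 64500},
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 64501},
    {"prefix": "203.0.113.0/24",  "max_length": 24, "asn": 64502},
]

# Constructed sample BGP announcements as (prefix, origin ASN).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24",    64500),  # legitimate origin
    ("192.0.2.0/24",    64666),  # same prefix, wrong origin: the hijack pattern
    ("198.51.100.0/25", 64501),  # right origin but more specific than maxLength allows
    ("198.51.100.0/23", 64501),  # covered by the /22 ROA and within its maxLength
    ("10.0.0.0/8",      64500),  # no ROA covers it at all
]


def covering_roas(prefix, roas):
    """All ROAs whose prefix contains `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix, strict=False)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if net.version == roa_net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'.

    Valid: at least one covering ROA lists this origin ASN and the announced
    prefix is no more specific than that ROA's maxLength. Invalid: ROAs cover
    the prefix but none matches. Not found: nobody has published a ROA for it.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa["asn"] == origin_asn and net.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas, accept_notfound=True):
    """Common operator policy: keep 'valid', drop 'invalid', and keep 'notfound'
    unless the operator opts for a stricter stance (accept_notfound=False)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "valid" or (state == "notfound" and accept_notfound):
            accepted.append((prefix, asn, state))
        else:
            rejected.append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for row in ok:
        print("ACCEPT", *row)
    for row in dropped:
        print("REJECT", *row)
```

Note that the “not found” state is the weak spot: a prefix whose holder has not published a ROA is still accepted by default, which is why the campaign pushes both signing (publishing ROAs) and filtering (rejecting invalids).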

eLearningInside News: The longer you’re online, the more vulnerable you are

Don’t be like Ponca City Public Schools, do not negotiate with ransomware hackers!

Reporting over at our friends eLearningInside News, Henry Kronk chronicles a handful of the many cyberattacks directed at schools, universities and other educational organizations, many of which have succeeded and led to schools transferring some precious bitcoins to attackers. Schools have been subject to these types of incidents for years, and they continue to rise while also becoming more sophisticated. As schools get ready, if with some delay, to kick off their most online-dependent school years yet, awareness and protection should rank higher as a priority for everyone.

Two basic and mostly effective approaches are in order for schools:

  • Actively manage and filter requests to prevent Distributed Denial of Service (DDoS) attacks, which are sort of the equivalent of hiring hundreds of people to flood a shop to waste the staff’s time and affect their service —a possible goal in itself— or to take advantage of their divided attention to take over the warehouse and use it for your own business.
  • Create backups as early and often as possible, hosted in different locations, to make it easy to restore and avoid paying any ransom.
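The first item, “actively manage and filter requests,” starts with being able to tell a flood from normal browsing. The added example below (mine, not from eLearningInside or any school’s setup) runs a sliding-window counter over constructed access-log lines and flags any client whose request rate inside a ten-second window exceeds a threshold. The log format, addresses and thresholds are assumptions chosen for the demonstration; a real deployment would feed it a web server or load balancer log and hand the flagged sources to a rate limiter or firewall.

```python
from collections import defaultdict, deque

# Constructed access-log lines in the form "<unix_time> <client_ip> <path>".
# 203.0.113.5 fires 40 requests in four seconds; the other two clients browse normally.
SAMPLE_LOG = (
    [f"{1000.0 + i * 0.1:.1f} 203.0.113.5 /login" for i in range(40)]
    + [
        "1000.5 198.51.100.7 /",
        "1002.0 198.51.100.7 /courses",
        "1007.5 198.51.100.7 /login",
        "1001.0 192.0.2.20 /",
        "1009.0 192.0.2.20 /courses",
    ]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, path)."""
    ts, ip, path = line.split(maxsplit=2)
    return float(ts), ip, path


def find_flooding_sources(lines, window_seconds=10.0, threshold=20):
    """Sliding-window detector.

    Returns {client_ip: peak_requests_in_window} for every client whose request
    count inside any span of `window_seconds` exceeds `threshold`.
    """
    events = sorted(parse_line(line) for line in lines)  # order by timestamp
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, _path in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # evict anything older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def should_block(ip, lines, window_seconds=10.0, threshold=20):
    """Decision a front-end filter would take for one client."""
    return ip in find_flooding_sources(lines, window_seconds, threshold)


if __name__ == "__main__":
    for ip, n in find_flooding_sources(SAMPLE_LOG).items():
        print(f"flood suspected from {ip}: {n} requests in a 10 s window")
```

A single-source threshold like this catches the crude case; a distributed attack spreads the load over many addresses, each below the per-client limit, so the same counter is usually also kept per path or per site-wide total, and the real defence is upstream filtering capacity the school does not have to provision itself.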
