Welcome to Cybersecs Pulse 2021 Recap: Cybersecurity, privacy, digital rights and more. Whose school fell in the ransomware trap this year?
Here’s what made the Crypto news in 2021
- Teacher data breach in Missouri
- Would-be Teachers Arrested For Bluetooth-Enabled Flip-Flop Cheating
- 5 Ways Schools Fails Students’ Privacy
- 85 Virtual Universities Closed For Fraud
- Virtual Security And Surveillance Of Students
- Turn your browser into a proxy
- The Tor Project
- 100 million people kept from the internet in 29 countries in 2020
- Anti-terrorism tech hits schools, saves the day?
Teacher data breach in Missouri to wrap —or kick off?— school year
Due to the increasing use of social media, privacy has been a growing topic of discussion and concern. From scams and fraud to obsession, harassment and more, personal information continues to be a prized possession by malicious actors.
On October 14, more than 100,000 teachers, administrators and school counselors‘ personal data were breached and publicly exposed by failures on the state Department of Elementary and Secondary Education’s (DESE) website. The Post-Dispatch discovered the exposure of the data through a web application that allows internet users to search for teacher personal information such as certifications and credentials. Immediately after learning of this, the Department removed the affected pages from its website.
At the time, it was unknown how long the data exposure had been breached or if anyone had taken the information. Department spokeswoman Mallory McGowin said, “We have worked with our data team and the Office of Administration Information Technology Services Division to get that search tool pulled down immediately, so we can dig into the situation and learn more about what has happened.” McGowin also said that a comprehensive audit had already been started to ensure that no other applications contain similar data exposure.
The teachers Social Security numbers were found to be published in HTML source code.
Red flags had been raised about education-related data collection practices. An audit conducted in 2015 showed that the Department was unnecessarily keeping students’ Social Security numbers and personal information on file. The audit gave a warning to the Department, and according to them they had avoided doing this type of collection, but evidently another system contained undetected vulnerability. As a defense mechanism, DESE decided not to give any more information about it and then to blame the newspaper for having published this information to the public. It even accused the person involved in the discovery of the vulnerability of being a “hacker”.
As a possible solution, Shaji Khan, professor of cybersecurity, made a recommendation to teachers: Request a free report from credit agencies, so that they are carefully monitored. He also advised them to freeze credit if they notice suspicious activity.
Would-be Teachers Arrested For Bluetooth-Enabled Flip-Flop Cheating
Reminder: Check the teachers’ flip-flops.
In the West Rajasthan state of India, five men were arrested for making copy during a qualification exam for government teaching jobs. The men were caught with high-tech devices. These devices were extremely tiny and were hidden in their ears and in the middle of their footwear. That would be flip-flops, with tiny devices featuring SIM cards..
For the presentation of the exam, thousands of police officers guarded the facilities in order to prevent any cheating. In the city of Bikaner, officers observed irregular behavior in a group of people when they tried to enter the exam.The officers proceeded to do a search, finding the tiny, Bluetooth-enabled bug in their ears., The bugs werewere so deep in the teachers-to-be’s ears that the officers had to call in a doctor for the extraction correctly.
According to Priti Chandra, Bikaner’s principal officer, a gang designed these flip-flops and sold them to exam takers. It is estimated that the gang sold approximately 25 devices, acquiring each pair for Rs 30,000 (nearly $ 400 USD at time of writing) and selling them for Rs 600,000.
Fraud and cheating for high-stakes exams is a widespread practice. India is no exception. Add the fact that, while teacher’s salaries are significantly low, they come with job security and pension for life.
Going forward,the government will be suspending internet and SMS service during the time of the exam. Seven police officers were also arrested for helping candidates cheating.
5 Ways Schools Fails Students’ Data Privacy Protections
Data is the new oil. So it shouldn’t be a surprise to be living through an escalating series of data wars. It was only after information systems grew robust to the point we started to put our entire learning lives in their hands, that we realized how utterly fallible they can be, and in how profound ways. Doom is not imminent, mind you. We can still use technology to raise the barriers and make it economically prohibitive —never mathematically impossible— for a “sufficiently motivated” actor to deal a lethal blow to our modern way of living. But since technology sees no intent, said actors can always learn from their prey in order to increase the efficiency of their methods. This is why —barring an AI singularity or a quantum breakthrough from either camp— a cybersecurity arms race is basically guaranteed until the end of our days.
Here are 5 relatively novel, possibly fatal, and in all likelihood not long-lasting but definitely urgent security risks students face due to lacking institutional action.
№1. Deliberately sharing enough information about a student to make them identifiable on social media (or outright doxxing)
Does it need to be shout from the rooftops? Anyone who is a member of an academic community and is about to share an update publicly on social media, should only be allowed to do so after completing compliance training and signing a data privacy agreement; otherwise they should be forbidden to do so with prejudice.
Let it slide once, then the photo of a possible underage student will make its way onto a Facebook update set as “public.” From here, the sky is the limit: Cyberbulling and harassment by people unknown —and known to her— down to doxing.
Did you forget about Clearview already? Well for their algorithms, it’s impossible to forget your face.
№2. Failing to audit data practices of technology providers
The level of information security in an organization is as strong as the weakest link. In other words, if you haven’t checked your providers’ security credentials, you better do it now. (Go and look into the data insurance policy while at it).
Ever wondered why some organizations require cloud providers to comply with SOC 1 (ISAE 3402) 2 or 3; FISMA, DIACAP, and FedRAMP? To oversimplify, adherence to these standards means your provider has taken the effort and expense to certify its data handling processes. If you care about data privacy, look for compliance with ISO/IEC 27001 and related specifications from your vendor.
Ideally you should also make sure that any private information submitted to regulatory bodies and government agencies are in secure hands. Otherwise they’d better be in no hands at all.
№3. Failing to comply to data privacy requests, including but not limited to the right to be forgotten
Just because you don’t expect a lot of your users to wish for total erasure of personally identifiable data, there’s no excuse not to have the systems and processes in place to comply.
This is a key element in GPDR and the ensuring national and state-level data privacy regulations it sparked (and continues to). It also determines to a considerable extent the architecture of your application, which at the very least should always be able to account where personal data is stored, as well as to delete it.
№4. Failing to put safeguards on the ways ‘inscrutable’ AI, Machine Learning algos use private data
Notice the qualifier between quotes. Yes, it takes longer, it’s harder and more expensive to create systems people can actually inspect.
Unfortunately, for many the ship has sailed so we’re destined to be surprised here and there whenever an algorithm makes an odd —or racist— choice, with no easy way to pinpoint the exact step in which it was produced, let alone a way to quickly patch things. Unless a miracle happens and Explainable AI reaches the mainstream.
In principle, compliance to data security in general should cover general cases of identifiable bits falling into algorithms, then in the hands of an unauthorized individual. But the cases and examples, as well as deanonymization technologies, will continue to evolve into trickier scenarios.
№5. Failing to adopt appropriate preventative or mitigation action
No system being foolproof is a mathematically verifiable fact. Which means that, to a large extent, cybersecurity is the art of always having backup plans.
Data privacy risk management is, at best, a seldomly applied practice. At worst, a term your CIO or school IT admin has never heard of. This, despite the fact digital assets can be much better protected than physical ones. Funnily enough, information professionals’ main concerns on this matter revolve around being fined for not complying.
To sum up (And a bonus Fail)
To be clear: We’re focusing only on threats originated at schools. Students themselves are well capable of putting their own privacy and data at risk.
In the spectrum of situations involving student private data and schools, it can be easy to fail. So when in doubt, remember that social media can be detrimental to students even if it’s schools the ones posting.
In social networks, anyone can access the images. With age old techniques along with new technology in the hands of everyone, it’s increasingly trivial to deduce large amount of information from small details. There’s always a strand of hair at the scene of the crime, and so plenty of digital footprints in the backgrounds of pictures.
If the school has not involved students and other stakeholders in a process of privacy acknowledgment and acceptance, just assume that active use of social networks violates student privacy.
Fake College Degrees? 85 Virtual Universities Closed For Being Fraudulent | Cyberpulse
Fake titles have been a rising problem for the past 5 years.
85 websites posing as universities were shut down thanks to a government crackdown on degree fraud.
This problem has arisen due to the high demand for training for candidate people who want to apply for a job in a specific department.
The closures have been carried out by the government since 2015, with the aim of protecting the international reputation of universities in the United Kingdom.
As a result of this government program, it was established that more than 300 sites are being investigated because they appear to be offering bogus titles.
Some of these fake institutions offer degree certificates that were not authentic and that according to what they came from universities that if they are real.
The search found sites that sold the degrees for 500 pounds ($ 689.55 at time of writing) with the excuse that they could replace the lost documents.
Fraud regarding university certificates has increased in the United Kingdom since the pandemic began, as more people are working and studying from home and relying on the information they find online.
You might also be interested in:
Virtual Security And Surveillance Of Students During The Pandemic
Students are being watched at home while studying.
Before the pandemic, educational institutions observed what students did through cameras with facial recognition and microphones that could detect signs of abuse.
But with the pandemic, virtual education had to be forced to transform its methodologies to virtuality.
This means that while students are taking exams, spy technology arrives to prevent copying, fraud and plagiarism.
This invasive technology consists of making an easy recognition of students during their educational activities, this software can even collect thousands of confidential data belonging to the person being spied on.
Which in turn can bring prejudices, since this software does not adapt to diversity, white, neurotypical and without disabilities, making students even more exposed to any harm.
Do you agree that students are exposed that way?
Turn Your Browser Into A Proxy Using Snowflake Bridges
We know that in some countries there are restrictions on using certain websites. A clear example is China, there it is not allowed to use Facebook, WhatsApp, those services in that country are blocked.
And for this, if you want to enter and you are in a nation where services are blocked, it is necessary to use a VPN or a Proxy to simulate that you are connected from another place.
This is where the idea of the Tor server came from, to help anyone who is in the situation of wanting to access a blocked service.
But what does it consist of?
The extension or proxy network, Tor decided to call it Snowflake Bridges, is a browser extension that is made through a Chrome or Firefox installation, and so you can access any service, and you will also pretend that you are connected from another place.
This strategy created by Tor causes a mesh to be generated where users who resort to using the bridge to be unblocked are present, which means that the more people accessing the bridge there will be more proxies.
In addition, with this strategy, it will be difficult for governments to block any website due to the user traffic that the site has and the constant change of addresses.
In order for you to make use of the Snowflake bridges, you must have Tor Browser Alpha. If you have the desktop version, you can click on settings on the home screen, and you will see the option “Tor is censored in my country,” then click on “Select a built-in bridge” and then choose the option “Snowflake.”
Anonymous, Not Untraceable: What Elearning Professionals Need To Know About The Tor Project
What are the Tor Project, the Tor Proxy and Browser?
Leveraging the concept of “onion routing,” the Tor Project is a non-profit that advocates for the right to privacy and anonymity in the use of the internet. Named originally after “The onion routing network,” it seeks to educate the public on their rights not to be tracked, digitally targeted, nor facing repercussion for choosing to use anonymous ways to access the internet.
Tor develops free and open source technologies that help users navigate the internet at no cost to their privacy. The technologies Tor helps build and advocate for are the basis for what is popularly known as the Dark Web, on which the Hydra-like 2014 shutdown of darknet market Silk Road by the FBI took place. In earth temperature fashion, marketplaces break records or users every year they are busted. The biggest to date, DarkMarket, was shut down just last January.
Tor is supported by the Electronic Frontier Foundation (EFF) as well as countless (uncountable?) small donors. Growing interest in privacy and decentralization, and the strategic need for communication tools on which activists can rely on despite authoritarian intervention, has led to increased support in recent months, allowing the project to speed up their development roadmap. In particular, it has made the Tor Browser easier, more dependable and ubiquitous, in addition to strengthening protections with Tor v3.
An “anonymizing network” alternative is I2P, which is also growing in awareness but remains with a fraction of the popularity and support.
What are onions, and are they safe?
Onion routing, the principle behind the Tor network, scrambles the identity of the user who tries to access a website by going through a series of edges, none of which know both the origin of the request and final destination. They also work as edges themselves for the connections of others. Anonymity is not a guarantee but a probability, which increases proportionally to the number of users on the onion network, the browser they use and the type of website they access. (Those odd-looking URLs with .onion at the end instead of .com, .edu, ac.)
So while it is possible for a sufficiently motivated and resource-flush actor to track you and find you on the dark web —as researchers and authorities have repeatedly demonstrated— a larger number of users will increase the difficulty of doing so. For specific users, anonymity also improves in relation to the number of onion edges geographically close.
Tor-based education: Anonymity as practice and debate subject
Should your start conducting your classes through the onion browser? That might be overkill, not to mention infuriatingly slow with today’s technology. (Ongoing support to the Tor project might change the situation sooner rather than later, thought.)
But Tor, onion routing and the philosophy behind it are worthwhile additions to curricula on subjects of technology, culture, economics, humanities, society and even culture. Think debate questions like:
- What is the extent of data gathered about us during our internet use, and by whom?
- Do users, students in particular, have the right to request not to be tracked during their educational internet activity? Should schools have the discretion whether to honor or not these requests?
- What other principles or desirable practices deserve more widespread awareness and demystification?
Training resources are available at community.torproject.org/training
Get started: Download Tor Browser
From a convoluted proxy system, Tor’s technologies have been evolving rapidly in their ease of use. Nowadays, it’s a matter of downloading the Tor Browser, available for Linux, Windows, OSMac and Android devices. The latest release of current version, Tor Browser 10, became available for Linux in March 3.
iPhones and other mobile iOS devices can have the Onion Browser, which encrypts access through the Tor network. Given Apple’s imposed limitations it does not guarantee the traffic to always be onionly-routed.
The Tor Browser lets you use the web and visit normal sites, which still collect data. Find here a list of .onion sites and onion versions of public search engines and sites including BBC, NYT and the DEF CON Hacking Conference.
It is more likely to be identified on the Tor network through social engineering and statistical analysis about your than through technical methods or loopholes. Read some stay anonymous online by never providing revealing information
You can also join the Tor Community or follow the project on tracked (Twitter, Facebook) and untracked (Mastodon) social media.
29 Countries partially shut down their internet in 2020
Digital liberties advocacy group Access Now released the #KeepItOn report, documenting 155 instances of internet being shut down or interfered with by 29 national governments in 2020. In 29 times, they shut down entire internet access to citizens.
Highlights of #KeepItOn include:
- India shutting down the internet 109 times.
- 17 shutdown instanced tied to human rights abuse and cover-up attempts.
- Notable incidents in addition to India included Belarus, Venezuela, Bangladesh and the Chinese province of Xinjiang.
- In total, 100 million people faced blackouts and inability to access websites, social media or messaging apps.
At writing, internet is reportedly inaccessible in Uganda, Ethiopia and Myanmar, the latest of which records the largest shutdown, with 9 townships facing a 19-month restrictions period.
U.S. Schools are buying tech that lets them track students’ devices
In 2016 a student allowed his phone to be searched, with the intention of looking for evidence of a romantic relationship with his teacher.
The officer who searched his phone connected it to Cellebrite UFED, a software that retrieves deleted messages from the phone. Using Cellebrite UFED, school officials found out that the student was having an affair with his teacher.
While companies like Cellebrite have partnered with federal and local law enforcement for years, the controversial equipment is also available for school district employees to search students’ personal devices.
Cellebrite is a Digital Intelligence company that provides tools that allow organizations to better access, analyze and manage digital data.
Many school districts have Cellebrite devices for the purpose of ‘assisting with student safety, fraud, collision, or conflict of interest’. According to Gizmodo, school and district contracts with Mobile Device Forensic Tools, the likes of Cellebrite, run anywhere form $995 to over $11.5k USD a year. Cellebrite is reportedly on the lower pricing end. MDFT, commonly used in counter-intelligence and anti-terrorism operations, have found in schools a place to help employee misconduct investigators, who are usually able to do so covered by the law as long as there is “reasonable” belief there has been a violation of the law or the school policy.