Are Your Child's Records at Risk? The Current State of School Infosec
Conference: Defcon 27
2019-08-01
Summary
Importance of holding companies accountable for securing sensitive information in school software systems
- Schools should require third-party auditing of software where sensitive information is stored
- Companies should be held accountable for negligent actions
- Marketing talk should not be trusted when it comes to data security
- Children's data should be a top priority in securing school software systems
Abstract
From credit reporting agencies to hotel enterprises, major data breaches happen daily. However, when was the last time we considered the data security of children and middle-level education students? The infosec community spends so much time thinking about enterprise security and user privacy, but who looks after those who can't defend themselves? Unknown to most, there are only just a handful of major educational software providers—and flaws in any of them can lead to massive holes which expose the confidential information of our rising generation, this speaker included. Additionally, while many dismiss educational data as “just containing grades”, the reality is that these systems store extremely sensitive information from religious beliefs, health and vaccine-related data, to even information about parental abuse and drug use in the family.
This talk will cover never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research. Vulnerabilities discussed will range from blind SQL injection to leaked credentials for the entire kingdom. If a high school student can compromise the data of over 5 million students and teachers, what can APT do?
Materials:
Tags: