Are Your Child's Records at Risk? The Current State of School Infosec

Conference: Defcon 27

2019-08-01

Summary

Importance of holding companies accountable for securing sensitive information in school software systems:
  • Schools should require third-party auditing of software where sensitive information is stored
  • Companies should be held accountable for negligent actions
  • Marketing talk should not be trusted when it comes to data security
  • Children's data should be a top priority in securing school software systems
The speaker found vulnerabilities in their school's grading system and worked with the school and a third-party organization to patch them. They also discovered that the Chief Security Officer left the company after the vulnerabilities were disclosed and fixed.

Abstract

From credit reporting agencies to hotel enterprises, major data breaches happen daily. However, when was the last time we considered the data security of children and middle-level education students? The infosec community spends so much time thinking about enterprise security and user privacy, but who looks after those who can't defend themselves? Unknown to most, there are only a handful of major educational software providers—and flaws in any of them can lead to massive holes which expose the confidential information of our rising generation, this speaker included. Additionally, while many dismiss educational data as “just containing grades”, the reality is that these systems store extremely sensitive information, from religious beliefs and health and vaccine-related data to information about parental abuse and drug use in the family. This talk will cover never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research. Vulnerabilities discussed will range from blind SQL injection to leaked credentials for the entire kingdom. If a high school student can compromise the data of over 5 million students and teachers, what can an APT do?