05 July 2023

Duh! Cyber security. It’s complicated.


www.techdirt.com

School Decides To Harden Security By Giving EVERYONE The Same Password 

Wed, Jul 5th 2023 10:47am - Tim Cushing

from the eyes-on-your-own-papers,-please dept

Cyber security. It’s complicated.

Protecting against threats means determining what your threat level is. Demanding everyone utilize a 53-character password with uppercase letters, numbers, and “special symbols” generally just makes people more irritated, rather than more secure.

Obviously, things must be secured. And passwords shouldn’t be so simple that anyone with an off-the-shelf HP desktop can hack them.

But people in charge of security need to weigh perceived threats against security responses. What they absolutely shouldn’t do is hammer the RESET button without considering the consequences of their actions.

When we first enter school, we’re constantly told to “be on our best behavior.” Apparently, that same warning doesn’t apply to educators. An Illinois school did one of the right things: it asked for an audit of its security. Its response, however, indicated that no one responsible for the school’s security was on their best behavior. Here’s Lorenzo Franceschi-Bicchierai with the details for TechCrunch:

Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”

“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”

Yikes. I realize a blanket reset is far easier than simply revoking passwords to force end users to create a new one, but this is all sorts of wrong. Even if the school didn’t have a Plan B for this occurrence, it could not have done worse than informing everyone that everyone has the same password until each individual made the effort to change it.

And this was handled during the school off-season, which means the email was likely ignored or back-burnered by many recipients. But those who did read it — and any malcontents who might have realized what this reset meant — now had all the information they needed to access any account run by this school.

Fortunately, this doesn’t appear to have attracted the attention of malicious individuals. And the school has performed another reset that is far less stupid. The new reset involves sending every user their own “special password” via email, which should limit the collateral damage.
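The two reset strategies the article contrasts, as an added example that is not part of the original post and is not the school's or its vendor's tooling: the shared-password reset beside a per-user unique reset that forces a change at next login, plus the audit check that would have flagged the first one. Account names are constructed.

```python
"""Mass password reset done two ways, with an audit check that rejects the
shared-password variant. Illustrative code added here; not OPRF's or any
vendor's tooling, and the accounts below are constructed sample data."""
import secrets
import string
from dataclasses import dataclass

# Character set for generated temporary passwords (assumption: any printable
# subset acceptable to the identity provider would do).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


@dataclass
class Account:
    user: str
    password: str = ""
    must_change: bool = False  # force a new password at next login


def weak_blanket_reset(accounts):
    """What the school's first email did: every account gets the same
    well-known password, and nothing forces the user to change it."""
    for acct in accounts:
        acct.password = "Ch@ngeme!"
        acct.must_change = False


def unique_reset(accounts, length=16):
    """The second, saner reset: a per-user random temporary password and a
    must-change flag. Returns {user: temp password} for out-of-band delivery
    (e.g. individual email), never a single value broadcast to everyone."""
    delivered = {}
    for acct in accounts:
        temp = "".join(secrets.choice(ALPHABET) for _ in range(length))
        acct.password = temp
        acct.must_change = True
        delivered[acct.user] = temp
    return delivered


def reset_is_sound(accounts):
    """Audit check a defender would run after any mass reset: no two accounts
    may share a credential, and every reset account must be forced to rotate."""
    passwords = [a.password for a in accounts]
    if len(set(passwords)) != len(passwords):
        return False  # shared password: anyone can log in as anyone
    return all(a.must_change for a in accounts)
```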

But before the damage was mitigated, not only could people access other people’s stuff, but they also had no functioning option to prevent others from accessing their stuff.

Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”

Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.

“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.

Manning Peterson isn’t being paid to ensure the school’s systems are secure. But that’s the service she ended up performing. Offloading the security responsibility on end users isn’t a great way to handle perceived security flaws. Giving every end user the power to see every other user’s information is a horrendous way to respond to a security audit.

Things may be (at least temporarily) under control at Oak Park and River Forest. But this catastrophe isn’t going to assure any student, staff member, or parent that further fuck ups aren’t inevitable.
