I am a student at my local school.

About eight months ago, I stumbled upon a security hole that could allow any user to discover any student's ID in the entire district, and I am aware that the IT department has a tendency to keep student IDs as confidential as possible as the ID is the only unique identifier bound to a student.

When I originally found the problem, my computer science teacher suggested that I just lie low and not report it to anybody. However, eight months have passed, and the IT department has not done anything to fix this issue.

I have finally built up the courage to responsibly disclose the security issue to management. The reason I have feared reporting is that I must tread very carefully, as one wrong step could land me in hot water and possibly get me suspended for "hacking." And at this point, I have no idea who else has found this exploit other than myself.

Again, I was not actively searching for security holes; rather, I simply stumbled upon one.

What is the best course of action to take in responsibly disclosing the security issue while minimizing the risk of being punished for it?

oldmud0

  • Please tell us more about the student ID. Identifiers should not need to be secret. It is authenticators that need to be secret. Of course, schools could be doing something ill-advised, like posting grades by identifier, thinking that each student knows his and only his identifier. – Bob Brown Sep 12 '15 at 03:20
  • Students pay in the cafeteria by entering their ID in the keypad. For this reason, the administrators constantly advise students to "never ever share your ID with anyone" since students could draw funds from each other. And, the default password on Google accounts and Windows domain accounts uses this ID because, again, it's assumed that the ID is always kept private. – oldmud0 Sep 12 '15 at 03:30
  • There likely is no way to do this safely. You will be showing up the IT staff, who seem to have created a very insecure system (student IDs can be used for purchases without a PIN - sheesh!). Perhaps the least risky way to do this is to find a faculty member who will raise the issue for you, keeping you anonymous. But if the school pressures the faculty member for your name, the situation will get ugly quickly. – Neil Smithline Sep 12 '15 at 04:03
  • If I use a totally unrelated email address (doesn't have my real name in it anywhere, and Google turns up no results) to send the message, would this keep me protected to an extent? – oldmud0 Sep 12 '15 at 04:27
  • @oldmud0: Regarding using the unrelated email address, I think it should be safe; however, the best would be to use a new email address created just for this purpose and not reused afterwards, and not access it from the school's computers. – WhiteWinterWolf Sep 12 '15 at 06:55
  • @WhiteWinterWolf And probably use Tor along the way too. IPs can otherwise be disclosed using a subpoena. – curious_cat Sep 12 '15 at 11:16
  • Possible duplicate of [Ethical question regarding accessible sensitive data at school](http://security.stackexchange.com/questions/58783/ethical-question-regarding-accessible-sensitive-data-at-school) – Xander Sep 12 '15 at 12:44
  • I had a case where my email server got spammed in a way that was obviously from a hacked-in server at a small county school district in the Midwest (USA). I found the email address of a school board member there and notified him of the issue with details for him to pass on. Instead, he insisted his IT staff were the most competent and accused me of hacking in (a contradiction). With few exceptions I find school admins to be the most incompetent people. – Skaperen Sep 12 '15 at 13:11

4 Answers

I have many years' experience working within a college ICT team. This is what I would recommend based on my experience.

I wouldn't go to management; they won't care, or a non-technical manager will overreact and take the issue on as a personal mission. Additionally, if you are worried about being accused of 'hacking', it is non-technical management who are most likely to do that.

I would recommend documenting the security flaw and submitting it to the ICT service desk.

If you do not have access to the service desk as a student, then email them directly, or just chap the door of the office and explain the situation to them, and they will advise you on how to proceed. (Chapping the door is probably the best option.) They will probably just raise a ticket for a technician to have a look at the issue, and it will go through the escalation procedures from there.

Do not be worried about bringing this issue up with them; even if it turns out to be nothing, most teams will be happy for the proactive reporting of this kind of flaw. From experience I can say that most in academia, be it support staff or academic staff, only raise faults with ICT when it affects them personally.

I have discovered faults in the past, only for a member of staff to tell me that the fault in question has been there for months. My response was always the same, "Well why didn't you raise a ticket with ICT to fix it?"

TheJulyPlot

  • I'm not sure. Some of the IT guys are as bad and as misguided as the non-technical management. If he does want to report it to the IT guys, I'd do it anonymously. Even if done anonymously, if once reported it is going to be obvious who discovered the hole, I'm not even confident I'd go ahead. Perhaps just let sleeping dogs lie. – curious_cat Sep 12 '15 at 11:18
  • If the IT guys are that unprofessional, then do you think they are going to initiate disciplinary proceedings against them anyway? Even if they do, they will have a hard time being successful with them, even if there is a breach of the acceptable use policy, as all this individual was trying to do was responsibly disclose a possible security flaw. Regardless, I find it hard to believe that any ICT team would do this anyway, as most are staffed (or at least managed) by IT professionals. – TheJulyPlot Sep 12 '15 at 13:26
  • The ICT team doesn't have an office on our campus. I believe they roam between campuses and the district's central office upon request. – oldmud0 Sep 12 '15 at 14:34
  • This is fairly normal procedure for schools; I would email them. As I said above, document the issue first. Do not be afraid to identify yourself; as long as you have not abused the flaw in any way you will be fine. In fact, hiding who you are will make you look way more suspicious. Try and email the generic email - if there is/you can find - one (i.e. ictservicedesk@acmeschool.edu). Alternatively, call the school's main phone number and ask to be put through to the ICT service desk (a little social engineering experiment for you). Or just go up to a technician the next time you see one on campus. – TheJulyPlot Sep 12 '15 at 16:28

Do not raise the issue as a student. Your concerns are valid: schools usually perceive students as children whose actions are pointless at best and malicious at worst. In the best case you will be ignored; in the worst case they will shoot the messenger and discipline you for hacking. They might even blame you for any unsolved abuse of student IDs in the past.

I would recommend that you raise the problem through your parents. School management is usually far more cooperative when approached by adults. A "fix the issue or I talk to the press" kicker often works quite well.

Philipp

  • With all due respect, I disagree. It really depends on the attitude of the team. But from my experience, working with and within a number of teams, they will appreciate anyone who proactively brings issues to their attention in a professional manner. – TheJulyPlot Sep 12 '15 at 10:12
  • I agree with Philipp. Let sleeping dogs lie. Most school management I've seen, and even some of the IT guys, are horribly clueless and not people I'd trust to react in any reasonable way to this. – curious_cat Sep 12 '15 at 11:20
  • @TheJulyPlot that's the *ideal* case. There's a *very* real risk of this backfiring. OP has a choice to make, and it isn't an easy one. Either way. – Jared Smith Dec 13 '18 at 12:16

Find an attorney to disclose it for you. They are required to keep your identity confidential. Maybe you can find one willing to do this for free. Or maybe your parents know of one.

Skaperen

  • I cannot determine whether the seriousness of the issue would make it worthwhile to pay an attorney. Just bringing out the attorney would be looking for trouble (i.e. a legal battle). – oldmud0 Sep 12 '15 at 14:39
  • I disagree that an attorney would be inviting trouble. An attorney would be a great way to underscore the seriousness of the situation. What's more, unlike other more cloak-and-dagger ways of remaining anonymous, this approach doesn't put your proxy in any danger, either. If you can find a pro bono attorney, by all means, ask them what they think. (Fwiw, there's also a law.stackexchange now.) – kojiro Sep 13 '15 at 22:51

I agree with TheJulyPlot that security issues should be brought to the IRT/CSIRT/SOC/CERT team responsible for the website's security. A small school might not have any dedicated position, while a university most certainly does.

The goal is that these people are both (a) technically competent to understand what you are reporting and (b) aware that you are actually helping them, while being able to route it to a more appropriate recipient if needed (e.g. the actual fault might need to be fixed by a separate development team).

If you do not know which team handles security issues at your institution or how to contact them, you can go up one level: contact the national CERT or, for a university, the CERT for the research network it belongs to.

For example, depending on where you (and the entity) are based, you could notify US-CERT in the US, JANET CSIRT in the UK, INCIBE-CERT in Spain, the KazAcad CSIRT in Kazakhstan...

There is no complete directory of teams, but generally you can look up the most relevant CSIRT for your case on FIRST or, for European CERTs, Trusted Introducer.

Please note that each one will have its own constituency. A national CERT for your country may handle the report, redirecting it to the university if needed, but the CSIRT for a completely unrelated private company might discard it.

In (almost?) every case, it is possible to send a report of the incident by email (if you don't find one listed, look for their RFC 2350 section). This means that, for a basic level of anonymity, you can just create a new freemail account and use that to send your incident report. In fact, you could even skip the creation of a new email address and send from your usual one (you may also mention in the report that you prefer not to stay anonymous). If you didn't commit any crime, it is unlikely that anyone would care who you really are. Rather than "send and forget", I recommend that you check that email (ask them for an update if needed). You may simply be thanked and told that they will handle it from now on, but they might also request more information from you, or ask you to send it to a different team.

I also recommend that you report it as soon as you can after discovery in order to minimize the potential for it to backfire. Misguided people might assume that whatever you discovered, you will have abused it and are an evil hacker, no matter how silly the actual vulnerability may be. However, by taking prompt action to have that fixed (and actually not having abused it!). There are probably some logs that could be checked. If they find out that you tested the vulnerability (even if it takes them months to find that on their own), having done it 1 hour before they got your report email paints a quite different picture than realizing that you discovered it 6 months ago. Even if your communication for some reason didn't reach them (suppose, for instance, that their abuse mailbox was full!), the record itself at the email provider (i.e. the Sent mail) disclosing the vulnerability will be helpful, should you need it.

Ángel