many "hackers" are ratbags, but.....
letting loose the dogs of war (aka Lawyers) because you got found out hard-coding keys....
Sadly, it is no more than most of us expect .....
Brit biz Impero unleashed its legal eagles after someone published details of a security cockup in its school network management software. The disclosed design flaw in Impero's Education Pro can be exploited to execute commands and run malicious code on a school's Windows PCs. Last month, a security researcher called …
"must first have access to the network?!?!"
Who do you think will use these exploits? The students, 14-15-year-olds who want to cause mayhem or just look at something they were not supposed to!
When I was at school 20 years ago, I had access to every other student's account on the network, all because of a stupid choice by a teacher....
"no, everyone's password was their student id used for tests!"
You'll be glad to know that the initial migration passwords I am setting on destination user accounts are md5sums calculated on a few bytes from (effectively) /dev/urandom, for each one. If the real source password doesn't sync and overwrite the random one, then at least the account has a pretty decent password!
The default was to use the surname field!
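A check that follows on from the default-password stories above, added here as an example and not code from anyone in the thread: it takes a constructed directory export (salted SHA-256 hashes and hypothetical field names), flags every account whose hash matches the student ID or the surname in any obvious casing, and then mints a CSPRNG placeholder for the migration. One caveat worth keeping in mind with the hash-some-urandom approach: the placeholder's strength is bounded by the random bytes fed in, not by the hash length, so the example draws its randomness straight from the secrets module.

```python
# Added example, not from the thread: audit a directory export for
# "default" passwords (student id, surname) and mint migration placeholders.
import hashlib
import hmac
import secrets
import string

SALT = b"demo-salt"  # constructed; a real directory uses a per-user salt


def _hash_pw(salt: bytes, password: str) -> str:
    """Hypothetical hash format of the exported directory: hex(SHA-256(salt||pw))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample export. Field names are assumptions for the demo.
SAMPLE_ACCOUNTS = [
    {"user": "asmith", "student_id": "1001", "surname": "Smith",
     "pw_hash": _hash_pw(SALT, "1001")},          # password == student id
    {"user": "bjones", "student_id": "1002", "surname": "Jones",
     "pw_hash": _hash_pw(SALT, "jones")},         # password == surname
    {"user": "cpatel", "student_id": "1003", "surname": "Patel",
     "pw_hash": _hash_pw(SALT, "Tr0ub4dor&3")},   # something a user chose
]


def guessable_candidates(acct):
    """Values a 'default password' scheme would plausibly have used."""
    s, sid = acct["surname"], acct["student_id"]
    return {sid, s, s.lower(), s.upper(), s.capitalize(), sid + s.lower()}


def find_default_passwords(accounts, salt=SALT):
    """Return (user, matched_value) for each account still on a guessable value."""
    hits = []
    for acct in accounts:
        for cand in sorted(guessable_candidates(acct)):
            # constant-time compare: the hashes are not secret, but it is habit
            if hmac.compare_digest(_hash_pw(salt, cand), acct["pw_hash"]):
                hits.append((acct["user"], cand))
                break
    return hits


PLACEHOLDER_ALPHABET = string.ascii_letters + string.digits


def placeholder_password(length=24):
    """CSPRNG placeholder: 24 chars from 62 symbols is about 143 bits.

    Hashing n random bytes with MD5 would cap the result at 8*n bits,
    however long the hex digest looks; drawing every character from
    secrets avoids that ceiling.
    """
    return "".join(secrets.choice(PLACEHOLDER_ALPHABET) for _ in range(length))


def migrate(accounts, salt=SALT):
    """Give every destination account a fresh placeholder hash (as the commenter
    does) and mark the ones that were on a default value so the later password
    sync is forced through a change rather than re-importing the weak one."""
    flagged = dict(find_default_passwords(accounts, salt))
    migrated = []
    for acct in accounts:
        new = dict(acct)
        new["pw_hash"] = _hash_pw(salt, placeholder_password())
        new["must_change"] = acct["user"] in flagged
        migrated.append(new)
    return migrated


if __name__ == "__main__":
    for user, value in find_default_passwords(SAMPLE_ACCOUNTS):
        print(f"{user}: password is the guessable value {value!r}")
```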
@Jamie Jones
"C'mon - Who here *didn't* successfully hack the school Econet system?"
Me, for one, as it would have taken far too long to hand-punch all of the 80-column cards necessary to send off to the local Tech to be run through their third-hand ICL mainframe.
Getting the lawyers is probably not the smartest move for a company using a hard coded key.
From their website,
The hype around cloud computing has never been greater, yet many vendors often overlook the need for secure identity validation when implementing remote solutions. YouID Access offers an intuitive and secure portal for seamless sign in to all your web applications. Sign in once to your personalized web desktop and access everything you need for online working. From everyday work tools such as Office 365 and Google Apps to online resources and individual accounts such as Purple Mash and Edmodo, YouID Access makes accessing, navigating and securing the cloud easy. YouID Access works from any browser or device and does not require client installation.
is it safe?
The answer is ‘yes.’ No longer do users need to jot down passwords on notepads, in word documents or spreadsheets, for all to see. One set of login details means only one set of login details to remember.
YouID Access seamless sign in applies secure encrypted tokens; it doesn’t store passwords, so the risk of interception is eradicated.
As soon as the software’s set up and running, all traffic to and from the portal is secured using SSL and industry standard protocols (very secure protocols), and all user data stored in the database is encrypted using AES-256bit encryption (very secure encryption).
I like the use of the word "very". I am also unsure but with access to the tokens does that not equate to access to the account?
They've now alerted every hacker to a flaw in one system. Now what are the odds it's an issue in all of them, and if so that YouID software would be a prime target?
The baked-in key is in use in Impero Education Pro. This doesn't affect Impero Remote Manager or YouID.
YouID is a completely separate product which uses standard https encryption.
Impero Remote Manager uses rolling 30 day (default, it could be tuned to be shorter or longer, last time I saw it) certificates for client communications.
Education Pro is used to control client PCs, typically students'. It's also completely local, as in, installed on client PCs. Remote (VPN, rootkit, etc.) or physical access to the network is required to compromise the system.
Even knowing the key, the damage someone can do is going to be quite limited, as they won't have console access rights, which means the Impero Server will probably disregard their commands, so only the peer-to-peer functions will work.
A much bigger problem than hackers is teachers leaving their computers unlocked when they leave the room.
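As an added illustration of why a shared, baked-in key is easy to recover (example code, not Impero's or the researcher's, and it says nothing about how Education Pro actually stores its key): a small scanner that pulls long printable runs out of a binary and flags the ones whose Shannon entropy looks like key material rather than text or identifiers. The sample blob is constructed, with a planted 256-bit hex key, and the thresholds are the usual rule-of-thumb values for hex and base64-style alphabets.

```python
# Added example, not vendor code: find baked-in key material in a binary by
# looking for long printable runs with key-like entropy.
import math
import random
import re
import string

HEX_CHARS = set(string.hexdigits)
# Characters that hex, base64 or token-style secrets are made of; anything
# else (space, NUL, punctuation) ends a run. Minimum 20 chars to skip words.
RUN_RE = re.compile(rb"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: bytes) -> float:
    """Bits of entropy per byte of s, 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = {}
    for b in s:
        counts[b] = counts.get(b, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_candidate_secrets(blob: bytes, hex_threshold=3.0, b64_threshold=4.5):
    """Return (offset, text, entropy) for runs that look like random key material.

    A random hex string tops out at 4 bits/char and a random base64 string at
    6 bits/char, while identifiers and English text sit well below; the two
    thresholds are the common rule-of-thumb cut-offs for each alphabet.
    """
    found = []
    for m in RUN_RE.finditer(blob):
        run = m.group(0)
        ent = shannon_entropy(run)
        is_hex = all(chr(b) in HEX_CHARS for b in run)
        threshold = hex_threshold if is_hex else b64_threshold
        if ent >= threshold:
            found.append((m.start(), run.decode("ascii"), round(ent, 2)))
    return found


# Constructed sample "binary": an ELF-ish header, ordinary strings, a long
# identifier that must NOT trip the scanner, and a planted 256-bit hex key.
_rng = random.Random(20150714)  # fixed seed so the demo is reproducible
PLANTED_KEY = "".join(_rng.choice("0123456789abcdef") for _ in range(64))
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(24)
    + b"Education client service starting\x00"
    + b"ConfigurationManagerInitialiseComplete\x00"
    + b"static_key\x00" + PLANTED_KEY.encode() + b"\x00"
    + b"Copyright (c) sample vendor\x00"
)


if __name__ == "__main__":
    for offset, text, ent in find_candidate_secrets(SAMPLE_BLOB):
        print(f"offset 0x{offset:x}: entropy {ent} -> {text}")
```

The same function over a real file is just find_candidate_secrets(open(path, "rb").read()); the point is that a static key compiled into every installed client survives exactly this kind of five-minute look, whereas per-client rotating certificates give an attacker nothing reusable to extract.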
Getting the lawyers is probably not the smartest move for a company using a hard coded key.
Exactly my thoughts.
Get this to court and bang, all the exploits will become public knowledge. By sending in the lawyers they have an immediate 'Streisand' effect. The more people who know, the less viable their biz is.
What a bunch of numpties... calling in the lawyers instead of fixing the problem. They deserve whatever crap hits them. I guess the new mantra is: "Think of the profit and then maybe the children..."
Yes and no. I think there has been a severe lack of clear thinking in this case, but from both sides. If the "researcher" wants to engage in these sort of activities he ought to have respected established protocol: warn the company of the problem and set a reasonable timeline for release. On the other side, the way this has been reported suggests the company immediately opened a can of lawyers instead of engaging in discussion which is also just about the most stupid way to deal with a reported issue (it pretty much guarantees press coverage and reactions as yours, and thus promotes wide disclosure).
I think *both* parties could have done better.
Worth remembering
That lawyers have no power.
Ah, but their power comes from endlessly dragging on a case which incurs fees, fees and then some more fees. It turns legal threats from any attempt to justice into blackmail by the entity with the biggest wallet. Even if you're right, your finance may not last to see that proven in court, which is why there is quite a gap between court cases and the concept of justice. The enormous timespan over which such cases take place is not helping either.
"We were made aware that someone had maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence," Impero told The Reg in a statement.
That there is what we call "slander". Sue Impero into the stone age.
heh - nope ... but air travel is seriously over-rated as an experience - I say that as somebody who gets 100K+++ miles a year in sometimes.
I've long argued that broken or structurally inadequate software is no different in principle to a failed mechanical part and should attract the same level of attention - this doesn't happen in general.... Although some folk get it - an awful lot - including far too many developers - don't :-(
I worked for a short time doing support for a Merkan corporate - the number of bugs was astonishing and the main strategy for dealing with them was dissembling and denial.... Things are improving - but then you get the A400M FADEC fiasco...... anybody there have Chinook FADEC on their CV, I wonder?
Personally - I'd reward any and every bug found in a piece of software with T-shirts + mugs - up to serious amounts of money - Google have already cottoned to this iirc?
A number that is supposed to be secret?
That's a new one in deeper levels of retardation.
They could have called up "disclosure of trade secrets", but still...
If they had registered a trademark on that number, it would make sense, but then it would no longer be a secret.
Dear Impero's lawyers,
Please note that I have a copyright on the following sequences of 256 bit numbers as generated by the following code.
<insert loop to generate all possible permutations of 256 bits *except* the one used by the s/w>
Please ensure your client does not infringe my copyright by using any of these sequences in its software.
Yours etc.
The following is a partial transcript of a chat I had, trying to explain a security flaw I found.
7:48:05 PM
Actually it is _________ ________. The upper O is a typo
Having them set to auto or manual makes it easier to hack in.
Josephine M:
7:49:13 PM
you could also raise your concern at our community
any additional concerns JP?
You:
7:50:03 PM
HACKERS read the community. I don't want to give anyone ideas. If I can write a program that reads the programs think what a JAVA expert could do.
Oddly, [redacted] could fix it with just two changes to the next batch.
Josephine M:
7:51:38 PM
okay. just suggesting if you wanted to post on the [redacted] Community, we'll leave it up to your choice then
You:
7:52:22 PM
Do you recommend posting whenever you hear of security flaws?
"Slip's advisory gist disappeared from GitHub soon after the letter from Impero's lawyers Gateley arrived in his Yahoo! Mail inbox. El Reg has seen the full exploit, and withheld publishing specific details in the interests of responsible disclosure."
As soon as any outfit starts threatening lawyers over a bug discovery it's time to publish everything.
_Anything_ else is irresponsible. The fact that the bug exists and has been mentioned means that bad guys will find and exploit it within days or hours but the company will continue to lie to its customers that things are secure (Customers probably have a pretty good civil case against the vendor for attempting to cover up vulnerabilities)
Full disclosure policies appeared precisely because of this kind of response by companies with insecure software.
As soon as any outfit starts threatening lawyers over a bug discovery it's time to publish everything.
No, it is not. You still give them time to think, because you may be facing a gut reaction. Even El Reg itself knows full well what can happen if you publish an article that wasn't terribly bright, and how a friendly insider can help turn that around into less embarrassment for everyone. There is always enough time to start a war, but you start with dialogue.
_Anything_ else is irresponsible. The fact that the bug exists and has been mentioned means that bad guys will find and exploit it within days or hours but the company will continue to lie to its customers that things are secure (Customers probably have a pretty good civil case against the vendor for attempting to cover up vulnerabilities)
The company actually has a decent chance of getting its pound of flesh in court because established protocol was skipped - there must be a reasonable time for the company to react and address the problem before the issue is published, otherwise you tell me what the difference is between this researcher and a hacking site with banking zero days. There is a reason this protocol exists, it has proven over time to be the best compromise between being a jerk seeking publicity and letting companies cover up a security problem.
"The company actually has a decent chance of getting its pound of flesh in court because established protocol was skipped"
There _is_ no established protocol.
Some researchers send notification to companies, which never do anything,
Some researchers give them 30 days, then publish - but this has historically resulted in injunctions being taken out to prevent disclosure.
Some publish immediately and damn the torpedoes - mostly as a result of the last item.
Some sell the bug to the highest bidder (Hacking Team?)
Claims about "established procedure" show a fundamental ignorance about what happens in the real world.
First off, I think Slipstream did the absolute worst thing by publishing the exploit BEFORE telling the company that they had a problem.
Second, in many areas it is, in fact, illegal to attempt to break the security on products without prior authorization. One commentard referenced a bounty program put in place by United Airlines. In that case the company expressly encouraged hackers to not only break their network but to also do the *responsible* thing by privately disclosing the information to them. The point is: authorization was given PRIOR to performing the work.
Third, the lawyers are idiots in trying to get a copyright claim on a key. That's just dumb. What they *should* have done is fixed the problem FIRST then go sue the crap out of Slipstream for being completely irresponsible. Not the other way around.
First off, I think Slipstream did the absolute worst thing by publishing the exploit BEFORE telling the company that they had a problem.
Absolutely. That is why genuine security researchers have established the waiting time.
Second, in many areas it is, in fact, illegal to attempt to break the security on products without prior authorization. One commentard referenced a bounty program put in place by United Airlines. In that case the company expressly encouraged hackers to not only break their network but to also do the *responsible* thing by privately disclosing the information to them. The point is: authorization was given PRIOR to performing the work.
I think it's the Computer Misuse Act which indeed states just that. It's actually one of the problems a security researcher faces when publishing a vulnerability, even after a waiting time. What can happen here is that Slipstream can actually be made liable for breaches now, as they have published a weakness without giving the company time to address it (I think, IANAL).
Third, the lawyers are idiots in trying to get a copyright claim on a key. That's just dumb. What they *should* have done is fixed the problem FIRST then go sue the crap out of Slipstream for being completely irresponsible. Not the other way around.
What they should have done is ask the guy nicely first, telling him it wasn't the brightest thing in the world to do but they'd forego all the annoying legal stuff if he would be so kind as to take the site down and discuss the matter so it can be fixed. This stupidity of getting lawyers involved from first breath is something that has blown over from the US, and we all see what a fine society that has made. Sure, keep them on standby but you may want to invest some time in finding lawyers that actually have a clue about software. The copyright approach smacks of desperation trying to find a stick without knowing IT law, and for a company selling IT products that is plain stupid. I'd change lawyers.
The issue is, at least in part, that the software is used in schools.
If one of the tabloids picks it up and runs with it on the fallacious 'paedo hackers are stealing your children' line, the company will suffer *huge* losses so, sadly, to be seen to be carrying out swift and 'decisive' action to remove the 'threat' of hordes of nerd child molesters is possibly the best course of action to take in terms of image management.
We all know it's bollocks, we all know Slip was an arse for doing it this way (unless there's more to this than we are being told) but it's the way of the world, posturing for effect in the public arena is a business tool.
You can be absolutely certain that the tabloids will promulgate some bizarre sensationalist blather - and the company will collapse within a week or two.....only to rise - phoenix-like - with a different name, re-selling the same old crap-ware to schools under a new product name from a "new" company.
Except that the company DID patch the exploit reported on GitHub. The lawyers came in when Slipstream told them their patch was inadequate. There's no report that the failings of their fix were disclosed. So while the initial reporting method was poor, it was the correctly managed follow-up that resulted in the lawyering.
But lawyering up and screaming "copyright" on a number just makes the company look like whiny ass b**ches with clueless legal representation.
I think the fellow who reported holes with the remote access to a CCTV system used by a lot of day care centres (reported by El Reg) did it better.
That company's reaction (called in the lawyers as well) was also pretty cretinous.
Companies. If there is any kind of serious competition in your market sector you will lose sales if you behave like this.
It's not like there aren't lists of "stupid s**t to avoid doing when writing software" already available.
So basically:
- Hacker publishes working exploit code on GitHub without warning company first
- Company scrambles to patch exploit
- Hacker subsequently emails company to diss the patch
- Company, now having contact details for the hacker, throws lawyers at him to discourage future stupidity by him or anyone else, using the only civil (rather than criminal) legal basis available to them - copyright.
All things considered, he's lucky they didn't call in the police - irrespective of *his* motives, releasing working exploit code that accesses school systems to the weird wild web is just dumb and dangerous.
/Dons flame retardant jacket
//Replaces with retard retardant jacket
Going public with the exploit before giving them notice of it, and time to fix it, was a dick move.
Impero was recently acquired and there have been some management and other changes, which is part of the reason for the knee-jerk lawyering up. Some people are very heavily invested and don't want to lose their shirts.
"Some people are very heavily invested and don't want to lose their shirts."
Maybe what they should spend their "heavily invested" money in is better development and testing then.
Shooting the messenger never solves the problem, although perhaps in the rarefied boardroom world of "perception is reality" it satisfied their arrant egos.
Mostly, what they spent it on was buying in. Also, the Impero boardroom's not really high enough to be rarefied, Oak House is only 3-ish floors, but I bet their lawyers' offices are. I agree with the sentiment though, but a developer's solution is to develop and a lawyer's solution is to litigate. It's pretty obvious who's driving the boat.
"a developer's solution is to develop and a lawyer's solution is to litigate. It's pretty obvious who's driving the boat."
And it's also fairly well known what historically happens when the non-developers start doing it.
If anyone administering schools has any sense they should be looking for an exit scenario in case the company goes titsup or simply starts jacking licence fees through the roof (the new management will want a quick return on all that money they just ploughed into buying the company).
Sadly, school administrators are not generally well known for their sense in these kinds of issues.
Shooting the messenger never solves the problem, although perhaps in the rarefied boardroom world of "perception is reality" it satisfied their arrant egos.
It's the result of a dangerous mix of ignorance and arrogance. Ignorance because it is "tech" and thus the domain "of some geeks/underlings/minions" (take your pick, it all represents "pond scum from many levels down doing stuff I don't understand"), arrogance because it considers people below their level not worth talking to (hence the absence of any discussion), and calling in the lawyers is about the only punitive move these people know. I worked for idiots like this, and you spend most of your time massaging massive egos. Why do you think City offices need such huge doors?
Releasing an exploit before there is a full patch is a stupid thing to do, but you can recognise boardroom arrogance by the tools they deploy to solve conflict at any level. The results here aren't good. If I were an investor, I'd be rather worried about their approach.
"Releasing an exploit before there is a full patch is a stupid thing to do"
That depends on the circumstances and the companies involved.
_Anything_ involving Impero will be treated this way by most people now, given that they've demonstrated that they prefer to lawyer up over fixing software.
I work in schools, I can't say I'm one bit surprised. Not just Impero but any "educational" (though the buzzword is pedagogical nowadays) software. MIS software, in particular, scares the pants off me.
Bear in mind that MIS software will probably contain:
Salaries
Bank details.
Disciplinary notes.
CRB checks and details of passport, driving licence, etc. for all staff.
Pupil details (including parents names, numbers and arrangement for pickup)
Medical info (staff and kids, everything from long-term conditions to issue of sanitary pads, etc.).
Info on witness protection programs, child abuse records, Learning Support information, every minor concern about a child imaginable.
Timetables.
Events, including arrangements for transport, pickup, whether a child will be alone, etc.
Parents' banking details for fees, paying for meals, etc.
And yet their "security" is some of the most lax I've ever seen. I've yet to fully push our MIS online because of these kinds of problems - the only MIS gateway available to us VPNs into our site to pull SQL information to their remote site, which then puts it into a "secured" web interface. I have paranoia over us executing SQL statements which ultimately originate from some random guy on the web logging into a website.
If I can crash your MIS software in a hundred different ways off the top of my head (everything from overflow, to not entering a number when required, to choosing one option before another) and you want to put that accessing my SQL data containing all the above into a web interface that parents and even children can log into to see their little darling's school report? You can think again until you tighten up your coding and security and at least integrate some decent error checking.
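An added example, not code from any MIS product or from the commenter, of the risk described above: a web-facing report lookup with the pupil ID spliced straight into the SQL, next to the parameterised version and a version that also scopes the query to the logged-in parent. Table, column names and rows are constructed for the demo, and the attacker input is the classic quote-and-OR payload typed into the pupil-ID field.

```python
# Added example, not from the thread: string-built SQL versus bound parameters
# on a constructed SQLite copy of a pupil-reports table.
import sqlite3

# Constructed sample data: three pupils belonging to two parent logins.
SAMPLE_ROWS = [
    ("p1", "parent-a", "Ada", "Reads well; maths strong"),
    ("p2", "parent-a", "Ben", "Needs support in French"),
    ("p3", "parent-b", "Cy", "Medical note: inhaler kept in office"),
]


def build_db():
    """In-memory database standing in for the MIS's SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pupil_report ("
        "pupil_id TEXT, parent_id TEXT, name TEXT, report TEXT)"
    )
    conn.executemany("INSERT INTO pupil_report VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def report_vulnerable(conn, pupil_id):
    """The anti-pattern: web input spliced into the statement text.

    With pupil_id = "' OR '1'='1" the WHERE clause becomes
    pupil_id = '' OR '1'='1', which is true for every row.
    """
    sql = ("SELECT pupil_id, name, report FROM pupil_report "
           f"WHERE pupil_id = '{pupil_id}'")
    return conn.execute(sql).fetchall()


def report_parameterised(conn, pupil_id):
    """Bound parameter: the driver sends the input as data, never as SQL,
    so the same payload just fails to match any pupil_id."""
    sql = "SELECT pupil_id, name, report FROM pupil_report WHERE pupil_id = ?"
    return conn.execute(sql, (pupil_id,)).fetchall()


def report_for_parent(conn, parent_id, pupil_id):
    """Bound parameters plus scoping to the authenticated parent, so a
    perfectly valid pupil_id for someone else's child returns nothing.
    parent_id comes from the session, never from the request."""
    sql = ("SELECT pupil_id, name, report FROM pupil_report "
           "WHERE pupil_id = ? AND parent_id = ?")
    return conn.execute(sql, (pupil_id, parent_id)).fetchall()


# Constructed attacker input typed into the pupil-id field of the web form.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("string-built:", report_vulnerable(db, INJECTION))     # every pupil
    print("parameterised:", report_parameterised(db, INJECTION))  # []
    print("scoped:", report_for_parent(db, "parent-a", "p3"))     # []
```

Parameterising stops the input from being interpreted as SQL; the parent_id check is what stops a logged-in parent reading another child's medical note with a guessed ID, which no amount of input sanitising addresses.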
"30 days is adequate time for a company to fix a flaw once notified"
Assuming the company isn't one of the ones which have a predilection for lawyering up and getting gagging orders - which is why full disclosure without notice became commonplace during the 1990s.
Impero have demonstrated that tendency. They lost any chance of the courtesy of advance notification when they did so.
We had a Novell based setup and the IT teacher had a disk that contained all of the management tools.
A quick copy of that disk later and almost everyone was able to "manage" everything on the network.
Took them months to figure out why we were able to keep getting Doom installed.
Mind you, even after we were found out we still managed to get Doom installed into the print spooler folder.
It'd cause the network to churn out endless printed pages of crap but it worked well and at the time there was no way to lock that down.
Years later at college we had an RM-based network which was even worse; there used to be a site called "crash dummies" with all manner of tools for modifying the network and granting yourself extra privileges.
Each time I found ways to get games on various networks it was heralded as an era based on the game I deployed. Novell was the Doom era. RM was the Atomic Bomberman era.
Ah, I miss those days. Innocent times when fun-loving hackers got a slap on the wrist and were asked politely, with respect, how they managed it, rather than the modern equivalent which is lawyer-mageddon, multiple death sentences and a 5-generation curse on your family that doesn't exist and previous generations of ancestors. Plus their dogs.