On #edsec: Education’s massive security problem

Dinosaurs: a very important part of the security conference experience.

A few months ago, I gave a talk at BSidesLV on the state of security in education technology. My talk, #edsec: Hacking for Education, isn’t a hacker talk in the truest sense— I had no l33t, sophisticated hacks to show off, no beautiful backdoors into well-maintained code to make my point. Instead, I went the route of discussing the lack of security standards, the dire state of security awareness among educators, the deplorable state of school infrastructure, and the security-averse attitude of developers within education technology.

I should have written this post months ago— I am thankful for a lot of people who helped me get through my first-ever talk at a national conference— but I’ve been struggling to overcome an awful, awful feeling in the pit of my stomach after I finished my week away at hacker summer camp. After being surrounded by people who discussed securing the critical infrastructures that make our web work, protecting medical devices from attack, and preparing for the Internet of Things that is to come, I realized that I didn’t go far enough.


A rant: Twitter, your 2-factor Authentication Sucks, or Why #Brands Get Hacked On Twitter

For the past six years, I’ve worked in online marketing. As such, I have been the holder of ALL the keys to the social media accounts for many brands I have worked for and worked with in the Silicon Valley and beyond. My biggest nightmare as the holder of the keys is waking up in the morning to find my company on the front page of Mashable as the latest of the #brands (I mean that hashtag ironically) who had a social media account hacked via phishing, spearphishing, or something worse. To prevent the worst from happening, I’ve implemented a variety of multi-layered security strategies over the past few years to protect myself and my brand and to foil any attempt at account takeover.

Today, I logged in to my brand account to reconfigure one of these layers of security on Twitter. When I finally got to the spot in account settings where I can enable 2-factor authentication, however, I was informed that Twitter only allows 2-factor authentication to be tied to a single phone number.

Thanks, Twitter, but no: THIS IS NOT OKAY.

How Educators Can Protect Students’ Data from Security Breaches

This article was written for MindshiftKQED, where it appeared here.


By Jessy Irwin

Every day, teachers are responsible for maintaining numerous logins, passwords, data, and other private information about their students. As the de facto chief technology officer of the modern classroom, an educator’s role becomes more complex (and potentially overwhelming) as more tablets, computers, and web tools are put in the hands of students. With so many tools, security and privacy are often an afterthought, despite the increasing number of websites that fall victim to data breaches and security vulnerabilities each day.

Last week, researchers discovered Heartbleed, a massive security flaw in an encryption tool used to protect data across some of the most popular sites on the web. For almost two years, this hole in OpenSSL may have quietly left two-thirds of the web vulnerable to eavesdropping, leaking private data including logins, passwords, and other information stored in web servers to anyone who might be listening. Given the enormous amounts of information entrusted to teachers about their students, colleagues, and their communities, here are a few important measures teachers can take to protect themselves from Heartbleed.

  • Don’t log in to a site or attempt to change your passwords unless you’re certain that a vulnerable site has been fixed. Though most major web companies have fixed the Heartbleed bug, it’s important to note that logging in and changing passwords on a still-vulnerable site leaves you exposed: the new credentials can leak just as the old ones did.

  • There are numerous resources that can help you determine whether a site is vulnerable or if it has been patched. If you use Google Apps for Education, Yahoo! Mail, Pinterest or Minecraft in your classroom and you haven’t changed your passwords in the last week, it’s safe to do so now. For Android users, this tool from mobile security firm Lookout will help identify whether your operating system is susceptible to Heartbleed. Alternatively, there are many tools that can check encrypted sites for the bug: here, here, and here.

  • Your online accounts are more likely to be compromised by a phishing attack that attempts to steal account credentials than by a hacker exploiting Heartbleed to steal data from servers. Because public awareness of Heartbleed is high, malicious hackers will do their best to exploit the situation, for example with fake “reset your password” emails. For maximum security, educators should type the address of the sites they use into the browser themselves when they want to log in and change passwords, instead of clicking through links within an email.

  • If you’re using the same password for multiple accounts on the web, it is safest to assume all of the accounts using that password have been compromised. In the wake of major data breaches, criminals can and will employ tools that try leaked credentials against any online accounts they can. If you are one of many educators exercising this insecure habit, now is an excellent time to break it. Password managers like LastPass, 1Password and KeePass are valuable tools that can help educators to generate, store, and audit passwords for all of your web accounts.

  • Heartbleed may be affecting your school or district network, too. Security engineers are beginning to discover that firewalls, switches, virtual private networks, servers and other important network hardware are also susceptible to the hole in OpenSSL. In some cases, the records of your current and former students stored in a student information system (SIS) are vulnerable, and sensitive information could be leaked without a trace to the rest of the web. District technology leaders, technology coordinators, and anyone maintaining databases full of student information should double check with hardware vendors to confirm whether their systems need patching or not.

Though technologists and engineers have patched many of the sites vulnerable to Heartbleed, it’s impossible to determine whether sensitive user data has already leaked onto the web. While there is no such thing as being completely safe from hacking and data breaches on the web, there are many preventative measures that can be taken to protect sensitive data and online accounts. If there’s a lesson that can be taken away from Heartbleed, it’s this: there’s never a bad time to be proactive about online security.

Jessy Irwin is a privacy and security advocate who once integrated technology and social media into a class of 3,000 students.


Say No, No, No to LinkedIn “Intro”


Just a few days ago, LinkedIn announced a new feature called “Intro” — a series of technological hacks that would display a bar featuring the LinkedIn profile of anyone who communicated with you through email. As a long-time user of Rapportive, an add-on that shows you the LinkedIn account, Twitter feed, and the last few posts a contact has made across other social media properties, even I was excited about it.

Until I spent some time digging around their engineering blog, that is.

Four Reasons To Love A Hacker

My first-ever attempt at soldering at Def Con 21. (#defconboyfriend was an excellent teacher, as confirmed by every person who surveyed my work for the rest of the conference.)

A few months ago– August, to be exact– I hopped a plane to attend my second-ever DefCon, a renowned hacker conference that entered its 21st year. This year’s gathering of security experts, hackers, makers, and technology enthusiasts from around the world was full of incredible talks (all of which seemed like pretty incredible feats of technology to me, given my current status of Codecademy dropout), hardware hacking, and hacking contests, and the other shenanigans felt feistier than ever. After having spent ten collective days in the middle of the desert (so, so hot) with hackers, here are the top four reasons I think that everyone should love them:

Edmodo: Securing user data, ur doin’ it wrong #edtech

A while ago, I mentioned in an epic rant post that a certain ridiculously well-funded education technology company *coughEdmodocough* should spend more money on its security and less money on, say, things that don’t serve to actually make its product better for its users.

The original article that has inspired hours of passionate ranting can be found here, but the main takeaway from it is this: the biggest K12 LMS out there doesn’t secure its user data. Edmodo’s (and Schoology’s*) user data can be intercepted and viewed by someone other than its intended audience (students, parents, teachers). While the chances of an actual hacker being out there just waiting to prey on some kid’s homework data are slim, this lack of encryption is deplorable—absolutely unacceptable.

Edmodo’s spokeswoman attempted to quash the issue by saying SSL encryption has been available to schools for some time— and that all they have to do to get it is to “opt-in.”

Instead of doing what is right for all of their users and securing their data with industry-standard encryption, Edmodo is making their users opt into something that should just be standard in their platform.

Let that sink in for a moment, and then, think about it again.

Instead of protecting their user data, instead of taking the time to build out faster and more efficient ways to do right by their userbase, they’re only offering it on an opt-in basis. In essence, your Facebook, Twitter and Pinterest accounts are more secure than a network you use professionally meant to house assignments and sensitive communications among teachers, students and parents.
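What “standard, not opt-in” looks like in practice is simple to show in code. The following is an added example, not Edmodo’s or Schoology’s code or anything from the article above: a small WSGI middleware, written with only the Python standard library, that never serves content over plain HTTP. Plaintext requests are answered with a redirect to the same URL on https://, and every HTTPS response carries a Strict-Transport-Security header so browsers stop sending plaintext at all. The application (`hello_app`), the host name `lms.example` and the request helper `call` are constructed for the demonstration.

```python
"""Always-on TLS for a web app: redirect plaintext HTTP to HTTPS and set HSTS.

Added example (not the LMS vendors' code). Standard library only; hello_app,
the lms.example host and the call() helper are constructed for the demo.
"""

HSTS_MAX_AGE = 31536000  # one year, in seconds


def hello_app(environ, start_response):
    """Stand-in for the real application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"assignments and messages\n"]


class EnforceTLS:
    """Wrap a WSGI app so it is only ever served over HTTPS.

    There is no per-school switch: an HTTP request gets a 301 to the same
    path and query on https://, and each HTTPS response gets an HSTS header
    telling the browser to use HTTPS for this host for max_age seconds.
    """

    def __init__(self, app, max_age=HSTS_MAX_AGE):
        self.app = app
        self.max_age = max_age

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the app set so the policy is consistent.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security",
                            "max-age=%d; includeSubDomains" % self.max_age))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)

    @staticmethod
    def _is_https(environ):
        # wsgi.url_scheme is set by the server. Behind a TLS-terminating
        # proxy the scheme arrives in X-Forwarded-Proto; only honour that
        # header when the proxy is the sole way to reach this process.
        if environ.get("wsgi.url_scheme") == "https":
            return True
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def call(app, scheme, path="/", host="lms.example", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
               "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = EnforceTLS(hello_app)

if __name__ == "__main__":
    print(call(app, "http", "/assignments", query="id=7"))
    print(call(app, "https", "/assignments"))
```

The point of the wrapper is that there is nothing for a school to turn on: the plaintext path exists only to push the client to TLS, and the HSTS header makes the browser skip that plaintext hop on later visits. The X-Forwarded-Proto check is the usual caveat when TLS is terminated at a load balancer; a process reachable directly from the network must not trust that header.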

Are you mad yet?

Education technology news rarely ever makes the New York Times— this was kind of a big deal, a majorly, majorly big deal— and I’m sad to see that so many people in edtech dropped the ball on pitching an absolute fit. In the case of education and student data, using SSL or any other method of encryption (pick one, there are many!) is the right thing to do… and that anyone would make it an opt-in feature, not a standard feature that protects all of the users on their platform, is absolutely unacceptable.

Education technology gets a day in the New York Times, and the usual edtech players fail to point out the obvious. How many four-line stubs of this article did you come across during Edmodo/Schoology/edtechencryptiongate?