Saturday, May 22, 2010

Taxpayers Should not be Paying for Computers for Students

Taxpayers should not be paying for computers for students in the first place. Laptops are not essentially for education. This article points out just one of the many problems of children having laptops. No computer should have the capability for a school to spy on students.

The following piece appeared on Wired.com.

Quote of the Day - “Putting a computer in front of a child and expecting it to teach him is like putting a book under his pillow, only more expensive” Anonymous


Cathy
Spelling errors, grammar errors, misuse of homonyms and typos are left an exercise for my readers.


School Spy Program Used on Students Contains Hacker-Friendly Security Hole
By Kim Zetter May 20, 2010

A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software.

The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures.

The vulnerability was discovered by researchers at Leviathan Security Group, who provided Threat Level with a video (see below) demonstrating an exploit they developed.

They began examining the program after customers who saw media coverage of the Pennsylvania case expressed concern that the program might be exposing their employee computers to intrusion from outsiders. The same software is used by many businesses to monitor and maintain their employee laptops.

The Lower Merion School District in Pennsylvania is embroiled in a lawsuit and FBI criminal investigation over use of the LANrev software. The cases involve allegations that administrators spied on students through the software installed on 2,300 school-issued Macbooks.



LANrev is a suite of remote-management software. The primary issue in the Lower Merion case is the optional Theft Track feature in the software designed to let administrators covertly snap images through the computers’ webcams. The school district insisted that the cameras were rarely activated and only when a laptop was reported stolen or missing.

But a class-action lawsuit against the school district alleges that the program surreptitiously snapped tens of thousands of pictures of the pupils at home, school and elsewhere, through school-issued laptops that were not lost or stolen. Lawyers for the plaintiffs allege that some of the pupils were even photographed nude and partially undressed.

The district discontinued the LANrev webcam-tracking program in February after the spying allegations came to light and says it’s now addressing security issues in the LANrev software.

“The District is taking aggressive and immediate steps to ensure that issues related to security and technology are effectively resolved,” said school district spokesman Douglas Young in an e-mail.

The vulnerability in the LANrev system lies in the symmetric-key encryption it uses for authentication between the client and the server, and isn’t related to the optional Theft Track feature. Therefore, even computers that are not using the theft feature are potentially vulnerable.

The authentication key is stored in the client-side and server software and is fairly easy to decipher, says Frank Heidt, president and CEO of Leviathan. It took Leviathan just a few hours to determine that it’s a stanza from a German poem. The key is the same for every computer using LANrev.

The LANrev client software on a computer is configured to contact a server every minute or so to check in and see if the server has any commands for it. Knowing what the key is would let an attacker who has installed a sniffer on the network intercept that ping and masquerade as the server in communication back to the laptop. It requires the attacker to be on the same network as the target machine — for example, on a wireless network at the school or anywhere else that offers free Wi-Fi the student might use.

“If we give you this stanza of poetry, it’s over and the fat lady sings,” Heidt says. “There would be [hackers] turning on webcams.”


Absolute Software, which acquired LANrev last December, said it identified the vulnerability at the time it was purchasing the software and is fixing it in a more robust version to be released in July, which will use Open SSL for encryption.

“Is it theoretically possible [to exploit this]? Of course it is,” said Tim Parker, vice president of research and development for Absolute. “[But] we are not aware of any customer who ever had an issue with this. If any customer did express concern, we would immediately supply them with a patch.”

The attack only uses the LANrev software as an entry point to install malware. Because a LANrev administrator can remotely install and execute other programs on the client machines, once an attacker is on a machine, he can then install malware to take over the machine.

In the hack demonstrated in the video below, Leviathan researcher Joel Voss is seen intercepting communication between a LANrev computer and its server, and then impersonating the server to install a remote control program that gives him complete and surreptitious control over the machine. He can operate its web camera to capture imagery of the person sitting in front of the machine.



No comments: