Victoria's educational apps-for-students let creeps contact kids

World+Dog can contact any student via a shared doc


Updated Google and the Victorian Department of Education have set parents, students, teachers, and the Office of the Australian Information Commissioner a poser: at what point does a feature become a vulnerability? Or just too creepy to put in front of kids?

Victoria's teachers and students have adopted a system based on Google Apps for Education, accessed through a portal on the department's EduSTAR system.

As people become more familiar with the setup, however, parents have identified system behaviours which are reasonable for business tools used by adults, but look out-of-place in the hands of primary school students.

The two brought to Vulture South's attention by a concerned parent appear to be normal Google Apps features, but we can understand how they could be worrying to a parent: easy access to around 170,000 EduSTAR profiles of teachers and students via Google Contacts; and the ability for anybody with a Google account – for example, Google Drive – to contact a student as an “outsider” with no connection whatsoever to education.

These are features – but, as one parent told The Register, in the sensitive setting of school education, they're prone to abuse.

In short: first, someone willing to abuse a legitimate EduSTAR login could easily scrape all the profiles; and second, those profiles would let a malicious outsider identify students and abuse other Google features to (as an example) chat with and groom students via shared editing of a Google document.

Profiles

The concerned parent who contacted The Register arrived at their estimate of 170,000 profiles simply enough: they multiplied the number of pages (nearly 700) in EduSTAR's Google Contacts database by the number of entries per page.

The URL tells all: navigation to the last page of contacts in EduSTAR. Image supplied.

The profile fields include name, nickname, title and company*, a “file as” field, notes, e-mail, phone, address, birthday, URL, “relationship”, instant messaging contact, and Internet call contact.

E-mail, the parent told us, is disabled for primary children.

Whoever is responsible for the implementation, The Register feels it's arguable that a system-wide open directory is a de facto bad idea and probably a privacy breach: nobody should be able to see what school your kids attend.

We asked the Office of the Australian Information Commissioner (OAIC) for an opinion on this, and were told the office is investigating.

Kids contactable by World+Dog

The second, more serious issue the parent pointed out to Vulture South is that any of these profiles can be contacted by other people with Google accounts – contact to or from EduSTAR accounts is not limited to people with EduSTAR logins.

The parent provided us with the following image as an example – an exchange created in a Google Drive shared image between parent (without an EduSTAR account) and their child (with an EduSTAR account). The back-and-forth is possible thanks to EduSTAR and Google's collaborative features.

The parent created this chat with their child in Google Drive. Image supplied

The parent worried that such chats offer opportunities for grooming by outsiders – most easily if someone had scraped and then shared the Google Contacts profiles, since that would let the malicious try to target their approaches.

The parent commented: “Effectively [Google Docs] is a low-grade instant messaging app, shared unsolicited and unflagged to a seven year old child.”

Nor does it seem that such a contact would be flagged to system administrators or parents.

It's also feasible that an outsider who knows how identities are created could try to brute-force their way into getting a student to respond. And not much force would be required because EduSTAR IDs are formulaic.

We included this aspect of the system in our inquiries to the OAIC.

As the parent pointed out, other attack vectors also exist.

It's easy to imagine account IDs becoming part of a phishing campaign, for example: getting students or teachers to open an “official-looking” document that happens to include malicious links.

Even if a malicious outsider had not accessed EduSTAR, an unrelated privacy breach could yield student identities – the education application Mathletics was in 2016 criticised for weak client-side security, and later, because its competition leaderboard seemed to contain enough information to identify individual students (first name, surname initial, and school).

“Two semi-innocuous breaches with personally identifiable information are then combined to create a much greater pedophile risk, where the would-be offender now knows where the child is at school, has a photo, a name, and now can instant message them (via Google Drive)”, the parent told us.

Aren't these features?

Vulture South considered whether or not to publish this story, because after all, accessing Google Contacts or sharing in Drive or Docs are features of G Suite.

Our contact argued that these features might be suitable for adults who log in to G Suite either because their employer uses it or because they want the features for themselves.

But kids can't consent in the same way as adults, so surely an application suite intended for school students must be built to the particular requirements of its intended audience. Students also need and deserve more than generic click-to-accept privacy and safety.

The Register raised the parent's concerns with Victoria's Department of Education. We do not yet have a definitive response from the Department.

We have also asked Google for comment. ®

Updated to add

The Victorian Department of Education has provided the following responses through a spokesperson:

“The Department runs Privacy Impact Assessments on key systems that house any student information and has performed an assessment on this system.

“Google Apps is a collaboration tool which necessitates students being able to find and connect with other students – either at their own school or at another school. As such, the directory function is a known and controlled function of Google Apps.

“Parents are provided privacy information about Google Apps which explain the tool, what information it collects (and why), and are offered an opt-out process.

“Students are supervised when they use the system, and are also educated around digital citizenship and encouraged to raise any concerns.

“The Department runs Privacy Impact Assessments on key systems that house any student information and has performed an assessment on this system.”

In a follow-up email, the Department outlined the following concerns:

The Department is concerned that we wrote that “EduSTAR profiles are exposed. There is no such thing as an EduSTAR profile, the only profile that is exposed is the limited (by the Department) profile that is created in Google Apps for Education.”

The Register’s response: We accept the correction, that what’s exposed is not an “EduSTAR profile”, but a Google Apps for Education profile, and have amended the copy.

Department: “The address book is not exposed to external people and does not contain a student’s location/school. Moreover, students are unable to add additional information to their address book profile which is locked down so that it provides only the essential information required to operate the system.”

The Register’s response: We did not claim that the address book was exposed to external people. However, it could leak to the outside via a malicious insider, as described in the article.

Department: “The article implies this is the same Google Apps that is used in business. It is not – it is Google Apps for Education – built specifically for K-12.”

The Register's response: Our concern was, and is, that Google Apps for Education inherits too many default features from Google Apps.

Department: “Additionally, the Department’s Privacy Impact Assessment reviewed the privacy and data security controls implemented by Google as a pre-requisite to providing system-access. Google comply with, and are independently audited on, the relevant industry standard controls such as ISO 27001, 27017, 27018, SOC 2/3.”

The Register's response: We accept that this took place. If breach opportunities exist, it may also indicate that standards compliance does not cover all use-cases.

* What's “title and company” doing in a contacts database for teachers and students? Could it be that either the Department of Education, Google, or both, have rolled out Google Apps into schools with unmodified defaults?
