53

I would like to report security weaknesses to my school in the UK. I managed to find security weaknesses without any exploits or other software or hardware.

I had a look at a similar question; however, the problem is that it is very likely that they would find out it was me, even if I used an anonymous email, as suggested in this question, as the IT department knows that I have a lot of knowledge of computer programming, networks and security, and it is (possibly) higher than anyone else's, so I assume that I would be called in straight away. Teachers also know that I found another security weakness which did not impact school policy at all, therefore I had no problem with this one. Also, the security weaknesses require physical access, so I couldn't lie that it was done remotely.

Another answer to the already mentioned question said to just ignore it; however, I found out that one of their computers had been hacked by someone else, and to tell how I found this out I would have to mention the security weaknesses, or suggest that I was trying to hack them.

vakus
  • 1
    Also, I'm sure they'll be more than happy to hear from a person well-rounded enough to report this issue and not sell it or exploit it. Although, it's important to remember that not everyone is like this. There's definitely an aspect of risk to this solution – xorist Apr 11 '16 at 18:21
  • 1
    Without more details about your activities and a law degree in the UK, it is hard to be certain, but you may have violated laws. Even if you didn't, there's a long history of white hat hackers being prosecuted. – Neil Smithline Apr 11 '16 at 18:21
  • 41
    @l1thal I'd vote down your comment if I could. In an ideal world that's true, but people tend to "shoot the messenger" when it comes to things they don't understand, and that often includes computer security. –  Apr 11 '16 at 18:21
  • @drewbenn That's why you would tell someone in the IT Department of the school. – xorist Apr 11 '16 at 18:22
  • 1
    I agree @drewbenn. That is very risky advice. – Neil Smithline Apr 11 '16 at 18:22
  • 1
    I guess I'm just a risky person, but I'll go ahead and revise my comment to advise that it's risky. – xorist Apr 11 '16 at 18:23
  • 12
    @l1thal that also assumes the IT dept is as knowledgeable as it should be. Which is sadly not always the case in school districts. – WorseDoughnut Apr 11 '16 at 18:25
  • 1
    @WorseDoughnut That's a good point. Thanks for all of your input, I'll keep this all in mind in case anyone ever confronts me about this – xorist Apr 11 '16 at 18:26
  • 2
    I suggest attempting to do it anonymously, and then completely deny knowledge or involvement if asked in person – Natanael Apr 11 '16 at 18:47
  • 12
    IMHO, if you're gonna go the anonymous route, go full-blown, hardcore, anonymous. Use Tails, take a trip to a brand new coffee shop and use its WiFi, make sure you're on Tor with the Tor Browser with the highest / most strict security settings, and completely destroy the Tails USB once you're done. Give yourself as much distance between yourself and the anonymous email as you possibly can. Send it to a dept. head you don't know too well, or even send it to a district head / employee or even a PTA leader (rather than someone from your specific school who could easily single you out). – WorseDoughnut Apr 11 '16 at 19:01
  • 5
    Agree with @WorseDoughnut. If you go anonymous, go all the way. No half measures. As well, if it were me, I wouldn't say anything at all. I'm in the US and we tend to light this sort of thing on fire and pour a bunch of thermite on it when we pillory good intentions. I know the UK convictions and what not are a lot lighter but still....convictions. Society loves to jump up and down on the perception of bad intentions and any storyline opposed to that idea typically seems to get shuffled off and forgotten. – Citizen Apr 11 '16 at 22:58
  • Why can't you fix it yourself? You don't have to tell anyone. – sacreligious222 Apr 12 '16 at 00:11
  • 5
    @sacreligious222 Finding a hole is much easier than fixing it. Fixing a hole *without anyone noticing you are messing with stuff* just adds a whole other level of difficulty. It's like putting a cookie back in the cookie jar; it's hard to prove that's the reason your hand is in it. – PyRulez Apr 12 '16 at 02:02
  • Can this vulnerability be stumbled upon "accidentally" while doing an assignment or class in the computer lab, or does it take active effort to exploit? – vsz Apr 12 '16 at 06:10
  • 1
    This vulnerability couldn't be found accidentally – vakus Apr 12 '16 at 06:12
  • It sounds like plausible deniability is the bare minimum of what you need. If they check your computers, there better not be traces of anything. (overwrite 12x or so) If they will assume it's you, that doesn't mean that they can prove it. The other suggestions are good, so I won't go into details already covered. Just... Don't retain anything incriminating and don't *say* or admit to such, either. – The Nate Apr 12 '16 at 10:25
  • If someone else already found and is using this vulnerability, doesn't that seem like decent evidence that you aren't the only possible person to be discovering it? Not suggesting you go through with an anonymous report (standards of evidence may be low anyway), just putting it out there. – Paul Apr 12 '16 at 11:17

9 Answers

76

If there is a teacher or counselor you can trust completely, that you know will keep your name secret even if the school administration starts making threats about firing people, I'd go to them first and talk to them in private. They don't need to understand computers or security (and you don't need to go into detail about the issue), they just need to be trustworthy and good at navigating the administration politics in the school: you need advice about the personalities of the people involved and how dangerous it would be for you to report the issue. If they're at all wary of reporting, then you should keep quiet.

If someone with enough power gets embarrassed, they might start looking for someone to fire or expel (or, in the worst case, to have arrested), to give the illusion that they are in control of the situation. If you're friendly with and trusted by the administration and IT department, and you know they've supported students in the past even when it made them look bad, it may be less risky to share the issue, but I'd still recommend going through a trusted intermediary.

If you can't talk to someone you trust to keep your name anonymous and you can't report the issue anonymously (and it sounds like you can't), it is probably best for you to keep quiet. And that means completely quiet: don't talk about what you found on forums, don't tell your friends what you found, and don't try it out again in a few weeks "to see if it's been fixed:" you don't want to show up in any logs as having anything to do with this, especially if it gets exploited by someone else. It sucks, but start by protecting yourself.

  • 29
    You get a +1 for suggesting to care about one's own security first. – Mindwin Apr 11 '16 at 19:04
  • 4
    If there is an IT security problem at the school, and the OP attends said school, I'd say there's a distinct possibility that keeping quiet and letting someone malicious exploit the vulnerability could easily be harmful to the OP as well. – Ben Apr 11 '16 at 20:02
  • 1
    @Ben Perhaps it should be reported to the school district (superintendent) or police department if OP feels their information or safety is at risk – cat Apr 11 '16 at 20:16
  • 1
    +1. Following this advice, in the worst case it would be as if the OP had never encountered the vulnerability in the first place. – Turion Apr 11 '16 at 20:48
  • 11
    I have done this before when I found my school was vulnerable to something. My teacher calmly called the support desk and told them. Within 2-3 days it was fixed and I was told thank you, but then was politely asked not to test for this again. – Spotlight Apr 11 '16 at 21:51
  • 1
    I've downvoted. This course of action starts with the OP openly stating (to a faculty member who may not know anything about IT) that he's breached the school's IT policy and conducted an unasked-for security test. That seems foolhardy. – Richard Apr 12 '16 at 07:20
  • @Spotlight Politely asked or "politely asked"? – Sebb Apr 12 '16 at 07:29
  • 1
    @Richard not just the school's IT policy, but UK law, punishable by up to six months in prison (gaining unauthorised access to a computer system without intent to commit another crime). – Pete Kirkham Apr 12 '16 at 08:32
  • @Sebb Without quotes. – Spotlight Apr 12 '16 at 12:07
58

Another thought struck me as I re-read your question (emphasis mine):

How should I tell school that they are vulnerable when I wasn't given permission to check?

Could you get permission? Once you have permission, you could "discover" the issue (without telling anyone you'd found it before) and report it without worrying about being blamed for hacking without permission.

It would be easiest if you're already taking a computer class taught by a friendly teacher who would work with IT to give you an extra credit assignment to do a Pen Test. Or if you're friendly with anyone in IT you could approach them directly and suggest you're interested in studying network security and hope to get a job in it someday, and could you get some experience by conducting a Pen Test of the local network. If you already have a reputation for being good at computers and security, and being trustworthy, you may have a decent chance at getting this approach to work.

This will require a lot more work than simply reporting the issue, if you're going to do it right. You'll need to test a lot more things so you can effectively launder your knowledge of the existing security hole (of course you might get lucky and find some more issues!), and you'll need to write up a report detailing everything you did, and why, and what you found. They also might restrict the scope of what you're allowed to test or give you a test system that doesn't expose the issue you already found, which means you'll be stuck doing the work and writing the report without being able to disclose the original issue.

Of course this is a fairly "sneaky" way of reporting the issue. If you get turned down you should probably keep quiet about the original issue, because if you report it or someone else does and it gets traced back to you, people will remember when you asked to conduct a Pen Test and start asking questions about you and how trustworthy you might be. So there is some risk to this approach.

  • I marked this Community Wiki so no one thinks I'm trying to steal extra rep by answering twice; my answers were very different approaches and for OP's sake I think they should be voted on separately. –  Apr 11 '16 at 20:32
  • 3
    you wouldn't be stealing any rep but I understand your point. – Mindwin Apr 11 '16 at 21:18
  • "Hey IT teacher, I read in a magazine you might be able to hack in like this, should I test our system? I confess, I already had a look and I think we may be vulnerable, but I need your permission to try this out..." – RedSonja Apr 12 '16 at 06:16
  • What if the IT department declines OP's request but decides to check it themselves, and OP's name shows up in the logs? (Or other data that can be traced back to OP) – user2428118 Apr 12 '16 at 09:54
8

How should you tell them? You shouldn't.

Let's look at the potential consequences here. Since you were poking around on their network without permission (something which is almost certainly in violation of your student agreement and whatever consent you clicked through in order to gain access to their IT system) the very best outcome you can expect is that they'll fix the issue and you'll get a small pat on the back.

On the other hand, there's at least a reasonable chance that they'll get the wrong end of the stick, expel you from the school and may even call the police. Since there have been other instances of hacking, they may jump to the assumption that you were somehow involved with those as well, increasing the chances of legal consequences.

At the very least, and in spite of your good intentions, you've almost certainly broken the law. While the school may choose to overlook this, they also might not.

When you weigh the upside against the downside, the choice should be obvious.

Richard
  • 2
    I totally disagree. No matter how you gain this information, you should expose the information to the sysadmin or a trusted third party who has the power to set in motion the needed changes. Knowing something is wrong, and not doing anything about it is the same as waiting for a possible disaster to happen. – Squazz Apr 12 '16 at 07:19
  • 1
    @Squazz - Gotta disagree with you. At the very least he's almost certainly been [breaching the school's own IT policy](https://www.techdirt.com/articles/20090731/0325265727.shtml). What's the upside to disclosing? Is getting a pat on the head worth risking his academic career over? – Richard Apr 12 '16 at 07:28
  • @Squazz - I'm also reasonably sure the OP knows he shouldn't do anything or he wouldn't be asking the question in the first place. If nothing else, the fact that he's not told them yet is almost certainly a further breach of policy which I'd guess includes a "vulnerabilities that are discovered should be notified to the IT dept immediately" clause. – Richard Apr 12 '16 at 07:31
  • 1
    It's not always because you have actively been trying to break the security. I once attended a school where we in programming class found a vulnerability in the PHP server our school had provided us for playing around with PHP. We found the vulnerability by accident, not by actively looking for it. I don't know how OP obtained the knowledge he has, but I do think that no matter how the information was obtained, he should disclose it to trusted personnel. Passing on the information anonymously or not, a vulnerability is a vulnerability that should be patched up. – Squazz Apr 12 '16 at 07:41
  • @Squazz - Again, gotta disagree with the analogy. In your case you had a justifiable reason to be poking around on the server. In the OP's case he just seems to be a busybody who's used his privileged (internal) access to conduct an unauthorised pen-test – Richard Apr 12 '16 at 07:48
  • 1
    If it was you who was admin on the network, what would you then prefer? That a (presumably) white-hat student tells you about the vulnerability, or that you find out about it when it's too late and the vulnerability has been abused for something bad? In my world, that answer is simple, I'd like to know about it before it's too late – Squazz Apr 12 '16 at 07:51
  • 2
    @Squazz - If I was the admin, I'd probably start out on the assumption that the OP was involved in the original hacking. Depending on the earlier data loss, I'd probably call the police to update them on the fact that a student has come forward to confess that he's been poking around on the network and that although he claims to be uninvolved, I suspect that he may be trying to [gain some glory](http://www.wsj.com/articles/SB121960882331467103) by highlighting a problem that he may have been involved in causing. At the very least I'd immediately suspend his access pending an investigation. – Richard Apr 12 '16 at 08:01
  • "the school may choose to overlook this, they also might not" -- one thing to look into, is how many children in the UK have ever actually been prosecuted for computer crimes, especially ones in which no damage was done. I don't know for sure but I expect it's a pretty small number. The overwhelming likelihood is that the questioner will not be prosecuted, but I agree that the remaining small risk can't be completely discounted. If the questioner is over 18 and still at school (therefore in their last year) then the odds might shift a little. – Steve Jessop Apr 12 '16 at 12:28
  • @SteveJessop - Let's play a little game called "what's the upside/downside". If he reports it, what's the best thing that you could realistically imagine happening? If he reports it, what's the worst thing that you could realistically imagine happening? Now put those outcomes on a see-saw. Which side is resting on the floor? – Richard Apr 12 '16 at 12:34
  • @Richard: and what's the upside/downside of not reporting it? Main potential downside is that he's already been logged and eventually gets found out when they discover the flaw and do their audit. The worst-case scenario is the same either way, he's accused of hacking them, so we also need to consider what's likely. Now, if the questioner had played "best case / worst case" before deciding to check whether the vulnerability is there in the first place, then it'd be easy to say just to play cautious and do nothing. – Steve Jessop Apr 12 '16 at 12:37
  • @SteveJessop - That's a good point, but openly inviting a discussion of his actions seems far more likely to backfire than imagining that their IT team will ever discover the flaw. It's far more likely that it'll just get patched at some point (at the next systems update) with them being none the wiser. – Richard Apr 12 '16 at 12:42
  • @Richard: ultimately I think it comes down to factors that the questioner (probably wisely) has left out, such as exactly what he did to discover this vulnerability and what his relationship with his teachers is like. If he's run a widely-known shellshock detection script while logged onto a machine he's allowed to use, then he's in a much better place than if he's run extensive fuzz-testing on their payroll system and found an SQL injection. Yes, if he has no reason to think they'll take it well he should assume they'll take it badly. They just won't actually arrest him unless there's damage. – Steve Jessop Apr 12 '16 at 12:46
  • Also, come to think of it, he's found vulnerabilities before and the teachers know it. So he knows what the reaction was before and we don't. If what he was told before was "thanks, that's really useful, we'll patch that right away" then he's in a much better place than if he was told, "this is your first and final warning, if you do anything like this again then you're expelled and we'll inform the police". I guess what actually happened was somewhere in between and less clear, or he wouldn't need to ask this question, but it should help guide him. – Steve Jessop Apr 12 '16 at 12:56
4

"Ma'am, I'd just like to let you know that if you slide a strip of metal in the deadbolt of the door to your garage, you can open it with little effort."

Just don't disclose. Many of us security folk have found vulnerabilities in our universities' computer systems, but there is nothing to be gained by disclosing it. Let someone else find it and disclose it, but don't be the one at risk of accusations of breaking a system that isn't yours. There are many stories at schools I have gone to in which the messenger was punished for attempting to breach the system. I would bet you are much more likely to be punished by disclosing the vulnerability instead of taking advantage of it maliciously yourself.

If you have personal reason for the system to not be breached, contact the system administrator to question the security of the system so that your data is not personally stolen. Ask questions particular to the flaw you have discovered in hopes of the administrator finding the same flaw, but do not suggest you have previously attempted to access the system.

Vortico
  • For what it's worth, the questioner is in the UK and we don't call universities "schools" here. Still sucks to be expelled of course, even if it's "only" from high school. – Steve Jessop Apr 12 '16 at 12:33
4

Use the Socratic method.

Expose the vulnerability to whoever is in charge of security as a series of questions. If they, for security reasons (or whatever), can't or don't want to answer your questions, propose hypothetical situations and ask about them.

1

Can you reveal the vulnerability in a permissible way?

You found the issue in a way that is apparently not allowed. Can you present the issue in a way that you do have permission? If so, trying that might be a good idea. It may not even be the original vulnerability, but a bug that, when being investigated or fixed, reveals the vulnerability.

For example, maybe the vulnerability is that passwords aren't hashed. You found this out by getting into the school's servers. Instead of telling them you got into the school's servers, download a browser extension that checks if passwords are being transmitted as plain-text (which can be seen as a way of protecting your own security in a reasonable non-nosy way), and tell the school that their site is causing red flags on your laptop and that you are worried about your own security. The great thing about this is that it is much safer and justifiable to tell people outside the school if they fix it in a reasonable amount of time.

One bonus of this technique is that you most likely do not have to lie.

It is probably best to make sure they do not realize the original way you found out about the vulnerability, even if they fix it, lest they unleash the powers of government against you. (Is your snooping recorded in any logs, for example?)

PyRulez
0

Tell them anonymously, citing everything you did, e.g. the penetration tests, results, etc. so that they can check it for themselves (or hire someone). Make sure the message is sent to everyone who has the authority to delve into the issue(s).

S.E. Foulk
0

As drewbenn suggested in their second answer, but to put it in a slightly different way, where drewbenn said you can ask for permission, I'm saying you can also “suggest a security check or urge them to do it, with or without your help” with a reason like “I do X or engage in X communities online, and there have been reports or chatter about schools getting hacked in our state/city, and someone was bragging about it.” So you think “we should check if our school was targeted by this any time recently”.

Rok
0

You shouldn't have been there so it doesn't matter what you found, you are currently in the wrong. Until you get permission to look, you have to stay quiet about it and hope they haven't detected your presence.

Paul Smith