Edutech vs. Cybercrime — how to secure our digital platforms

Bedros Pamboukian
Google for Developers Europe
Aug 24, 2023

It’s early 2020, and everyone seems to have gone crazy on the internet. COVID-19 hit the world and education systems are panicking — as a response to the new rules for health and safety, the entire world shifted to the digital realm. Schools switched over to online mediums and continued to deliver content, albeit with more classroom disruptions and noisy classmates who didn’t know about the mute button.
“All is good”, the education sector thought — disaster avoided, it seems.

More than meets the eye

At first glance, everything seems to be fine — students are still learning, education systems are using whatever LMS they find, and real-time feedback applications and startups are gaining recognition. Seems the migration is done, education is now fully digital!

No. Far from done, actually. While students were learning and snacking with their webcams turned off, something malicious was brewing behind the scenes. Cybercrime rates skyrocketed, phishing was on the rise, as if there’s an unstoppable force overtaking the internet. The problem is evident. A majority of education systems missed a crucial step in their migration — responsible cybersecurity practices.

No security.txt to be found, no security directory, and lots of permission misconfigurations. Before the pandemic struck, this would’ve been fine. “It’s just a random school, there won’t be any experienced criminals trying to break their way in and steal our physical documents!” — but now, the students, the teachers, the staff, everyone now has their entire identity on an online system that may not be up to security standards. It’s all online, and on the internet, there are crawlers, scanning the internet every second of the day just waiting to find their next victim.

Everyone is affected

I am like that crawler. I am a student using these platforms. My identity is on the brink of being stolen, every single day, because of the carelessness of companies only wanting to exploit the rush of digital platforms that happened 3 years ago. I have found major security flaws on different platforms — with no way to reach out to the admins. You are forcing the hacker’s hand when you leave no info. You’re forcing them to make it public, make them exploit it, make them do anything to get your company to even acknowledge that maybe, just maybe, there’s a problem.

To digital learning platforms that have not been professionally tested by a cybersecurity expert — open a bug bounty program, open actual support systems to directly contact the security team, really anything to let the hackers know there is a way to get their security concerns heard by the team without exploitation and making their findings public.

If you spend just a few minutes looking at past cybersecurity leaks, you will quickly realize that the most dangerous type of hacker is the frustrated hacker with nowhere else to turn. Don’t put the identity of your whole workforce and userbase at stake because of your carelessness. Start pentesting. Invest more money in cybersecurity.

First steps for edutech companies

  • Recognize that cybersecurity is directly tied to brand image.
  • Acknowledge that it’s not just schools using your software — hackers are everywhere, even students in a school are capable.
  • Establish a clear point of access for hackers to reach out and voice their concerns.
  • Do not assume that a report is blackmail.
  • Take every report seriously. Even the nitpicks. One man’s nitpick is another man’s exploit.
  • Set up a bug bounty if your company can afford it — encourage hackers to do the right thing.
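
One concrete form of the "clear point of access" above is the security.txt file mentioned earlier, defined by RFC 9116 and served at /.well-known/security.txt. The checker below is an added example, not part of the original article; it assumes an unsigned file, and the example.edu addresses and sample files are constructed.

```python
from datetime import datetime, timedelta, timezone


def check_security_txt(text, now=None):
    """Return a list of problems in an unsigned security.txt body ([] = OK)."""
    now = now or datetime.now(timezone.utc)
    problems, fields = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {n}: not a 'Field: value' pair")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    # Contact is mandatory and may repeat; each value must be a URI.
    if "contact" not in fields:
        problems.append("missing required Contact field")
    for c in fields.get("contact", []):
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact '{c}' is not a mailto:, https:// or tel: URI")

    # Expires is mandatory, appears once, and must still be in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("no UTC offset")
            if exp <= now:
                problems.append(f"file expired on {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
        except ValueError:
            problems.append(f"Expires '{expires[0]}' is not an RFC 3339 timestamp")
    return problems


# Constructed samples; example.edu is a placeholder domain.
NOW = datetime(2023, 8, 24, tzinfo=timezone.utc)
GOOD = ("Contact: mailto:security@example.edu\n"
        "Contact: https://example.edu/report\n"
        "Expires: 2024-06-30T00:00:00Z\n")
BAD = "Contact: security@example.edu\nExpires: 2022-01-01T00:00:00Z\n"
print(check_security_txt(GOOD, NOW), check_security_txt(BAD, NOW))
```

A bare e-mail address without mailto: and a lapsed Expires date are the two failures shown in the second sample; a file with either gives a reporter no reason to trust the contact is still monitored.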

First steps for educational institutions

  • Recognize that software can be flawed.
  • Avoid digital platforms whenever possible.
  • Listen to concerns voiced by students. It takes a courageous student to put in a request for the safety of their school.
  • Audit the software you intend on using — does this platform meet security standards?
  • Vet the company that you’re going to entrust with your students’ and workforce’s data — does this platform want what’s best for the end user?
  • Set up a point of access for students to be able to voice their concerns without worrying that they’ll be kicked out and slammed with legal mumbo jumbo.

What can we, the end users, do?

  • Raise awareness on the low security standards of the edutech sector.
  • Check the reviews on the software your school uses — the biggest red flag is a frustrated hacker in the reviews or in the company Facebook posts.
  • If you know how to hack, read up about ethical hacking and make sure you’re on the right side of the law — then get to work and study the platforms used in your educational institution. Stand up for your classmates’ safety without breaking laws.
  • If you find any flaws, voice your concerns to the heads of the educational institution. If they know what’s best for their students, they’ll hold off on using these systems until the problems get addressed.
  • Do not jump to leaking! Try to talk it out! You may get ignored the first few times. If it is clear the institution understands the severity of the issue, and they still do nothing, they are knowingly endangering the students and the workforce — you can then escalate your concerns to the higher-ups, or even regional authorities. (Do keep trying to talk it out with the institution though, they’ll eventually understand.)
  • Get your school to spread the word to other schools. Cybersecurity problems are real problems, and they affect more than just the people working there.
  • Understand that the most effective way to get a careless company to start caring is the potential to lose a paying customer.

I’m not pretending I haven’t made mistakes. I’ve made mistakes in cybersecurity out of frustration. Leaking is not the way to be heard — by leaking, you become the problem. I wrote this article in the hopes that one day, this cybersecurity frustration does not take over anybody else. Your concerns can be heard. You’ll get there. Don’t rush the process if you know what’s best for you, your classmates and your educational institution.

Image of a Laptop with a padlock, beside school textbooks, generated with Clipdrop

Edit — after the release of the Makersuite post, it’s important to clarify what I’m saying. If you know a bug that puts students, staff, even general users at risk, never leak it. Put all your energy towards reporting it properly, and if they repeatedly disregard it in any way, escalate to a higher authority. If you truly care about getting it fixed, don’t get impatient, otherwise you’ll watch yourself become the problem you were trying to solve.
