Impero Education Plus software exposes thousands of school children to hacking

Many schools feel legally or morally obliged to protect pupils from the full range of information, debate, and let's face it, pornography, available on the Internet. A substantial number of schools in the US, the UK and elsewhere use product called Education Plus from Impero Solutions Ltd for this purpose. However, a component of this software gets installed on every computer on the network, and it turns out that rather than protecting the kids using those machines, it has opened them up to hacking and spying. Last month a security researcher called Zammis Clark investigated the the free trial version of the software and with some reverse engineering and packet sniffing, discovered that clients were authenticating using "PASSWORD" as a password, and the private key and initialization vector for the encrypted communications between clients and servers could be determined from the executable code. He wrote and published a simple PHP program which would allow anyone with access to the network to find all the client machines and execute any commands. This could include commands to install spyware to spy on the children using those machines. Impero correctly pointed out that in order to run Clark's software you would have have access to the school's network, which you could not do if they had a properly configured firewall and a password on WiFi connectivity. However, that still leaves the attack open to pupils and recent ex-pupils of the school. It's probably worth pointing out that a lot of members of Lizard Squad are still of school age, and the comments in Clark's code contain a shout out to them:

Instead of being grateful to Clark for revealing these fairly unsophisticated security flaws in their system so they could be fixed, Impero took exactly the wrong approach, and are threatening to sue him for violating their terms and conditions. The letter from Impero's lawyers states, "This has caused direct loss and damage to your clients in terms of the work in terms of the work needed to circumvent this problem..." No, no, no, no, no, Impero. Any security expert will tell you that the cost of not fixing vulnerabilities is far greater than the cost of fixing them. Would you rather this hack is the news because it got published on Github, or because it was used, say, to spy on the private email of a gay teen who was then bullied by his or her schoolmates to the point of suicide? Admittedly, Clark could have been more graceful about disclosing this vulnerability. He could have shared it with Impero and given them a chance to fix it before publishing. However, he did not try to profit from or exploit this vulnerability in any way. He simply published the results of his research with some unkind but arguably deserved commentary on Impero's security measures. In a time when there are professional exploit brokers who will pay hard cash for zero day exploits this counts as white hat in my book. In fact, Impero's security model of installing software on every computer in the network is overkill. As we have seen, it increases the attack surface, and exposes pupils both to external attackers or to overzealous administrators. It's quite possible to protect kids from malicious web sites at the network level by DNS monitoring and other means, without the need to install censorship software on every machine - an approach with breaks down in any case if kids bring their own devices to school and connect them to the school network.