Primary schools hit by porn hackers
Outmoded software leaves search engines vulnerable to ‘spam bot’ attacks
Primaries in England have been targeted by online hackers, leading to hardcore pornography being shown on education web pages with the schools’ logos on them.
It has raised fears that primary pupils may be able to gain access to explicit pornographic imagery just by looking for their school on an internet search engine because of the “spam bot” attacks.
The TES understands that up to 20 schools around the country could have been attacked, although it is thought the material is unlikely to be accessible from inside schools because of security firewalls.
Tony Kenny, head of St Dunstan’s Primary in Birmingham, one of the schools targeted, said he was “shocked”. The school’s name appears on a website displaying hardcore gay pornography.
Mr Kenny said he would launch an investigation.
“Clearly, both I and the governors are shocked that this type of site has been linked in any way to our school,” he said. “I am very glad our school firewall is working and so material like this cannot be seen. Once we knew about it, we immediately did everything in our power to find out how it happened and we are now looking at getting the site removed from the public domain.”
It is believed the problem stems from local authorities, schools, or individual users working with outdated versions of the software Moodle, a free “open source” online package used by 27 million people worldwide. It enables teachers and pupils to create interactive websites and communicate with each other.
Moodle.com, the firm that produces the software, said an earlier version of it had been attacked by “malicious spammers”, but insisted updates had been released to fix it.
Founder Martin Dougiamas said:
“All known vulnerabilities have been fixed and we’ve released lots of new versions of Moodle. But that doesn’t mean schools have upgraded to the latest versions.
“Schools often don’t have very good IT support and neglect this kind of vital maintenance, even though we try to notify them.”
Schools affected include seven or eight in Birmingham alone. Some, including Wylde Green Primary, have had their sites designed by WebAnywhere, which claims to be the UK’s biggest school website developer.
Sean Gilligan, managing director of WebAnywhere, said: “In the last five years we have provided more than 2,000 schools with a website. In that time, less than 1 per cent have been victims of malicious targeting by external hackers.”
A Birmingham council spokesman said the problem was being treated as a “matter of urgency”.
“None of the material is specifically connected with the schools, but some pornographic material has been mixed with a link to them on websites that may be being used to develop web content for the school.
“There is no indication yet who put it there (or) if it has any link to the genuine use of the site or has been put on maliciously.”
Essential steps for internet security
Becta, the schools technology agency, says schools should:
Develop an e-safety policy detailing the ways staff, pupils and all network users (including parents) can and cannot use ICT facilities.
Check infrastructure and buy internet services from accredited suppliers.
Teach e-safety to students, parents and staff.
Monitor: misuse can still occur even with these measures, so ensure you have the right strategies in place to respond to these circumstances.
Comment (15)
It is most likely that the problems noted here are what is called profile spam, which can result from Moodle administrators failing to bar e-mail based self registration. This was widely discussed for MONTHS on a site now gone, moodleus.org and was discussed in the moodle.org forums as well (see, e.g. http://moodle.org/mod/forum/discuss.php?d=111181&parent=488092). Interestingly enough, many Moodle Developers and Partners argued that this was not a security issue, and from the narrow standpoint that Moodle code has or will be changed to prohibit such a situation, they are correct; code has NOT been "fixed" to keep this from happening (though changes in default behavior were implemented.) One of the most intriguing aspects of this plague of profile spam was its presence on Moodles managed by Moodle Partners. Fact of the matter is that Becta's recommendations are totally inappropriate to the issues involved.
17:50
2 February, 2009
net_buoy
The previous commenter is absolutely correct. This vulnerability has not been fixed in Moodle and it is completely dishonest and disingenuous for Martin Dougiamas to claim that it has been fixed. It is also appalling that he would blame this on poor school IT support when some of the most disgusting porn was, and still is, found on sites hosted by, and administered by his own business partner Mr Bryan Williams of remote-learner.net. I would post links to some of the disgusting stuff remote-learner (and other Moodle Partners) are hosting, but it would not be appropriate to post on this site. If you would like to be sent those links, just comment here and post your email and I'll be happy to send you the search phrase so you can see for yourself. Is this the kind of software you want in your schools? It's not the kind I want in schools my kids attend.
21:11
2 February, 2009
moodle
Oh dear! It appears that schoolanywhere not only built the St. Dunstan Moodle site but published their responsibility for designing it.... and schoolanywhere are, yes, you guessed it, Moodle Partners. Sounds like someone at St. D's needs to ask some tough questions of schoolanywhere!
22:05
2 February, 2009
net_buoy
I'm actually quite reassured that this is down to admin error rather than a bug in the Moodle code, having been very impressed by Moodle's approach to security in the past. I am, to say the least, surprised that any school would allow open enrollment to its VLE, a direct analogue of doing away with all the doors, locks and gates to the physical site, especially when Moodle offers a whole range of authentication options, from manual account creation by admins through to authentication against Active Directory or other LDAP servers.
13:11
3 February, 2009
mberry
Many fixes have been made to Moodle in the past year that close all known vulnerabilities that could allow spammers to post their nasty wares. They are listed here: http://moodle.org/security/ See also this page which details what admins should do to keep their sites safe: http://docs.moodle.org/en/Reducing_spam_in_Moodle It's not even clear that the spammers even used any of these vulnerabilities, they may have broken in to the server via vulnerabilities in the operating system or any other software on the server. Once they were in the machine they could obviously alter or replace any file they liked. In the end security for any server comes down to keeping all software updated and enabling just the features you really need.
4:55
4 February, 2009
dougiamas
"It's not even clear that the spammers even used any of these vulnerabilities, they may have broken in to the server via vulnerabilities in the operating system or any other software on the server." ----------------------- This is blatantly misleading and dishonest. Blaming the server, your IT people, and other software is a common practice by moodle.com. Just another example of their dishonesty. Everyone who is familiar with this problem knows it is a Moodle vulnerability. You will notice the lead developer did not address the fact that his own business partners have been hosting this porn on their own Moodle installs for a very long time and evidently they, nor their customers are aware of it. In fact, once his business partners were made aware of it, they denied it was a problem and stated that protecting users from this type attack was not part of their responsibilities. I believe the editors here have received information to show exactly where the problem is...if you follow up on the information you receive, you will notice one common element in the tens of thousands of links you see...that common element is Moodle. Are you really going to subject your kids to technology developed by people who will not take responsibility for their own software flaws and who will try to shift this blame off on your school IT people, your server, and other software? It is clear moodle.com doesn't have the best interest of your kids at heart...if so, they would own up to these problems and be proactive at addressing them instead of shifting blame. Just something to think about tonight when your school kids are logging into Moodle in your schools.
13:35
4 February, 2009
moodle
Martin, Martin, Martin..... These sites were all managed by a Moodle Partner! Dance about all you like but the fact of the matter is that members of the community warned that this was an issue and your cadre largely blamed the Moodle Partners' clients and DENIED that this was a security issue because the issue did not fit into your view of what a security issue is..... I would think St. Dunstan's et al would feel more reassured if you suspended the Moodle Partner in issue pending confirmation that either the Moodle Partner was in charge of the sites or had failed to advise the clients of the issue, at which point the Partner will be publicly terminated as having disgraced themselves and the community.... but we won't hold our breath...... Moodle can be a wonderful tool, but the current conduct of Moodle HQ and the Moodle Partner appears to be indefensible......
16:50
4 February, 2009
net_buoy
I think that the point is when Head Teachers try and be cheap then this is what happens. Pay for experts to do a proper job, if you do it on the cheap then you will always get hacked!
20:03
5 February, 2009
orion
This is all very interesting but perhaps it raises a slightly larger issue? I heard of a similar incident in a school using Uniservity in which the school front page of their web site was replaced with pornographic images. I have no idea if the issue was an security issue with Uniservity or an administration error, either way it's concerning. I wonder how secure other VLEs are? What is Becta doing to ensure that VLEs and learning platforms are secure?
20:09
5 February, 2009
AdamCraig
Hang on, Orion! Are you suggesting that the Head at St. Dunstan's is cheap? And, if so, is this necessarily a bad thing? If you have information that suggests that St. Dunstan's DID NOT pay for experts, please provide same, as I have been waiting on details and have no such data. What I have been able to determine is that webanywhere et al took credit for St. Dunstan's and quite a few other sites, that webanywhere et al are identified by Moodle.com as experts and that Moodle.com as an expert should have certainly been aware of the downsides of e-mail enrollment. I am also willing to assume, subject to being proved wrong, that none of the Heads in question had the skills necessary to change e-mail enrollment if webanywhere had turned it down (let alone had the temerity to change this had they been warned of the consequences!) I have to conclude until I learn more that if there is anyone at fault it is Moodle.com for identifying webanywhere as expert. Since Moodle.com is described as a benevolent dictatorship presided over by the enlightened despot, Mr. Dougiamas, the fault would appear to lie "down under"....
22:41
5 February, 2009
net_buoy
To add to net_buoy's observations, the enlightened "experts" at moodle.com knew of this problem for well over a year, they were repeatedly warned about it and shown specific examples of porn on their own "expert" Moodle Partner sites for months. One of the largest Moodle partners of the entire bunch, US Moodle Partner MoodleRooms, was shown porn on one of their sites (the same site) on three different occasions within a two week period and still didn't get it all cleaned off the site. Moodle HQ were repeatedly asked to be proactive about correcting this problem and to be proactive about warning Moodle users of this problem--they refused to do either, stating it was not a security issue and wasn't part of their service. One Moodle business partner, Mr. Bryan Williams of remote-learner.net, went so far as to deny this problem even existed, even after he was shown gay porn on one of his own sites where he was a site administrator. They were repeatedly asked to create a security forum on Moodle.org so people could discuss these issues in the open and they continually refused. And even now, the enlightened Mr. Dougiamas still refuses to accept responsibility for the problem, insisting on blaming school IT people, server, and other software. Today Mr. Dougiamas, in an effort to cover some of his incompetence and indifference, created a security forum on moodle.org and populated it with posts dated from as far back as 2005, giving the impression that this forum has existed for a very long time. Mr. Dougiamas blames poor school IT support for this Moodle porn problem while refusing to acknowledge that the porn reported about in this very article seems to have been hosted by his own business partners, who by the way, kick back 10% of their earnings to Mr. Dougiamas. The incompetence and hypocrisy exhibited by moodle.com here is simply amazing. Are you really going to trust the safety of your kids to people with this type of integrity?
Any educator who defends this behavior is not the kind of educator I want to entrust with my children's safety. I challenge Mr. Dougiamas to post a reply in this thread (a place where he can't edit and delete posts) and deny anything I, or net_buoy, have written here.
2:25
6 February, 2009
moodle
Sure, I will reply to your rather offensive, miscast and slanderous rants just once: 1) It's a fact that all complex software has vulnerabilities - see Secunia.com. And spammers exploit vulnerabilities. The porn does not come from the software, it comes from the spammers. So it comes down to how this situation is addressed. 2) If you always run the very latest versions of Moodle with recommended settings then you *are* one step ahead of the spammers. Many developers are constantly working on fixing reported problems, which are published on http://moodle.org/security and by direct mail to all known Moodle administrators, plus there is a new security report that helps admins by analysing their configurations and recommending changes. 3) If admins don't follow these recommendations we can't force them (some of these sites were installed years ago and never updated). And yes, in the past some Moodle Partners (who do support core Moodle development via royalties) have indeed failed to update sites in a timely fashion (no one has ever denied that) and as a result even had some sites attacked by spammers. This is obviously not something ANYONE ever wants to happen, and these events lead to serious reviews and ultimately improvements in their update processes. I am committed to improving quality in our project in a culture of respect and understanding, and those are also the sort of people I prefer we associate with.
10:32
6 February, 2009
dougiamas
But Martin, you did not dispute the truth of anything you so broadly identify as offensive, miscast and slanderous rants...... And, it is a fact that virtually all of the profile spam could have been avoided by turning e-mail enrollment down, but Moodle Partners installed the software for schools without taking appropriate measures to lock the sites down, knowing that their clients did not have the wherewithal to do that themselves, or the Moodle Partners having the contractual responsibility to maintain the sites and having simply been grossly negligent. Unfortunately, the conduct of some taints the reputations of responsible Moodle Partners and other members of the community, and the litigation apparently threatened by Mr. D. above is most unfortunate, for instead of attacking the problem, he is attacking those who have been diligently trying to call attention to the issues. Remember, this is not a code issue, this is an issue of trust in certified expertise, implicitly guaranteed by Moodle.com.
20:37
6 February, 2009
net_buoy
When I first started using Moodle I used open email enrollment to get my students into the site. When I started deploying Moodle for my entire school I realized that email enrollment would open up my site to strangers (this was before the Spam attacks), so I changed the enrollment options. That simple. If people are using Moodle (or any web software) without thinking and monitoring, then they are asking for trouble. I agree the community should have been louder with its warning. Official Moodle partners should have sent an email to their clients telling them to turn off email enrollment. That was bad business if those companies did not take that precaution. That is the only real issue here. That and the fact that the internet is getting scarier even as it gets better.
While the hosting companies might have implied some sense of expertise and trust, schools should not provide a service to students without constant in house monitoring. I can't imagine a Moodle site that was actively used having spam up for more than 1 day. Then the enrollment option is changed and the problem is solved. Maybe too many folks had wayward sites just sitting uncared for.
Maybe Moodle.org and all official providers should have sent an email blast to all known sites telling them to turn off email enrollment and/or add captcha.
However, this is just a small blip in the amazing record of Moodle allowing schools to get online without paying extortion prices. 1 day of spam versus $100,000 a year. I'll take Moodle every time.
2:41
11 February, 2009
cytochromec
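The two controls the thread keeps coming back to (open e-mail self-registration as the way in, profile pages as where the spam lands) can be checked mechanically. The script below is an added example written for this page, not Moodle's own code: it audits a small settings map for the weak registration configuration beside the corrected one, then scans constructed user records for the profile-spam pattern the first commenter describes. The setting and field names (`registerauth`, `recaptchapublickey`, `auth`, `description`, `enrolments`) are assumptions modelled on Moodle's `$CFG` values and user table, and the sample records are made up.

```python
"""Added example (not Moodle's code): audit self-registration settings and
flag self-registered accounts whose public profile is being used as a link farm.
Setting/field names are assumptions modelled on Moodle; sample data is constructed."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
FLAG_THRESHOLD = 2  # an account needs at least two independent signals to be flagged

# Assumed $CFG-style keys. Weak: anyone can register by e-mail, with no CAPTCHA on the form.
WEAK_CFG = {"registerauth": "email", "recaptchapublickey": ""}
# Hardened: self-registration disabled; admin creates accounts (or uses LDAP/AD auth instead).
HARDENED_CFG = {"registerauth": "", "recaptchapublickey": ""}


def audit_settings(cfg):
    """Return a list of findings about how accounts can be created on the site."""
    findings = []
    if cfg.get("registerauth") == "email":
        findings.append("email self-registration enabled: any stranger or bot can create an account")
        if not cfg.get("recaptchapublickey"):
            findings.append("no CAPTCHA on the sign-up form: automated registration is unhindered")
    return findings


@dataclass
class User:
    username: str
    auth: str          # 'email' = self-registered, 'manual' = created by an admin
    description: str   # free-text profile field rendered on the public profile page
    enrolments: int = 0  # number of courses the account is actually enrolled in


def spam_reasons(user):
    """Independent indicators that a profile is spam rather than a real pupil or teacher."""
    reasons = []
    links = URL_RE.findall(user.description)
    if links:
        reasons.append(f"{len(links)} external link(s) in profile description")
    if user.auth == "email" and user.enrolments == 0:
        reasons.append("self-registered account enrolled in no course")
    if len(user.description) > 200:
        reasons.append("unusually long profile description")
    return reasons


def flag_profile_spam(users):
    """Map username -> reasons for every account scoring at or above FLAG_THRESHOLD."""
    flagged = {}
    for u in users:
        reasons = spam_reasons(u)
        if len(reasons) >= FLAG_THRESHOLD:
            flagged[u.username] = reasons
    return flagged


# Constructed sample records: one staff account, one real pupil, one dormant
# self-registration, and one profile used purely to host outbound links.
SAMPLE_USERS = [
    User("j.smith", "manual", "Year 4 class teacher", enrolments=3),
    User("pupil_a", "email", "I like football and science", enrolments=1),
    User("newuser", "email", "", enrolments=0),
    User("offers-99", "email",
         "Great deals at http://example.invalid/a and http://example.invalid/b", enrolments=0),
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_settings(cfg) or ["no findings"])
    for username, reasons in flag_profile_spam(SAMPLE_USERS).items():
        print(username, "->", "; ".join(reasons))
```

Run it against the weak settings and it reports both the open registration and the missing CAPTCHA; the hardened map produces no findings. The dormant self-registered account with an empty profile scores only one signal and is left for a human to review, while the link-farm profile trips two and is flagged, which is the pattern worth alerting on in the daily monitoring the commenter above argues for.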
Seems like there's far too much at stake for certain contributors to this argument! I have had responsibility for introducing two different LPs to staff and students at my school and also have admin. I can vouch for the simple truth that regardless of any small print it has to be immoral for pseudo providers attaching themselves to moodle (open source!) to give what appears to be a false sense of security to school leaders who will ultimately have to take responsibility for the protection of children. How can anyone making money out of moodle justify this? In my experience it is almost impossible for technical / business experts to understand how things work in education; even when working with education advisors as part of their team. You cannot expect schools to anticipate the implications of a settings or version upgrade issue - both technical issues in my book. Remember that moodle "experts / partners" will have been immersed in the product long before schools have to face implementation of a product / concept that many, many educationalists were not in a position to comprehend - bombarded by sales presentations and feeling under pressure to implement to a deadline. Isn't that why we have BECTA!? Isn't that why only a dozen or so providers make it through initial compliancy and only after much major development, of both product and service, to meet the standards?
0:03
16 February, 2009
Andrew Richardson