Are Your Files Public? The Edlio Example

By Tony DePrato | Follow Me on LinkedIn

I have written before about cloud security and file security. While doing a simple pentesting job for a school recently, I came across a service they were using called Edlio.

I cannot say whether Edlio has a security issue, whether what I found simply reflects clients not following procedures, or whether all these schools marked their documents as public.

However, I can say it is generally bad practice for:

  1. Personal information to be public and openly searchable
  2. Budget information to be public and openly searchable (aside from summaries and annual reports)
  3. Non-final versions of documents (drafts, superseded revisions) to be public and openly searchable
  4. Calendars and other details of large group events to be published without access controls

Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:

[Screenshots: compound search results]

I then noticed that the documents seem to be organized by date and mixed together: different schools appear to store their documents in a shared “common” directory, with each school's files organized beneath it.

[Screenshots: shared directory listing]

Using a search based on the date, I was able to further sort documents from different schools:

[Screenshots: date-based search results]
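The sorting the post does by eye (which school a file belongs to, which month it was posted, which filenames look like drafts, budgets, rosters or credentials) can be scripted once you have a list of result URLs. The following is an added example, not code from the post or from Edlio: it assumes a hypothetical path layout of /common/<year>/<month>/<school>/<file> under an invented host, and the sample URLs are constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample input: these URLs are invented for this example and do
# not refer to any real host, school or document.
SAMPLE_URLS = [
    "https://files.example-cms.net/common/2019/05/northside/Board_Budget_FY20_DRAFT_v3.pdf",
    "https://files.example-cms.net/common/2019/05/northside/Spring_Concert_Program.pdf",
    "https://files.example-cms.net/common/2019/06/lakeview/Staff_Roster_Contacts.xlsx",
    "https://files.example-cms.net/common/2019/06/lakeview/Annual_Report_2018.pdf",
    "https://files.example-cms.net/common/2019/08/northside/Vendor_PO_Authorization_Codes.docx",
    "https://files.example-cms.net/common/2019/08/lakeview/Wifi_Passwords_Guest.pdf",
    "https://www.northside.example/calendar/2019-2020_Field_Trips.ics",
]

# Assumed path layout for the shared directory: /common/<year>/<month>/<school>/<file>.
# The post does not document Edlio's real layout; adapt this pattern to what your
# own search results show.
DATED_PATH = re.compile(r"^/common/(?P<year>\d{4})/(?P<month>\d{2})/(?P<school>[^/]+)/(?P<name>[^/]+)$")

# Filename tokens that suggest a document should not be public (a starting point, not exhaustive).
KEYWORDS = {
    "financial": {"budget", "salary", "payroll", "invoice", "po", "purchase", "authorization", "bank"},
    "personal info": {"roster", "contact", "contacts", "directory", "parents", "donors", "medical", "iep"},
    "credentials": {"password", "passwords", "passwd", "credentials", "login", "wifi"},
}
VERSION_TOKEN = re.compile(r"^(?:draft|v\d+|copy|old|superseded)$")
EVENT_EXTENSIONS = {"ics"}


@dataclass
class DocRecord:
    url: str
    school: str
    year: Optional[str]
    month: Optional[str]
    filename: str
    ext: str
    flags: List[str] = field(default_factory=list)

    @property
    def period(self) -> str:
        return f"{self.year}-{self.month}" if self.year and self.month else "undated"


def classify(stem: str, ext: str) -> List[str]:
    """Flag a filename (without extension) by the kinds of content the post warns about."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", stem.lower()) if t]
    flags = [label for label, words in KEYWORDS.items() if any(t in words for t in tokens)]
    if any(VERSION_TOKEN.match(t) for t in tokens):
        flags.append("non-final version")
    if ext in EVENT_EXTENSIONS:
        flags.append("event data")
    return flags


def parse_document_url(url: str) -> DocRecord:
    """Attribute a URL to a school and a month; fall back to the host when the path is not dated."""
    parts = urlparse(url)
    path = unquote(parts.path)
    m = DATED_PATH.match(path)
    if m:
        school, year, month, name = m["school"], m["year"], m["month"], m["name"]
    else:
        school, year, month, name = parts.hostname or "unknown", None, None, path.rsplit("/", 1)[-1]
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    rec = DocRecord(url, school, year, month, name, ext.lower())
    rec.flags = classify(stem, rec.ext)
    return rec


def triage(urls: List[str]) -> Dict[str, List[DocRecord]]:
    """Group records by school, each list ordered by month then filename."""
    by_school: Dict[str, List[DocRecord]] = defaultdict(list)
    for url in urls:
        rec = parse_document_url(url)
        by_school[rec.school].append(rec)
    for recs in by_school.values():
        recs.sort(key=lambda r: (r.period, r.filename))
    return dict(by_school)


def flagged(urls: List[str]) -> List[DocRecord]:
    return [r for r in map(parse_document_url, urls) if r.flags]


def report(urls: List[str]) -> str:
    lines = []
    for school, recs in sorted(triage(urls).items()):
        lines.append(f"{school}: {len(recs)} document(s)")
        for r in recs:
            lines.append(f"  {r.period}  {r.filename}  [{', '.join(r.flags) or 'ok'}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_URLS))
```

Running it prints an inventory per school with a month and a flag per file. The flags are only a triage aid: a filename says nothing certain about the contents, so unflagged files still need a look, and a file outside the dated tree (the .ics calendar here) is attributed to its host rather than dropped.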

Again, there is no evidence that this is an issue with the Edlio service itself. These documents could be available because schools simply did not manage their permission options, or because the schools believed these documents needed to be public.

The takeaway is that school senior leadership should know that this information is public and how it can be searched, and should carry out at least a minor threat assessment to determine whether these documents (and the posting policies behind them) create more risk than reward.

If you want more information on how to do this type of testing and analysis, please email me: tony.deprato@gmail.com

Scan Your School for Unsecured Public Documents

By: Tony DePrato | Follow me on LinkedIn

How many documents do you have open to the public? When was the last time you checked to see what anyone with internet access could download from your school website, your PowerSchool or SIS public folder, or even your various cloud services?

Before you think I am wasting your time, here is a quick glimpse of a simple public search for budgets people have not secured:

[Animation: Budget_Search, a Google search for unsecured budget documents]

If the above animation is not clear, don’t worry. I will show you how to do it.

inurl: and filetype:

Google has some useful advanced search operators. To scan your public files, the two I recommend are “inurl:” and “filetype:”.

For example, pasting the string inurl:saschina.org filetype:pdf into Google returns all publicly indexed PDF files whose URL contains saschina.org. Note that inurl: matches the text anywhere in the URL (path and query string included); if you want only pages actually hosted under the domain, use the stricter site: operator instead, as in site:saschina.org filetype:pdf.

Keeping the URL fragment short often yields more results. For example, inurl:saschina would also match URLs on other domains that contain that string; adding .org limits the search to URLs containing saschina.org.
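To turn those two operators into a repeatable audit, the query strings can be generated for every domain, file type and keyword group you care about, rather than typed one at a time. This is an added example and not code from the post; the domain school.example and the keyword lists are placeholders to replace with your own. It also contrasts inurl: with site:, the stricter operator for when you want only pages actually hosted on the domain.

```python
from typing import Iterable, List

# Constructed inputs: school.example is a placeholder, not a real school domain.
DOMAINS = ["school.example"]
FILETYPES = ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "csv"]
KEYWORD_GROUPS = {
    "financial": ["budget", "salary", "invoice", "payroll"],
    "personal": ["roster", "directory", "parent contact", "medical"],
    "credentials": ["password", "login", "credentials"],
}
MAX_TERMS = 32  # Google ignores search terms beyond roughly this many words


def quote(term: str) -> str:
    """Quote multi-word phrases so Google matches them as a unit."""
    return f'"{term}"' if " " in term else term


def or_group(terms: Iterable[str]) -> str:
    """Join alternatives with OR; a single term needs no parentheses."""
    terms = list(terms)
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def scope(domain: str, strict: bool) -> str:
    """site: restricts results to pages hosted under the domain; inurl: matches the
    string anywhere in the URL (path or query string too), so it casts a wider net."""
    return f"site:{domain}" if strict else f"inurl:{domain}"


def build_queries(domains, filetypes, keyword_groups, strict=False, types_per_query=4) -> List[str]:
    """One inventory query per batch of file types, plus one per keyword group on top of it."""
    queries = []
    for domain in domains:
        for i in range(0, len(filetypes), types_per_query):
            ft = or_group(f"filetype:{t}" for t in filetypes[i:i + types_per_query])
            base = f"{scope(domain, strict)} {ft}"
            queries.append(base)
            for words in keyword_groups.values():
                queries.append(f"{base} {or_group(quote(w) for w in words)}")
    return queries


def term_count(query: str) -> int:
    """Rough word count as Google sees it (each word of a quoted phrase counts)."""
    return len(query.replace('"', "").split())


def within_budget(queries: List[str]) -> bool:
    return all(term_count(q) <= MAX_TERMS for q in queries)


if __name__ == "__main__":
    for q in build_queries(DOMAINS, FILETYPES, KEYWORD_GROUPS):
        print(q)
```

Batching file types four at a time keeps each query well inside Google's term limit while still letting one search cover several formats; run the plain inventory queries first to see everything that is indexed, then the keyword variants to surface the files most worth reviewing.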

When to Worry about Public Documents

First off, many documents are supposed to be public. Seeing documents in this type of search is normal and expected. What is not usually expected are documents that contain:

  • Names associated with contact information
  • Medical information
  • Names of parents, donors, etc.
  • Special codes used to tell vendors/suppliers who has organizational authority to place orders
  • Bank information
  • Payment information
  • Usernames and passwords
  • and similar data

Documents with information similar to the above should be secured, unless required to be public for legal reasons.

I would suggest putting a document ID number in the footer that indicates the document has been approved to be public. This simple practice would allow everyone in the organization to spot and report documents that should not be public.
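Combining the two ideas above (the kinds of content that should not be public, and a footer ID that says a document was approved for public posting) gives a simple screening pass over the extracted text of documents your search turned up. This added example is not from the post: the PUB-<year>-<seq> footer format is one possible convention rather than the author's, the documents and the names in them are invented for the illustration, and the regular expressions are deliberately simple starting points.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed documents (plain text as a PDF or Word extractor would give you).
# Names, addresses, codes and IDs are invented for this example.
DOC_ANNUAL = """Northside School District
Annual Report 2018-19
Enrollment grew 4%; total expenditure was $12.4M (see the summary table).
Document ID: PUB-2019-0042
"""
DOC_ROSTER = """Lakeview Staff Directory (internal use)
Jane Doe, Business Office, jdoe@lakeview.example, 555-010-0123
John Roe, Health Office, jroe@lakeview.example, 555-010-0456
Note: J. Roe keeps the allergy list for Grade 3.
"""
DOC_VENDOR = """Vendor Ordering Memo
Purchase authorization code for FY20 orders: NS-7741
Supplier portal password: Welcome2019!
Document ID: PUB-2019-0107
"""

# Assumed footer convention: an ID of the form PUB-<year>-<seq> marks a document
# reviewed and approved for public posting. The post proposes the idea, not this format.
PUBLIC_MARKER = re.compile(r"\bPUB-\d{4}-\d{4}\b")

# Patterns for the categories the post lists. Deliberately simple; tune them to your data.
PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "medical": re.compile(r"\b(?:allerg(?:y|ies)|diagnosis|medication|IEP|504 plan)\b", re.I),
    "bank": re.compile(r"\b(?:IBAN|routing number|account number)\b[:#\s]*[A-Z0-9]{6,}", re.I),
    "authorization code": re.compile(r"\b(?:purchase|vendor|PO)\s+authori[sz]ation\s+code\b", re.I),
    # The secret is captured only so it can be redacted from the report.
    "credentials": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(?P<secret>\S+)", re.I),
}


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return matched snippets per category, with credential values redacted."""
    findings: Dict[str, List[str]] = {}
    for label, pattern in PATTERNS.items():
        snippets = []
        for m in pattern.finditer(text):
            snippet = m.group(0)
            secret = m.groupdict().get("secret")
            if secret:
                snippet = snippet.replace(secret, "<redacted>")
            snippets.append(snippet)
        if snippets:
            findings[label] = snippets
    return findings


def public_marker(text: str) -> Optional[str]:
    m = PUBLIC_MARKER.search(text)
    return m.group(0) if m else None


@dataclass
class Assessment:
    marker: Optional[str]
    findings: Dict[str, List[str]]
    verdict: str  # "ok" or "review"
    reason: str


def assess(text: str) -> Assessment:
    """A public file passes only if it carries the marker and nothing sensitive was found."""
    marker = public_marker(text)
    findings = find_sensitive(text)
    if marker is None:
        return Assessment(marker, findings, "review", "no public-document ID in footer")
    if findings:
        return Assessment(marker, findings, "review", "marked public but contains: " + ", ".join(findings))
    return Assessment(marker, findings, "ok", "marked public, no sensitive patterns found")


if __name__ == "__main__":
    for name, doc in [("annual report", DOC_ANNUAL), ("staff roster", DOC_ROSTER), ("vendor memo", DOC_VENDOR)]:
        a = assess(doc)
        print(f"{name}: {a.verdict} ({a.reason}) {a.findings}")
```

The report redacts credential values on purpose: a scan that copies passwords into a spreadsheet of findings creates a second exposure. An unmarked document is sent for review even when nothing matches, because the patterns only cover what you thought to look for; the footer ID is what tells you somebody actually decided the file should be public.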

The link below will take you to a page that will help you begin checking your online resources.

Want to Jump In and Start Scanning? Get Started Here

If you want more information on data security, privacy, and data auditing for your school, please contact me using the form below.

Don’t copy and paste that image yet!

Most teachers I know (this includes me) often break the law. No, we aren't knocking over banks, stealing cars or committing identity theft; we are strictly small-time crooks. What we do is steal images that have been copyrighted. Yep, we are a truly nefarious bunch, but it is nonetheless the law we are breaking, and we are supposed to be good models for our students.

The problem is most teachers have no idea what they’re doing is wrong. They search for images on Google, find one, copy and paste it into their document and have no idea if they are allowed to use it or not. Just because it’s there doesn’t mean it’s there for you.

So how do you know? You want that cute kitten in your newsletter, homework assignment, rubric or class blog, but now you're worried the FBI will swoop down and lock you away for 25 years.

Fear not, my fellow educators. I saw a flow chart the other day on Lifehacker that will help you answer your questions.

The flow chart was created by Curtis Newbold at The Visual Communication Guy. It pretty much covers it all, but if for some reason you are still unsure, then the safe bet is to not use the image and make your own from scratch.

For the actual link to the original post on the Visual Communication Guy click here.

Copyright and Fair use – Part 2 – Where to find media

Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net

Howdy once again, friendly Internet visitor. Last time I talked about what copyright is and what fair use is, and provided a handy-dandy chart to help you determine whether you've violated copyright or not. This time we will talk about where to find royalty-free images, sounds and videos that you and your students can freely use without the guilt of breaking the law.
