3

While at school I stumbled upon a folder that holds a program that can control the schools computers, such as shutting them down, logging everybody off, controlling what files they can access.

How should I approach my School Board / School about the problem? Because I do want to report it to them.

At the start of the year everybody had to sign a contract not to "hack" or "exploit" the computers. Yet, this vulnerability is very dangerous if it gets into the hands of the wrong person.

Tobi Nary
  • 14,417
  • 8
  • 45
  • 58
jon k
  • 33
  • 3
  • It was an intrusiv or non-intrusiv scan? – Lucian Nitescu Apr 01 '16 at 13:09
  • 1
    Assuming you didn't try to use them (which is good) you have to consider the possibility that the apps/scripts/whatever only run successfully if you are an admin, and are useless to normal users. Unless inside the files are hardcoded logons, certificates, or other items that could actually be used to escalate privileges, it could be perfectly harmless. – Jeff Meden Apr 01 '16 at 13:22
  • 1
    @JeffMeden Still, it's hardly good practice to allow end users to even have access to directories like that. – WorseDoughnut Apr 01 '16 at 13:26
  • 1
    It's the matter of knowing how your school staff work together, seems to be a bit offtopic. – Rápli András Apr 01 '16 at 13:34
  • 2
    I think it's worth noting that you may want your report to be anonymous. – KnightHawk Apr 01 '16 at 13:58
  • @WorseDoughnut sure it should be protected if no normal users have any use for it, but its as much of a vulnerability as saying "hey the shutdown -m command is here, imagine what I could do with that!" – Jeff Meden Apr 01 '16 at 14:01
  • @JeffMeden Yeah I'm not saying it's a risk per say, I just mean that whoever set it up might have glossed over other more-important security settings if they just casually left that folder accessible to all users. It would be a red flag in my book if I found something like that while auditing a client. – WorseDoughnut Apr 01 '16 at 14:08

3 Answers3

5

In that order, the first hit solves it:

  1. If your school has a bug bounty program, report it there
  2. If your school has a sysadmin, report it there
  3. If your school has an IT board, report it there
  4. If your school has an IT teacher, report it there
  5. Report it to the principal.

From the wording of your question, it seems you didn't intrude the systems or otherwise circumvent security policies.

If you did though, you'd be better off suggesting that (what you did) could maybe be done and they should check for themselves or give you permission to check.

Tobi Nary
  • 14,417
  • 8
  • 45
  • 58
1

OP has probably made a decision by know, but for future readers, I'd add my opinion. Since you mentioned a "school board" I am assuming this is a high school, and I am assuming they don't have a bug bounty program either. In order of preference.

  1. If you know who, report it to the actual IT person who maintains the system, probably not your school's helpdesk. I would do it anonymously if you don't personally know them.
  2. Report it to someone who is very tech-savvy and knows you well (ex. a CS or another teacher who just really happens to get technology and will not for a minute suspect you of any wrongdoing). Ask that they keep the info anonymous.
  3. Report it anonymously to the most relevant person by email, from an email/remailer that cannot be traced to you. Try not to make the email look to suspicious though.

The thing is this: If the school district actually told student not to "hack" the computers, what you want to make sure not to do is say this to the kind of people that wrote that document. You will be a "hacker sent from Russia" in their minds, they will inevitably misunderstand you, accuse you of hacking something, get you in trouble.

Second thing is if the school board / school admins either find out for real that it is or more likely misunderstand that it would have compromised student data, they will really like for their superiors not to know. You do not want to get involved with the school politics. Again, you best bet is a quiet, anonymous report to the lowest-level person who has the most direct control over the system and will fix it quickly, quietly, and competently.

Never forget to consider how a white-hat report might hurt you before you send it.

Aidan
  • 131
  • 3
0

Usually each school has an admin for it's local server. Most likely it's one of the IT-teachers, if that subject is taught at your school. It should be pretty simple to find out who that admin is. That'd be the person in charge in this case.

WorseDoughnut
  • 759
  • 5
  • 18