In a recent alert, the US Department of Education shared an alarming presentation made available by the Privacy Technical Assistance Center. In "Security Threats: Education Systems in the Crosshairs", security advisor Mike Tassey highlights the fact that data breaches, hacks, and privacy spills are extremely common and have affected almost every industry, from NASA, Citigroup, and Sony, to the Clarksville-Montgomery County School System.
It is easier than ever to get involved in the business of stealing information because cyber-theft has become fully commoditized. Not only is there a black market for privacy data but also an underground economy where over two million pieces of malware are built and sold each year.
The focus of this malware is to collect personally identifiable information (PII) including Social Security numbers, addresses, birth dates, and more — the same information that is so often collected, distributed, and stored by most proctoring services. This information is then used to obtain credit, purchase items, and perform other criminal activity. In his report, Tassey specifically indicated that these thieves highly value children’s identities, because they are “fresh”.
The scariest part is that, in the majority of cases, the theft is accomplished through malware that is installed onto devices by the user themselves. These installs are not the result of installing pirated media or poor internet security settings but rather the installation of plugins or extensions into their browsers that provide a backdoor that can be used at any time.
Unfortunately, most proctoring services rely on these plugins or extensions, which could contain malware at the point of install or have malware added with any update, without the permission or knowledge of the user.
If plugins/extensions must be used, the only way for a user to minimize the malware risk is to uninstall them immediately after use. In his report, Tassey cited that on average “there are 1-5 bugs for every 1,000 lines of code”. For this reason, organizations should also complete a code review covering both potential malware and coding errors that could allow a hacker to insert malware after the inspection (and repeat this review prior to any code update).
If nothing else, organizations should be instructing learners to disable or uninstall proctoring plugins/extensions after use so we don't read about another student who had their device camera enabled remotely.
Visit the US Department of Education website for more information about protecting student privacy.
Integrity Advocate has completely removed the risk of malware by never requiring that learners install a plugin/extension. Unlike other remote proctoring solutions, we collect the bare minimum of information needed to confirm the learner’s identity and compliance with exam rules. Get in touch today to learn more.