Sunday, 17 January 2016

Schooly exposed in Amazon AWS

Today, the Haaretz newspaper published my study about Schooly, a platform that enables schools to run an online system supporting a variety of activities related to the schools' needs.

There was a huge exposure, which included very sensitive information about kids.
 

It all started from research that Samuel Crdillo and I were doing on Amazon AWS; later, a tool called "Bucket-Hunter" was created.





Before publishing our work, I was thinking about how I could limit the impact on Israeli users.

So I went to Google and ran some Google Dorks (search strings that bring up sensitive results).


The more I checked, the more Schooly dominated the results all over Google, while searching for Hebrew words such as ID together with s3.amazonaws.com.

The problem went much further, since it was not only a Google exposure: the main bucket itself was open to anyone.






Just before I spoke with Schooly, they removed the ability to see the bucket listing. Yet downloading the files was still possible even a few months later.
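The "listing removed, downloads still work" state above is exactly what a bucket-policy audit should flag: removing s3:ListBucket from the wildcard principal hides the key names but leaves every object fetchable if s3:GetObject is still granted to "*". The following added example (my own code, not Schooly's or Bucket-Hunter's) parses a bucket policy document and reports the two exposures separately, using constructed sample policies; it checks the bucket policy only, so object ACLs and the account-level S3 Block Public Access setting still need to be reviewed on their own.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (not Schooly's real configuration). The first one
# models the state described above: listing was removed, but an unconditional
# anonymous GetObject on every key still lets anyone download the files.
POLICY_LISTING_REMOVED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
# Corrected policy: no wildcard principal; only a named IAM role may read objects.
POLICY_PRIVATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal is the wildcard, i.e. everyone, including unauthenticated users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_actions(policy_json):
    """Actions (lower-cased) that unconditional Allow statements grant to the wildcard principal."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if "Condition" in stmt:  # conditional grants need manual review; not counted as open
            continue
        granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return granted

def exposure_report(policy_json):
    """Report key enumeration (ListBucket) and object download (GetObject) separately."""
    actions = anonymous_actions(policy_json)
    def allows(target):  # action names in policies may be wildcards such as s3:Get* or *
        return any(fnmatchcase(target, pattern) for pattern in actions)
    return {"listing": allows("s3:listbucket"), "download": allows("s3:getobject")}
```

For POLICY_LISTING_REMOVED the report is `{'listing': False, 'download': True}`, which is the silent-exposure case; a clean bucket reports both as False.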

In a situation where young kids are being exposed, the government should open a protection program.







The problem was on both sides: Schooly, as well as the schools that publish sensitive information about kids (six-year-olds is too sensitive).

The files exposed in the bucket were under Schooly's care, yet if a school itself published something, that is a different story.

It's time for the Ministry of Education to make a change, since this is a big failure affecting 100,000 kids, who face potential identity and physical consequences from the exposure.



Saturday, 12 December 2015

426 Net-Security / ICSfind: Another academic tool aiming to hunt for ICS & SCADA


ICSfind (http://icsfind.com/) is a new search engine that aims to detect exposed ICS (industrial control systems). It has arrived on the playground, but this time it comes from the academic world, in China.
Since 2009 we have had Shodan (created by John Matherly) as the ultimate tool for finding critical infrastructure.
This October a new competitor, Censys, launched its activity in the West, straight from the academic world (University of Michigan and University of Illinois at Urbana-Champaign), led by Zakir Durumeric and based on ZMap. Many people now see it as the alternative to the commercial search engine Shodan. Not anymore: a new player has arrived, and it has been there silently since this October.
Yesterday I found a new tool created at Northeastern University, China, by Professor Yu Yau and his students. The tool is called 426 Net-Security or ICSfind.
It is dedicated to ICS/SCADA. I really liked the UI and the simplicity. It's not a perfect tool, but I think this is just the beginning. By the way, there is no need for registration and no limitation on use.
I'm still checking it, and I would like to hear more opinions about it. The tool has only a Chinese interface, but it's really easy to use.
In my opinion, having two new tools in one month is the best gift to get for the new year.
As for the change in the academic world: after years of it being far from the field, with academic papers that give no direct help, or are blocked from the public by payment systems, or great tools that never made it out of academia, these changes make me really happy.












