Incident: Security Vulnerabilities in Raz-Kids.com Data Storage Practices

Published Date: 2015-02-08

Postmortem Analysis
Timeline 1. The software failure incident mentioned in Article 33830 happened more than a year before the article was published on February 8, 2015. Therefore, the software failure incident likely occurred in late 2013 or early 2014.
System 1. Raz-Kids.com 2. Educational websites and apps [33830]
Responsible Organization 1. The software company behind Raz-Kids.com, Cambium Learning Group, was responsible for causing the software failure incident by not encrypting data and storing passwords in plain text, leading to potential security vulnerabilities [33830].
Impacted Organization 1. Students using the Raz-Kids.com reading assessment site [33830]
Software Causes 1. Lack of encryption and storing passwords in plain text on the Raz-Kids.com reading assessment site [33830].
Non-software Causes 1. Lack of encryption and storing passwords in plain text on the Raz-Kids.com reading assessment site [33830].
Impacts 1. The software failure incident led to potential security risks for students using the Raz-Kids.com reading assessment site, as passwords were stored in plain text, leaving room for unauthorized access to sensitive information [33830].
Preventions 1. Implementing encryption for sensitive data storage and transmission could have prevented the software failure incident by protecting passwords and other personal details from unauthorized access [33830].
Fixes 1. Implementing encryption for sensitive data storage to prevent unauthorized access [33830]. 2. Updating the software to securely store passwords, such as using hashed passwords instead of plain text [33830]. 3. Conducting regular security audits and assessments to identify and address potential vulnerabilities in the software [33830].
References 1. Tony Porterfield 2. John Campbell

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident of storing passwords in plain text and having unencrypted data was reported at Raz-Kids.com, which is operated by the Cambium Learning Group [33830]. The article mentions that the principal engineer, Tony Porterfield, found similar security weaknesses in nearly 20 other digital education products used by millions of teachers and students. This indicates that the software failure incident has happened again within the same organization or with its products and services. (b) The article [33830] also highlights that Tony Porterfield identified potential security problems in various other educational products apart from Raz-Kids.com. These products included school-districtwide social networks, classroom assessment programs, and learning apps. This suggests that similar incidents have occurred at multiple organizations or with their products and services.
Phase (Design/Operation) design (a) The article highlights a software failure incident related to the design phase. Tony Porterfield, a software engineer, discovered security weaknesses in the Raz-Kids.com reading assessment site, such as storing passwords in plain text and being unencrypted, which could potentially allow unauthorized access to sensitive student data [33830]. This failure can be attributed to contributing factors introduced during the system development and design phase of the educational website.
Boundary (Internal/External) within_system (a) The software failure incident described in the article is primarily within the system. The failure was due to security weaknesses within the Raz-Kids.com website, such as storing passwords in plain text and lacking encryption, which could potentially allow unauthorized access to sensitive student data [33830]. The article highlights how the principal engineer, Tony Porterfield, discovered these vulnerabilities within the system and alerted the company behind the website about the security concerns.
Nature (Human/Non-human) human_actions (a) The software failure incident in the article is related to human_actions. The failure was due to the site Raz-Kids.com having security weaknesses such as storing passwords in plain text and being unencrypted, which could potentially allow unauthorized users to access sensitive information like students' names and voice recordings. The principal engineer, Tony Porterfield, discovered these vulnerabilities and alerted the company behind the site, but the issues remained unresolved for over a year [33830].
Dimension (Hardware/Software) software (a) The article does not mention any software failure incident related to hardware issues. (b) The software failure incident mentioned in the article is related to security weaknesses in the Raz-Kids.com reading assessment site, such as storing passwords in plain text and lacking encryption, which could potentially allow unauthorized access to sensitive student data [33830].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident described in the article is non-malicious. The failure was due to security weaknesses such as unencrypted data and storing passwords in plain text, which could potentially allow unauthorized users to access sensitive information. The principal engineer who discovered these vulnerabilities alerted the company behind the website, but the vulnerabilities remained unresolved for over a year [33830].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident described in the article highlights poor decisions made regarding data security practices. The article mentions that the reading assessment site Raz-Kids.com had security weaknesses such as being unencrypted and storing passwords in plain text, which could potentially allow unauthorized access to sensitive student information [33830]. Additionally, the principal engineer who discovered these vulnerabilities pointed out that there is a lack of consensus on what constitutes 'good security' for educational websites or apps, indicating a lack of proper decision-making in ensuring data security [33830].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident in the article can be attributed to development incompetence. The article highlights how the reading assessment site Raz-Kids.com had security weaknesses such as storing passwords in plain text and being unencrypted, which could potentially allow unauthorized access to sensitive student data. Despite being alerted to these vulnerabilities by a software engineer, the company behind the site did not address the issues even after more than a year, indicating a lack of professional competence in addressing security concerns [33830]. (b) Additionally, the article does not mention any accidental factors contributing to the software failure incident.
Duration permanent (a) The software failure incident in the article seems to be more of a permanent nature. The article mentions that Tony Porterfield discovered security weaknesses in the Raz-Kids.com site, such as storing passwords in plain text and being unencrypted, more than a year before the article was published. Despite his alerting the site to these concerns, the vulnerabilities remained unresolved at the time of reporting [33830]. This indicates a long-standing issue that has not been addressed, suggesting a permanent failure due to contributing factors introduced by all circumstances.
Behaviour omission, value, other (a) crash: The article does not mention a crash incident where the system loses state and does not perform any of its intended functions. (b) omission: The software failure incident mentioned in the article is related to omission. The article discusses security weaknesses in the Raz-Kids.com website, such as storing passwords in plain text, which could potentially allow unauthorized users to gain access to sensitive details like students' names, voice recordings, or skill levels [33830]. (c) timing: The article does not mention a timing-related failure where the system performs its intended functions correctly but too late or too early. (d) value: The software failure incident mentioned in the article is related to a value failure. The system was performing its intended functions incorrectly by storing passwords in plain text, leading to potential security risks [33830]. (e) byzantine: The article does not mention a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: The other behavior described in the article is the lack of proper data security practices in educational websites and apps, leading to potential vulnerabilities and security risks [33830].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence The consequence of the software failure incident discussed in the article [33830] primarily revolves around potential security risks due to the lack of encryption and storing passwords in plain text on the Raz-Kids.com reading assessment site. The article mentions that unauthorized users could potentially gain access to details like students' names, voice recordings, or skill levels due to these security weaknesses. The article also highlights that the principal engineer, Tony Porterfield, found similar potential security problems in other digital education products he examined, raising concerns about the security practices of educational websites and apps. The consequence discussed in the article falls under the category of "theoretical_consequence" as there were potential risks and vulnerabilities identified, but there is no specific mention of actual harm or incidents resulting from these security weaknesses.
Domain knowledge (a) The failed system was related to the education industry, specifically digital education products used by teachers and students [33830].

Sources

Back to List