A number of school websites contain pages which feature links to gambling, counterfeit goods and pornographic material.
In research revealed exclusively to Infosecurity, researcher Terence Eden found a number of academy, secondary and primary school websites which had pages with rogue text and links to suspicious pages.
Eden previously discovered government websites which had been ‘abandoned’ and left to be compromised by spammers and scammers. He said this was part of an ongoing project he is working on regarding the security of government websites.
Eden said: “Finding these was as simple as a Google search. The people running these sites really ought to be closely monitoring them.”
Several schools have been hacked to hide pornographic content on their websites. The Churchfield CE Primary School website contains hidden pages directing users to extreme content, while Portal House School is a small Special School for pupils who experience Social, Emotional and Behavioural Difficulties. Hidden within its pages are reams of sexually explicit content.
Eden explained that the attackers plant links to externally hosted sites, which then receive an SEO boost when search engines crawl a “trusted” sch.uk domain.
Bishop Challoner is a Catholic Federation of Schools, and several pages on their website have been redirected to online pharmacies.
“Spam filters are reluctant to block messages which seem to link to legitimate pages” Eden said. “These hacked school sites are an unwitting pawn in the war between pill-pushers and spam software.”
School websites were also found to contain links to gambling, essay writing services and counterfeit goods. Infosecurity contacted all of the schools identified by Eden; one that responded, Bristol Metropolitan Academy, found that the page containing the counterfeit goods links had been taken down.
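As an added defender-side check (not code from the article or from Eden's project), the script below parses one page of a school site and flags outbound links that are either hidden from visitors with inline CSS or carry the spam vocabulary the article names. The host name `example.sch.uk`, the keyword list and the sample HTML are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vocabulary of the spam categories named in the article; a constructed list, not exhaustive.
SPAM_TERMS = re.compile(r"pharmacy|pills|casino|poker|betting|essay writing|replica|counterfeit", re.I)
# Inline-CSS tricks that hide text from visitors while leaving it visible to search-engine crawlers.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|font-size\s*:\s*0", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}  # elements that have no end tag

class SpamLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings = own_host, []
        self.stack = []         # per open element: True if it opened a hidden region
        self.hidden_depth = 0   # >0 while inside any hidden element
        self.current = None     # anchor being read: [href, is_hidden, text parts]
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_CSS.search(a.get("style") or ""))
        self.stack.append(hidden)
        self.hidden_depth += int(hidden)
        if tag == "a" and a.get("href"):
            self.current = [a["href"], self.hidden_depth > 0, []]
    def handle_data(self, data):
        if self.current:
            self.current[2].append(data)
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack and self.stack.pop():
            self.hidden_depth -= 1
        if tag == "a" and self.current:
            href, hidden, parts = self.current
            text = " ".join("".join(parts).split())
            host = urlparse(href).hostname or self.own_host  # relative href -> our own host
            outbound = host != self.own_host and not host.endswith("." + self.own_host)
            spammy = bool(SPAM_TERMS.search(text) or SPAM_TERMS.search(href))
            if outbound and (hidden or spammy):
                self.findings.append({"href": href, "text": text, "hidden": hidden, "spam_terms": spammy})
            self.current = None

def find_spam_links(html, own_host):
    """Return the suspicious outbound links found in one page served from own_host."""
    parser = SpamLinkFinder(own_host)
    parser.feed(html)
    return parser.findings
# Constructed sample page: a legitimate outbound link, a link hidden off-screen, and a spam-worded link.
SAMPLE_HTML = """<html><body><h1>Welcome to Example Primary School</h1><br>
<a href="/news">School news</a> <a href="https://www.gov.uk/">Department for Education</a>
<div style="position:absolute; left:-9999px"><a href="http://shop.example.net/buy">click here</a></div>
<a href="http://bets.example.org/">best casino bonuses</a></body></html>"""
```

Run over every page of a site crawl, the findings list is empty for a clean site, so any entry is worth a look by whoever maintains the site.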
Eden said: “The Department for Education is particularly inept when it comes to technology which - given that our country's future relies on technological progress - is more than a little depressing.
“The Department for Education have a database called EduBase which lists details about every school under its purview. In a wonderful display of Open Data, anyone can download the database (a 36MB CSV) to investigate.”
He explained that of 43,866 schools with 25,251 websites, only 11,249 are using the sch.uk domain, and said that it is simply not possible for any individual to monitor all those domains.
“Indeed, schools quite often don't have the requisite skills to maintain and protect their websites,” Eden said. “The majority of broken sites I've checked have been run by the private sector - who are apparently not paid enough to secure the sites.”
He stressed the need for central handling of web security, saying it should be the job of the Local Education Authority to set minimum standards for website security (and for usability and reliability).
“If individual schools are unable to meet those standards, then the LEA must intervene and directly manage the website,” he said. “If the LEA is incapable or underfunded, the DfE should be ensuring that UK schools' websites are not a total embarrassment.”
In an email to Infosecurity, Wolfgang Kandek, CTO of Qualys, said that school websites are easy targets for exploitation due to the lack of maintenance that many sites exhibit.
He said: “There are problems with vulnerable components at all levels of the website stack: in the Content Management Systems, in the web server software and at the OS level. Most schools do not have the manpower to track updates in the software that they use and so it is easy for them to fall behind.”
He agreed with Eden that one solution is to outsource the running of the website to a known, responsible provider which specialises in running the CMS platform and offers an SLA for updates.
He said: “In addition, I would still suggest monitoring the site for new vulnerabilities, which can show up at any time. It makes sense to get alerted and follow up with the provider.
“In addition, malware monitoring would make sense, especially if the content on the site is user generated - malware monitoring means that one browses the site with an outdated and vulnerable browser that can detect that the site is serving malware to its users, plus the site is checked against the main malware registries (Google Safe Browsing and others). That way, the site administrators are alerted before, or at least at the same time as, the users are seeing bad behaviour from the site that is being managed.”