According to the Student Examination Board, contacts from young “white hat hackers” are one important route for finding security vulnerabilities that stay hidden in other tests.

The security holes that high school student “white hat hackers” found in the Abitti system, which is used in the matriculation examination, have sparked a debate among security professionals and enthusiasts about the security practices of the Student Examination Board (YTL).

Two security vulnerabilities in the Abitti system were fixed in the spring.

YTL said in its blog that the more serious of the holes allowed an attacker to break into the server used in the high school exam room and access, for example, the candidates’ personal information and exam results.

In addition, a second, lesser vulnerability was found in the system. It allowed a candidate to gain administrator privileges on their own computer and access, for example, data stored on the machine’s hard drive, or the Internet, during the exam.

The milder vulnerability in particular has sparked debate on social media, because it has been found to be similar to a vulnerability already reported in 2013.

That security hole was found in the Hackabi hacking competition held in 2013, and it made it possible, among other things, to use data stored on the machine’s hard drive during the exam. The competition looked at a demo version of Abitti, as the matriculation exams were not yet held electronically at the time.

Matti Lattu, a software development specialist at YTL, confirms that this is indeed the same security vulnerability as in 2013.

However, the hole remained closed until the end of 2020, i.e. it could not be exploited in exam situations. Last fall the situation changed when the system was upgraded.

“That’s when we got an error because the configuration files that were blocking the hole fell out of the candidate’s machine. After all, no bug was found in the security tests of the new system version. The feature originally found in the new version in 2013 burst open again without being noticed,” says Lattu.

He said the hole could have been exploited in the spring 2021 matriculation exams. It was closed in April, when information about it was received from a white hat hacker.

“After all, we also monitor the operation of the machines during the matriculation exams, so if in the spring test a candidate had taken advantage of the gap and, for example, managed to use the data on his own hard drive, we would probably have noticed it.”

In general, according to Lattu, when discussing Abitti’s security it should be remembered that in a system like Abitti, the most important thing is not always to prevent cheating.

“The most important thing is that the monitoring system detects if any candidate is trying to use a computer to cheat. The protection of the system does not therefore have to be completely seamless in the first place.”

YTL strives to improve its information security, for example through automatic testing of its systems. In addition, a security partner tests the system at each major version change.

“We do not report these findings publicly, and therefore it may seem that we live only on the basis of public tips,” Lattu explains.

Tips from volunteer white hat hackers are also important. For example, the vulnerabilities found this spring had not been identified in YTL’s own security tests or in the security tests conducted by its security partners.

The know-how of young white hat hackers could be utilized even more in Finland, says Iiro Uusitalo, a leading security consultant at the security company Fraktal.

Uusitalo has helped many young white hat hackers report security holes to organizations. In the case of YTL, Uusitalo was not directly involved, but he has helped young people who have found vulnerabilities in Abitti in other cases.

The young people told experts about their finding on the discussion channel of the Generation Z Hack white hat challenge campaign.

This is a campaign aimed at young people, whose participants include, among others, the Digital and Population Information Agency, the Central Criminal Police and Uusitalo’s employer Fraktal.

“With such campaigns, we experts can help our networks help young people find the right channels to report security vulnerabilities. Young people are not always heard alone in these situations. Sometimes it is also difficult for young people to find the right person in organizations who listens and understands what it is all about,” says Uusitalo.

YTL has also noted the abilities of young white hat hackers.

Many of the contacts YTL receives are from high school-aged young people who are interested in the system during their studies.

Lattu believes that it is also quite easy to contact a smaller organization like YTL.

“We have the advantage that new qualified young people will use the Abitti system every year. When they get excited to study the system, they can also make new discoveries about it,” Lattu says.