
Okay. Uh, like Joe mentioned, my name is Andy Lombardo. I'm the tech director for a public school in East Tennessee. Uh, and a couple of just fun keynote things or notes to make note of. Uh, notice the Italian last name and I have a uh clicker and a microphone. So, I'm just going to be like trying to talk and gesture at the same time and I'll try my best. Um, so I apologize if I accidentally throw something towards the audience because I'm a hand talker. I'm also a pacer, so I apologize. Um so basically the idea today uh wanted to talk about a little bit of our experience in K12 uh with cyber attacks
and we're going to look at some things internally and externally. So kind of cover the whole gamut but a little bit about oh man I didn't want to see my face that big. Um a little bit on my background. Um, I was a classroom English teacher for 10 years, teaching middle school English, which is the natural path to technology for most people. It's that standard pathway. Um, so did that for 10 years teaching middle school grammar. And I was always kind of that school technologist person that if something broke, they were pulling me out of class to fix it. And I realized after several years of doing that that that's actually a job that you can do uh
instead of it being something that you're pulled to do. So, I transitioned into a role where I was doing uh instructional coaching, which is kind of like where you're doing technology integrations for new platforms, you're doing PD for teachers, you're doing tech support, I was running a student-run help desk. Um, all those kinds of jobs. The more I did that kind of stuff, the more I fell in love with the infrastructure side and the technical side. Um, so went back to school, got a bunch of certs, beefed up my home lab, uh, just killed all that kind of stuff and I just love the infrastructure side. So now I'd say about 90% of my job
is infrastructure and about 10% instructional. So uh that's been my path about the past eight years uh being in that role. Another note on this is I'm not an expert. So I say that for a couple of reasons. First because there are a lot of experts in the audience and so I want to defer and say if I say something during this presentation and you're like oh man you could do this so much better than that. Please find me. Hit me up. Uh this is a low ego presentation uh because at the root I'm showing you things from the past eight years some of which are a result of things that I didn't configure correctly or that we
didn't think about or we didn't consider. So low ego please give me feedback. Um I included socials and stuff on all this. Um you know reach out uh reach out to your local schools. So schools are very resource constrained when it comes to cyber security. Uh, most schools, I've not checked in a few months, but the last time I checked, the only two school districts in the state of Tennessee that have a dedicated person on staff who does something with cyber security in their title were Memphis and Nashville. Uh, it's possible Knoxville does, but at the time that I checked last, just those two school systems. So, very resource constrained. Uh along those lines,
73% of educational technology leadership staff who are responsible for student data privacy or student data security do not have that role listed in their job description. So if that tells you kind of how big that gap is, you know, uh you can only improve what you measure. Most school systems don't even include that as a measurement in their job descriptions for technology roles. Um and that's from a national survey. uh 17% of edtech leadership staff have never received any privacy training. Of the ones who have, 25% had to pay for that training out of their own pocket. So that kind of sets the stage for where security is prioritized when it comes to K12. And unfortunately, one of the
attitudes that kind of feeds into that. Uh I've talked to superintendents before who've kind of, especially after the uh Colonial Pipeline ransomware attack a few years ago. Uh I heard from several superintendents who said basically well if a multi-billion dollar company can fall victim to something like this then why should we even try? And so that's kind of the attitude we're trying to combat. Um so another part of this is that that leads to people in these technology leadership roles uh gathering up security as other duties as assigned. So depending on the day I may be doing something that's more of a security analyst role. So like I usually start the day um investigating SIEM alerts. Later
in the day I might be writing policy. I may be sitting in on a disciplinary meeting. I may be uh doing life cycle renewal. Um you know there I'm literally maybe on a ladder pulling structured cabling. So any given day that's what the life of an educational technologist looks like. Okay, a little bit about my environment uh before we get going with the specific attacks. Uh where I'm at, we have about 6,500 end users. That's about 5,500 students and about a thousand teachers and staff. Uh 8,000 devices on-prem, um 60 on-prem servers uh all virtualized so really just one big server but you know what I mean uh we have more than 50 SaaS
providers with data and I put an asterisk because that's one that we don't know because teachers are very creative when trying to find tools to meet their students' needs and so we have a plethora of shadow IT going on where a teacher may have just found a site that looks like it could teach a standard and then automatically they take it and integrate it into what they're doing. And so we're also trying to control that flow and where we're sending data and what those vendors are doing with the data. So that's another one of our challenges. Uh but we have at least 50 that we authorize sending data to and then countless others. Uh we
field about 9,000 support tickets a year, support about a million square feet of Wi-Fi, have about 40,000 malicious Microsoft 365 login attempts a day every day. Um, that's one that very consistently that is always going on. We're going to talk about that uh later in the presentation. And then we manage all of this uh with a staff of seven full-time people. Uh, which is awesome compared to our full-time staff of two people when I moved into this role eight years ago. So, um, I just want that to kind of paint a picture for you of what things are like in schools. And my school is one of the better funded school districts uh, in the area. So,
it's a problem with everybody. Um, but the more need there is in a school, uh, the less resources they have. Uh, just a couple of national kind of, uh, more statistics to back this up. If we look at Microsoft, I don't know if they still release this, but they used to do like a monthly report about what industries had the most types of attacks, and education was always at the top of malware incidents, and it was always a margin like this. So education is that key target sector that people are going after. Uh on the upper right that's a cyber incident map. There's a group called the K12 SIX, the K12 Security Information eXchange, and they
basically they one of the things they do aside from information sharing is they track reported cyber incidents in schools. And so that's just a snapshot map of last year's activity um from K12 SIX. Um this one these are just ransomware specific incidents. Uh so again just showing that K12 school districts are the leading industry in ransomware attacks in 2023. Uh followed by um governments, colleges and hospitals. Um and so why why are schools a target? Um we have a lot of data, tons and tons of data that can be monetized. There aren't a lot of regulations for how data is kept and shared. Uh the main uh legislation that governs what we
do with data uh came out during uh the Watergate era. So it's been a minute. Um, we have few people on staff to protect the data as we talked about and we can also serve as a pivot point for attackers because schools generally have robust infrastructure and robust bandwidth. And so we see a lot of phishing attacks in particular that are launched from other schools that have been compromised. And so we're constantly having to flag and worry about being phished by people that have been compromised in other districts. So, um, a couple other things that make us an attractive target, uh, talked about the lack of funding, uh, irregular monitoring. Most school
districts, so I mentioned that I start my day with SIEM alerts. Uh, most school districts don't have any kind of log aggregation or alerting or EDR or MDR or any of those kinds of things. So, we used to be lucky to have Microsoft Defender running. That was kind of the baseline we started with. So, um, irregular monitoring, minimal network segmentation. A lot of school districts still have flat networks using pre-shared keys. Um, that's probably the majority of districts. I don't have a good statistic on it, but most network administrators I talked to, especially in smaller districts, are running a flat network. Um, we have attractive stores of data. I'm going to stop stepping on this one.
Um, and then poor device hygiene. And we'll talk about poor device hygiene as we get to some specifics. So, um, I've always been a kind of an academic guy and I've always been like, I really want to like come up with a framework someday that someone's like, "Oh, the Lombardo framework or whatever." And so, this is the best I've come up with so far. And that's the student hacker triad. So, we've been a one-to-one school district for about 10 to 11 years now, meaning that every student in our district has an electronic device they're issued. Uh, in grades 4 through 12, they get to take those home. In K-3, they stay at school
on those fourth through 12th grade devices. Uh students are constantly trying to get to porn, games, and YouTube. Uh that's the triad. And if you want to be stereotypical, what gender do you think this is? Usually, I taught seventh grade for 10 years. It's usually seventh grade boys. But one of the things, weird side note, that we've noticed over the past few years uh especially post-COVID is there's a fourth kind of factor fitting in and those are AI chat bots but not like ChatGPT chat bots, like the your AI simulated girlfriend boyfriend chat bots. Uh that's become the new biggest category and that's been most common with middle school and high
school girls. Um and so that's something that we've started seeing that we're having to lock down against more and more. Um, these areas really concern us because if you're wanting to go out and find malware, the sites that have these unblocked for schools are the places where you're going to find the malware. And so we really have to worry about student device hygiene and student device security and the fact that we've got basically 3,500 kids at any given point actively trying to circumvent the defenses that we put in place. So, um, that's our student hacker triad. That's kind of what we're going to look at the lens of the next like 10 or so slides
for. Um the things that they're trying to beat that we've got in place primarily are content filter uh which is something that that is one of the things that's legislated. We have to provide filtered network connectivity for students if we allow them to access the internet. So everything has to be filtered. They're trying to get past classroom management software. So that would be software where like a teacher can pull up a website and they can see a thumbnail of all of the students screens uh on their screen and then it'll also record uh their activity. So at the end of a lesson a teacher can go to their uh console and say okay during class this
kid went to this site, this site, this site, this site. Um and then they're trying to get past our AppLocker uh deployment which is where we've basically said okay you can only install these apps uh on your Windows device. And so, uh, that's kind of what they're trying to get past to access pornography, games, and YouTube. Um, and we're unique. Not all schools block YouTube, and not all of the schools in our district block YouTube. So, that makes it really difficult to shut it down because we have to allow for certain schools. We have to allow for staff, but not other schools. And so, it gets complicated as we're trying to, uh, chart those things out.
Um, we'll start with some of the easy ones. Uh we see this one relatively frequently. Um and this is where kids are the best script kiddies. And so there are tons of GitHub projects where basically you can have a site where you can spin up something generic like a travel blog like Pilgrim Pete. And so I kept getting reports from teachers from that uh monitoring software saying, "Hey, my kids are off task going to Pilgrim Pete." I'm like, "What the crap is Pilgrim Pete?" And so go to Pilgrim Pete. I'm like, "Okay, cool. It's a travel blog. They want to learn about Patagonia. Way to go, kids." And uh start clicking around and it's really a blank
website. But if you go to the blank page tab, uh oh, if you go to the blank page tab, it takes you to a subdirectory where there are games that aren't blocked. And the games aren't blocked because this is a domain that someone spun up bespoke pretty much for this project. And so the kids went to GitHub, downloaded this package, got a domain name, put it up, now they've got unblocked games on a site that previously wasn't on our content filter's radar. The way we found out about it, aside from the teachers reporting it, is we have Microsoft Defender. A lot of times the links that kids make for these sites are the cheap free kind of domains that usually
trigger an alert saying, "Hey, someone was sending potentially malicious links through your email." And then we'll go, we'll see the link. We'll see who all was doing it and we can kind of track down and see which students were doing it, what domains are involved, what we need to block, um who we need to talk to about discipline, reminding them not to try to get to porn and games and everything else. Um and so we we kind of because we have that visibility, we can kind of nip those new things in the bud as they spin up. Um, but this would be like a sample email that they would send back and forth whenever they spin up a new one
like, "Hey," usually it's them finding it that another person has done in another district. Um, occasionally we'll have one who will do their own. Uh, but as soon as they find one, it's like wildfire. Like they'll just send the links around until they've all got access and then we block it. Um, and then another fun side effect is that when you've got those kids you've picked out, you kind of just start watching them. And a lot of times I'll check their internet activity reports and I'll block it before they've sent the link. So that's just it's ultimate whack-a-mole and not very effective, but really fun and satisfying. So, uh, one that really gave us headaches
this year, and again, this isn't like, you know, we've got an APT attacking our devices. It's kids finding weird sites where they can do stuff and usually those sites have malware attached to them in some way. And one we found recently is where they are downloading HTML files that have games embedded in them. And so we can't just block that in the content filter because it's a locally saved file. And so we had to leverage our mobile device management to say you can't open anything that's not um a website in our uh web browser. And so that cuts out things like being able to open PDFs. And so now we can't open PDFs in our web browser
because we had to block it so students wouldn't download HTML games and run them like this. Um, and it's a really kind of organized affair. So like whenever they'll spin one of those up, you can see where it's kind of ground zero going to all these different student email boxes. And we can watch it spread from school to school. So you can see like you know a kid at school A is the one that originally sends it out and then they have a sibling at school B and then you watch it spread there. It's like some kind of like epidemiology like virus tracking kind of thing. Uh again kind of satisfying especially once you watch it blocked and see the kids go ah
um but very organized. So, this last one with the HTML files, uh, basically there's a Google doc that was circulating online for free and it was just a compiled document of literally 38 pages of links to HTML games. And we initially started and we were like, okay, how are we going to combat this? We initially blocked the document. We initially blocked the domain that a lot of the games were on, but with 38 pages that was thousands of things uh that we had to explicitly uh deny-list. And notice this is fun too that they put this is a completely free document. If you paid money for this, demand a refund
to the person selling it to you. Um because we have seen kids do subscription-based access to these kinds of tools. Um, yes, both at a very sophisticated level like taking Stripe payments, but also we've seen some like school specific ones where it'll be like amongst their friends where they'll email all their friends and say, "Hey, I found this new site. Give me $5 at lunch and I'll give you the link." So, uh, I mean, I used to sell like gumballs at lunch. And I thought I was hot stuff, but they got it going on. Um, another uh recent one that's kind of fun, um, GitHub is where most of the stuff is coming from. Um, but
there's a tool called High Packle, uh, that does a lot of things, but one is it will do tab cloaking. And what that means is generally the way a teacher when they're doing that management software the way they see something is they'll look at the browser tabs or the software will tell them the student has these tabs open and so they just glance, they see the name of the tab, they see it's Google, they see it's PowerSchool, they see it's whatever, and so hackle lets you take a game site or something and give it a different tab and so they're the masters of obfuscation and so if you ever want to see someone able to switch windows as
fast as humanly possible, go into a middle school classroom and walk behind a student. Like they know all the hot keys, they know all the gestures, they can do it very quickly. And so that's why it's a losing battle. So I'll have administrators say like, you know, should we get rid of this um uh monitoring software because it encourages teachers to just watch the screen and not watch the kids. And I'm like, no, because there is literally not a human way that they can monitor it without some technical solution. So, this is a fun one. Uh, but as a GitHub project, we usually see that the kids will take it to something like Linode, some kind of virtual private server that's $5
a month or that they have a $100 credit for free from watching NetworkChuck videos. Um, and they'll spin up their own VPS. They'll host it there till it gets blocked. They'll move it somewhere else, do it again. Um, and a lot of times they'll be on domains like, uh, CDN networks like cloudfront.net. And so we can't just block cloudfront.net. So, um, they kind of use that against us. So, we set up things like custom indicators that if we detect them going to this site, then it will alert us. So, we just kind of add that to our alerting. Um, web proxies are a big one and very difficult. Um this one, Rammerhead in
particular, it's one that they can subscribe to. Uh there's a free version, but if you want faster speed, you have to subscribe. And so it's basically just a very simple web proxy where you can just open a browser in a browser uh and go to it. So there are a lot of tools like that that exist, legitimate tools like I use uh Kasm Workspaces a lot for uh kind of remote access or containerized access to things. Um, but there's really there's a defined market for where they make it as easy for students as possible. And usually I've not done like in-depth demographic studies or anything, but the people making this, they're usually college computer science
students who grew up in schools where the games were blocked and they're doing this for fun. So, um, it it's a difficult audience to try to to try to cut off. So, uh, Rammerhead is one. It's basically it's just like that. That's just a browser and a browser. And if you couple this with something like hypacle, the teacher will see that they're in this education platform instead of Rammerhead. Uh, another thing about this, this is one that a lot of different people spin up and on a lot of different domains. And so there, this has its own support discord. And so kids will go to the support discord and see which ones are active now. And so like there's a
network of them actively trying to um like communally work together nationally. It's like an underground web. It's like some apocalypse show or something. Um so Kasm, like I said, is one that I use. I've not seen students using it, but if it were me and I wanted to do it, it's one that I would use. Or uh something like Apache Guacamole, that's like a remote desktop um open source project to let you get that remote access. Um, the hardest ones for us to find are the smart kids that will like open ports on their router at home and just connect to their home computer. Uh, those are probably the most difficult. They're also the most savvy
because they rarely tell people what they're doing. The only reason we catch 90% of these is because they're emailing each other and saying, "Hey, I found this." The ones that are just like, "I just want to play games at school." And they figure it out for themselves and they do it themselves, we don't find them. So, uh, they're the ones we hire as interns. Uh, one of the things when we first went one-to-one with laptops, the biggest concern we had in the community was that the kids were going to use it to cheat. And really, we've not had that as a big issue until recently. But now, they've turned into cheating as a service with
products that are made. So there's a product an educational product called Edgenuity and Edgenuity is a platform for self-paced individualized learning. Uh it got really big during the pandemic is basically um schools can subscribe to it and it's the entire curriculum, the entire content, all the assessments, everything. And uh this company uh Edgyplug, you can subscribe and it will give basically what it messes with the JavaScript uh based on how the site was designed and it gives you answers to all of the questions and so you just pay a monthly fee and this is used very heavily. We have a virtual school. Uh it's one of their core curriculum components. And so if you've got a kid
that's in a class that uses Edgenuity for the primary curriculum and they pay their $3 a or sorry, what is it a month? $20 a month, they can finish a course and get high school credit for the course in that one month because it's self-paced and asynchronous. And so, uh that's kind of an extreme example. Um, but we do see a lot of different uh Chrome plugins and or Chrome extensions where they've been designed to mess with the JavaScript to be able to find the answers that are hidden from the main site. Um, that used to be a problem with our learning management system Canvas. Um, they used to have a feature where all of their quizzes you could basically
do one of the thing we have to do very low tech is we block the uh inspect tool and the developer tools because we'd have kids that could go into Canvas and just be like they could see the answers just by doing inspect element. Um and so we had to block that. Um so many things we have to block. >> Yes. >> Right. Yeah. And very easy. And two, so the most uh frantic teacher calls I've ever gotten are when kids would go into and they can't do it now because we block developer tools, but when they would go in and they would edit and they would go into their grades and change their grades. They'd be like, "Look, I'm
hacking my grades." And then all their friends are like, "He hacked his grades." And they'd go home and tell their parents, "I saw so and so hack their grade." And they just changed it on the website in the HTML. So, um, but so like I've had phone calls like at 9:00 at night from a teacher that's like, I heard from this parent that they heard from this parent that they heard from this parent that their kid hacked PowerSchool. And that's not a lot to go on when you're like, okay, how do I start this investigation? That's where we do a lot of uh in-person interrogation. Uh, so that's usually how we
find a lot of information when there's something new coming around. Um probably the one that vexed me the most recently is we have we we don't allow um students to connect BYOD devices to our Wi-Fi. Um, so even though even though we're maybe because we're a district that has laptops with every student, we want to minimize the time the students are spending on electronic devices. We think they should spend less time during the day instead of more time on a device. And so, um, we don't want to encourage them to be on the phone, in the hallways, during breaks, at lunch, things like that. So, we don't allow personal devices. And if you've ever been in a modern school, most of them
are large concrete Faraday cages. Um, so if you get past the windows, there's no network connectivity. Uh, no Wi-Fi, no 5G, uh, none of that. So if there's one thing that if you don't know anything about teenagers, Wi-Fi is a requirement for life. So um they take it very seriously when they can't connect to Wi-Fi. And so students, some students also are lucky enough to have parents who work in the school district. Those parents who work in the school district sometimes want to be able to communicate with their student over the phone through text messages during the day. And if the student doesn't have Wi-Fi and they're in the part of the building that doesn't have Wi-Fi,
then it's hard for them to send text messages back and forth and it's inconvenient. And so some of our teachers had the idea, you know, I could just put my username and password in for their Wi-Fi credentials so they can connect to the Wi-Fi at school and we can text back and forth. Awesome idea. So when that happens, here's how it plays out on an average day. Say a parent teacher gives their kid their credentials at 7:30 in the morning. Kid comes in at 7:30. By 8:15, we'll look in the network access controller and have about 900 students signed in as that staff member. If you've never shared credentials with iPhone, it is so fast. So like the kids
would basically be like it would pop up and say, "Do you want to share your credentials with so-and-so?" Heck yeah. And so we could watch that happen during the course of a day, just spread. And so our network administrator would be sitting there just staring at the NAC going, "Oh, this teacher gave their kid their password." And then we'd go talk to the parent, talk to the kid, uh deactivate the account, reset the password, treat it like a compromised account because it is. Educate the teacher like, "Hey, you know how we do single sign on and how that single sign on password is your same password and same account for Wi-Fi, for Windows, for
your grade book, for all of your educational applications." That's when you watch the face go, "Oh, I see what I did. I see why you're pissed off." Um, because initially it was always like, "Oh, it's just so get on the Wi-Fi." Oh, with your gradebook password. Great. So, the side effect of this. So, you know, in a healthy environment, if you've got someone who is hammering account trying to get in, you want to close the account down. You want to disable it. You want to lock it out. And so, if you're a teacher who teaches a class, your credentials got out and um the tech department has reset your password because you had 800 kids signed in as
you. Well, after you sign back in with your password, you've got 800 kids who still have your credentials on their phone trying to log in as you. So, we actually had to disable our lockout policies because the kids figured out that they could intentionally DoS teachers by trying to sign into the Wi-Fi as the teacher repeatedly. And so, it'd be time for a test. And they'd be like, "Okay, everybody sign in as them. Just put a fake password. Doesn't matter what it is." And they figured out they could shut down the teacher, lock out their account, and basically turn off class for the day. Um, that pissed me off. So, um, there were a lot of discussions uh
that week. And so, this is a period we refer to as the Wi-Fi war. Um, it's settled down now. Um, we've talked about doing solutions like having dedicated Wi-Fi spaces, but basically all the solutions to this problem were behavioral in terms of like how do we how do we expect students to use Wi-Fi in the school, where do we expect them to use it, on what devices? Um, and so we we very much try to segment and make sure personal devices or devices with not that aren't compliant or don't have clean posture aren't interacting where it shouldn't. So, um, need to move a little faster. Um, another fun one. This is a really impressive one. This was before my time,
uh, but I was involved in it kind of on the periphery. And we used to use a password formula that was very formulaic and the pieces to make up that password were on every student's schedule. And so what happens uh if you're not familiar with kids during the summer they get their schedule and everybody wants to see who's in whose class, see who's together in class. And so they instantly go to Instagram, post pictures of their schedule and share that publicly with everybody. And while that's going on, we have another subset of students who were actually very academic and they were very hardcore set on who is going to be valedictorian. And they were especially set on that cuz
they were in like seventh, eighth grade. They were young kids. They're planning ahead. And so they made a massive spreadsheet where they put credentials for as many students as they could find. And they would go through and they would see what classes those students had registered for for the following year to see what uh what amount of quality points were associated with those courses. So they could plan their schedule based on getting maximum points to have the best chance of being valedictorian, which on one hand is really impressive, really nerdy, and oh my gosh, get a life. So, but at the end they had a spreadsheet with hundreds of students' names and their credentials to log in to
see their grades, their schedule, everything else. Um, so like I said, before my time, but very impressive. The only tools they used were Instagram and Excel. Oh, that was a dangerous one. All right. Um, last thought on the student part before we move to external attackers. Uh, if you've not seen this yet, this is going on in your kids' school probably today if you have kids. Uh, there's a new TikTok trend called GPA. Oh, cool. It doesn't work. Uh, basically, kids have started um shorting out their Chromebooks and laptops by sticking either paper clips or pencil lead in the USB ports. And they'll do that till it sparks and starts to smoke and they'll add paper.
And there have literally in East Tennessee, there have been students arrested and charged with arson this week because they've set fire in their classroom. So um it's fun. If you know an educational technologist, hug them this week. >> Yeah. That's all behavioral. It's all So, my sysadmin's in here and he joked yesterday. He's like, "They're going to be opening tickets saying, 'Can you put a technical control in place to stop them from doing this?'" It's like, "Can you smack their hand before they set a fire in your room?" >> Uh, yeah.
>> Uh, so not just USB ports, any ports that were on the side. Like there, you can watch the videos. There's some that are opening it up and shorting out the battery contacts. Um, so it it's it's pretty extreme. This started this is a this week issue. Like I just added this slide last night. Um but we we had three students suspended yesterday uh over doing this. Yeah. >> What's that? >> Excellent. So it is going on. It is this isn't one of those like uh fear, uncertainty, and doubt horror stories like it is going on in schools today. Yeah. >> I'm guessing attention doing it for the clout. That's my guess. Or to disrupt
class. Is there another Do you know a better explanation? That's just what I assumed. I've not I've not gotten into the underbelly of it but
All right, a couple other things. They are professionals at living off the land. So we have some tools. One's called Showbie, another is Seesaw. These are learning management tools meant for younger students, but they also allow anybody to sign up for a free account. And because they're a core educational product that we use and deploy and support, they are globally unblocked on our network. And so the kids will go and make accounts for those services, and then they can basically be the admin of that service and the teacher of that class, add their friends, and they have a communication platform that passes all
the tests of being able to work on our network but do things that we don't have control of and don't want them to be doing. Replit, if you're not familiar with Replit, is a cloud-based IDE. You can copy code from one place, paste it in Replit, and then run it in Replit. It's used in our computer science classes as the IDE. So they use that against us. They like to send messages back and forth in email drafts. They'll share credentials. I think it was General Petraeus a few years ago who got busted doing something that way. But they'll communicate in email drafts so their email isn't
traversing email and so people don't see what's in the messages unless they specifically go looking. And then LockDown Browser, used for assessments. There's a bug in Canvas, our learning management system. We opened a ticket with them about four years ago where basically, if they click the right way in Canvas, they can jailbreak LockDown Browser. So, yay. All right. So, moving to external, and I'm probably going to have to pick up the pace a little bit. Yeah. So, direct deposit attacks, very common in a lot of industries. We put a lot of personal controls in place where you have to physically go and talk to the person in payroll before we'll change
direct deposit. That happened successfully several times about five or six years ago. DocuSign, we get a lot of DocuSign scams. Another thing that makes us extra vulnerable is that schools are so public. We have to have our school board meetings. They're public. We post the meeting minutes everywhere. For someone who's doing OSINT, they can go to a school's school board minutes. They can see what projects you're working on, who the vendors are who are involved, who the project managers are, who the leaders of the project are for the school, the people that are in the conversation in the board meeting, and then they'll target those accounts to compromise,
both with us and with those third-party vendors. So we've had more than one time where we've had a third-party contractor we're working with be compromised and communicate directly with the people in our district who are on the project that we're working with or talking about working with. So we have a lot of information out there, and it has to be publicly available. So I just tell people to be mindful, you know, if you get something suspicious, stop and think, because it happens all the time. We had a fun typosquatting one that wasn't us. Someone bought a domain that was like one letter off of our domain and used my
name, and they ordered several million dollars of gaming laptops to be delivered to them and billed to us. Almost every vendor we work with caught this and said, like, this just didn't sound right, so I wanted to reach out to you. There was a vendor we hadn't used before who ended up calling me saying they were on Alcoa Highway: hey, I'm delivering these pallets of laptops for you to the U-Haul place. Where do I pull in? I was like, you pull back to your dispatcher and go away. So, yeah, classic phishing still exists. We get the Nigerian prince scam all the time. That kind of stuff. We get some more sophisticated ones
where, you know, they'll click and it will open up another email and send on a chain that you've already started. Those spread like wildfire. We experience a lot of cookie theft kind of things, like, if you're familiar with Evilginx, where they can bypass MFA by sending you a link. You click on the link, it does man-in-the-middle, and you put in your credentials, do the MFA, they capture your session token, and then can sign in as you. Evilginx is on the next slide, too. I've got it, so I'm out of time, but in the presentation there's a demo walkthrough of doing that attack.
And then there's also on the slide all the code. So if you go to the QR code, you can get the walkthrough of me doing an Evilginx attack where you bypass MFA by stealing a cookie. And it's got all the code, all the step-through, walkthrough, all that stuff. So that's a fun one. When we've seen that happen, we've seen it pretty reliably happen to where, like, when we know there's a malicious link and we'll test it out, it takes about six minutes from the time they click on the link till there's a successful login in our Microsoft 365 environment showing that it had performed MFA. So six minutes is a
pretty quick response. And those messages are targeted. My regular teachers don't get those. Those go to my finance director, my human resources director, my director of schools. They're very targeted. Do I have about five minutes before? >> Yes. Sweet. All right. So, password spray attacks. This is what I mentioned at the beginning, that we have about 40,000 attempts a day. And if I go back eight years ago, all 40,000 of those attempts could have been successful if they had the right credentials. And so one of the things we do, because there's no way for us to stop this. We can't stop them from trying to log in as us. One of the reasons we're a very big
target is that one of the things that's usually on a school's improvement plan is improving parent and staff communication and reducing as many barriers to communication as possible. And so a side effect is most schools have every single email address of every single staff member posted publicly on their website, along with what department they're in, who they work for, what school they're at, all that kind of information. So we just get hammered with these. And so the best way to attack these is to really filter it down. So doing things like turning off legacy authentication, blocking login from outside the US, all kinds of stuff. So we do all
those things, and we can actually whittle it down from 40,000 to about 600. So we get about 600 attempts a day where, if they had the right credentials and MFA, they could get in. So we spend a lot of time trying to reduce that attack surface. And one of the things, so when I mention this statistic about 40,000 a day, when I'm talking to my stakeholders, almost everyone's universal response is, why are people being so persistent to go after us? We're just a school. And so go back to some of those beginning slides about our resources, lack of resources, easy, soft target. And we've got money, we've got data, we've
got infrastructure. And so that makes us an attractive target for people. And it's also not a heavy lift. One of the things with a password spray attack is it's very easy to conduct a password spray, especially if you're a district that has all of your email addresses on the website, because you can scrape your website and get a huge CSV of email addresses really quickly. And so say I've got these four people here. I want to password spray these four accounts. This makes for a really good, easy demo if you ever want to show somebody. But pick a common password. If you're really, really investigating, you know, we do use
Have I Been Pwned, and so we see when our accounts are involved in breaches. If someone is correlating that an account has been breached in the past and, duh, they can potentially get a list of higher-likelihood passwords that they can attempt, or they can just pick the generic passwords like password24 or whatever and match it up with our CSV. And it's really just a one-line Python command to run a password spray attack against Microsoft 365 with all of the users in your CSV. So yes, it's like, why are they attacking us? But the lift of them attacking us is a very low burden for them. It's not difficult to do something
like a password spray attack, especially if they got your email addresses as part of a larger breach or a larger data set. They're not doing anything special. They might have a CSV with thousands and thousands and thousands of usernames and they're just trying to hit one correctly. So it's a simple one-liner. One thing I forgot to mention at the beginning: I forgot to shamelessly self-promote myself. I have a blog called EdTech IRL, which most of the links in here go back to, and most of these have step-by-step walkthrough instructions on how to do, like, the password spray or the Evilginx attack. So we run that command and basically
we can now see, like this, where it says, okay, this one invalid, invalid, invalid. Oh, Kim Deal has password24 as her password. So, very simple, not intensive, easy to pull off. Shift gears a little bit to one that's really heavily in the news right now. You may or may not be aware of it, but PowerSchool is the largest student information system provider in the US. Roughly 24% of students in the US have their information in PowerSchool somewhere. The way PowerSchool works, some districts are self-hosted, some are cloud-hosted. It's a mixed bag, but roughly one-fourth of students in the country are in PowerSchool.
Back in late December, December 23rd or 24th, a bad actor had compromised an account of a third-party contractor who had credentials to log into PowerSchool's support platform, and they logged in to the support platform. MFA was not enabled as a requirement for people to log into that support platform. Couple that with this awesome fact that there was a remote access feature in the support platform that allowed PowerSchool to remotely access district data even if they were a self-hosted, on-prem school district. And so, no MFA, person signs in, they have access to a remote access tool that can connect to those school data
tables, and they exfilled all day, tons and tons and tons of stuff. Not every school district in the country was impacted. I don't know if I can say most, but basically, virtually every... I've talked to maybe two dozen PowerSchool districts and two weren't impacted. So lots of people impacted. And what was impacted? They dumped the contents of the entire students table and the entire staff table for the entire retention that is in PowerSchool. And so for most districts that goes back to the day they signed on with PowerSchool. PowerSchool's been around since '97, I think. And so there are districts that had data on
previous students, previous staff members, everybody going back more than 25 years. It's suspected that this was a ransomware-as-a-service attack because there had been an initial compromise back in August and then no activity till December. And so the speculation was someone got the creds as an initial access broker, sold the creds, and then someone exfiltrated. And then two days ago... okay, so this was in December. In January, PowerSchool pays the ransom for them to not release the information. And their rationale was they said that this attacker group, which is ShinyHunters, has an attack model that depends on trust. If they're going to be ransoming people
in the future, they want to be able to point to us and say, "Hey, we did this to them and we didn't double-charge them, so you can pay us the ransom and feel good about it." And so that was in January. Earlier this week, ShinyHunters started sending out notifications to individual school districts saying, "Please give us 25 Bitcoin or we will release all of your data that we breached from PowerSchool." And so that's kind of going on right now and being sorted out. They've also not sent that to all of the schools yet. They're doing a rolling release. I don't know if they're seeing how it goes or
beta testing it or what. So far they've only sent it to North Carolina schools, but there are schools all over the country impacted. And now that round of double extortion is starting to roll. So that's why I've not been sleeping this week. But yeah, so basically third-party risk is kind of that new frontier for us. Being in the security field, you know that there's always another door. And so we're constantly trying to figure out, here's where we are today; what can we do to be better? And for schools it's difficult, but we're always looking for resources.
We're looking for people. We're looking for information, relationships, community. There aren't many security tools or programs that are made specifically for K12. I could probably count them on one hand. Everything is usually an enterprise product that they do EDU pricing for. There are very few that are made and tailored to EDU. So we're constantly trying to build relationships. We're trying to collaborate with each other, collaborate with people in industry. So like I said, if you have a specialty in cybersecurity or an interest and you have kids in school, you know, you think about volunteering for a school as going and cutting out cardboard or whatever. I mean, maybe hit somebody
up and say, hey, do you need some help with security awareness training? Do you need help with XYZ? I have the specialty. I could help you. I'm sure that would be welcome in many, many school districts. I'm going to skip ahead because... how are we on time? This is a 70-slide presentation. We're at 40. So I figured this would be how far we would make it. Oh no. But if you want to get the presentation, the QR code is in the upper right hand. The rest of the slides are based on basically the things that we do for defenses or the things that we suggest people do for defenses.
And that's an area where I would like to do a part two where I get feedback: is this a good idea, is this not a good idea, do you have a better idea, how could I do this more effectively? So feel free, grab the presentation. I do that blog, edtechirl.com. It's basically geared toward K12 security, infrastructure, that kind of vein. And then I co-host a podcast called the Zerbach Zone that's specifically geared towards K12 cybersecurity. So feel free, anywhere that you can consume podcasts, I would love for you to listen. And that's me. Thanks. [Applause] We've got some time for questions. So, okay, I saw your hand first.
>> So, going back to the Wi-Fi war section, have you had any of the little evil geniuses set up a rogue AP? >> No, we have not. >> Grab creds. >> So we do have some rogue AP detection. We've not seen that yet. I've got a Wi-Fi Pineapple in my office, so I keep waiting for a chance to test it and play with it. But we've not caught it yet. >> So it's still in dwell time. Yeah. Now we have seen... I hadn't thought about this one. We do have kids, you know how in your hotspot on your phone, they'll make a network with the name of our
school network, and that way if they are within Windows then people will think they're connected to our network. Then, on the flip side, more nefarious, they will use curse words or slurs as the Wi-Fi names, and then it becomes a dis... like we've gone through with the Wi-Fi antenna to see what networks are up, going up to kids and being like, who's broadcasting, you know, whatever. They do that. What's that? Yes. Thank you. >> I've been out of education for a bit. Is it too late to go back to pencil and paper? >> So there... not so much. Laughter, yes, but there is a movement in education of schools swinging back, partly due to
money, because when COVID came around there was just buckets of money for schools for technology. Now that that's dried up, most schools that went one-to-one with devices during that period don't have a recurring funding source to fund continued device usage. So a lot of schools are investigating how they're going to swing back a different way. And I went to a conference a couple weeks ago. It was an AI conference. The whole thing was AI. Every stupid session was on AI. And there was one company who was a paper-and-pencil company about how to use AI for paper-and-pencil assignments. So yes, that is a very... it is a
hot topic in education right now. >> Yeah.
code. >> So, >> yeah, >> I'm waiting for that because teachers post QR codes everywhere. And I almost put a Rickroll QR instead of the slides and was going to have, like, slide one is Rickroll, slide two is the actual presentation. But yeah. I think that's going to be a thing soon. >> Yeah. >> As a parent, this is sort of scary, but as a hacker, this is sort of hopeful for the future of humanity, I think, in ways, hearing about how creative all the kids are. My question is, do you ever have any very intelligent students that you bring in to help, any that are local that are
your students that you, you know >> Yeah. >> help you? >> Yeah. Short answer is yes. But the discouraging part is... people talk about digital natives with kids and technology, and the way I look at it is, yes, they are accustomed to using technology, but they're accustomed to using a phone. And so we've actually seen a decline in kids with those really high skills. There are a lot of kids who are good at doing the replication, script kiddie kind of, like, I saw a YouTube video and I did this, but for most of them that's where they stop. We have hired interns before who have, you know, I had a
kid who was bypassing our content filter by doing HTTP over DNS. So he's a kid we put in our department. He made our inventory tracking software for laptop deployment. So that's what we used him for. We had other kids that, whenever we buy a new device or use a new platform, a lot of times we'll give them to kids and say, "Hey, can you get to the dark web with this? Bring it back to us tomorrow," and see if they can or not. So we do try to harness some of that for good, especially with the kids that have the combination of high aptitude and they're
not malicious. Those two things don't usually... it's usually the lack of the high aptitude, unfortunately. Or I'm not seeing those kids because they're so dang good. That's the other part. Yeah. Okay. So that's hard. So right this minute, I am not vetting third-party apps. We have done it in the past. We're in the middle of a transition. We're doing some staff changes where the person who's responsible for that is leaving, and so we've not sorted out what the process is going to be, because we're waiting on legislation. Well, not waiting, but there's going to be legislation coming soon about student data privacy agreements and us having to maintain those with vendors, and it's
hard to get vendors to agree to do those agreements with us. And so we're kind of waiting for some of that to shake down before we finalize what we're doing. But yeah, that's a hot-topic conversation weekly. >> Sorry. You said that a lot of schools that you work with are kind of like large Faraday cages, and you also said that you don't want the students connecting to the Wi-Fi networks from their personal devices. >> Yep. >> So how do you implement MFA in that environment? >> Okay. So we have not enabled MFA for students. We have for teachers. So all of our teachers, all of our staff are on MFA. Faculty
and staff are also allowed to connect to Wi-Fi. MFA for students is a hot topic because I could see doing MFA with a phone for upper grades, but we have kids with devices down to kindergarten. And so we've looked at some products. We have one that we use for single sign-on that does a PIN-based MFA, and so we're talking about rolling that one out. The lower grades is a place where it's ripe for a product to be made to assist with MFA for younger kids, because until we figure out probably K through fourth grade, I'm not going to be able to get traction on K12 to do
MFA. And I was just able to get staff to MFA. This is our third year of MFA for staff, and that was an uphill battle. All right, let's give it up for Andy.
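Added example, separate from the talk and Q&A above and not the speaker's code (his own walkthroughs are on edtechirl.com). The password spray passage describes two things a defender can check for: how far controls such as disabling legacy authentication and blocking sign-ins from outside the US whittle the raw attempt count down before any password is validated, and the spray itself, which fails once against many accounts from one source and then succeeds on the account with the guessable password. The Python below runs that triage over constructed sign-in records. The record fields are assumptions loosely modelled on Entra ID sign-in logs, the IPs come from the documentation ranges, and the thresholds are illustrative, not tuned values.

```python
"""Password spray triage over Microsoft 365 style sign-in records.

Added example, not from the talk. All records below are constructed, and
the field names are assumptions loosely modelled on Entra ID sign-in logs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attempts these two controls reject before a password is ever checked.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}
ALLOWED_COUNTRIES = {"US"}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    client_app: str
    result: str  # "Success" or an error code such as "50126" (bad password)


def _t(minutes: int) -> datetime:
    return datetime(2025, 5, 8, 3, 0) + timedelta(minutes=minutes)


# Constructed data: one spraying source, noise that policy would drop, and
# one legitimate user mistyping a password twice before getting it right.
USERS = [f"user{i}@example.org" for i in range(1, 8)] + ["kdeal@example.org"]
SAMPLE = (
    # spray: eight distinct accounts, one guess each, same IP, same hour
    [SignIn(_t(i), u, "203.0.113.10", "US", "Browser", "50126") for i, u in enumerate(USERS)]
    # the one guess that worked
    + [SignIn(_t(8), "kdeal@example.org", "203.0.113.10", "US", "Browser", "Success")]
    # legacy-protocol attempts, dropped by turning basic auth off
    + [SignIn(_t(20 + i), "user1@example.org", "198.51.100.5", "US", "IMAP4", "50126") for i in range(3)]
    # attempts from outside the allowed country, dropped by the geo policy
    + [SignIn(_t(40 + i), "user2@example.org", "192.0.2.7", "RU", "Browser", "50126") for i in range(4)]
    # a real user, two typos then success, from inside the district
    + [SignIn(_t(600), "user3@example.org", "10.0.0.5", "US", "Browser", "50126"),
       SignIn(_t(601), "user3@example.org", "10.0.0.5", "US", "Browser", "50126"),
       SignIn(_t(602), "user3@example.org", "10.0.0.5", "US", "Browser", "Success")]
)


def policy_bucket(rec: SignIn) -> str:
    """Name the control that stops this attempt before credential validation."""
    if rec.client_app in LEGACY_CLIENT_APPS:
        return "legacy_auth_blocked"
    if rec.country not in ALLOWED_COUNTRIES:
        return "geo_blocked"
    return "reached_password_check"


def summarize(records) -> dict:
    """How many attempts each control removes, and how many still reach the password check."""
    return dict(Counter(policy_bucket(r) for r in records))


def detect_spray(records, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside one window hit many accounts a few times each.

    Wide and shallow is the spray signature; one user failing repeatedly is a
    typo or a lockout, not a spray. Only attempts that reached the password
    check count, so the policy-blocked noise never trips the detector.
    """
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.result != "Success" and policy_bucket(r) == "reached_password_check":
            failures[r.ip].append(r)
    alerts = []
    for ip, recs in failures.items():
        best = None
        for start, first in enumerate(recs):  # window anchored at each failure
            in_window = [r for r in recs[start:] if r.ts - first.ts <= window]
            per_user = Counter(r.user for r in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {"ip": ip, "users": sorted(per_user),
                            "first": first.ts, "last": in_window[-1].ts}
        if best:
            alerts.append(best)
    return alerts


def compromised_by(records, alerts):
    """Accounts that signed in successfully from a flagged source: reset these first."""
    flagged = {a["ip"] for a in alerts}
    return sorted({r.user for r in records if r.result == "Success" and r.ip in flagged})


if __name__ == "__main__":
    print(summarize(SAMPLE))
    hits = detect_spray(SAMPLE)
    for a in hits:
        print(f"spray from {a['ip']}: {len(a['users'])} accounts between {a['first']} and {a['last']}")
    print("reset first:", compromised_by(SAMPLE, hits))
```

The bucket summary is the "40,000 down to 600" view: it tells stakeholders how much of the noise never reaches a password check at all. The detector only looks at what is left, and the successful sign-in from a flagged source is the account to reset and investigate, since a spray that logs one success is, by construction, a valid credential in someone else's hands.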