CyberSecurity Part 1: Social Engineering


By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and /or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.

    An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.

    Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.

  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.

    A common mistake schools make, is to use these network/electrical closets to store cleaning supplies.  Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.

    The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.

  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.

    A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.

    Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.

  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.

    Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices.

    Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.

    Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.

  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.

    Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.

  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consults will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free, time is the only factor.

I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at




  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)-
  2. I’ll Let Myself In: Tactics of Physical Pen Testers-

  3. What is Social Engineering:
  4. Passwords are Still a Problem:
  5. Cybersecurity Stats:




Episode 167 – Scheduling Advice

We are back! I know that 166 is not published yet but we are working on some sound issues. In this episode, we tackle scheduling advice, we also talk about the SIM card swap nightmare a journalist had, ambient privacy (neat concept) and finally about the fad of being depressed online. Check out the show notes below and as always subscribe to us on iTunes or your favorite podcasting app.

  1. Scheduling Online
    1. Tony’s thoughts – Be organized and plan it out
    2. Print them all out
      1. Normal pile
      2. OK pile
      3. No way pile
      4. Talk to stake holders
  2. Sim Card Swap Nightmare
  3. Ambient Privacy
  4. Depressed Online

Download the episode HERE″

Understanding Ransomeware









                   By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomeware.

The ransomeware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomeware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.

Ransomeware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on-campus that technology needs to be friendly and open. Because of this cultural approach to planning technology many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel setup multistep authentication, that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay for resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomeware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on-campus.

Read More @The International Educator

Your School’s Wikipedia…Did you write it? Are you sure?

We have all been there. Normal day at work. Focusing on something we feel is important. Then, the call comes in. Something has been, or is in the process of being, hacked.

What? You haven’t been there? Well there is no better way to waste an afternoon and fully test the responsiveness of your IT team.

In this case, students thought it would be awesome to re-write the school’s Wikipedia Page. Now this is not really hack, and actually, it is not even illegal. In fact, if they did not do it on-campus, it would be a hard battle to win with parents, aside from giving them a day of detention.

They cleverly said the school was located in North Korea, and that the cafeteria was ground-zero for typhoid a few other delicious conditions (Level 4 Radiation Zone was one of the best).

They actually did not write anything defaming, libelous, or slanderous. Bad language was also avoided. Overall, a pretty mild annoyance.

Not thinking, as the school changed the content back, some kids tried to change it. They did this on-campus while logged into the network. So I had the joy of searching through logs to find them. I am pretty sure the original rewrite happened in the summer, and off-campus. That was safe. The later move…no so much.

Understanding Your Wikipedia

If your school has anything official on Wikipedia, a person needs to be appointed to manage it. This requires reading it once a week. Nothing else is required unless updates are made.

Whomever does this needs to be a registered user with a school email account. If they find a mistake, added by someone else, they should not delete it. Instead, they should flag it, and contact Wikipedia.

There are clear instructions for doing both of these things here:

Wikipedia is very quick to reply, and they will revert the page and then set it for approvals. Once a page is in approval mode, nothing will post automatically. So checking it every week should then resolve any issues.

There is Always an Opportunity to Learn Something

If your school has an internet filter or firewall, you ( a normal person) can request to see all the Wikipedia searches students are executing (maybe students and staff). This is very interesting.

I was expecting to see searches about Batman Vs Spiderman, or Kim Kardashian. Instead, I found that students were looking up math topics, complex biology subjects, controversial historical figures, and mostly good academic content.

Now I am going to work on a monthly report that captures what the students are searching, and compare that to curriculum topics. I am curious about this question: Are the students interested in these topics, or are they being prescribed? 

This is why it is called Educational Technology, and not just Technology.

Tony DePrato

Am I Too Old or is This Actually Better

In 2001 I was at a conference. One of the presenters showed both Apple and Microsoft operating systems on his screen. He said, and I am paraphrasing from memory, “Apple stole their OS from Xerox. Microsoft stole their OS from Apple. What if Xerox got it wrong?” I was very thought provoking. I flashed back to all the science-fiction I had seen and read. I realized in everyones view of the future, the mouse just wasn’t really part of the equation.

It is now 2014, and I have to say, I think OS’s are worse than they use to be. At work I use Apple and Windows. At home I am devoted Linux User. I often switch versions when one takes bad turn. I work in the terminal often. I prefer to do updates, configuration, etc. via the command line or through text files. I like to see the errors, and I like to know that I can force remove problems and reset things.

In 2002 I had a big Apple tower running OS X server. It was about 1000 USD for the license. The server software was great though. Last month I bought OS X server for Mavericks. It is horrible. It doesn’t do very much at all, and what it does, it does badly.
Why is a company which is producing a massive number of clients, killing the services we all need to really make them work seamlessly?

I use cron jobs all the time on Linux. Cron jobs let you run programs on a schedule. Normally I use them to make little utility programs. Apple used to have a normal cron setup, now, it is bloated and strange. Almost as if, they are discouraging people from using cron.

Windows 2000 and later versions of Windows NT were good operating systems. I did thousands of hours of video editing and compositing on a dual pentium 3 windows NT machine. It was far more efficient and reliable that any current Dell or Lenovo desktop running in my school. How is that possible?

I realize that with mobile markets growing, things have to change for mobile devices. However, laptops and desktops are not mobile devices. Being portable should not impact the operating system standards. The use or potential use of the machine should dictate the operating system scope.

I worry about students depending so much on following pre-defined gestures and patterns. Students love using iPads, as I have stated before, this is a good way to engage them. At what point should we be concerned that students often choose a path that works on the iPad but is actually poor practice rendering bad results?

Recently I have been working with one of the biggest school management systems in use today in K-12 education. My school is going through the initial implementation. I have stopped trying to go through the hundreds of screens and slow web-forms. I immediately realized that if I wanted to get work done, and do it quickly, I needed direct database access. The best part about this, the direct database access is not even part of the menu. You have to know a secret URL to pull up the interface.

Doesn’t this means that the creators of this system have hidden the most powerful feature because they do not believe people can learn use to use a database properly? Should we be promoting a culture of dumbing-down systems or should we be prompting the training and development of competent users?

My final thought on this concerns the term hacking, which is changing for the worseStudents are very curious. Many go through a phase of experimenting with school laptops or their own laptops. They attempt to use command line, or various other non-traditional pieces of software (many hidden but already inside the OS). This leads them to detect certain features of the OS that are not secure. From there they often branch out and find security issues on the network. Often these issues are on printers and other devices that were never secure. Lately, people have termed this hacking, after a student has reported what they found. Is it hacking? Or is it learning?  What is this teaching them?

Maybe I am too old to appreciate all the swiping and tapping. But, I do think being able to control my system is actually important. I like being able to work quickly and not waiting on screens to change. I feel empowered knowing I can sit down and do something new, without a visual guide to help me. I also believe that these are the topics we stress to students all the time in virtually every subject taught. Why are we [educators] not talking about changing the way technology comes together to improve learning first and access to materials and media later? Why are we choosing technology based on ease of this or that, instead of its potential to improve a student’s ability to master their environment and customize their experience?

Do you believe in the no-win scenario? Do you believe the box when it says “NO. YOU CAN’T?”

Kirk: I reprogrammed the simulation so it was possible to rescue the ship.
Saavik: What?
David Marcus: He cheated.
Kirk: I changed the conditions of the test; got a commendation for original thinking. I don’t like to lose. ~ The Wrath of Khan

1D0n7 :).

Tony DePrato

The BBC has no idea what Facebook, bad language, or hacking is, but they do know how to get PWND.

I posted the video separately so it would be easy for mobile users.  If you have not watched it, watch it here.

Who is Jeff Jarvis? Well he is a professor at a major university, an author, a blogger, and someone who believes that being PUBLIC is better than being PRIVATE. I know this because every week, for about 2 years, I have been listening to him on an awesome podcast called, This Week in Google.

The BBC, very stupidly, did not research Jeff. They must have Google’d him and found his name under “respected internet blogger” or something. Maybe they read that he has a book called What Would Google Do and another one called Public Parts? Who knows what they did, but whatever they did to decide to interview him was a MISTAKE. He is vocally against scare-mongering.

The BBC, like other major news outlets, only seem to report stories that reinforce techno-fear. It is clear that they have no idea how the internet works, social networks function, or people communicate. They apparently do not even know what improper language is. I have many friends from the UK, and with all due respect to them, they make my attempt at bad language sound like a Disney song. I am certain this BBC reporter, and the viewers, were in no way shocked at Jeff’s harsh words.

We call them major media outlets, or mainstream media, but the fact is they have grown all but useless. If they focused on better research, in-depth stories not motivated and controlled by advertisements, and translating true expert testimony then they would be a significant force against all the bloggers and reddit fans. Instead, the public, at least the people I interact with, seem to always confirm the NEWS by reading a blog. If they cannot confirm it on a blog, then they assume the NEWS is just wrong or on-the-take.

I read sites like Slashdot everyday, because it is timely and balanced. I it is written by amateur writers, who are professionals in other areas. Yes they have grammar issues, but who cares, their reporting is at least summarized enough so that a normal person can consider the story and do further research.

@BCC – distorting stories to scare people is only going to make them numb when something really bad happens. I believe you are being paid with public funds, so this should be considered gross negligence.

@Jeff Jarvis – Thank you for not even allowing them to proceed. You shut them down, and made them look like fools. They had no information or research, and clearly no where to go but to commercial.

Tony DePrato