Chromebook – Sign into two accounts at the same time

I was working on a review when this came across my desk. Here is the short story. A teacher noticed that a student had another person’s email open while on their Chromebook. At first, the thinking was that they had signed into that Chromebook as that person (which is not a great idea). Upon further investigation, it turns out that the student in question was properly signed into their own Chromebook but somehow was able to open up someone else’s Gmail next to their own.

Before I detail how this happened: this is simply wrong. I cannot think of any way that a student logging into another student’s email account is a good thing. Whether they’re friends who share passwords (another bad idea) or not, that should be squashed.

I am going to detail how this works and what you or your Google Admin needs to do to fix it.

How it works

I’m going to have some detailed screenshots to walk you through it. In these screenshots I will be signed into the Chromebook and will sign into a test account at the same time. Let’s get it on!

Once someone is signed in, they need to go to the Chromebook settings (click on the time in the bottom right-hand corner) and select Accounts (I’ve seen it labelled People as well). Then click on your account.

From here click on the + Add Google Account button.

A screen will pop up and ask you to sign into that account. It will want the username and password. We have restricted our Chromebooks so only students can sign into them, but that restriction governs the primary sign-in only; a student can still add any Google account, even a personal account, as a secondary one.

After that is done it will not open a new window or anything. You need to go to a Google service. In this example, I headed over to Google Classroom; here it is with my one class. Click on your account icon in the top right-hand corner, then select the second account.

A new tab will open and that person’s Google Classroom will be loaded. So I have two tabs of Google Classroom. One for me and one for the testing account.

Yeah – this is no good at all, but there is a way to plug this hole.

This will work for any Google service, Gmail, Drive, Classroom, Photos, Sites, etc.

The Fix

It didn’t take too long to find and test. The reason it worked for this blog post is that my account is in the admin organizational unit (OU), and that OU does not have these restrictions (worth a look in its own right: an admin account that can add arbitrary secondary accounts is a bigger prize than a student’s). If I tried it from a student account it would fail, as I will show you.

First head to the Google Admin control panel (admin.google.com). If you’re not an admin for your school or district then your journey ends here. Alert someone who has this access and let them know what the hole is and how to fix it.

If you do have this level of access, you want the user and browser settings for your Chromebooks. To get there I go from Home —> Devices —> Settings —> Users & browsers. Now find the OU with your students and select it. The setting is scoped to the OU you select (child OUs inherit it), so make sure every OU that holds students is covered.

Then scroll down to the section titled User experience.

Scroll down a little further until you see Sign-in to secondary accounts. You want this disabled!

Then save those settings and the problem (if it existed in your domain) is fixed. Policy changes can take a little while to reach devices that are already signed in, so sign out and back in on a student Chromebook to verify.

Once the fix is in place, here is what a student will see when they try to add the second account.

It’s tough to see but the + Add Google Account is greyed out (it is normally blue).

Conclusion

Kids are smart and curious, and with enough time and motivation they can find ways around certain security procedures, but this is bad. A student could send horrible emails to another student and start all sorts of problems. Maybe their parent has a Gmail account and they log into it and send/reply to emails from the school.

This isn’t just wrong, it is illegal (in most cases). Protect yourself, protect your students and be vigilant, people.

To filter or not to filter?

There is a debate out there that has been going on for quite some time: whether schools should filter content on student devices. This is more complicated than a yes or no. For example, is the school using a BYOD approach? Should schools filter content at school but not at home? Should schools monitor but not filter? The questions go on and on.

I admit, I have flip-flopped on this issue more than once. Usually experience and reflection cause these changes of thought, but before we get into all of that let’s talk about what I mean when I say filter.


CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is “a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting.” ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that ( credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could end up reporting an issue that an outside attacker could never realistically reach. (A scoped, credentialed test has its place, as the next paragraph notes, but what to hand over should be your decision about what to test, not the tester’s precondition for starting.) I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test: Definition
Subscription and Services Discovery: Can your subscriptions and services be easily discovered?
Files Exposed to the Public: Are there files publicly available that are supposed to be private?
Calendars Exposed to the Public: Is calendar data that should be private actually private?
Staff and/or Student Email Harvesting: Can your staff and/or student PII be used to build a database for phishing and spamming?
Portals and SIS: Are your portals and SIS properly secured and difficult to brute-force?
Websites and Social Media: Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services: Have cloud services been properly secured?
Third-Party Sharing: Is anyone sharing your content, and do they have permission?
FTP, SSH, and Telnet: Are any of these protocols a threat to your school via publicly accessible information?
Email Blacklist: Is your email domain blacklisted?
Email Header Check: Is there any data in your mail headers that could be misused or lead to blacklisting?
Email Catch-All for Non-Existent Emails: Is your email set up to catch any mail sent to an address that does not exist and alert someone?
SMTP Relay: Is your email system running services that would let an attacker use your email for a criminal act, such as sending an email on someone’s behalf?
4xx and 5xx Error Check: Are the 4xx and 5xx error pages on your public-facing services configured properly (no stack traces or server details) and helpful to trusted users?
HTML Forms: Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)
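As an added example (not part of the original post, and not the author’s own scripts), here is a Python script that covers two of the tests above without touching the network: Subscription and Services Discovery, by reading which vendors a domain’s SPF includes and verification tokens give away, and the SMTP Relay / Email Header concern, by flagging SPF and DMARC settings that let an outsider send mail as the school. The TXT records, the domain example.edu and the small vendor mapping are constructed assumptions; to run it against a real domain, replace SAMPLE_TXT with the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`.

```python
"""Added example: read a domain's published DNS TXT records (SPF, DMARC, vendor
verification tokens) to discover services and flag settings that let outsiders
send mail as the school. All records below are constructed, not real lookups."""
import re

# Constructed sample: what `dig +short TXT example.edu` and
# `dig +short TXT _dmarc.example.edu` might return. example.edu is a placeholder.
SAMPLE_TXT = {
    "example.edu": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
        "ip4:203.0.113.0/24 ?all",
        "google-site-verification=0123456789abcdef",
        "MS=ms12345678",
    ],
    "_dmarc.example.edu": ["v=DMARC1; p=none; rua=mailto:dmarc@example.edu"],
}

# Assumption: a small mapping of well-known SPF include hosts to the vendor they
# imply. Extend it with the vendors your school actually uses.
KNOWN_INCLUDES = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=", re.I)


def parse_spf(records):
    """Return the SPF record's terms (without the v=spf1 tag), or None if absent."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            return r.split()[1:]
    return None


def discover_services(txt_by_name, domain):
    """Checklist test 1: which subscriptions does public DNS give away?"""
    records = txt_by_name.get(domain, [])
    services = set()
    for term in parse_spf(records) or []:
        bare = term.lower().lstrip("+-~?")
        if bare.startswith("include:"):
            host = bare.split(":", 1)[1]
            services.add(KNOWN_INCLUDES.get(host, f"unknown mail sender via {host}"))
    for r in records:
        if r.startswith("google-site-verification="):
            services.add("Google (site verification)")
        elif r.startswith("MS="):
            services.add("Microsoft 365 (domain verification)")
    return sorted(services)


def spf_findings(terms):
    """Flag SPF settings that let an outsider send mail as the domain."""
    if terms is None:
        return ["no SPF record published"]
    findings = []
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("SPF has no 'all' term, so unlisted senders are treated as neutral")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF ends in '{alls[-1]}': forged mail passes or is neutral, not rejected")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10); receivers will permerror")
    return findings


def dmarc_findings(records):
    """Flag a DMARC policy that does not tell receivers to act on forged mail."""
    rec = next((r for r in records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return ["no DMARC record: receivers are never told to reject forged mail"]
    tags = {}
    for part in rec.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy or 'missing'}' is not valid")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere")
    return findings


def assess(txt_by_name, domain):
    """Run the discovery and sender-policy checks for one domain."""
    return {
        "services": discover_services(txt_by_name, domain),
        "spf": spf_findings(parse_spf(txt_by_name.get(domain, []))),
        "dmarc": dmarc_findings(txt_by_name.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for section, value in assess(SAMPLE_TXT, "example.edu").items():
        print(section, value)
```

For the constructed records the script lists four discoverable services and reports two sender-policy problems: the SPF record ends in `?all`, so a forged message is neutral rather than rejected, and DMARC is at `p=none`, so receivers are told to monitor only. The lookup count matters in practice because a school that keeps adding vendor includes eventually passes the limit of ten and its SPF stops evaluating at all.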

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at: tony.deprato@gmail.com. I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.

Going Phishing with Finalsite


By Tony DePrato | Follow Me on LinkedIn

This video reviews a method to extract staff email and names from the popular Finalsite CMS used by K12 schools.

Disclaimer: This video is not documenting any known bugs or issues with Finalsite. This video is demonstrating how Personal Information can be harvested using options end-users select. Solutions to this problem are available by adjusting the options in any existing Finalsite implementation. Specific tools and process will not be fully revealed in the video. Anyone wishing to learn more must arrange for a private demonstration.

References:

https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-human-factor-2019.pdf

CyberSecurity Part 1: Social Engineering

Image source: https://www.youtube.com/watch?v=JsVtHqICeKE

By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open, friendly campus means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences creates multiple opportunities for data to be collected on areas of the campus that are generally part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and they give access to systems that control things like water, gas, and electricity. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try to exploit the network externally. Not only is it easier, it is less risky: school policy is generally what grants a person physical access, so they are not trespassing, whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture of fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and/or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.

    An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.

    Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.

  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.

    A common mistake schools make is to use these network/electrical closets to store cleaning supplies. Cleaners are usually very friendly, trying to help people as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.

    The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.

  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.

    A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.

    Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.

  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.

    Teachers working in school cafes, libraries, etc. see and hear more than they would if they were isolated in offices.

    Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.

    Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.

  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.

    Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.

  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consultants will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free; time is the only factor.

I hope this post stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com

 

Resources

  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (with speaker): https://www.youtube.com/watch?v=JsVtHqICeKE
  2. I’ll Let Myself In: Tactics of Physical Pen Testers: https://www.youtube.com/watch?v=rnmcRTnTNC8
  3. What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
  4. Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/

Scan Your School for Unsecured Public Documents


By: Tony DePrato | Follow me on LinkedIn

How many documents do you have open to the public? When was the last time you checked to see what anyone with internet access could download from your school website, your PowerSchool or SIS public folder, or even your various cloud services?

Before you think I am wasting your time, here is a quick glimpse of a simple public search for budgets people have not secured:

I will show you how to do it.

INURL and FileType

Google has some cool advanced search features. To scan your public files, the two I recommend are “inurl:” and “filetype:” .

For example, copying and pasting the following string into Google, inurl:saschina.org filetype:pdf, returns all public PDF files at any URL that contains saschina.org.


Keeping the URL simple often yields more results. For example, using just saschina would also match other domains; adding the .org limits the search to URLs containing saschina.org. Keep in mind that inurl: matches the string anywhere in the URL (subdomains, paths, and other hosts that happen to contain it); if you want results from one site only, the site: operator (site:saschina.org filetype:pdf) is the stricter choice.

When to Worry about Public Documents

First off, many documents are supposed to be public. Seeing documents in this type of search is normal and expected. What is not usually expected are documents that contain:

  • Names associated with contact information
  • Medical information
  • Names of parents, donors, etc.
  • Special codes used to tell vendors/suppliers who has organizational authority to place orders
  • Bank information
  • Payment information
  • Usernames and passwords
  • Etc.

Documents with information similar to the above should be secured, unless required to be public for legal reasons.

I would suggest having document ID numbers in the footer that indicate a document should be public. This simple practice would allow everyone in the organization to report documents that should not be public.
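The checking above can be automated. As an added example (not the author’s script and not a feature of any SIS or CMS), here is a Python triage script: it builds the site:/filetype: queries for a domain, scans the text you have extracted from each document found (with pdftotext or similar) for the kinds of content in the list above, and treats a DOC-ID: PUB-nnnn footer as the declared-public marker suggested here. The documents, the domain example.edu, the footer format and the regular expressions are constructed assumptions; the patterns over-match on purpose and produce a review queue for a person, not a final verdict.

```python
"""Added example: triage public documents for content that should not be public.
The documents and the DOC-ID footer format are constructed assumptions."""
import re

# Assumption: a public-document marker the school puts in its footers, so that
# anyone can tell at a glance that a document was meant to be published.
PUBLIC_MARKER = re.compile(r"DOC-ID:\s*PUB-\d+")

# Crude patterns for the categories listed above. They over-match on purpose:
# the output is a review queue, not a verdict.
SENSITIVE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
    "bank": re.compile(r"\b(?:IBAN|routing number|account number|sort code)\b", re.I),
    "medical": re.compile(r"\b(?:allerg(?:y|ies)|medication|diagnosis)\b", re.I),
    "credential": re.compile(r"\b(?:password|passcode)\s*[:=]", re.I),
    "vendor code": re.compile(r"\b(?:purchase authori[sz]ation|vendor) code\b", re.I),
}

# Constructed sample: URLs a search turned up, with text already extracted
# from each file (e.g. with pdftotext). example.edu is a placeholder.
SAMPLE_DOCS = [
    ("https://www.example.edu/files/lunch-menu.pdf",
     "Monday: pasta. Tuesday: tacos. Friday: pizza.\nDOC-ID: PUB-0042"),
    ("https://www.example.edu/files/board-budget-2019.pdf",
     "Wire payments to account number 123456789, routing number 021000021.\n"
     "Questions: finance@example.edu"),
    ("https://sis.example.edu/public/allergy-list.pdf",
     "Jane Doe, allergy: peanuts. Parent phone 555-123-4567."),
]


def dorks(domain, filetypes=("pdf", "doc", "docx", "xls", "xlsx", "csv")):
    """Search strings to paste into Google, one per file type."""
    return [f"site:{domain} filetype:{ft}" for ft in filetypes]


def scan_document(url, text):
    """Classify one document's extracted text."""
    findings = sorted(name for name, pat in SENSITIVE.items() if pat.search(text))
    marked_public = bool(PUBLIC_MARKER.search(text))
    if findings and not marked_public:
        verdict = "exposed"        # sensitive content, never declared public
    elif findings:
        verdict = "marked-public"  # declared public but still worth a look
    else:
        verdict = "clean"
    return {"url": url, "public_marker": marked_public,
            "findings": findings, "verdict": verdict}


def triage(docs):
    """Scan every (url, text) pair and return the results, worst first."""
    order = {"exposed": 0, "marked-public": 1, "clean": 2}
    results = [scan_document(url, text) for url, text in docs]
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for query in dorks("example.edu"):
        print(query)
    for result in triage(SAMPLE_DOCS):
        print(result["verdict"], result["url"], result["findings"])
```

On the constructed sample the budget and the allergy list come out as exposed (bank details plus a contact address; medical data plus a parent’s phone number) while the menu, which carries the public footer and matches nothing, is clean. A document that matches a pattern but also carries the marker is reported separately, because a footer only says someone intended it to be public, not that the intent was right.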

The link below will take you to a page that will help you begin checking your online resources.

Want to Jump In and Start Scanning? Get Started Here

If you want more information on data security, privacy, and data auditing for your school, please contact me using the form below.

 

Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created a set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

  • We allow only the devices we have confirmed and labeled
  • We can control the number of concurrent devices a user is using on the network
  • We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
  • We can remove a user from network access, and restrict their devices, with minimal effort
  • We have processes and procedures to register devices; users can switch devices through these processes
  • Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.
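As an added example (not a product the post mentions and not the author’s own system), here is the policy logic behind those goals in Python: a registry that admits only devices confirmed and labelled to an owner, caps the number of devices a user can have online at once, maps an IP lease, MAC address or serial number back to its owner, and revokes a user with one call. A real deployment would sit behind a NAC, RADIUS server or captive portal that asks this logic “may this MAC join?”; the names, MAC addresses and the limit of two concurrent devices are constructed assumptions.

```python
"""Added example: the admission and revocation rules behind the physical-access
goals, as a small in-memory registry. Names, MACs and limits are constructed."""
from dataclasses import dataclass


def normalize_mac(mac):
    """Accept AA-BB-CC-DD-EE-01, aa:bb:cc:dd:ee:01 or aabb.ccdd.ee01."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Device:
    mac: str
    serial: str
    label: str      # the physical asset label confirmed at registration
    owner: str
    active: bool = True


class DeviceRegistry:
    """Only confirmed, labelled devices of non-revoked users may join."""

    def __init__(self, max_concurrent=2):
        self.max_concurrent = max_concurrent
        self.by_mac = {}          # mac -> Device
        self.revoked = set()      # user ids whose access was withdrawn
        self.online = set()       # macs currently admitted
        self.leases = {}          # ip -> mac, fed from DHCP logs

    def register(self, owner, mac, serial, label):
        """Goal 1 and 5: a device exists on the network only once it is confirmed."""
        mac = normalize_mac(mac)
        if mac in self.by_mac:
            raise ValueError(f"{mac} already registered to {self.by_mac[mac].owner}")
        if owner in self.revoked:
            raise PermissionError(f"{owner} has no network privileges")
        device = Device(mac, serial, label, owner)
        self.by_mac[mac] = device
        return device

    def admission_decision(self, mac):
        """Return (allowed, reason) for a device asking to join."""
        try:
            mac = normalize_mac(mac)
        except ValueError:
            return False, "malformed MAC"
        device = self.by_mac.get(mac)
        if device is None:
            return False, "unregistered device"
        if not device.active or device.owner in self.revoked:
            return False, f"access revoked for {device.owner}"
        # Goal 2: cap concurrent devices per user; an already-online device may re-join.
        online_now = [m for m in self.online if self.by_mac[m].owner == device.owner]
        if mac not in self.online and len(online_now) >= self.max_concurrent:
            return False, f"{device.owner} already has {len(online_now)} devices online"
        return True, "ok"

    def connect(self, mac):
        allowed, _ = self.admission_decision(mac)
        if allowed:
            self.online.add(normalize_mac(mac))
        return allowed

    def disconnect(self, mac):
        self.online.discard(normalize_mac(mac))

    def record_lease(self, ip, mac):
        self.leases[ip] = normalize_mac(mac)

    def owner_of(self, *, mac=None, ip=None, serial=None):
        """Goal 3: identify the owner from any of the three identifiers."""
        if ip is not None:
            mac = self.leases.get(ip)
        if mac is not None:
            device = self.by_mac.get(normalize_mac(mac))
            return device.owner if device else None
        if serial is not None:
            return next((d.owner for d in self.by_mac.values() if d.serial == serial), None)
        return None

    def revoke_user(self, owner):
        """Goal 4: one call drops the user and every device they registered."""
        self.revoked.add(owner)
        dropped = 0
        for device in self.by_mac.values():
            if device.owner == owner:
                device.active = False
                self.online.discard(device.mac)
                dropped += 1
        return dropped
```

The last goal in the list, that a user can only get around the process by handing their login, password and hardware to someone else, is exactly what this model leaves open: the registry ties a MAC to an owner, but it cannot tell who is holding the laptop. That is why the post treats registration as the first step and not the whole answer.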

 

Read More @ The International Educator

Understanding Ransomware

By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using the WannaCry ransomware was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.

The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt the data. The files are still on the machine, but they are unreadable without the decryption key, which only the attacker holds. To obtain the key, money must be sent to the “owner” of the ransomware, usually as cryptocurrency, which makes the payment difficult (if not impossible) to trace. Paying does not guarantee that a working key ever arrives.

Ransomware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on-campus that technology needs to be friendly and open. Because of this cultural approach to planning technology many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user-managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multistep authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay in resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times and restrict certain types of technology from being used on campus.

Read More @The International Educator

Stopping Entitlement & The Arbitrary Security


This is one of those posts that I may regret writing in a few months. It is more of a plan than a post, and a plan I intend to sell with significant confidence.

Starting in the fall, when students roll off the bus and into the boarding school I work for, they are going to find that technology is simply not available (unless they are in the IB program, which will be fewer than 80 students).

Students in years 6-10 are going to have to wait and earn their technology. For some, for a few weeks, they will be taken back into the past, where “always on” was only in science fiction movies, and only Michael Knight could use a smart watch.

Here is the plan to stop the initial entitlement of technology and access to the internet:

Years 9-10, and the IGCSE Program

These students are in a BYOD program. They will not have their devices activated on the network for at least two full weeks. During this time they have to settle into the boarding school routine. Their network activation and device privileges will be based on reports from their house masters, their joining at least one sport and one club, and their completing a one-hour seminar on digital citizenship. During the seminar the AUP will be fully reviewed and signed by all of them.

Once all these steps are completed, they will have a weekend to activate their email, join the school LMS, post a reply confirming they are connected, use their cloud and share a file, and finally access a flipped classroom lesson set.

Unless all these steps are completed, week three will be technology free for them; but teachers will be allowed to start requiring technology. Weeks one and two are designated as technology free in all lessons, however, once week three begins some work will require the use of a laptop.

Years 6-7-8, Custom Bilingual Curriculum

Years 6-7 use school-owned devices. Year 8 is on BYOD, but their laptops are not allowed to be stored in their rooms. This is the introductory point to the BYOD program.

These students will not have their one-to-one devices for 4 weeks. I know, how can they live? How can they be people? How can they traverse the world without mindless games and WeChat?

These students will have to earn points to get their devices. The campus will turn into one massive game board. Points can be earned by helping people, earning effort grades by the end of week 4, and completing a series of tasks. This group also has to join a sport and a club, have good dorm behaviour, attend a workshop to review the AUP, and eventually activate their email, cloud storage, etc.

Because the Year 6 students do use iPads, an additional task will face them during their first week of having the device. They will need to demonstrate competence in the APP CYCLE. That is what I call the insane series of apps needed to complete mundane tasks.

I am not pro-iPad, but I am working with a pro-iPad group so I have to make sure the devices are as effective as possible, yet, I like mocking them whenever possible :).

That summarises the removal of the device entitlement; the next part of this plan is eliminating arbitrary security. In a school, tightly managing devices and internet access normally results in students waiting to get home to work on their own equipment.

In a boarding school there is no home to run to for technology freedom. Since the students need to feel at home, locking them down like a Denver Boot is not fair and does not help them develop responsible technology habits.

The plan is fairly straightforward. Students in years 8-11 who come out of week two with shining reviews from their house masters will only be restricted via our network policies. Students who have poor reviews will have their BYOD machines bound to our hardware management system (this includes a firmware lock and removal of all boot options). This binding will be reviewed at the beginning of semester 2, and if the student is doing well, the binding will be removed.

By all current estimates, this will be about 30-40 students by the end of the second month of school. That leaves around 320-330 students free to work and manage their own technology. This will not increase our staffing requirements, nor will it affect our budget.

This plan only impacts students who are negatively impacting their whole community. Students who are working in class, staying within normal teenage boundaries in the residences, and who are participating in the community will have freedom to be on their devices and use all the other technology resources the school offers.

As the new year approaches, the IT department is acquiring new devices which connect to laptops. These devices, all of them, require administrative rights to use. Without a BYOD program in place, we would not be able to effectively connect all the students to these resources without adding more people to the staff headcount. I prefer to spend money on resources, than security, whenever possible.

If anyone is interested in running a program like this, please comment. I need ideas for the year 6-8 group. I really want to build a game like atmosphere that has multiple paths to success. I would love it if a student could earn their device in a week instead of four weeks by beating the system.

Tony DePrato
www.tonydeprato.com