Technology
Episode 234 - What happens when a student account is compromised?
In Episode 234, the hosts delve into the alarming trend of compromised student accounts, discussing the implications and offering mitigation strategies. They also cover recent news in tech and cyberse...
Interactive Transcript
spk_0
television
spk_0
and
spk_0
wasn't
spk_0
TikTok podcast. This is episode 234 with you.
spk_0
Wrong day, guys.
spk_0
Am I? I'm not in it.
spk_0
You started with a lot of gusto.
spk_0
Yeah, a lot of excitement.
spk_0
Yeah. And then I stumbled.
spk_0
A long Chris and yeah, that's Chris.
spk_0
My friend Mark is here.
spk_0
I'm going to silly Boston.
spk_0
Han. I'm here to mate.
spk_0
I'm here to cheer you up today, Josh.
spk_0
I was fine until about three o'clock.
spk_0
And then it just kind of fell apart, but it's fine. If you want to talk about it, you can if you don't want to talk about it
spk_0
That's completely fine too. No, I'm tired of fighting accounts
spk_0
Which we're gonna make that the main segment. Yeah, that's gonna be the primary topic tonight is
spk_0
There seems to be a trend going around of student accounts getting compromised and those accounts sending out
spk_0
spam phishing emails
spk_0
promising $400 a week for a part-time job which
spk_0
Sign me up man sounds good when I was a kid
spk_0
I worked at my parents they own a laundromat and I worked for $5 an hour. That's pretty good 40 hours
spk_0
Not very much money. I think my
spk_0
First job and not first job when I was lifeguarding the last couple of years in high school
spk_0
I think I was making $7.11 sets as a lifeguard. Did you rough this save anybody?
spk_0
No, I didn't came close a couple times yelled at a lot of kids and I mean it's weird that translates my current job
spk_0
Did you save anybody? No, I just yelled at them. Yeah, stop drowning. No, no more. Put spitting water
spk_0
Last me you're gonna sit out use your words. I can't hear you throw that bubbling
spk_0
I
spk_0
Listen if you are ever at a pool and you look up and Josh is the lifeguard I would I would turn around I would now wait
spk_0
Are you if if if we're talking about today? I agree with your statement
spk_0
25 years ago. No, man. No. Oh, yeah. No, no, I'm saying today. I'm saying today
spk_0
Yeah, if if I'm 25 Josh was your lifeguard you were going to drown
spk_0
Yeah, cuz I'm not putting that much effort into it. I'm not getting I'm not getting hurt
spk_0
It could be a hot tub and Josh will still drown you somehow but for 7.11 an hour. That's pretty sweet
spk_0
Yeah, yeah, depending on who you are I might drown you or just let you drown Wow
spk_0
Neither of you to of course and how is your day going Josh?
spk_0
It's better now that I'm with you to crazy people
spk_0
So yeah, we're gonna talk about student account compromise
spk_0
What to do to kind of mitigate it if it's happened the trend that we're seeing some of the hallmarks
spk_0
So if this sounds like an
spk_0
episode that you or your friends need to hear
spk_0
Send this episode to your friends and let's let's spread this word in these mitigation tactics. Let's educate
spk_0
Unmitigate who that kind of hit you just break it up. I did on the fly
spk_0
Yeah, I'm drinking fresco tonight. So I'm on it with a little grenadine no energy drink
spk_0
Can you throw in recessive tape into that my lifeguard? Yeah
spk_0
Anyway, Mark you got some news you make it sound like I actually have new this is just the news segment
spk_0
Oh, yeah a new story that we have touched upon we've hypothesized
spk_0
But Google has finally confirmed that Android and Chrome OS will be merging next year
spk_0
One of the engineers from Google has confirmed this at a Qualcomm conference and
spk_0
I'll read the quote: "So basically what we're doing is taking the Chrome OS experience and re-baselining the technology underneath it on Android."
spk_0
So it looks like they're moving Chrome OS into the Android operating system although
spk_0
If I could read through the lines on this one it sounds like you're not really gonna notice a
spk_0
Significant difference it's gonna look like Chrome OS, but the the back end system will be Android
spk_0
So look for those updates and and that's that's next year. So
spk_0
It'll be really interesting to see how this plays out
spk_0
With the school years and everything so yeah, I'll be interesting to see that hit beta
spk_0
It can and I might out throw a couple devices on beta channel. We haven't gone out of our way to test that
spk_0
But that's something we we would totally do to stay on top of this. Yeah
spk_0
Next up now we are recording this episode a little bit early this week
spk_0
So by the time this airs the vote will have been actually finalized the FCC is voting on Tuesday of this week
spk_0
Sometime in the morning on whether or not to revoke the recent expansions to the E-Rate program for school bus Wi-Fi and hotspots
spk_0
Now this was a bill that was religion passed through the Senate by Ted Cruz in May is now going to be voted on by the FCC
spk_0
I think all indications are that the FCC will revoke this one
spk_0
That's a total of about 15.3 million in E-Rate funds this year requested to pay for school bus Wi-Fi and
spk_0
50.2 million for hot spots because I like a lot of relief
spk_0
The people are still spending on hot spots and and
spk_0
So we'll see what the vote looks like by the time you are listening to this that vote will will have already been what you guys
spk_0
Thanks gonna happen. It's gotten some pretty bad press like I
spk_0
As with the next article the the writings kind of been on the wall here
spk_0
I don't know that it's really gonna be a surprise what that outcome is gonna be yeah
spk_0
And I think what Josh is looking to is its budget season and so we're starting to see quite a lot of
spk_0
proposals and cuts the again by the time this episode is aired either the government will be open or closed who knows and
spk_0
And we're starting to see a budget proposal for next year with massive cuts to education related services
spk_0
Josh, why don't you share the news that was released this week regarding MS-ISAC? The Center for Internet Security and MS-ISAC received word
spk_0
that the NOFO,
spk_0
Notice of Funding Opportunity, for the cooperative agreement that funds the center, or funds MS-ISAC,
spk_0
Will not be taking place come October first. So that was up for renewal
spk_0
Again, the writing had kind of been on the wall because no actions were being taken to try and get that NOFO out and
spk_0
prepped and ready to go
spk_0
So we were just kind of
spk_0
guessing this was going to be the outcome
spk_0
Regardless of that it is still a disappointment and I think it is interesting mark that the 15 million dollars of
spk_0
School Wi-Fi or bus Wi-Fi
spk_0
That was requested and is likely getting pulled back from e-rate
spk_0
is more than the total budget that CISA was giving to the MS-ISAC on a yearly basis
spk_0
It's unfortunate. If you were one of the smart entities that joined the MS-ISAC as a paying member
spk_0
during that
spk_0
Lead-in time where you could get 18 months and get the price lock in you won't be affected by this change
spk_0
But if you waited and you either haven't joined or joined after that introductory pricing was available
spk_0
Now that higher pricing tier is in effect because they no longer have any funding
spk_0
So that that higher pricing structure will be in effect going forward
spk_0
So yeah, it is what it is Josh. Let me let me read and I want I want you to say what you want to say
spk_0
Or I'm not gonna end up on a list where we're gonna
spk_0
So this article so the couple of things that stick out to me that I want to know more about sure
spk_0
So it says CISA, and it has in quotation marks, that it will continue to collaborate with MS-ISAC on
spk_0
Quote information sharing and joint products consistent with its engagement yada yada sure
spk_0
How will do you and maybe not just necessarily you Josh of course, but how's that going to happen?
spk_0
That was one of the things that was like on the chopping block and certain it right
spk_0
How would this that sit and still happen?
spk_0
Quite frankly, I don't have any inside information as an executive committee member my personal opinion there is I don't know how
spk_0
Because if they're removing all funding and expecting CIS, Center for Internet Security, and MS-ISAC to fund all of that threat intel on its own
spk_0
Logic would dictate that's going to be a diminished thing going forward. I don't know how CISA expects the same continued
spk_0
veracity and
spk_0
Really really really good job that Randy Rosen his team do over there on threat hunting and threat intel
spk_0
So yeah, I don't know what that looks like going forward what that what that
spk_0
Information sharing collaboration. I don't know I don't know we haven't we haven't been told yet what that looks like because I get
spk_0
You know, I understand the membership piece and I understand I'm gonna get different things as a member
spk_0
But one of the big things always stuck out to me was that collaboration agree agree and you know whether
spk_0
Whether or not the membership realizes that or not, but there is a or has been historically a
spk_0
Huge amount of collaboration that takes place between
spk_0
threat intel groups from both entities, from CISA and the Center for Internet Security
spk_0
Hand in hand and glove kind of relationship their threat or intel sharing back and forth
spk_0
I don't know what that looks like going forward. We'll we'll have to wait and see what comes out of the center center for Internet security
spk_0
As far as what that looks like going forward now
spk_0
Here's my last question I think with it. Yeah, so the article talks about
spk_0
CISA
spk_0
Explaining or making sure the word is out about their free offerings their cyber hygiene scans
spk_0
It says phishing assessments, vulnerability management tools, regional advisors, bimonthly security operations
spk_0
center calls. Yes, CISA
spk_0
so then
spk_0
Remind me and tell me
spk_0
MS-ISAC membership gives me what?
spk_0
So MS-ISAC membership gives you, you know, if you're now that paid member,
spk_0
MDBR, their protective DNS service, which you could argue CISA has a protective DNS service as well
spk_0
When I was last using it it was in beta it wasn't a wide open thing
spk_0
MS-ISAC has a SOC, a 24/7 SOC that you can call, the NCSR report, which it's up in the air whether or not that's continuing
spk_0
Other threat services. I think one of the important things to remember about MS-ISAC's offerings too was they had those
spk_0
Indic I'll say industry even though it's kind of not the right term industry specific
spk_0
All-hands calls like once a month there'd be the K-12 call
spk_0
There would be whether you guys know it or not there there's the state Sisa call
spk_0
There's the water and wastewater call there's the county government call all of those industry specific or vertical
spk_0
Specific group calls were taking place on a monthly basis from my understanding
spk_0
The SOC call that CISA is coming out with is just a SOC call
spk_0
Plain and simple. It's one call one size fits all for everybody at once
spk_0
I think there is going to be some things lost in translation there
spk_0
because
spk_0
things that apply to us in K-12 don't necessarily apply to other critical infrastructure that CISA covers
spk_0
so
spk_0
It's going to be interesting
spk_0
You know they say that they're going to continue to support SLTTs and the story has been in you know recent history has been pushing some of that to the state
spk_0
My my couple comments on that and the last couple interviews I've given has been the that's fine and dandy
spk_0
but without a
spk_0
a central
spk_0
Guide post there
spk_0
Setting priority or setting standard you're going to have 50 different states
spk_0
Doing 50 different cyber security programs
spk_0
50 different ways and there are some states that are super super good at what they do Iowa comes to mind
spk_0
Fantastic Texas. They've done some great like they've spun up new offices recently from governor Greg Abbott
spk_0
It's in the really good job down there. Iowa and Texas are two, like, almost gold standard examples of what state cybersecurity programs look like
spk_0
But then you have other states that that just don't have that leadership and don't have those programs built out
spk_0
Yet not to say they can't they're just not built out yet
spk_0
So immediately if you're pushing this back to the state you have some real high flyers
spk_0
And you have some states that are really struggling
spk_0
So all those SLTTs and those struggling states are immediately behind the curve
spk_0
and less protected because of it
spk_0
Not calling out anybody specific and not saying it's anyone's fault
spk_0
It's just the nature of the beast
spk_0
It's to where if those local entities didn't happen to join MS-ISAC
spk_0
they've lost some resources there so
spk_0
To me that's the unfortunate part about it. It's it's not you know
spk_0
It was great when MS-ISAC was free, everybody could join, get good information
spk_0
It's about protecting the local entities, you know
spk_0
The cities that are understaffed, because we all know there's school districts understaffed that don't have full-time IT staff
spk_0
There are cities counties in the same entity, you know when when paint had that story
spk_0
County down by him was hit with ransomware
spk_0
And he said their IT guy comes in every other every other Wednesday for the afternoon
spk_0
So you have you have counties that don't have full-time IT staff and
spk_0
You know, they were relying on some of these services from the MS-ISAC, and if they didn't join, now it's gone
spk_0
um
spk_0
That's the unfortunate part of whole of this I think
spk_0
But anyway, you want to hit a sponsor real quick? Oh sure, check out Lightspeed, lightspeedsystems.com
spk_0
They have a new product called signal and I demoed signal
spk_0
and wrote a review about it. So if you go to k12techpro.com
spk_0
It's it's on the homepage there check out light speed but check out their signal product
spk_0
If you want to know all about signal. I did a demo. I wrote a review
spk_0
They can help you track devices and speed and all kinds of things within signals
spk_0
So check it out
spk_0
So
spk_0
The main topic: if you are a K12TechPro member
spk_0
It is no secret the number of schools
spk_0
Recently have been seeing student account compromise and have been trying to mitigate that risk after it has happened
spk_0
So I guess we kind of hit a threshold mark. I think it was you that had the idea that we needed to kind of do a deep dive on this
spk_0
On an episode and it just happened that we're gonna do it tonight
spk_0
Yeah, so
spk_0
We'll kind of take this into a few different parts the first is well, what's the risk?
spk_0
What's the the the major problem with a student account getting compromised?
spk_0
We'll kind of talk about some examples of that go into what should you do when a student account gets compromised
spk_0
But then the bulk of our conversation is gonna be well, how do we prevent this kind of stuff or or at least mitigate
spk_0
And and reduce the risk of accounts being compromised knowing that MFA has some technical challenges in a classroom environment. So
spk_0
Let's start off with well, what's the risk? What's the problem? I think a lot of people take that approach of
spk_0
You know an account a student account doesn't have access to a lot of things. It can't really do much
spk_0
But as we've seen in recent weeks, a compromised student account does have a lot of risk to it
spk_0
So Josh, do you want to kind of go over what what what are you seeing on k12 tech pro that people are talking about right now?
spk_0
Yeah, so we're not gonna attribute any of these findings specific to district
spk_0
Because they all
spk_0
Everything that we're seeing over on pro are they're all very similar in in what is transpired in the threat and stuff like that
spk_0
so the way I guess the symptoms the way it's found is
spk_0
A student account sends out a bunch of spam and we're talking
spk_0
One district said 2700 messages and other districts said over 3000 messages
spk_0
It turns out I think Google rate limits an account at 4000 messages
spk_0
So the bad guys, the threat actors, have figured that out, so they're keeping that number low so they don't get rate limited. The phish
spk_0
slash spam that gets sent out from the student account is
spk_0
some language around: hey, I've got a part-time job opportunity. You can earn up to $450 working less than three days a week
spk_0
Click this link to fill out an application. Well it takes you to a Google form
spk_0
that asks for some PII of whoever's filling it out and then gets submitted. One district said they had a handful of
spk_0
staff that received the threat email and clicked the link and filled it out
spk_0
And one yeah crazy and one staff member reported immediately receiving text messages from the threat actor
spk_0
Saying hey, what's what bank account information but we need to figure out direct deposit and stuff like that
spk_0
So so it's a very real threat
spk_0
Hopefully no one clicks it, but they end up doing it
spk_0
so
spk_0
By by that point that's typically when you the director or the IT IT department are end up getting notified
spk_0
About this event taking place
spk_0
They logged in one district said for up to six hours before sending the messages out and the messages were sent at about two in the morning
spk_0
So that district then went through audit logs to see if anything was downloaded from drive
spk_0
Because that's the other mark what that was a singular singularity mds
spk_0
Right like they were logging in to students and then downloading a bunch of stuff from Google drive shares, right
spk_0
That's one of the important things to look for here
spk_0
Yeah, those are the two main things that we've seen so far is either internal spam to staff and spam can be
spk_0
Anything as as
spk_0
Nefarious as phishing attempts or it can just be you know
spk_0
Get someone to get people to click on link and go somewhere else data
spk_0
exfiltration, as you just mentioned with singular DMD. They were the threat actor that
spk_0
Compromised a few major districts and used student accounts to download data from drive that was
spk_0
misconfigured and shared
spk_0
And then the third one an account that's been compromised you have the risk of it being escalated in and going from a student account to something more serious
spk_0
So for those three reasons it's why you need to take this kind of stuff seriously
spk_0
I'd love to go through all the different steps of things to do
spk_0
But luckily our friends over at k126 have come up with a really good guide for google and microsoft
spk_0
If you go to k126.org forward slash compromise
spk_0
You'll see a great guide of all those things that Josh just mentioned what you can do to search for it mitigate it
spk_0
and clean that account up before restoring it to the student
spk_0
so
spk_0
Prevention, kind of, once the cat's out of the bag on this, it's a little bit too late
spk_0
But in that cleanup phase after you've done your investigation
spk_0
And more importantly on the front side if you have not had this happen yet
spk_0
What are some things that you can do to I guess
spk_0
Reduce your risk as much as possible. I would just say MFA and then we're done conversation over
spk_0
student MFA for everyone. Yes
spk_0
Yeah
spk_0
Okay, full transparency. I'm still demoing student MFA and I'm kind of loving it. So
spk_0
Well before we get to that like we've all rolled out traditional MFA to staff
spk_0
And I'm gonna assume, Chris, that was your groan. There's a lot
spk_0
I guess one of the things that I've asked myself is why hasn't google
spk_0
Come up with student MFA that is wrapped into our current license model rather than me going out to a third party and buying it
spk_0
I don't know if that's on the road map. I sure hope it is. Well, it begs the question like what is a student friendly MFA and I think if you're a
spk_0
Microsoft Google kind of security engineer security expert you're probably saying we can't compromise our own security
spk_0
There are traditional things like YubiKeys that you still could use if they wanted to, but, like, my opinion
spk_0
It's unrealistic to think that school districts are gonna put 25 to $50
spk_0
YubiKeys in the kids' hands and keep that up
spk_0
It's interesting. I was at a meeting Friday. No Thursday and the local junior college
spk_0
just told me he bought 250 YubiKeys for their dual enrollment kids
spk_0
So we're already seeing college do it for high school kids due to cell phone bans
spk_0
I think one one trend that we might see take off more is there is an MFA function in
spk_0
Google that can that will support a
spk_0
Touch power button on a Chromebook
spk_0
Hopefully that becomes more widespread in
spk_0
student level
spk_0
Chromebooks and not a higher end like the Chromebook Plus. Hopefully that's not just an option in the Chromebook Plus market that comes down lower
spk_0
That could be an easy solution
spk_0
But you have vendors out there that are doing you know pick pick a animal pick a fruit
spk_0
So yeah, there are a couple of
spk_0
products in the market. Clever, Josh, you're demoing that one right now. I'm eager to hear how that works out
spk_0
ClassLink has their option. I would say
spk_0
The very first thing if you're interested in securing student accounts is to look at what your
spk_0
SSO portal provider has for MFA options. If you're Clever, check out their MFA; if you're ClassLink, look at their MFA
spk_0
See what that looks like because you can switch over
spk_0
Microsoft and Google's
spk_0
IDP to the third party and use that as an MFA for students
spk_0
It's definitely more student friendly. It has options that are geared for
spk_0
Teacher and district administration
spk_0
And it's a kind of product that kind of fits that sweet spot in between something like a passkey or a cell phone MFA and nothing
spk_0
But
spk_0
You know as we we talked about these things do cost right now and in lieu of Google and Microsoft coming out with their product
spk_0
This is the only option for MFA
spk_0
What if that's not in your budget? What are the other options that you could do to at least reduce the risk
spk_0
of a compromise or at least reduce the impact of a compromised account? Josh, you've done a few of these things yourself
spk_0
Yeah
spk_0
The the biggest one and we've had this one in place for a couple years now where students can't
spk_0
Email insider outside or I'm sorry. Can't email outside the domain and can't receive messages in from outside the domain
spk_0
So just inside mail, so that mitigates a threat actor from sending spam/phish as the original entry point. We did that for
spk_0
K5 or okay grades K5 K6 really
spk_0
And then you're K12 right yeah
spk_0
Um then we also have the Gmail app or the mail app turned off. I think it's K through three
spk_0
So K through three kids don't even have email as an option like send messages back and forth to each other
spk_0
Right that's just been that way since we started with Google. I don't know that that's really been talked about since
spk_0
A change that I made recently was limiting the number of addresses in the To field
spk_0
And that's done through a compliance setting with a regex command or regex query that looks at the number of
spk_0
addresses in the To field and the header just said I love that
spk_0
There are ways around it like all the threat actor has to do is figure out oh the limits 30 okay
spk_0
I'm gonna send instead of sending you know 10 messages
spk_0
I'll just send a hundred messages and if they've got a script doing it it's still pretty quick and easy
spk_0
But still
spk_0
It's it's another hoop. It's another hurdle they have to get around and hopefully by then something is catching the activity and you can act and disable the account
spk_0
Josh what what did you put in or what do you think a best practice would be for that?
spk_0
I did 30. I mean yeah, it's same
spk_0
It's limited, you know relatively class size-ish
spk_0
Yeah, I don't know yeah, I would I would say don't go below your class size max
spk_0
Yeah, just give the kids the ability to email to their class
spk_0
And then offer you know a group or a list or if you need to have a
spk_0
Sports or an athletics club or sports or activity club to email larger groups. So yeah, so we did the same thing we we limited
spk_0
elementary
spk_0
To internal only I wish we had turned off the app for kindergarten
spk_0
There's no really no need for our kindergartners to actually log into email and then yeah, we did a recipients
spk_0
recipients cap for k12
spk_0
What else could you do?
spk_0
You could set up a header rule
spk_0
That looks at messages that are trying to transverse buildings
spk_0
So if you took the stance that there's really no reason that
spk_0
A middle school kid should be emailing a high school kid and vice versa
spk_0
That's a relatively easy compliance rule to set up that adds you what you do is you end up adding a header field
spk_0
on the sender side and then checking for
spk_0
That header field on the recipient side and then it denies it based on true false
spk_0
um
spk_0
That's a little bit more involved than the number of recipient rule
spk_0
But still a great rule
spk_0
We started out using that for kids that lost the right to email other students
spk_0
They were only allowed to email their teachers, but it works
spk_0
Transversing buildings as well. We have that on for our elementaries
spk_0
And we have Gmail on for our elementaries and we try to teach them Gmail
spk_0
And I could easily start to sway towards like let's just turn that thing off because they don't I mean they've hardly ever email
spk_0
Um, but we added the thing to if a elementary kid sends an email
spk_0
We added to like the subject line it literally says something about this as an elementary kid email
spk_0
And I would hope like with this form thing that the it would trigger in the teacher's mind like oh, that's a
spk_0
Elementary kid asking me something about four hundred dollar part-time job
spk_0
You know that they connect those things together and not
spk_0
You know let their mind go and click the link, but
spk_0
And it it doesn't have to be anything as a
spk_0
obtrusive as a subject
spk_0
prepend. Literally, you can make that setting be a header. Yeah, information that isn't seen by anyone
spk_0
All those things can prevent
spk_0
spam and phishing emails, or at least limit them. Is there anything you can do to prevent or at least lower the risk of somebody getting into the account in the first place?
spk_0
Context-aware rules are very good at that, however
spk_0
threat actors have figured that out, like, that's what one district reported seeing
spk_0
Context-aware rule kicked in
spk_0
Prevented it because it was logging in from an IP address geolocated to Africa. The threat actor then quickly pivoted over, probably a VPN,
spk_0
to an IP address that was geolocated to the US
spk_0
Super easy way to get around that rule
spk_0
But again, it's another hurdle. It's another jump that they have to do
spk_0
You're kind of hoping they just kind of give up at that point, but they didn't yeah
spk_0
I think Google's context-aware stuff makes me feel a little better
spk_0
agree
spk_0
Whether or not it has heavy heavy impact and I wish and I think it would be hard and there's probably reasons
spk_0
Around this I wish we could break down the USA into some regions
spk_0
We're like you know again my elementary kids if I could
spk_0
Try to make it or I'm from Missouri if if it only works in Missouri
spk_0
I don't think it's gonna work like that with how ISPs tend to work but exactly
spk_0
Yeah, especially once they go home like you're right you're your IP for your school
spk_0
Yes, it's probably registered to the right loads somewhat right location
spk_0
Once they hop on cell data or they go home all bets are off on whether or not those like most of ours
spk_0
In this area where I live or are geo located to Chicago for some reason
spk_0
So yeah, those geo locates really once you're inside the country. Yeah, they lose all validity
spk_0
The other thing to outside of of adding these kinds of rules is to
spk_0
Really look at your password policies. Yeah, password reset policies
spk_0
I know it's very hard to apply NIST recommendations to younger students
spk_0
But I think if you look at some of the things we just talked about the mitigation efforts
spk_0
combined with strengthening your password policies and
spk_0
Even though for adults you don't necessarily need to do
spk_0
regular password resets because they have something like MFA and a 15 character password
spk_0
You you may need to consider
spk_0
Rotating passwords on a more regular basis for students and seeing if you can get that character limit as high as you can
spk_0
Honestly, I think eight characters is is kind of the the minimum for school districts, but it really
spk_0
A bad guy can get three characters pretty quickly. You really need to get to 12 to 15
spk_0
Yeah, minimum for for that password to be
spk_0
Hackproof
spk_0
Well that phrase lately and and to be
spk_0
Just blunt about it making students aware of not sharing their passwords with their friends needs to be a topic
spk_0
One of the districts that talked about their issue over on pro
spk_0
Said that a student was contacted by a threat actor on Instagram the threat actor had had spoofed another student's account and
spk_0
messaged this student on Instagram, said, hey man, my account got locked out. I need your credentials to help unlock mine
spk_0
student handed him over
spk_0
Account was compromised within minutes
spk_0
So there's a little bit of education that needs to take place here too and we get that
spk_0
I mean we get that all the time
spk_0
Boyfriend girlfriend stuff where you know the password is given out
spk_0
We have an alternative school and I've had you know sibling that's not an alternative school
spk_0
You know they feed that password over so they can try to get around some stuff
spk_0
um
spk_0
I've had kids, you know
spk_0
Literally just watch the other kid type it in because we have one the one right yeah, and I
spk_0
We like to use the word malicious and I don't think the kid always has in his mind that he's being malicious
spk_0
When he's using a lunch pen or whatever that password is he's just being a middle school or a high school or
spk_0
And given his friend the hookup to to do whatever
spk_0
To collaborate that we do encourage
spk_0
So that's a little bit hard funny story. I had a student
spk_0
I was called to a school years ago
spk_0
This is before we had staff MFA
spk_0
But the school was concerned that the student was
spk_0
hacking into
spk_0
teachers' and principals' accounts
spk_0
So I sat down with a student and I knew him at the time and it's like hey, you know were you did you
spk_0
log into the principal's account? No, no, no, I wouldn't do that. Okay
spk_0
Um, I'm just curious if you were to do that
spk_0
How would you go about finding the principal's password? Oh, she keeps it on a Post-it note on her lap. Oh sure
spk_0
Ha ha ha
spk_0
For sure. Okay. All right. I'm I'm really glad that you didn't even though you know exactly what the path is and you know where to find it
spk_0
So I made sure that Post-it note was gone before I left the school. I like it
spk_0
Hey, by the way check out Arista our friend Aaron over there at Arista e vonder e v oh and the er at arista.com
spk_0
They can do your networking they can do your switches. They simplify management
spk_0
They have AI driven management. They can do AI and machine learning
spk_0
For you as a network admin
spk_0
And they have what they call zero touch configuration
spk_0
And they can help you provision out your switches and your things quickly
spk_0
So check out Arista at arista.com
spk_0
All right well Josh you're just going through the demo of Clever MFA
spk_0
When will you be able to come back and talk to us about we won't results
spk_0
We won't say I would say mid to late October
spk_0
Our trial goes mid October okay, buddy
spk_0
Well our trial goes until
spk_0
Like the
spk_0
I don't know 23rd or something of October
spk_0
So we'll have to have a decision by then
spk_0
I can tell you we are we expanded our trial to another 15 kids on friday
spk_0
Um, I have had zero complaints all
spk_0
My biggest fear was the stuff that we had set up
spk_0
With SAML authentication, you know the login with Google buttons
spk_0
My fear was that stuff would not work and that fear was completely unfounded
spk_0
all the way to
spk_0
We use the Google authentication
spk_0
For Windows in a lab
spk_0
That still works
spk_0
Wow
spk_0
Yeah, I I was like okay if anything is going to break it's going to be that nope
spk_0
Chugging right along
spk_0
So you got MFA protecting Clever protecting Google
spk_0
Yeah, protecting the Windows PC. Yeah
spk_0
That's a lot of chain
spk_0
Yeah, that's that's quite the chain
spk_0
Yeah, so it'll be interesting to see how this roll up roll out goes if we end up expanding it more before we make the decision
spk_0
I told the kids I've had a couple different meetings with a couple different groups of them and I'm like
spk_0
I want you to break this like I want you to find something that does not work now because we're doing this
spk_0
And so far they haven't
spk_0
So I need to touch base with them again tomorrow to see
spk_0
What the what the story is I wasn't able to touch base with anybody today
spk_0
You know, I said it earlier and I think I think it's worth saying again if you feel like
spk_0
Something we said was valuable tonight and you think a friend needs to hear it
spk_0
Share share this episode with that friend with that neighboring school district that just went through a student compromise
spk_0
Make sure they're covering all their boxes are checking all their boxes
spk_0
Because I I think this
spk_0
particular threat this student compromise sending out this part-time job thing
spk_0
Is happening way more than most realize because we've had what
spk_0
3 4 5 districts over on pro complaint about it in the last 10 days
spk_0
I think this whatever this trend is whatever this threat vector is
spk_0
I'm still really curious is it all related to that story that we heard that it was a kid being contacted on Instagram being asked for
spk_0
Credentials is that really it now what the the the form
spk_0
Okay, the one where they they the teacher did put stuff in yeah
spk_0
They got reached out to about
spk_0
Banking information correct like that so that ends up being the the bit like they want to try to transfer some money or take some money or whatever
spk_0
Right and under the guise of setting up direct deposit. Okay
spk_0
Yeah
spk_0
Yeah, it's it was barely reminding me of like back in the day
spk_0
Lots of schools had email servers that you know you had your email server sitting within your school and
spk_0
I remember like
spk_0
Neighbor school that email server sending out spam and you're just like oh that school spamming us again
spk_0
You know that was before the days of SPF and DKIM and DMARC but
spk_0
This feels like that like oh these student accounts have been hacked and
spk_0
The bag I sat on it. I'll just send it out stupid forums about part-time jobs like
spk_0
It's not like they're going I mean they're going after money
spk_0
Uh, but they're not necessarily so far trying to
spk_0
Get student data or get employee data. It feels more like the old school scam
spk_0
I'm money grab again
spk_0
But it would be super easy for them just to pivot to Drive, sure, see what files are shared
spk_0
I mean it wouldn't take anything
spk_0
Yeah
spk_0
Yeah, I still would like to get to the root, the root vector of this like what
spk_0
Where are these passwords coming from is it is it a new is it a new password dump that we don't know about?
spk_0
Is it really all related to this Instagram social engineering thing?
spk_0
I don't know sure. I'm sure they're they're just taking one compromised website and
spk_0
Using those credentials on on Gmail and you're in a sure like yeah, it's not that hard question
spk_0
Is it if it's targeted or if this is just a random student that's you know left for the I like how the targets have been like
spk_0
Josh, you know like let's just focus attention on
spk_0
Not me
spk_0
Is what is what I prefer it's coming. Yeah
spk_0
Whether you wanted to or not it's
spk_0
You're right there with me buddy
spk_0
Hey, I know we mentioned it, but the K126 slash compromise that that whole bit is just very good like
spk_0
Check yourself on these items
spk_0
Roll through this thing
spk_0
Uh, you might know what you always do when you have an account get compromised
spk_0
But to chug through that I mean it's it's good. It's good reminder stuff
spk_0
Yeah, well linked in the show notes, but that address is k126 dot
spk_0
ORG forward slash
spk_0
And it's also for our Microsoft 365 friends because we show love to all yes
spk_0
Or the least the person who wrote this did
spk_0
Chris any final sponsors or Fortinet
spk_0
Fortinet podcast at fortinet.com
spk_0
They can help you with with making yourself feel secure as well. All right. I feel like we're warm boys
spk_0
Yeah, it's only Monday. Just recording this on Monday. I'll be right down
spk_0
Mark and I we were here like 20 minutes before you jump in and we were
spk_0
Actually, we were solving the world's problems with smiles on our faces and then you can and as a standard
spk_0
Let me just say as a standard we typically operate off of central time because Chris and I are both in central time
spk_0
Yes, correct. Yes, Mark said we'll go at seven. Okay. Great. I'm sitting on my time right. It was six o'clock
spk_0
Yeah, six 17 when Chris texted me and said where are you
spk_0
That is true
spk_0
Just just to barely get there and this doesn't necessarily have to be on the episode
spk_0
But when mark said seven
spk_0
I actually turned to stefner. I said
spk_0
He never speaks in eastern time right. I think I'm gonna go ahead and join it six
spk_0
But it was a real conversation Josh you lean towards seven central
spk_0
Yeah, cuz that's what we always do but yes, he did he did say a different text than what is normal
spk_0
Yep, that's fine. Yeah
spk_0
We're just blaming it all on one. It's fine. He's looking at his phone to see what he does. He is too
spk_0
He's fact checking us
spk_0
Listen if two people are in the right place and one person is not
spk_0
That's true. I did and it's it
spk_0
I kind of complicated the whole thing because I did show up on time you broke norms
spk_0
And I always feel a little weird that we get to make mark go by our time too
spk_0
I feel bad because we go late sometimes Josh
spk_0
Not everybody goes to bed as early as you
spk_0
When you're my age. Yeah, everybody does
spk_0
We'll see we'll see about that
spk_0
Bill listener bill knows he goes to bed early all right
spk_0
Well, like I said share this episode with your friends shoot us an email over at k12 tech talk at gmail.com
spk_0
Have you have you seen this compromise with
spk_0
Google Form spam phish going out? Let us know if you figured out the threat vector and how they got it originally
spk_0
I'd love to hear some supporting information of of what you think that looks like we will see you next week
spk_0
See you
spk_0
We might not be the same
spk_0
The views and opinions expressed on the k12 tech talk podcast are the personal opinions of Josh, Chris and Mark
spk_0
And do not represent the views or opinions of our sponsors or other organizations that we're affiliated with
spk_0
The material and information presented here is for general information and entertainment purposes only
spk_0
Thanks for listening and we'll see you next week
spk_0
By the phrase
Topics Covered
K12 Tech Talk podcast
student account compromise
spam phishing emails
part-time job scams
school bus Wi-Fi
FCC vote e-rate
Center for Internet Security
MS-ISAC membership
cyber hygiene scans
threat intelligence sharing
cybersecurity programs
local entities protection
education funding cuts
Android and Chrome OS integration
budget proposals for education