Alaskan Middle Schoolers Phish Their Teachers
lukej writes "In Ketchikan, Alaska, a small group of unidentified students gained access to school-owned computers by using phishing techniques on their teachers. They then used the elevated access to remotely control their peers' computers. Fortunately the school administrators seem to have taken a realistic and pragmatic viewpoint of the situation, although no official punishment has yet been determined. '"Kids are being kids," (Principal) Robinson said, adding that he was surprised something like this had not already occurred. "They're going to try to do what they try to do. This time we found out about it."'" And no one got arrested.
Re:Good thing this wasn't in Florida..... (Score:0, Interesting)
Serious question: How many of these Alaskan kids are black?
"Exactly like" (Score:5, Interesting)
Reading in between the lines I suspect it could have looked wildly different, but the teachers were trained to look for some specific text string which the students got to appear in the elevation dialog.
The UAC dialog is designed to look different if an executable is digitally signed to prevent just this sort of phishing attack. Either the school IT screwed up by not using signed tools, or the teachers were not trained on the differences between the dialogs for signed and unsigned elevations.
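An added example, not part of the thread: one way an IT department could check the "signed tools" half of the comment above, by listing the admin tools whose Authenticode signature is missing, invalid, or from an unexpected publisher. The directory path and publisher name are hypothetical placeholders.

```powershell
# Added example (not from the thread). The directory and publisher name are
# hypothetical placeholders; set them to your own values.
param(
    [string]$ToolDir = 'C:\SchoolIT\Tools',
    [string]$ExpectedPublisher = 'Example School District IT'
)

# File types that can carry an Authenticode signature.
$extensions = '.exe', '.msi', '.dll', '.ps1'

$report = Get-ChildItem -LiteralPath $ToolDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # SignerCertificate is $null when the file carries no signature.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $finding = if ($sig.Status -ne 'Valid') {
            "unsigned or invalid ($($sig.Status))"
        } elseif ($subject -notlike "*CN=$ExpectedPublisher*") {
            'valid signature, unexpected publisher'
        } else {
            'ok'
        }

        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status
            Publisher = $subject
            Finding   = $finding
        }
    }

# Anything listed here would not show the expected verified publisher
# when a teacher is asked to approve its elevation.
$report | Where-Object Finding -ne 'ok' | Format-Table -AutoSize -Wrap
```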
Re:"Exactly like" (Score:4, Interesting)
If it is the attacker that presents the dialog, they have full control. It's probably not a real UAC dialog (i.e. produced by the UAC process) of course, just an exact copy of it. So they can have it look just like the "digital signed" version or the "unsigned" version or whatever version.
Re:Good thing... (Score:5, Interesting)
The last high school I supported, they had the brilliant (BRILLIANT!) idea of teaching programming using Turbo Pascal. And they included the network libraries in it.
Using Novell, the school suffered an escalating fight with the kids. First they faked a login screen. Then they hacked the GINA and got it installed on all the machines in the lab. Then they ran a password sniffer at boot.
Then I convinced the administration to let me use the same techniques. Installed some boot time code to catch these nasties, searched and found the source code, and identified the miscreants. We applauded their efforts, hired one on as a part-time assistant, and warned the others that future incidents would result in escalating punishments. One did get back into school, but the others were banned from the lab for their junior year.
Next semester we deployed ZenWorks, images, and a lot of policies. No matter how they tried, if a station was logged in with a staff ID, the screen background was red. Easy to spot.
Pretty talented kids. Their escapades getting browser access kept me busy for a few weeks. Fun times.