In Ketchikan, Alaska, a group of 18 students (aged 12 to 13 years) attending Schoenbar Middle School were able to hack into various computers after exploiting teachers to gain admin access. After taking control of various computers remotely, the hackers played pranks on other students.
Teachers were alerted about the issue when classmates complained that their computers were not working properly.
How did the students go about getting admin access? It’s pretty clever actually.
Naturally, computer software needs updating. If you’ve ever updated software in Windows, then you know the system asks for admin rights (and the associated password) before altering important files, specifically through the User Account Control (UAC) prompt. The students took advantage of that process. They tricked their teachers into entering the admin passwords by running a program that made the teachers think the computer needed updating. The teachers happily supplied the required password, which gave the students the login credentials they needed. In other words, they used phishing to gain the passwords.
Once the students had the password, they didn’t need it again. “And it only took one time,” said the Principal of Schoenbar, Casey Robinson.
According to the school district’s technical supervisor, Jurgen Johansen, students used the exploit to “spy” on each other and control classmates’ computers remotely.
“I don’t believe any hardware issues were compromised. No software issues were compromised. I don’t think there was any personal information compromised. Now that we have all the machines back in our control, nothing new can happen.”
Apparently 300 computers were seized by technicians so that they can analyze what the students were doing with them. They’re also going to use the machines to figure out who was responsible, and who participated in the hacking scheme.
Obviously, disciplinary measures are planned for the students involved, although Robinson says the district will take a peek at the computer-use agreements that students and parents signed before being issued a laptop. It’s likely that the participants will no longer have access to computers during their time with the school.
I’m not saying it’s the teachers’ fault at all here, but don’t you think they should take at least a little responsibility for not double-checking before they offered login credentials? Hopefully the parents of these children will also understand the implications of their actions and discipline them accordingly.
As for the security protocols at Schoenbar, and how teachers handle software updates, Robinson says the process must change.
“How we do business is definitely going to have to change when it comes to updating programs and resources on the machines. Yes, something new is going to have to happen.”
What do you think? Although I find this story slightly amusing, I also think it shows something about a lot of our youth today who were raised around such technology. I suspect this won’t be the last time we hear a story like this.
[via KRBD, BBC News, image via Kelly Fraas]