topic Re: Problematic students and malicious intents in Peer-Peer Topics

Problematic students and malicious intents

dhalvorsen — Fri, 21 Feb 2025 20:18:32 GMT

I am looking for suggestions as I'm sure basically every K12 administrator has their share of students who have malicious intents. I found a user recently who has been trying to use Parrotsec, Kali, and Tails (that I'm aware of). This student utilized proxmox from a Chromebook to a local IP that isn't ours (192.168.1.7:8006). I'm assuming that this is a Pi or similar device that may be wired directly to the Chromebook as he apparently used it during school hours in a class discretely. I'm not sure if his intent is to find a way around the internet filter, try to snoop for passwords, or some other means to compromise the network.

Are there certain settings in Google that I should be checking or changing to try and help prevent these situations? There are students who do need access to the USB port for flash drives with images, so I can't just block all USB devices.

Re: Problematic students and malicious intents

ddelboccio — Fri, 21 Feb 2025 20:24:28 GMT

What the heck is promox? And for that matter, Parrotsec, Kali, and Tails?

Re: Problematic students and malicious intents

MarkLoundy — Fri, 21 Feb 2025 20:26:51 GMT

Not every problem has a technical solution. Send out a communication to all parents telling them that hacking into a network or defeating security measures is a federal crime and that both the families and, if of age, the students risk going to prison.

Re: Problematic students and malicious intents

9330cashmore — Fri, 21 Feb 2025 20:51:27 GMT

That student, I would get to know them and help them figure out what they wanted. Sometimes the best tool is the student that wants to learn.

Re: Problematic students and malicious intents

icrew — Fri, 21 Feb 2025 20:58:37 GMT

Story time: >25 years ago, one of our students found it rather, um, educational to return to their dorm room after class to find a couple of FBI agents waiting for them there....as far as I know, there wasn't an arrest made, but the message was pretty clearly sent!

Re: Problematic students and malicious intents

npl — Mon, 24 Feb 2025 09:42:39 GMT

if they are using a device like a PI to bypass the network filters they must be connecting to the internet via your network. If they have access to the wifi they probably are using a VPN.

You can setup a ethernet connection for the Chromebooks ( see https://support.google.com/a/answer/2634553?hl=en&sjid=2568261543070865853-EU ). Set the proxy to some non network ip eg ( 10.10.10.1 ) and a non standard port ( eg 9900 ). Set the DNS to a network ip's that are NOT DNS server eg ( 192.168.1.1, 192.168.200,1 ). Have the proxy and DNS set to different networks.

This will make it a bit more difficult but not impossible to do what they are doing.

Re: Problematic students and malicious intents

kaned — Mon, 24 Feb 2025 14:02:44 GMT

The question is how is the pi connecting to your network, and is your network appropriately segmented to reduce risk in the event someone can do this exact thing? We are doing penetration testing on our networks to help us keep all of these networks as secure as possible.

Is the student connecting through a USB or Bluetooth connection to your Chromebook, or is it directly connecting to your network?

1. This is likely a clear violation of the AUP/Handbook and should be addressed.
2. Once the means of connectivity is discovered, you can take action to prevent further access.

Without ANY research into this, I'd start looking into Android debugging protocol or sharing internet over USB. Not sure off hand if the Chromebook can share internet through Bluetooth. I wonder if there are new methods now with USB-C that I am unaware of!

If the pi is connecting directly to the network, then you have some other work to do. Were they Able to get the WPA key and how? This used to be done through the network tools in Chrome://, not sure if you are blocking any of those setting pages.

IF this was my building, I would make sure the student understands the weight of the situation, but also recruit them. If the kid is working with/for you, there is an opportunity for growth for the student and a way to further protect your district. This also depends on the personality and intent of the student and would need to be weighed by administration, etc.

Re: Problematic students and malicious intents

dhalvorsen — Mon, 24 Feb 2025 15:02:44 GMT

I am still fairly new to my role and have been ambitious to try and lock things down from how my predecessor ran things. Sadly, I do not have the option of a NAC due to budget constraints. The network that students connect to does not have internal access. A lot, if not all, of the Chrome:// pages are blocked. Administration is looking into this situation, but I'm not sure how many answers that will provide. I don't foresee this student being one of those situations. I look to this group for insight from other people who may be in similar situations, have far more knowledge in different areas, and I'm sure plenty of people in this group like to tinker who would have further insight yet. Thank you for giving me some things to look in to.

Re: Problematic students and malicious intents

kaned — Mon, 24 Feb 2025 17:25:25 GMT

Feel free to respond back with any info. It would be nice for the rest of us to be proactive about a similar situation!

Re: Problematic students and malicious intents

MattDPenn — Mon, 24 Feb 2025 18:50:48 GMT

Can you elaborate on those network tools under Chrome:// for chromebooks? Trying to look up/poke around to see if I can manage pulling the key on my districts devices and either I'm looking at the wrong topics or we've already toggled on whatever would prevent that. I know you used to be able to basically toggle show password in Windows that I think was finally (or at least the easy way) taken away. I know Android (and I think iPhone now?) has the share wifi QR code that basically has the password in plain text.

Re: Problematic students and malicious intents

kaned — Tue, 25 Feb 2025 13:56:16 GMT

This was a conversation on the previous platform (now unavailable), so I cannot reference conversations/issues. The WPA key was shown in plain text in the Chrome://policy and Chrome://network.

"WiFi": { "AutoConnect": true, "HiddenSSID": false, "Passphrase": "********", "SSID": "MySSID", "Security": "WPA-PSK" }

Google fixed those and then it was available in the downloadable network logs for a short period.

This was all at least 12+ months ago, posibly 24+ months ago.

It seems like for a good year, we kept seeing the WPA key popping up in several Chrome:// pages for students. We have resorted to blocking Chrome://* and specifically allowing certain pages as needed.

To be clear, I do not know of any current ways to do this, but we've blocked almost all of Chrome:// so I'm not in there tinkering much anymore.

Re: Problematic students and malicious intents

Kim_Nilsson — Wed, 07 May 2025 10:01:09 GMT

Yeah, back then I added a few addresses to make it harder to get the wifi info out of the device.