Bringing data to a knife fight
Sup. I think I am about done with the K12 IT gig. It's the worst.
A few years ago we moved to ISE self-enrollment for staff BYOD that uses a lobby page and AD credentials to join to a WPA2 Enterprise SSID that is bandwidth shaped. Similarly, we created sponsor pages for building office staff to allow them to create individual and event credentials for the same SSID. This system has worked for 3 years without significant issue.
A couple of months ago, a WPA2 Personal (PSK) unshaped SSID was brought to my attention when 700 unauthorized users jumped on and crashed the network. I immediately changed the PSK and hid the SSID only to discover that among the 700 students, I had a High School Principal.
When he reached out to me about getting back on wifi, I directed him to the self enrollment portal and was met with immediate resistance. When I attempted to work to identify his reported issues of slowness on the proper network, he was insistent that he had no time to answer my questions and needed to be put back on the PSK network immediately.
He began engaging in some fire starting, finding unrelated and vague issues in his building and emailing me while CCing multiple directors and the superintendent, only to ignore my requests for more information so I can resolve the issue. Two Saturdays ago while I was cooking breakfast at home he called me from the superintendent's cell phone to chew my ear off about slow wifi at his basketball tournament.
Fast forward to yesterday: I met with him and the superintendent and tried to explain the security concerns surrounding his request only to end up agreeing to turn the Personal network back on for him and his guests. It became clear he was going to make my life hell and/or get me fired and I gave in. Honestly, it's kind of wrecked my weekend. Am I making this a bigger deal than it needs to be? WPA2 Personal is for home use only right? At best it is for large events and then shut off when they are over with frequent password changes. Am I wrong? Too serious? Naive?
https://redd.it/17yrfh0
@r_k12sysadmin
Cyber Threat Actor “SingularityMD” Targeting K-12 Google Workspace Environments
Not sure how many of you are subscribed to the MS-ISAC cybersecurity feed, but apparently there has been an extortion group keying in on Google Workspace in the K12 space - in particular, student accounts and gathering sensitive data. The MS-ISAC doesn't publish their documentation online, but I'll copy/paste the gist of it below. To be honest, I'm surprised it has taken this long for something like this to catch hold.
We require two factor for staff, but it's practically impossible to do so for students. What are you guys/gals planning on doing to try and get a handle on this?
*Executive Summary*
*The MS-ISAC Cyber Threat Intelligence (CTI) team has recently observed the cyber threat actor (CTA) "SingularityMD” compromising K-12 student Google Workspace accounts for initial access. The CTA then leverages the compromised account and the environment’s configurations to access and exfiltrate data to demand a ransom.*
*The MS-ISAC CTI team assesses with moderate to high confidence that SingularityMD is likely to continue targeting K-12 organizations that use weak passwords and vulnerable configurations for Google Drive and Google Group.*
*Please refer to the recommendations at the end of this report for further guidance.*
*Substantive Analysis*
*A trusted third party provided the MS-ISAC with an analysis of SingularityMD threat activity, showing that the CTA has been actively claiming access and threatening to leak sensitive public K-12 student data from at least four entities since October 2023.*
*In an interview with* [*DataBreaches.net*](https://DataBreaches.net)*, SingularityMD explained their attacks, “We compromised a student account, then accessed information available to any student to escalate from there to teacher to systems level access for one or two systems. This was not a fancy high tech operation.”1 The CTA reportedly performs reconnaissance on social media and other public facing websites to collect personally identifiable information (PII) and email addresses for students. SingularityMD then uses that information to brute force weak student passwords that are based on PII, such as date of birth. A successive brute force compromise provides the CTA with initial access to K-12 school district Google Drive and Google Group accounts.*
*Once a student’s account is compromised, the CTA leverages Google Workspace configurations to attempt to join Google Groups that allow access to material shared in Google Drives. The third-party analysis found that a school’s Google Workspace configurations are sometimes set to allow a user to self-add themselves to another group by default. SingularityMD uses the compromised accounts to access and exfiltrate sensitive data including:*
*• Student and parent/guardian PII (first name, last name, student ID, home address, phone number, email address, race, and ethnicity)*
*• Student Photographs*
*• Data from Individualized Educational Programs (IEPs) and other Special Education (SPED) documents*
*• Person Summary Report*
*• Student incident reports*
*• Medical information*
*SingularityMD does not encrypt files during its intrusions. Instead, they exfiltrate sensitive victim data and request a ransom in exchange for destroying the stolen data. 3 School districts have reported that the CTA has emailed parents directly, threatening to leak the data to coerce school districts to meet the ransom demand. As with other CTAs, it is important to note that there is no guarantee that SingularityMD will delete the stolen data if they receive a ransom payment.*
*SingularityMD’s use of data exfiltration and extortion follows a trend the CTI team analyzed in SFAR 2023-04, highlighting ransomware groups’ shift towards data extortion without encryption, enabling a growing contingent of CTAs to evade detection and increase the agility of their operations. In a recent post on BreachForums, SingularityMD expressed intentions to sell exfiltrated data as a service on the Dark Web which would offer an alternative revenue source from the ransom demands. Notably, according to third party analysis, in several instances SingularityMD was able to use the compromised accounts to move from a Google cloud space to the local network system and exploit on-premise resources. Additionally, SingularityMD is known to use the compromised accounts to send phishing emails.*
*In a recent report, cybersecurity vendor Bitdefender highlighted similar threat activity where CTAs move laterally onto a local network and then abuse Google’s Credential Provider for Windows (GCPW) to exfiltrate data from education institutions. According to the report, CTAs leverage the GCPW vulnerability to access “Google Classroom data, including classes, coursework, and student submissions, [that] could be exploited to manipulate educational data, impersonate students or teachers, or gain unauthorized access to educational resources."4 The MS-ISAC CTI team cannot confirm whether SingularityMD was leveraging these tactics, techniques, and procedures (TTPs), but the parallels between their tactics and the malicious activity BitDefender described in their report are notable.*
https://redd.it/17xwei4
@r_k12sysadmin
Chromebooks for teachers
Revisiting a topic that was posted here about a year ago.
Our teachers are due for a laptop refresh, and I am pretty set on replacing them with Chromebooks. In the past few years, the only thing I have installed for teachers on their Windows laptops is printers, so I know there is little, if any, Windows software being used in the classroom. With that being said, does anyone have a brand/model that they have been happy with? I've also heard mixed feelings about touch and stylus too, so I'm not sure about needing that feature. All classrooms have a Newline panel with a chromebox attached, so ChromeOS on the panels is already being heavily used. We are also 1:1 K-12
https://redd.it/17xpbl4
@r_k12sysadmin
User Chromebooks/Laptops Survey
I'm gathering some data to help everyone with purchasing in the new year.
Click here for the survey.
Click here for results.
Thanks for your input! I'll make pretty pie charts when there's more responses.
https://redd.it/17xhi26
@r_k12sysadmin
BigTeams/ ScheduleStar video issues?
Just wanted to see if anyone else out there that uses BigTeams/ScheduleStar is having issues with Add event or other CSS modal windows not displaying on some machines?
* Not Browser Related - Chrome, Firefox, Edge all have the same error.
* Not Driver/Patch revision specific - Testing machines of the same model with the same patch/driver revisions--some work, some don't.
* What seems to fix the issue is to turn video performance to optimal and then back to Let Windows Manage and then do something that causes a video reset (e.g. change resolution). Not sure if this is a permanent fix.
I know some other districts are having the issue--BigTeams acknowledged that and I know of some others in our area. Just wanted to throw it out there to see if anyone had done any other debugging to further refine the issue.
https://redd.it/17xg7hl
@r_k12sysadmin
Kiosk mode
My goal is to create an environment where the computer will only run the DaVinci Video editing software.
Our primary objectives include:
* Security Measures:
1. Restrict access to any other applications or system settings.
2. Implement measures to prevent unauthorized changes or tampering.
* Exclusive Use of DaVinci Resolve:
1. Configure the system to launch DaVinci Resolve exclusively during user logon.
* User-Specific Restrictions:
1. Apply these restrictions only to specific user accounts, ensuring that other users have unrestricted access.
When I set the local standard user account to kiosk mode, DaVinci is not available to select as an application.
An acquaintance of mine has suggested using a Shell launcher, but I am unable to find examples of how to make this work. I have enabled this option but I have not found instructions on how to go any further on this path. That being said, it still does not solve the issue of the system being locked to the student beyond DaVinci.
Given the sensitive nature of the environment, ensuring a controlled and secure computing environment is of utmost importance. If you have experience or insights into setting up such locked-down systems, I would greatly appreciate any guidance, tips, or recommendations you can provide.
I have been experimenting with PowerShell to accomplish this by creating a kiosk, but I have been unsuccessful.
https://redd.it/17x0bzt
@r_k12sysadmin
Mac Sonoma: How do I get mailto: links to open Gmail.com?
User auto updated to Sonoma, and the mailto: href links all open in Mail app. Don't seem to see a setting. There is a default mail provider in Mail Preferences, but if you set Safari/Chrome nothing happens.
https://redd.it/17wxcfp
@r_k12sysadmin
Use Printer Offline - issues
We have a user who randomly stops being able to print, when checking their device the Use Printer Offline is checked. Unchecking it lets it work again. Is there anything that would cause this to automatically get checked?
https://redd.it/17wuvrd
@r_k12sysadmin
Outgoing messages reportedly going to users' spam
I can't think of any changes we've made, but we're getting more and more reports that emails sent from our domain are ending up in parents'/vendors' spam box. I've had a few send them back to me so I can check headers but I'm a little out of my element here. What is causing this? Where do I even start troubleshooting it?
SPF, DKIM, DMARC all pass on the returned email, but I'm not sure if that shows me the message we sent out or just the message they forwarded back to me?
https://redd.it/17wrx1f
@r_k12sysadmin
Touch Screen Chromebooks (Acer Spin 511)
Hey all
anyone know of a way to disable touchscreen on chromebooks for a select group of people/one OU in google admin?
devices are enrolled into enterprise etc etc
https://redd.it/17wcoq8
@r_k12sysadmin
External media access for student photography/video editing class
One of our teachers wants to start a Photography/Video editing class using Microsoft Surface Studios. They have requested external media access for students. We of course can't allow domain-joined PCs to have USB access, especially for students. Our compromise is to only give USB access to the teacher's PC that is secured in their office, then they can download the files off of the SD cards and upload them to OneDrive or to a network shared drive. That PC will also have our MDR agent installed on it.
Just curious what other districts are doing in these situations?
https://redd.it/17w2z28
@r_k12sysadmin
Do you have a policy or procedure for approving apps and websites in lieu of the Google Admin app access control changes?
We probably did this backwards, but with the new age restrictions and security tightening Google added last month our approach was "Do nothing until someone notices something is broken and we can look at them as the requests come in." We are getting through the majority of them now but we really need something on paper saying how we handle these so we can have some backbone to tell people yes or no on apps and websites they have been using for years. Do you use a Google Form? just make them put in a work order as if it was anything else? Who determines if you allow an app or not? Is there a committee with weekly/monthly/9 weeks meetings?
https://redd.it/17w1zow
@r_k12sysadmin
QUIC in BYOD
We're rolling out 1:1, but upperclassmen are still on a BYOD system to access digital material, LMS, etc. How do we all feel about QUIC/UDP 443 traffic and the lack of visibility by firewalls and filters?
I would block traffic on our appropriate vlans and touch nothing on the devices.
https://redd.it/17vwoyp
@r_k12sysadmin
Syncing Multiple ICS files into a singular Google Calendar?
Hey all! One of our admins has this terrible calendar setup, where they have one main Google Calendar that syncs all events to the school website, and about twenty smaller calendars on Microsoft Outlook for a specific sport that sync to the service SportsYou. Each event they add to the main calendar has to be duplicated manually to the smaller calendar for each individual sport. This makes their calendar very cluttered, and this particular admin is already, how do I put it, not computer literate, so this has introduced a lot of human error.
I'm wondering if it would be possible for me to set up a Google Calendar which syncs with many different ICS files? The one main Google Calendar is unfortunately a must-have for them, so I'm at a loss here. Thanks!
https://redd.it/17q22la
@r_k12sysadmin
Apple TV stuck on last image sent from AirPlay 17.0 and 17.1
I have Apple TVs in about 30 classrooms all managed by Mosyle. They are all in conference room mode to avoid distractions in an elementary setting. Since tvOS 17 I have been having a lot of issues with Apple TVs frozen on the last image from an AirPlay session. Witnessed one that seemed to have cached the last 5 seconds of what the person did and it replayed that then froze.
Only solution is to reboot the Apple TV by unplugging it and plugging it back in again. Remotes are useless in conference room mode and remote management commands to reboot are ignored or unsuccessful.
This issue seems to be Apple TV / tvOS not handling AirPlay sessions that are not ended before the laptop sleeps or is closed. I've asked users to make sure to disconnect sessions rather than just close the lid. Seems to help, but can't be sure.
Is anyone else seeing this? Any fixes?
These are all 4th Gen (HD) Apple TVs so my guess is Apple is going to say buy new ones if I call for support.
https://redd.it/17umelb
@r_k12sysadmin
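The MS-ISAC report on SingularityMD above singles out one setting: Google Groups that any signed-in domain account can add itself to, which turns a brute-forced student password into access to everything shared with a staff group. The audit below is an added example written for this page, not code from the report or from any post here. It reads per-group records in the shape the Google Groups Settings API returns (the field names and enum values such as whoCanJoin=ALL_IN_DOMAIN_CAN_JOIN are the API's own; the API returns booleans as the strings "true"/"false"), whether you pull them from the API directly or from a GAM export you already run. The groups in SAMPLE_SETTINGS and the baseline in HARDENED are constructed for illustration.

```python
"""Flag Google Groups that a compromised domain account could join on its own.

Added example for this page, not from the MS-ISAC report or any post above.
Input records use Google Groups Settings API field names and enum values;
the groups in SAMPLE_SETTINGS are constructed.
"""
import json

# whoCanJoin values that let a signed-in account add itself with no approval
SELF_JOIN = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}
# value that still lets an attacker ask, and relies on an owner saying no
REQUEST_JOIN = {"CAN_REQUEST_TO_JOIN"}
# group conversations readable, or group listed, for non-members
BROAD_VIEW = {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"}
BROAD_DISCOVER = {"ANYONE_CAN_DISCOVER", "ALL_IN_DOMAIN_CAN_DISCOVER"}

# Baseline (assumed) for a staff group whose membership grants Drive access.
HARDENED = {
    "whoCanJoin": "INVITED_CAN_JOIN",
    "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
    "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER",
    "allowExternalMembers": "false",
}

SAMPLE_SETTINGS = [  # constructed records
    {
        "email": "sped-teachers@district.example",
        "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
        "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
        "allowExternalMembers": "false",
    },
    {
        "email": "all-students@district.example",
        "whoCanJoin": "INVITED_CAN_JOIN",
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER",
        "allowExternalMembers": "false",
    },
    {
        "email": "yearbook@district.example",
        "whoCanJoin": "CAN_REQUEST_TO_JOIN",
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
        "allowExternalMembers": "true",
    },
]


def audit_group(settings):
    """Return (severity, reason) findings for one group's settings."""
    findings = []
    join = settings.get("whoCanJoin", "")
    if join in SELF_JOIN:
        findings.append(("HIGH", f"whoCanJoin={join}: any signed-in domain account, "
                         "a compromised student included, can add itself and inherit "
                         "every Drive share made to the group"))
    elif join in REQUEST_JOIN:
        findings.append(("MEDIUM", f"whoCanJoin={join}: membership depends on an owner "
                         "declining requests"))
    if settings.get("whoCanViewGroup") in BROAD_VIEW:
        findings.append(("MEDIUM", "whoCanViewGroup: conversations readable without membership"))
    if settings.get("whoCanDiscoverGroup") in BROAD_DISCOVER:
        findings.append(("LOW", "whoCanDiscoverGroup: group listed in the directory, easy to enumerate"))
    if settings.get("allowExternalMembers") == "true":
        findings.append(("LOW", "allowExternalMembers=true: outside addresses may be members"))
    return findings


def audit(all_settings):
    """Map group address -> findings, omitting groups with none."""
    report = {}
    for s in all_settings:
        findings = audit_group(s)
        if findings:
            report[s["email"]] = findings
    return report


def hardening_patch(settings):
    """Only the fields that differ from HARDENED: the body for a Groups Settings API patch."""
    return {k: v for k, v in HARDENED.items() if settings.get(k) != v}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SETTINGS), indent=2))
    for s in SAMPLE_SETTINGS:
        print(s["email"], "->", hardening_patch(s) or "already at baseline")
```

Run it over a full export rather than a sample: the groups that matter are the ones nobody remembers creating, and HIGH findings on a group that has Drive folders shared to it are exactly the path the report describes. The patch function emits only the deltas, so applying it to a group already at baseline is a no-op.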
Changing student emails
Hi Everyone,
We are a K-12 School planning to change the structure of our students' email addresses. Students will be changing from a named email to a numerical email.
Can anyone advise me on the least disruptive way to achieve this? We currently use Google for emails, so I was planning on keeping the student's old email as an alias for a period of time. However, I am open to any and all suggestions.
https://redd.it/17xvtvn
@r_k12sysadmin
Disable Student Chromebooks from Turning off Wifi
We have had an increase of students finding ways to access game websites, and immediately turning off wifi when it loads so our GoGuardian can't see what they're doing. I've been asked to try and find a solution for this but I can't seem to find what I'm looking for in Google Admin. I have tried removing Chrome OS Setting Editing, but the device can still turn off wifi in the system tray.
https://redd.it/17xkqoa
@r_k12sysadmin
DMARC Google Groups Loophole
Just received this article in my inbox - apparently you can send email from a personal email/domain to a mailing list on your DMARC protected domain and it will rewrite the from header and pass it along as legitimate email.
https://easydmarc.com/blog/unveiling-the-security-risks-google-groups-and-dmarc-exploit/?utmcampaign=SupportNewsletterNovember2023&utmmedium=newsletter&utmsource=email
https://redd.it/17xg6u5
@r_k12sysadmin
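Two of the posts above turn on the same question: what the Authentication-Results header on a message you are holding actually tells you. The outgoing-mail post asks whether "SPF, DKIM, DMARC all pass" on a copy a parent sent back refers to the district's message or to the parent's forward; the Google Groups post describes a list rewriting the From header so an outsider's mail passes DMARC for the list's domain. The script below is an added example written for this page, not code from either post or from the linked EasyDMARC article. It uses only the Python standard library and evaluates DMARC alignment the way a receiver does: SPF or DKIM must pass and the passing domain must align with the From domain. All five sample messages are constructed and shortened; the authserv-ids (mx.parent.example, mx.district.example), the domains, and the X-Original-Sender header on the list-relayed message are assumptions for illustration, and relaxed alignment is approximated by the last two labels rather than the public suffix list.

```python
"""Read DMARC alignment off a received message's own headers.
Added example for this page, not from either post above or the linked article.
Standard library only. Every message below is constructed and shortened; the
authserv-ids and the X-Original-Sender header are assumptions for illustration.
"""
import email
import re
from email import policy

AR_RESULT = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)", re.I)

def domain_of(header_value):
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""

def aligned(d1, d2, strict=False):
    # Relaxed alignment approximated by the last two labels (assumption; a real
    # evaluator uses the public suffix list).
    org = lambda d: ".".join(d.split(".")[-2:])
    return d1 == d2 if strict else org(d1) == org(d2)

def find_original(msg):
    """A forward sent as an attachment keeps the original, headers intact, as a
    message/rfc822 part; evaluate that instead of the wrapper."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True
    return msg, False

def evaluate(raw, strict=False):
    msg, attached = find_original(email.message_from_string(raw, policy=policy.default))
    hdr_from = domain_of(msg["From"])
    results, authserv = {"spf": None, "dkim": None}, None
    # The top-most Authentication-Results header was stamped by the last MTA;
    # lower ones arrived with the message and could be forged, so the first
    # occurrence of each mechanism wins.
    for ar in msg.get_all("Authentication-Results", []):
        authserv = authserv or str(ar).split(";", 1)[0].strip()
        for mech, result, dom in AR_RESULT.findall(str(ar)):
            if results[mech.lower()] is None:
                results[mech.lower()] = (result.lower(), dom.lower())
    def passes(mech):
        r = results[mech]
        return bool(r) and r[0] == "pass" and aligned(r[1], hdr_from, strict)
    original = domain_of(msg["X-Original-Sender"])
    return {"authserv_id": authserv, "header_from": hdr_from, "attached_original": attached,
            "spf": results["spf"], "dkim": results["dkim"],
            "dmarc": "pass" if passes("spf") or passes("dkim") else "fail",
            "rewritten_from": bool(original) and original != hdr_from}

# 1. The district's mail as the parent's provider received it.
DIRECT = """From: office@district.example
Authentication-Results: mx.parent.example; spf=pass smtp.mailfrom=district.example; dkim=pass header.d=district.example header.s=google

Field trip form attached.
"""
# 2. A spoof: SPF passes for the bulk sender's domain, which is not aligned.
SPOOF = """From: office@district.example
Authentication-Results: mx.parent.example; dkim=none; spf=pass smtp.mailfrom=bulk-sender.example

Please wire the fee today.
"""
# 3. Forwarded inline: these headers describe the parent's mail to the district.
INLINE_FORWARD = """From: parent@parent.example
Authentication-Results: mx.district.example; spf=pass smtp.mailfrom=parent.example; dkim=pass header.d=parent.example

---------- Forwarded message ---------
From: office@district.example
This went to my spam folder.
"""
# 4. Forwarded as an attachment: the original and its headers survive.
ATTACHED_FORWARD = """From: parent@parent.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Original attached.
--b1
Content-Type: message/rfc822

""" + DIRECT + """--b1--
"""
# 5. Outsider posted to a district Google Group; the list rewrote From to the
#    list address and signed it, so the district domain passes DMARC.
GROUP_RELAY = """From: staff-announce@district.example
X-Original-Sender: someone@outside.example
Authentication-Results: mx.parent.example; spf=pass smtp.mailfrom=district.example; dkim=pass header.d=district.example

Reset your password here.
"""

if __name__ == "__main__":
    for name in ("DIRECT", "SPOOF", "INLINE_FORWARD", "ATTACHED_FORWARD", "GROUP_RELAY"):
        print(name, evaluate(globals()[name]))
```

The authserv_id field answers the forwarding question: on an inline forward it names the district's own MX and the From domain is the parent's, so the passes say nothing about the original delivery; ask for the message as an attachment (message/rfc822), and the evaluator picks the inner message with the parent provider's verdict on it. The GROUP_RELAY case is the list behaviour described in the EasyDMARC post: every check passes for the district domain, and only a header such as X-Original-Sender (if the list adds one) reveals the author was elsewhere.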
Google and 3rd party apps
With the recent changes on how Google is dealing with 3rd party apps (the 3rd party apps not in Workspace), does anyone know if I can control access via group and not by OU? Ideally we set the trust level for all students and then allow logins for certain group members. Students were signing into tools like Book Creator, for example, where it clearly says in the terms of service that they need parents' consent.
https://redd.it/17x1406
@r_k12sysadmin
Shared google drives for OU only
Is it possible to turn on a shared google drive for one OU and not have it show up for others?
I have set up a shared google drive, with a folder for sub plans for our teachers. It is working fine, but I want to turn off the shared google drive without students. Or at least make it read only.
Hope this is a quick fix, but google didn't help.
Thanks,
Jay
https://redd.it/17wutss
@r_k12sysadmin
Staff Laptop Question
We have Dell Inspiron staff computers. Warranties are out on them, so no help from Dell.
I've had an issue with a few of them this year having a black screen, keys are still backlit, and the charging light showing charging. Screen won't ever come on. Disconnecting the battery, totally draining it, then reconnecting has it working again. I just did this and then the computer comes back on as being 75%.
I've had two computers do this- one did it once in August and then has been good to go ever since. Another one did it in September and then did it again today. Any guidance on what I should replace to try to stop this from happening again? It's easy to take it down and then put back together, I just don't want teachers to feel like I'm not giving it back to them fixed.
https://redd.it/17wvzyi
@r_k12sysadmin
Teachers haven't been able to create classes in Google Classroom for the last two days
Hello, everybody.
We've been using Google Classroom seamlessly for the last five years. Our institution utilizes Google Workspace for Education Fundamentals.
However, over the past two days, we've encountered a significant issue. Several teachers have reported their inability to create new classes. When they click on the + sign in the upper right corner, they are redirected to the "Join a class" screen and asked for the class code. To my knowledge, no system changes have occurred recently.
Here are the steps we've tried:
All teachers are members of the Teachers group. Removing and adding them back to the group hasn't resolved the issue.
Even a newly created teacher account, added to the Teachers group, faces the same problem.
As the admin, I don't encounter this issue; I see both "Join class" and "Create class" options when I tap the + sign.
We've used incognito windows to login to make sure that no extension is messing up with the process. We've also tried several different browsers (Chrome, Safari, Firefox).
I've attempted to find solutions online, but the common advice—to ensure teachers are in the Teachers group—is already in place. As of this Monday, teachers were able to create classes without any issues.
Does anyone have any ideas or suggestions?
https://redd.it/17wt22g
@r_k12sysadmin
Skype not seeing Outlook as default mail client
Just wondering if anyone has run into this yet. We are in the process of moving to Teams, but in the meantime some users are still using Skype for Business. One teacher (on a laptop with Windows 11, 22h2) keeps getting a pop-up that Outlook is not the default mail client. I can't figure out how to get it to pick up Outlook as the default mail client. Already tried setting all the default app settings under Outlook to Outlook, but no luck. I also don't see any button in Outlook to set it as the default mail client. Anyone know how to resolve this? I'm slowly tearing out my hair.
https://redd.it/17wqq1r
@r_k12sysadmin
GAM bulk deletion - 1 stubborn account?
Good evening all, I am using GAM to bulk delete 10,000+ suspended accounts this evening. Easy peasy except for 1 account that doesn't seem to want to get deleted (see screenshot). Since my criteria was for suspended accounts last logged on through 2016 and earlier, it shouldn't be terribly difficult to track down the offending account, but my question is should I let this process keep going or should I end the process (assuming CTRL-C) and just track down the account and delete it manually?
How long should I let this keep going? Will the 10427 account eventually be deleted or am I waiting for nothing?
https://redd.it/17wae2w
@r_k12sysadmin
Pinning the native Chromebook Camera app to the taskbar
Has anyone figured out how to pin the native Camera app on Chromebooks to the taskbar from the admin console? Pinning the camera app: hfhhnacclhffhdffklopdkcgdhifgngh in the web store no longer works.
The reason why I ask is I have teachers wanting to use QR Codes with their students and while most students are savvy to go into the app drawer, they still want the app pinned to make it easier.
Since the native Camera app has a QR Scan feature, this is what they want to use because some QR codes were no longer being read by the old QR-Scan app that we did have pushing to all devices.
Curious if anyone has run into this issue yet.
Thank you
https://redd.it/17w45nx
@r_k12sysadmin
Chrome extensions - students can install allowed extensions but they won't turn on
I'm pulling my hair out trying to figure out what is causing this.
We block all extensions except an allow list, which used to work fine quite a while ago. Now, however, any extension that is allowed can be installed by students, but it won't turn on.
In the extension list it shows it installed, but trying to toggle it on does nothing (other than the toggle going to "on" and then immediately back to "off").
The only way I can get extensions to work for students now is to force install them, which can be fine for a lot of things, but I'm running up against things in the high school level that I'd really rather let the students choose to install or not if their class needs it.
I'm sure it is a setting somewhere, because I have a test OU that I use, under the same student OU that is having this issue, that is working as I would expect if I put a student account in it. But for the life of me cannot find a setting difference that would be causing this to happen.
Does anyone have any insight or ideas that could push me in the right direction?
https://redd.it/17vya61
@r_k12sysadmin
GAM help!
I have been using the GAM tool (always latest version) for bulk operations in our google domain for a while (moving chromebooks to different OUs, bulk deprovisioning, etc..) but I am seeing an issue recently.
I wrote a PowerShell script to prompt for a CSV file and use that CSV file for this command:
gam csv $CSV gam update cros query id:~~serialNumber~~ ou $ou
The CSV file is set up with the header "serialNumber" and then (obviously) a list of serial numbers to move to the specified OU- one SN per line. This works, however, I am receiving reports from building techs that some chromebooks that were NOT on the list I ran the script against had gotten moved to the OU. In the Google Admin logs, I can see the serial numbers they are sending me as examples- and they are being moved at the same time my script was running (by my account that GAM is using). The examples they are sending are a different model than the ones I'm moving, so they have completely different serial number formats.
I'm hoping it is something stupid that I am just missing with the GAM command- as I am 100% certain the problem CBs were NOT on the CSV I used. Anyone have ideas or experienced this before?
https://redd.it/17vufuf
@r_k12sysadmin
AirServer displays black screen
We use AirServer for teachers to cast from Chromebooks to Windows 10 desktops which utilize TVs as a 2nd monitor. A couple of weeks ago we started having an issue with it only displaying a black/empty screen. Everything looks fine on the Chromebook and an AirServer window opens on the desktop as if it's connecting. But then nothing ever loads into that window and it just stays blank. We have updated Chrome, Windows, and AirServer. We've run repairs on AirServer. I tried disabling Miracast and AirPlay so only Google Cast is enabled. So far nothing has worked. Has anyone else encountered this and if so did you find a way to resolve it?
https://redd.it/17uibf7
@r_k12sysadmin
Long Shot: EasyIEP and Duo
Hi,
This is a long shot. We use EasyIEP for our special ed documents. We use Duo for MFA. We have to transition to the new hosted Duo, which means a new SAML configuration. EasyIEP has all but given up trying to get the configuration to work on their end. I was hoping someone had a similar setup and could share their setup with me. It has been months and I am not sure what to do next.
Edit: the error is: Unable to verify SAML response.
https://redd.it/17vijf1
@r_k12sysadmin