This is (One of Many Reasons) Why Districts Get Hit with Ransomware – FunnyMonkey

by Bill Fitzgerald, June 8, 2022

Even the smallest of school districts are complicated places. Communicating with stakeholders is hard to do well, and getting the details right is imperative. The details become even more important when school boards and superintendents try to communicate about school safety issues.

When communication is done well, is not rushed, and goes above and beyond to be inclusive, the process of addressing complex issues can build cohesion within a district. When communications are rushed, imprecise, and technically unsound, it can cause difficult situations to get harder. Good communication requires humility and openness.

To start, I want to highlight that everything in this email has been reported or brought to the attention of people who can do something about it. Nothing in this post is news, or undisclosed.

Background/Context
A school district is currently planning to deploy armed guards in all school buildings, starting next school year. The superintendent sent a mass email to district stakeholders, pointing them to an online survey to provide feedback to support a decision by the board on a short (under two weeks) time frame.

The problems described in this post are not unique to this school district. My hope is that this district, and other districts, will be able to use the information in this post to implement more secure and more inclusive practices.

Summary
On June 3rd, the district superintendent sent out an email to staff, parents, guardians, and students in the district outlining a plan to bring armed security into all schools, starting in the 2022-23 academic year.

The superintendent shared a link to an online survey tool they are using to gather input. The announcement was sent using the district messaging system, SchoolMessenger.

The superintendent and board’s approach to communication and outreach has multiple problems. Individually, each problem is bad, and collectively, they suggest a lack of awareness of how to use online tools safely and effectively.

As mentioned above, the issues described in this post have all been disclosed to people who could act upon them to improve them. To the best of my knowledge, at this time, no improvements have been made.

This post describes the problems, and defines possible solutions.

The Problems
1. The district messaging system contains contact information that is exposed when people follow links sent via email.
2. The survey has design flaws that cause results to be inaccurate, deceptive, and/or unreliable.
3. Because of how the survey is set up, it can be used to deliver malware, ransomware, and other forms of cyberattacks or harassment against the district community.
To emphasize: all three of these problems have been reported in various forms; as of this writing, to the best of my knowledge, nothing has been addressed. However, I also want to acknowledge one bright spot: the person I spoke with over the phone about issues with the survey platform was great. This person expressed an appropriate level of concern, and sounded motivated to make things better.

Problem 1: The district messaging system contains contact information that is exposed when people follow links sent via email.
Links sent via the school district's messaging system — SchoolMessenger — expose the recipient's email address. This is a basic privacy issue that affects all communications from the district, including their recent communication about their plan to put more guns in schools.

SchoolMessenger mangles all links in emails, probably to allow SchoolMessenger to track who interacts with emails. However, the end piece of the tracking link is Base64-encoded text that includes the destination url and the email address of the recipient.


The above screencast shows how districts using SchoolMessenger expose contact emails for anyone who clicks a link on a message they receive. I have observed this behavior from multiple districts across the country going back years. It is likely a standard “feature” of the service.
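
An added example, not part of the original post and not SchoolMessenger code: a short Python audit that decodes Base64-looking pieces of a link and reports any that contain an email address. The tracking host, the payload layout and the sample address are constructed assumptions, since the post does not show the real link format.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

# Constructed sample: the payload layout is an assumption, not the vendor's real format.
SAMPLE_PAYLOAD = "https://survey.example.org/s/abc123?to=parent@example.com"
SAMPLE_LINK = ("https://track.example.net/l/"
               + base64.urlsafe_b64encode(SAMPLE_PAYLOAD.encode()).decode())

def _try_b64(token):
    """Return decoded text if token is Base64 of printable UTF-8 text, else None."""
    # Query parsing turns '+' into a space; undo that before testing the token.
    token = unquote(token).replace(" ", "+")
    if not B64_RE.match(token):
        return None
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        # Accept both the standard and the URL-safe alphabet.
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def audit_link(url):
    """Return (location, decoded_text, emails) for each Base64 token hiding an email."""
    parts = urlsplit(url)
    candidates = [("path", seg) for seg in parts.path.split("/") if seg]
    candidates += [(f"query:{key}", value) for key, value in parse_qsl(parts.query)]
    findings = []
    for where, token in candidates:
        decoded = _try_b64(token)
        if decoded:
            emails = EMAIL_RE.findall(decoded)
            if emails:
                findings.append((where, decoded, emails))
    return findings

if __name__ == "__main__":
    for where, decoded, emails in audit_link(SAMPLE_LINK):
        print(f"{where}: decodes to {decoded!r}; exposes {emails}")
```

Run against the links in a test message before a mass send: any finding means the recipient's address travels in the URL and will show up in browser history, proxy logs and the destination site's referrer data.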

A related problem that also needs to be highlighted: because SchoolMessenger mangles links in their emails into a convoluted string, people sending and receiving emails are getting regular training to trust messy, convoluted urls. This is not good practice; people who click on long, ugly urls are more likely to get phished, more likely to be susceptible to ransomware attacks, etc. Because the mangled url is a central part of what SchoolMessenger delivers, people are trained to trust urls that would otherwise be untrustworthy. Abuse of trust is a key part of successful online attacks, and misplaced trust can be exploited via typosquatting. Vendors selling services to schools have an obligation to do better.

But hey – that’s why they say that SchoolMessenger puts the mess in communications.

The solution: Districts should not use services that mangle links in emails, and districts should definitely not use services that leak recipient contact information.

Problem 2: The survey has design flaws that cause results to be inaccurate, deceptive, and/or unreliable.
To describe the problems with the survey tool, I first need to describe how the system works.

The survey is accessible via a single link. The link is the same for all people taking the survey, and anyone with the link to a survey can access it. No login is required to access a survey.

The survey system has two steps. In the first step, people add comments via open text fields. Each comment has two fields: a title, and the text of the comment. Both are limited to 150 characters.


Screenshot of input fields

After a person enters their own comment, they can rate other comments on a scale of 1-5 stars.

The survey is set up using a system called ThoughtExchange. It’s not entirely clear whether the issues discussed here are caused by ThoughtExchange, or by the School Board’s implementation of ThoughtExchange.

Multiple problems exist with the survey; in this post I will only address a small subset.

First, because anyone can access the survey with just the link, the survey can be shared anywhere, or highly motivated people can spam the survey, or it could be shared on Twitter, Facebook, Reddit, or worse. The district has no idea who is answering, rating, or responding. The superintendent is on the record saying exactly this:

“(the superintendent) acknowledged that people could potentially ‘game’ the survey, but said it’s a way to gather feedback in a relatively short period as the school district approaches the end of the school year and is not a referendum.”

True outreach would prioritize authentic interactions.

The solution here is both technical and interpersonal. If a school board and superintendent haven’t earned the trust of their full community, online tools won’t work because they will only hear from a small subset of people — the majority of people won’t bother to waste their time participating because they have no faith in the superintendent or the board. Trust is earned through multiple authentic interactions over time — not every interaction needs to be pleasant, but they need to be sincere and honest. Absent this foundation, online tools will be at best, imprecise, and at worst, a blatant misrepresentation of community sentiment, which will further erode trust.

On a technical level, systems need to have a login. This definitely creates a barrier to participation, which isn’t great, but in a functional system with an honest process the barriers to participation could be contextualized as the data was analyzed. This analysis (and ideally, the underlying raw data set) should be as transparent as possible, with as many details as possible shared publicly in a way that does not compromise the privacy of any participants.

These solutions aren’t novel — they are the basics of competent management, yet many boards haven’t created the foundation to make authentic community engagement possible.

Problem 3: Because of how the survey tool is set up, it can be used to deliver malware, ransomware, and other forms of cyberattacks or harassment against the district community.
As described above, the survey tool takes input via open text fields. Open text fields allow anyone to say anything — yay! Free speech!

However, there are no access controls, and the system lets anyone say anything. Because this system goes all in on “free speech” it is wide open to a range of abusive practices. This system could be used to harass people locally, or to spread all types of hateful messages. While the potential for harassment in an open system like ThoughtExchange should not be minimized, the system could also be used to deliver malware, ransomware, other types of cyberattacks, or links to pornography.

This problem is made worse because the system automatically makes all links shared active – so when a person enters https://www.linktobadsite.com as plain text, it is automatically converted to a clickable link to https://www.linktobadsite.com. The site also converts links from link shorteners, so people entering malicious links can obscure the domain to which they link.

And here, I want to pause and re-emphasize: what I describe here has already been reported to people who can fix it. It’s not news to anyone.

The problem with urls automatically being converted to active links is amplified by the reality that anyone with the link to the survey can add content into the survey. To translate: anyone on the internet can go into the survey and link to anything.

But why would a rando on the internet just go and add Bad Stuff to a survey?

First, this survey is about arming adults in schools. People have strong feelings about this.

Second, have you met randos on the internet? Hearken back to Zoombombing. Now update that image for this survey.

Third, the district where this is happening is a wealthy district, and many people in the district work at entities that are of interest to a range of bad actors, such as General Electric, a Navy base, the Coast Guard Academy, and Pfizer. This survey provides an especially convenient collection point where a bad actor can spend little to no effort on launching an attack and know that a subset of people are potentially high interest or high reward — if the attack doesn’t work, the bad actor has lost five minutes of time. The attack would only need to be successful once for the effort to pay off.

These problems are amplified by the context in which people are getting the survey. Because the survey is sent out from the superintendent and the school board, people are inclined to trust it. Because the topic of the survey is putting more guns in schools, people generally have strong emotions about the topic. The trust in the source, paired with a greater likelihood of an emotional response, can contribute to people clicking on links when they would otherwise know better.

If we think of the analogy of fish in a barrel, the survey put out by the superintendent and the board is the barrel. The people in the district are the fish.

The solution here has multiple components. In the short term, the superintendent and the school board should pull the survey.

The ThoughtExchange platform should do at least two things. First, in the medium term, do not render urls as links. In the longer term, all urls entered into the system should be verified against a service like VirusTotal (which has an API for exactly this use case https://developers.virustotal.com/reference/overview) before they are rendered as links.
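
One way to implement the two suggestions above, as an added example (not ThoughtExchange's code): comments are HTML-escaped, URLs stay inert text by default, and a URL becomes a link only when a reputation lookup reports it clean. The `lookup` hook and the sample data are hypothetical; the stats dict mirrors the `last_analysis_stats` counts that VirusTotal's v3 API returns for a URL.

```python
import base64
import html
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample data: URL -> last_analysis_stats-style counts.
CONSTRUCTED_STATS = {
    "https://district.example.org/agenda": {"harmless": 70, "malicious": 0, "suspicious": 0},
    "https://short.example.net/x9": {"harmless": 2, "malicious": 5, "suspicious": 1},
}

def vt_url_id(url):
    """VirusTotal API v3 URL identifier: unpadded URL-safe Base64 of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def verdict_from_stats(stats):
    """Map a stats dict to 'clean', 'bad' or 'unknown' (missing data is unknown)."""
    if not stats:
        return "unknown"
    if stats.get("malicious", 0) or stats.get("suspicious", 0):
        return "bad"
    return "clean" if stats.get("harmless", 0) > 0 else "unknown"

def render_comment(text, lookup=None):
    """Escape a comment for HTML; a URL is linked only if lookup() reports it clean.

    lookup(url) -> stats dict or None. Hypothetical hook where a deployment would
    query its reputation service. With no lookup, nothing is ever linked.
    """
    out, pos = [], 0
    for match in URL_RE.finditer(text):
        url = match.group(0)
        out.append(html.escape(text[pos:match.start()]))
        verdict = verdict_from_stats(lookup(url)) if lookup else "unknown"
        safe = html.escape(url, quote=True)
        if verdict == "clean":
            out.append(f'<a href="{safe}" rel="noopener noreferrer nofollow">{safe}</a>')
        elif verdict == "bad":
            out.append("[link removed]")
        else:
            out.append(safe)  # unknown or unchecked: leave as inert text
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Failing closed matters here: a lookup error, a URL the service has never seen, or a shortened link with no verdict all leave the URL as plain text rather than a clickable link.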

The technical components of these suggested solutions are filled with complexities that are outside the scope of this post, but the survey tool in its current form has the potential to do more harm than good.

Note: if you want to check a URL before you follow it, copy the url and scan it using the form here — https://www.virustotal.com/gui/home/url

Conclusion
Each of these problems would be bad in isolation, but collectively they are worse than the sum of their parts.

The district messaging system embeds the recipient email in outgoing links – this is not necessary for people to access the survey, and shouldn’t happen.

The survey is easy to game, thus making it useless as a data point. As reported in a local news outlet, the superintendent and board know this, yet still deployed an unreliable system. At best, this can be interpreted as the board wasting the community’s time. At worst, this could be interpreted as a sign that the board and superintendent don’t understand how to do authentic community outreach, or are not interested in honest community engagement.

Because anyone on the internet can access the survey, and because the survey accepts links from anyone, the survey is easy to weaponize.

Rolling out safe surveys is relatively simple. The failure to get the simple things right does not bode well for the success of more complicated safety measures, especially on a tight timeline.