According to local media reports, students at at a Florida high school successfully hacked into computer system in order to send an email about a mandatory medical examination.
And what was the nature of the examination described by the bogus email sent to all males students and staff at Labelle Senior High School in Hendry County? A “mandatory penis inspection”.
Part of the message, which purported to come from teachers and claimed students would not graduate unless their penises had been inspected, read as follows:
Attention All Students and Faculty
Mandatory Penis Inspection
Female students are to disregard this message
TO ALL MALE STUDENTS, STAFF AND FACULTY OF LABELLE HIGH SCHOOL
The district is required to conduct a mandatory penis inspection of all male Labelle High School students in accordance with the Florida Penal Health Code 69.
End of the year penis inspections will occur in RTC.
The mandatory health inspection will be conducted on Wednesday, May 7, 2019, at 7:35pm.
There will be ONE make up day, May, 2019, beginning at 11:00am. All students who have not completed an inspection MUST attend one of these two mandatory sessions. Students will be excused if they miss any classes as a result of the inspection.
Seniors who do not pass an inspection will not be allowed to graduate.
The school’s dean sent an email to parents apologising for what had happened:
We would like to apologize for an email you may have recently received. Unfortunately, someone used LHS mailing lists to send out an email that was inappropriate. This did not come from LaBelle High School and we do not condone this type of behaviour. We are working diligently with IT to resolve this issue and apprehend the guilty individual(s).
I’m sure the pranksters didn’t have malice in mind when they sent the unauthorised message, but it has highlighted that security was not as tight as it should have been.
No details have been shared of how tricksters gained access to the mailing list, but it’s clear that there was a security failure. Either the mailing list contains a vulnerability, or has not been configured to only allow authorised users to post messages to students and staff, or that the account of a user who was authorised to post to the mailing list was not itself properly protected.
Strong, unique passwords and multi-factor authentication would most likely have prevented the student hackers from spreading their cock-and-bull story about a mandatory penis inspection. Other schools might do well to harden their own defences to prevent something similarly unpleasant popping up in their inboxes.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “Students pull off below-the-belt mailing list prank”
Bad passwords were unlikely at issue. My high school used mailing lists per graduating year (ie [email protected], [email protected], etc…) and any email sent to those addresses would go to all students within that graduating year. No authentication, nothing. I mentioned this problem to them, and how it could be abused, and they threatened to suspend me for telling them this. Low-and-behold, a couple years after I graduated, someone else realized this and created a fake email address at gmail that looked like one of the teachers at the school, and sent a link to a 'summer reading' list. Which was a bit.ly link to tub girl.
It's a shame your high school responded to you like that, as their mailing list security was atrocious, and ripe for abuse – not just by kids larking about, by potentially by criminals spreading spam, malicious links, ransomware, and the like.
Unless you actively *want* any Tom, Dick or Harry to be able to spam your entire mailing list then you need some kind of authentication in place, or a moderator to approve posts before they are sent to the masses. Simply checking the "from:" address, of course, may not be sufficient as that's so easy to spoof.
I'd like to think people were getting wiser about how to set up secure mailing lists, but perhaps I'm wrong. In fairness to some schools they may be under-resourced and not have the expertise in-house to understand the risks let alone know how to setup a system which can prevent unauthorised posts.
A somewhat prickly subject…