Savvy students can bypass school Internet filters to access prohibited info. What can you do? Plenty.

We’ve promoted our SecureSchool Internet filter on Google AdWords, and we’re (perhaps naively) surprised to find that many searchers are looking not for school Internet filters—but for ways to bypass those filters.

Go ahead: Google “how to bypass school Internet filters,” and you’ll find a slew of results devoted to this topic.

With kids so technologically astute nowadays, it’s becoming more and more prevalent. One young bypass “artist” claims, “The days are over when [schools] can stop determined students from using the Internet as they please.” A researcher says, “Kids will always be one step ahead of any filter or software restriction you apply.”

Here are four of the many ways they’re circumventing the filter—and what you can do about it.

1. Proxy Websites
Proxy software running on external web servers allows students to connect anonymously to banned sites through an external web server, which the school filter may not recognize. Users can usually enable encryption as well, so your IT folks can’t see which sites have been accessed.

A popular proxy is Vtunnel, or do a search for “proxy websites 2016” to find a gazillion more. Software like Psiphon allows users to create their own proxies.

Prevention tip: Adding proxy sites to your blocked list is not an effective strategy, as new sites pop up regularly. You’d be hard-pressed to keep up. Your best weapon is true content filtering, which examines a web page and rejects (or allows) it based on its content. Where it comes from—even an anonymous proxy server—doesn’t matter. When dealing with HTTPS sites, be sure your filtering software includes SSL intercept. How it works: grabs encrypted traffic, unencrypts it, examines the content, re-encrypts it—and depending on what’s found—sends the info along or rejects it.

2. Password Pilfering
Students can steal a teacher’s or administrator’s login credentials to access off-limit areas on the LAN or to hop on a less-restricted Wi-Fi SSID reserved for staff. Teachers even leave their passwords lying around—on a Post-It note stuck to their monitors, for example—making it easy (and tempting) for kids to swipe. Or worse, they intentionally share their login credentials with students in the classroom.

Prevention tip: Insist that staff passwords be strong and secure to deter hackers. Multi-factor authentication provides additional armor (but is not always practical). If you assign network passwords, make sure the connection you’re using to send login info is encrypted—or conveyed via a VPN that’s off limits to students. Discourage staff from leaving login info lying around and from sharing their usernames and passwords with students (or anyone). Stress the importance of keeping students out of staff resources—if they access information they shouldn’t see, your school could run into problems with parents and/or law enforcement.

3. Going Cellular
Kids can easily bypass your school’s Wi-Fi—and its filtering and monitoring tools—by using their phones to get online.

Prevention tip: Short of banning mobile devices in school, this is a tough nut to crack. Still, you can curtail activity by restricting when and where students are allowed to use their phones. Cellphone jammers, while available, are illegal. Read the FCC’s warning about buying and selling jammers here.

4. Firefox on a Stick
School browsers like Chrome, Firefox, or Internet Explorer are commonly locked down to restrict students’ access to “cyberslacking” sites (e.g., gaming and social media) and inappropriate content. By setting their group policies or management consoles appropriately, IT departments can direct content through a filter that limits (usually to the students’ dismay) what kids can access. They can also prohibit students from downloading software.

But there’s a hack for that, which allows students to bypass the system entirely and surf freely. At home or elsewhere, they simply download a full version of Firefox that runs on a memory stick (available at PortableApps.com, bring it to school, and away they go—no filters and no barriers, since the portable Firefox is invisible to whatever filters you have in place.

Prevention tip: Keep a watchful eye on students with memory sticks! On a deeper level, choose “deny by default” in your firewall settings, which blocks all ports except those you explicitly allow. That way, when the memory-stick browser uses a non-standard port to get out, it won’t succeed.

Even better: Limit open ports to specific destinations. For example, if port 25 is designated only for outgoing mail to specific destinations—such as Gmail, Microsoft Outlook, or Yahoo Mail— it will be useless for apps like the portable Firefox.

Not just child’s play.

Students may object to your school’s strict filtering policy and consider it a game—or an act of rebellion—to try and work around it. But that leaves you open to web-delivered malware and students vulnerable to inappropriate content.

While you can’t catch everyone in every act, you can discourage such activity by making user education a priority:

• Teach students about Internet safety
• Caution students that using anonymizing proxies and other hacks is a serious (and punishable) offense
• Enforce a web acceptable use policy (AUP), which both students and parents must sign

How do you handle these issues? Let us know in the comments section below.