Slashdot Mirror


UCSB Student Engineers Grade Hack

An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"

16 of 544 comments

  1. Is this really 'hacking'? by Prophetic_Truth · · Score: 4, Informative

    I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...

    --
    time is a perception of a being's consciousness
    time is your 6th sense, the weird ones are 7+
  2. I don't think it would have worked. by Anonymous Coward · · Score: 5, Informative

    She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.

    So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.

  3. Re:Mack Daddy says "NO!" by wooley-one · · Score: 2, Informative

    Not that I'd condone this, but it actually is that easy. You change the reported MAC address. Not a big deal at all. They'll have a really hard time tracking down who bought the card with the MAC of "FEEDDEADBEEF".

    The reported MAC can be changed at the OS level, and there is no need to alter the card in any way.

  4. Not a Hack ! by Mr+Europe · · Score: 2, Informative

    That is not a Hack but a fraud, felony, break-in! /. moderators should know the meaning of a hack.

  5. Re:Mack Daddy says "NO!" by Yokaze · · Score: 3, Informative

    > Believe it or not, they keep mac address databases, any self respecting router will.

    ifconfig wlan0 down
    wlanctl-ng wlan0 dot11req_reset setdefaultmib=true macaddress=$RANDOMMAC
    ifconfig wlan0 hw ether $RANDOMMAC
    ifconfig wlan0 up

    --
    "Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
  6. RTFA by blackcoot · · Score: 4, Informative

    i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.

  7. Re:Mack Daddy says "NO!" by Anonymous Coward · · Score: 2, Informative

    we're talking about a command on your machine, to change your MAC address, so as to make you unidentifiable (not that a MAC does identify anyone anyways). Do you know anything about this? better check the back of your computer, it might have a serial connection to a machine off the web! fuckwit....

  8. Re:From a former Uni employee by Xuranova · · Score: 2, Informative

    Ok I was sorta right:
    "How can a school use my Social Security number?

    Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding (FERPA, also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g). One of FERPA's provisions requires written consent for the release of educational records or personally identifiable information, with some exceptions. The courts have stated that Social Security numbers fall within this provision.

    FERPA applies to state colleges, universities and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a release of personally identifiable information, violating FERPA. However, many schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law. Social Security numbers may be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid. In Krebs v. Rutgers, the court ruled that SSNs are "educational records" under FERPA (Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).

    The FERPA text can be found at the web, www.cpsr.org/cpsr/privacy/ssn/ferpa.buckley.html. For the U.S. Department of Education's web site on FERPA, see www.ed.gov/offices/OM/fpco/ferpa/index.html.

    Public schools, colleges and universities that ask for your SSN fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the Social Security number is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement. If one is not offered, you may want to file a complaint with the school, citing the Privacy Act.

    When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID."

    You can find other info at:
    http://www.privacyrights.org/fs/fs10-ssn.htm

    Hope this helps. :)

    --
    "There is no real right or wrong, just what the majority accepts at the time."
  9. Re:Is SSL breakable? by Anonymous Coward · · Score: 5, Informative

    > SSL is insecure if the key exchange is sniffed.

    Huh?

    There are two SSL key exchange methods which are mostly used: (1) RSA and (2) ephemeral Diffie Hellman.

    With (1), the client (browser) picks a random 48-byte key k, PKCS1 pads this, then raises it to the server's public exponent (e) mod N and sends that.

    With (2), the client and server do a Diffie Hellman key exchange with the addition of the server signing his (so that the client can be sure he's talking to the server) with his RSA private key.

    In neither case can the pre-master secret be obtained by a sniffer. In case (1), obtaining the pre-master secret from C = PKCS1( k )^e mod N implies being able to find e'th roots mod N (good luck with that). With the latter, the sniffer has: g^a mod p and g^b mod p, finding g^ab mod p is exactly the Diffie Hellman problem, good luck with that, too.

  10. Re:Is SSL breakable? by PGillingwater · · Score: 5, Informative

    The problem is not breaking SSL. The problem is that tools like ettercap and CAIN (for Windows) can perform a Man In the Middle attack, where they use ARP cache poisoning to interpose themselves between the SSL client and SSL server BEFORE the session is established. Then, when the client tries to connect to the server, the MITM will fetch the client information, and use it to establish its own session to the server -- then quickly fake a certificate which it feeds back to the client.

    Admittedly, most browsers will detect this, and throw up a dialogue box -- but due to poor training or understanding of security, 99% of users will simply click away the warning to get their application, and will happily login and access information, while the MITM steals all packets without having to attack the encryption.

    SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.

    --
    Paul Gillingwater
    MBA, CISSP, CISM
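
Added example, not part of the original comments: the signed ephemeral Diffie Hellman exchange described in comment 9, at toy sizes, showing that the substitution described in comment 10 is caught unless the client accepts a key other than the server's. All names, primes and keys are constructed for illustration, and unpadded textbook RSA is used only to keep the block short.

```python
import hashlib
import secrets

# Toy sizes, constructed for illustration only (real groups/keys are 2048+ bits).
P, G = 2**127 - 1, 3                       # DH modulus (a Mersenne prime) and base

def make_rsa(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(n, *values):
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, *values):
    n, d = priv
    return pow(digest(n, *values), d, n)

def verify(pub, sig, *values):
    n, e = pub
    return pow(sig, e, n) == digest(n, *values)

SERVER_PUB, SERVER_PRIV = make_rsa(2**61 - 1, 2**89 - 1)
MITM_PUB, MITM_PRIV = make_rsa(2**31 - 1, 2**107 - 1)    # middle party's own key

def handshake(trusted_pub, signer_priv, tamper=None):
    """One exchange. The client checks the signature with trusted_pub;
    tamper models a middle party replacing the server's DH value in transit.
    Returns (client_secret, server_secret), or None if the client aborts."""
    a = secrets.randbelow(P - 3) + 2         # client's ephemeral exponent
    b = secrets.randbelow(P - 3) + 2         # server's ephemeral exponent
    A, B = pow(G, a, P), pow(G, b, P)        # the only values a sniffer sees
    sig = sign(signer_priv, P, G, B)
    if tamper is not None:
        B = tamper(B)
    if not verify(trusted_pub, sig, P, G, B):
        return None
    return pow(B, a, P), pow(A, b, P)

if __name__ == "__main__":
    ok = handshake(SERVER_PUB, SERVER_PRIV)
    print("honest run, secrets match:", ok[0] == ok[1])
    print("substituted DH value:", handshake(SERVER_PUB, SERVER_PRIV, lambda B: pow(G, 5, P)))
    print("middle party signs, client trusts server key:", handshake(SERVER_PUB, MITM_PRIV))
    print("client accepted the wrong key:", handshake(MITM_PUB, MITM_PRIV) is not None)
```

The last case corresponds to dismissing the browser warning: once the client verifies against the wrong public key, the signature check no longer protects the exchange.
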
  11. Re:Blowjob by c_g_hills · · Score: 2, Informative

    802.1x with EAP-TLS or PEAP prevents this kind of "attack", by requiring the client to present a certificate to the switch before it is permitted onto the network. Primarily used in wireless networks, it is now gaining ground in wired networks, especially in academic networks where there is the problem of having network ports accessible to all and sundry.

  12. Re:Blowjob by jez9999 · · Score: 3, Informative

    > University networks are wide open, first there are computer labs where any one can sit down and pop in a knoppix std cd...

    Well, here's one solution - set the BIOS not to boot from CD. Set a sensible BIOS password. That's that problem sorted.

    Seriously, I don't know why so many people bang on about Linux-on-a-CD being dangerous; it's like ActiveX - it's only dangerous if your computer setup allows it to be.

  13. Re:she didn't compromise the system by trick-knee · · Score: 4, Informative
  14. Re:Felony by parliboy · · Score: 2, Informative

    http://en.wikipedia.org/wiki/Three_strikes_law

    "Three strikes laws are a category of statutes enacted by state governments in the United States, beginning in the 1990s, to mandate long periods of imprisonment for persons convicted of a felony on three (or more) separate occasions."

    If you're going to use Wikipedia as a source on Three Strikes laws, you could, at least, read the Wikipedia entry on Three Strikes laws.

    --
    "You're never ready, just less unprepared."
  15. Not a hack at all, a blatant criminal act by Anthony+Liguori · · Score: 2, Informative

    You have a girl who worked at a company on the side where she had access to sensitive information about professors (and many other individuals). She steals that sensitive information and uses it to reset the password of the professors.

    She then logs in to the grading system and changes her grades.

    And the computer system worked like a charm. Any grade change resulted in a departmental notification. The professor, realizing that he did not make the change and could not log into the account any more, notified the appropriate authorities.

    An investigation occurred and this criminal was discovered. Sounds like an open and shut case to me.

  16. Re:Is SSL breakable? by generationxyu · · Score: 2, Informative

    > SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.

    Ettercap can also detect an SSH connection going out and respond to the client saying that the server only allows SSHv1. The default client behavior is to initiate the connection over SSHv1 (this is wrong). Ettercap then sniffs the key exchange and forwards the connection (over SSHv2 this time) to the remote server. The server thinks you're connecting through SSHv2, from your machine. The only real workaround is to ABSOLUTELY disable client support for SSHv1.

    --
    I mod down pyramid schemes in sigs.
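
Added example, not from the thread: a check of client configuration for the workaround the comment above calls for, reporting whether a given host would still be offered SSHv1 under OpenSSH's historical `Protocol` option. Only `Host` blocks are evaluated; the `default` argument, the sample configuration and the host names are assumptions made for illustration.

```python
import fnmatch
import re

def host_matches(patterns, host):
    """ssh_config Host rule: a matching !pattern vetoes, otherwise any match applies."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_protocols(config_text, host, default="2,1"):
    """Protocol versions the client would offer to `host`.
    ssh_config uses the first value obtained for each option, so order matters.
    `default` is an assumption standing in for a client that still falls back to 1."""
    applies = True                      # options before the first Host apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            applies = host_matches(value.split(), host)
        elif key == "protocol" and applies:
            return [v.strip() for v in value.split(",")]
    return default.split(",")

def allows_sshv1(config_text, host, default="2,1"):
    return "1" in effective_protocols(config_text, host, default)

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
Host legacy-switch
    Protocol 1
Host *.campus.example
    Protocol=2
Host *
    Protocol 2,1
"""
HARDENED = "Protocol 2\n" + SAMPLE      # a global setting placed first wins everywhere

if __name__ == "__main__":
    for h in ("legacy-switch", "grades.campus.example", "other.example.org"):
        print(h, "sample:", allows_sshv1(SAMPLE, h), "hardened:", allows_sshv1(HARDENED, h))
```
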