Slashdot Mirror
UCSB Student Engineers Grade Hack
An anonymous reader writes "The UCSB Daily Nexus reports "A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students' grades, police said." The article goes on to note that, though working a few tricks to get into the system, she was fairly unsophisticated, and in fact failed to conceal her IP address from authorities. With other computing snafus recently making headlines, are universities too careless with their data?"
Blowjob would have done the same without all this popularity. Huh .. kids will never learn.
Mainstream Media could take a lesson from the UCSB guys - nice writeup with some nice details that explain things pretty well - good read.
Hulk SMASH Celiac Disease
I guess it brings a new meaning to not being able to hack it in college.
*ducks*
"I'd be smart if I didn't let thinking get in the way."
I can beat this by a mile. A friend-of-a-friend of mine got busted for changing 3 of her failing grades to A's. How? All the grades are filed electronically. She guessed one professor's password; two other times, she called up campus IT services, claimed to be a professor so-and-so, claimed she should log in, and could they change the password for her? And IT services happily went along. She was busted for (among other things) federal identity theft, which always struck me as odd since it never crossed state lines.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
... when the policy enforced by the program is broken to begin with?
From TFA:
The university's grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students' grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user's identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
This is evil. SSNs and DoBs are far too easy to find. The suspect worked for an insurance agency, but it would not be difficult to find this information through other means.
For more examples of such problems in systems, check out Risks Digest.
unixkb.com -- articles on practical Unix issues.
Back in 1997 I saw my computer science professor log into his sun box, which was being projected onto a screen for everyone to see. He started to login, but didn't realize that he was typing his password into the username field, thus making it visible. I looked around the room to see if anyone was hurriedly writing down his password. Amazingly, nobody was. Or they were being conspicuous about it.
I know the term has been bastardized and now encompasses a wide range of activities. However, this seems more like fraud than hacking to me. The term social engineering should be applied to obtaining information that deals with technology, not having someone change a grade. You could 'social engineer' clearing out your school by calling in a bomb threat, but that's hardly hacking...
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
the only grade that was changed was an F in "Ethics 101".
. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
SSN stored by University and Insurance company and God knows where else. Yet it is supposed to be a secret between you and the Government.
i would worry about the people that didn't
[*_-]
Ah cheating how it has evolved.
I remember reading awhile ago when a middle school student changed his grade by creating I believe a macro that increased his grade by 10% by every time the class grades were pulled up. Eventually he was caught when he had a percentage far above 100.
another cheating example that comes to mind. Is when a professor decided to check how many papers turned in were plagiarized with http://www.turnitin.com/ and found that a sizable number of students were cheating.
As a university student at a large university, I have noticed that some classes prevent cheating more than others. For example, in my chem class which has over a thousand students four forms are given, empty seats all around you. It is nearly impossible to cheat. My physics class I am taken now there are 2 forms and students are placed directly next to each other. Needless to say after the second midterm a student went from a perfect score to only one out of fifteen correct. But when classes only have 3 exams that make your exam cheating must be delt with extremely harshly. These mild security flaws with technology that keep appearing are usually due to weak passwords anyways. This case a social security number was the lone culprit. I think a levelheaded IT department and some well planned passwords and password recovery processes are what should be focused on now. I feel that cheating is a most urgent program in colleges
When I read the article I kept thinking "Someone had to own her machine." It's the perfect crime. You take control of another student's machine, and you change a lot of people's grades including your own. Now if you're really good, at this point you've changed the backup grades, so that when they find out and knock you back down from the A the "Criminal" gave you in Hyperdimensional Fold Mathematics for Painters to the B they thought you really got, you will be in the clear with their stamp of approval. And someone else takes the fall, case closed.
Sadly, she admitted to the crime. One good theory ruined by bumbling criminals not really being criminal masterminds in disguise.
The ______ Agenda
It wasn't very smart of the UCSB admins to let the grading system access password be reset using common personal information such as ssn and birthdate. Better would have been to send a new password to the users email address or to have him stop by or telephone.
Also, charging the girl with four felonies seems a little over the top, given the nature of the crime. What she did doesn't seem any different than cheating on a final exam but cheating usually calls for expulsion rather than a felony criminal charge. It isn't as if the girl vandalized the system, sold grades to others, or used the professor's info to open credit card accounts or something. Do they really want to send people like this girl to prison for several years? For what reason?
At my University there is a strict honor code. Every Winter semester students must be endorsed, meaning that they have met with an advisor and have committed to abide by the rules of the honor code. There are only about 70 people that can do the endorsements on campus. A failure to get endorsed means that you are no longer a student and you are blocked from registering. For some of my volunteer work, I am the clerk for one of these advisors. One of the things the advisor asked me to do was to enter in endorsements into the computer. We were given a six digit number to sign in, with a ten digit, alpha-numeric, randomly assigned password. The letter with the password did not come with the sign in. Further, the letter stated that the University doesn't even know the password, so it should be kept safe. Advisors were asked to keep the password in strict confidence, and not to disclose them to anyone, under any circumstances. To top it off, the University set it so that there was a narrow time period for the endorsements to be done. So assuming that you managed to find out the user name for you advisor, you would have to brute force the password within time.
Needless to say, I would argue, at least at my school, they are not careless. In fact, I would argue that they are erring on the side that someone will try to hack the system. But the school also takes computer issues seriously. The computer use policy is very strict, and makes it clear that abuse of a computer, on or off campus is grounds for getting expelled.
The views expressed are mine own and do not express the views of my employer.
A friend of mine at university used to have "Tempus Fugit" in his email signature file. This pretentiousness could not go unpunished so we changed it to "I wank daily"
He was sending out emails with it on for a week before a professor wrote to him telling him to change it to something more appropriate.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
true.
You can reset your passwd at my college with SSN and DOB too, the extra securfity being that you have to go to a lab (like the one where I work) and use a specific comp that is always at the admin desk and cannot be used without supervision. When you log in with said info to change your password a big picture of you comes on the screen, if the you on the screen doesnt match the you changing the passwd we boot your sorry ass out of the center.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
She was caught because the university had a feedback system. The professors whose grades were changed were notified when the grades were changed. It didn't matter where she changed the grades from, the change would still have been noticed. Given the way she did it, she would still have been the prime suspect.
So, she wouldn't have got to keep the forged grades but she might have avoided a criminal record. Maybe.
i suppose i shouldn't be too surprised that a slashdot editor didn't bother to read the article they're posting, but i'd like to point out that in this case the problem was *not* a university being careless about data. the problem is that a student, by abusing her access to confidential data, was able to gain access to the same shared secrets that were used to authenticate network users. to the university's credit, they had an audit system in place which caught the problem.
I don't know where you've been, but (no matter what ESR's jargon file says) there's always been a consistent streak of fairly crude sexism in the computer geek world. I'm sure some sociologist has written about it extensively, but it's the kind of thing I see in any large group of (mostly younger) men who are all in competition for alpha male status. (I've watched the sales guys at work, and it's there too)
Here on slashdot, there's intense competition among the first posts to get something modded up to "funny". I don't know if that's the driver - I'm not a sociologist - but it might have something to do with eliciting this behavior.
Had this student been male, would there have been a gay sex joke made? Probably, given slashdot, eventually (if nothing else, some GNAA troll would show up), but not in the first 100 posts. (Though actually, the original post's text would work just as well if the student were male...)
Since when is a MAC address any useful identifier?
Alone it means little, but along with other information, it can sometimes tell you something. Yesterday I put up a new AP and left it open as a loss leader of sorts as there are other free conections in the area. (The first hit is free) Going through my access logs I came accros a user that used quite a bit of upstream but little downstream bandwidth. I cross checked the MAC with my dhcp server log and came up with 'client-hostname "your-2r8c4odfb2"'. That's an odd thing to name your computer. Thinking that 2r8c4odfb2 might me some wierd 1337 speak, I googled it and found: your-2r8c4odfb2.cpe.ozrk.al.charter.com listed as the hostname for a computer which had sent quite a bit of email (read SPAM). Now I could be way off base here, but the wierd traffic coupled, with the hostname listed as having a high probibility of being a spam server, was enough for me to ban the mac till the AP is added to the authentication and billing system.
So... uh.... wha???
If she captured packets, then yeah, this idiot might have a valid point but what the hell is this guy talking about otherwise?
And this isn't hacking. It isn't even cracking. It's "I guessed a freaking password! But didn't know jack crap about anything else so I got busted. Oh well. At least that Schmidt guy will give me 'Computers for Idiots" when he is done with it."
was 'pencil'. That week. Written down on a piece of paper carefully kept in the drawer.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
A person breaks the law and you offer kudos?
File under 'M' for 'Manic ranting'
SSL is insecure if the key exchange is sniffed.
Huh?
There are two SSL key exchange methods which are mostly used: (1) RSA and (2) ephemeral Diffie Hellman.
With (1), the client (browser) picks a random 48-byte key k, PKCS1 pads this, then raises it to the server's public exponent (e) mod N and sends that.
With (2), the client and server do a diffie hellman key exchange with the addition of the server signing his (so that the client can be sure he's talking to the server) with his RSA private key.
In neither case can the pre-master secret be obtained by a sniffer. In case (1), obtaining the pre-master secret from C = PKCS1( k )^e mod N implies being able to find e'th roots mod N (good luck with that). With the latter, the sniffer has: g^a mod p and g^b mod p, finding g^ab mod p is exactly the diffie hellman problem, good luck with that, too.
Compromising the grade-system destroy's the common-people's faith in "the system", so it has to be punished more.
Beating up old ladies only destorys faith in the person who did it.
It's one reason petty counterfeiters are hit so harder than a petty theft. It's not like the few $100's they make will actually lead to inflation. But if enough people get away with it then it leads to a general lack of faith and confidence in the dollar. That's a bad thing, since the whole economy works on the idea that we all pretty much believe a dollar is worth the same thing.
The problem is not breaking SSL. The problem is that tools like ettercap and CAIN (for Windows) can perform a Man In the Middle attack, where they use ARP cache poisoning to interpose themselves between the SSL client and SSL server BEFORE the session is established. Then, when the client tries to connect to the server, the MITM will fetch the client information, and use it to establish its own session to the server -- then quickly fake a certificate which it feedback back to the client.
Admittedly, most browsers will detect this, and throw up a dialogue box -- but due to poor training or understanding of security, 99% of users will simply click away the warning to get their application, and will happily login and access information, while the MITM steals all packets without having to attack the encryption.
SSL and SSHv1 are both vulnerable to this type of attack. SSHv2 and IPSEC will resist it, and fail the connection, which is correct behaviour.
Paul Gillingwater
MBA, CISSP, CISM
I find it bad, that changing your grade counted as 4 counts felony.
3 Strikes and you can goto prison for life, its no longer just 3 dangerous felonies see http://en.wikipedia.org/wiki/Felony
http://www.facts1.com has some good info on how the law is abused. Then put mandatory sentencing on top, you really get ground up in the system...
She can loose her right to vote, her DNA kept on file as a criminal, she is now considered a dangerous criminal in the eyes of the law.
Hey, she could get busted for smoking a joint, or filling out a DMV record incorrect and serve 25 years in prison. Thanks to 3 strike laws.
But hey, you feel safe now, right?
oh, and she knew how to use google also. http://www.google.com/search?q=university%20califo rnia%20santa%20barbara%20egrades
This reminds me of a little experiment I did with my universities ID card system. When you first enrol they ask you to supply, electronically, an image of your face so they can make you an ID card. I thought it was odd that they would ask for an image and not even check to see if it was of you.
Now I'm white, small and not very built at all so naturally the only real option was for me to submit an image of Mr T. A fortnight passed with anticipation and soon my new ID was ready to be picked up. I had this whole bogus "There must have been some mistake here! This isn't me" speech ready or if I felt funny on the day I had the "This is so me, I pitty the foo who be discriminating against my people" speech. I go to pick up the ID, the lady asks for my student number, name, dob etc. Takes a look at the ID to see the details match and hands it over...
nothing.
She didn't even question the fact that there was a huge black man with bulk bling on my ID and it was clearly not me.
I went home with my new souveneer, resubmitted my real photo and got a replacement ID two weeks later. I still bring the thing out for laughs.
Duh.. and a system where you use social security numbers and birth dates as password hints??? c'mon.. this is silly.. But what a dumb chick eh? As if the professors wouldn't notice the change in passwords let alone a grade from F to B+!!! Unless the original exam material is in the same system it serves no purpose to change grades because they always have the original paperwork and class notes. And in addition to all this stupidity she didn;t even consider concealing the IP address..
This is not a "hack"!!!! She didn't exploit any technological weakness, only stole data giving access to a system.
-if at first you don't succeed, stay the heck away from paragliding.
I didn't have any mod points here, so I just logged in to the UCSB grading system and gave you a 100.
Now accepting PayPal donations!
SSNs are a terrible identifier:
Congress later authorized its use for lots of other identification things (like tax ID).
Congress later authorized its use for one other identification thing (tax ID).
What needs to happen is places like banks, universities, etc need to stop treating it like it's secret.
Until SSNs cannot be used in violation of rule 6 and in spite of rule 5, they must treat it as a secret as important as the combination to your safe.
This is not my sandwich.