Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Is anyone surprised that a student tried this? Got caught? Got expelled?
clearly wasn't paying attention in his statistics class....
Professors said the incident would not have been noticed if the student didn't get greedy about modifications.
"And I'd have gotten away with it, too, if it weren't for that meddling me!"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Brilliant putting the ease and accessibility of the tool immediately before their plea for no copycats.
...are even lazy at hacking.
I used to do this with ps2 keyloggers way back in the late 90's (when I was in 5 & 6th grade.) I too got greedy and started charging kids to change their grades and was found out, but they were impressed with my 'technological skills' and didn't really punish me. I didn't realize they made USB versions of this.
Using Smart Cards for Windows login would have thwarted this. Would cost at most a few $ more per student (chipped student ID)
Sounds like an event that hardware keylogger manufacturer(s) were looking forward to.
Was there any financial harm? Or it's just someone's reputation and pride were wounded? This incident surely looks like the latter which means that the security department should have been held responsible and the student should have gotten an oral reprimand, but not, "[Professors] also hope the university presses charges with local police to deter similar cases".
An A? You just got greedy boy.
hack into the school's grading system and chang his grades
Positive discrimination against Asians is bad, mmmkay?
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Cheaters always win.
I'm wondering why professors / administrators would be using the public terminals to work on student records. In my small university, I eventually earned the privilege of being a student system administrator but I knew with all the viruses and issues that happen on a public access computer that I wouldn't trust sensitive data on it. Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student. If not caught this bad behaviour becomes a disaster in the workplace. It's like the expression play with fire, expect to get burned sometimes.
is putting a keylogger in a computer.
THANKS, bleepingcomputer and msmash. Your brilliance never fails to shine through.
I like that new racist slang. He chang'd up his grades tho.
I'm curious how he got into college to begin with. It's quite obvious he lacks intelligence of any sort. F to an A? Get real man. Maybe F to a D or C, but an A. He better start practicing "would you like fries with that?" or "welcome to walmart" as those are about the only jobs he's qualified for.
At this point toss him into jail for hacking don't just expel him. This is a mistake that needs to follow him for the rest of his life.
Last I heard, cheating at Star Fleet Academy is rewarded.
Students have a STRONG motivation to cheat and little in the way of consequences of getting caught.
Expelled? So what? They didn't go to jail. Probably for every 1 expelled 1000 got away with it.
I would suggest educators (1) Use a set of paper records (assignment grade journal) to keep track of
student grades during term -- as the definitive record to fall back on, in addition to keeping a computer record,
and (2) Reconcile any digital summary record at end of term against the paper records ---
if two versions disagree for a student, then check individual papers..
Finally, the grade reports from educator to school should be a signed scan or technology such as an Adobe AcroForm signed PDF using
a signing device from an AATL listed certificate authority.
PDF Digital signature as an example requires Two-Factor Authentication to create: PIN + Physical token specific to a certain person.
Thus keylogging doesn't allow a student to forge a PDF grade report document. The university's "Grade Entry" system,
whatever it is, should then simply be designed to accept the signed PDF form and verify the digital signature before gathering data
into a record together with the PDF attachment; Once data is in a record, there should be no means of editing it other than a professor submitting a signed PDF revising the report.
Oh, yeah.... what two factor authentication method?!
I doubt the professor used a public terminal to work on student records. More likely, the professor logged into his account from a computer in a lecture hall to pull up a presentation, and with one username/password for all activities, that gave the student access to what the professor did in the grading system as well.
Probably because they used the same usernames and passwords to access the class material as they did to access the grade system. Or they used different usernames and passwords but over time accidentally used the wrong set out of habit when logging in to the public system. It is not uncommon to accidentally type the password into a username field, either. Usernames frequently appear unobscured in system log files. Studying log files for a few weeks will reveal a few passwords mistakenly entered as a username and it isn't that hard to then match them with the username entered nearby.
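A defender-side take on the point above about passwords typed into username fields, added here as an example that is not part of the thread: it redacts the "username" of failed logins that match no real account and lists accounts whose password should be rotated because a success followed from the same source. The log format, the 60-second window, the account names and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed format for this example:
#   "<ISO time> login <OK|FAILED> user=<text> src=<ip>"
LINE_RE = re.compile(r"^(\S+) login (OK|FAILED) user=(.*) src=(\S+)$")
WINDOW = timedelta(seconds=60)  # assumed retry window, tune for your site


def scrub_auth_log(lines, known_users):
    """Return (scrubbed_lines, accounts_to_reset).

    A failed login whose "username" is not a real account may be a password
    typed into the wrong field, so its value is never written out. If the
    same source then logs in successfully within WINDOW, that account's
    password is treated as exposed and should be rotated.
    """
    scrubbed, to_reset = [], set()
    pending = {}  # src -> time of the last redacted failure from that source
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            scrubbed.append(line)  # unknown line shape: pass through untouched
            continue
        ts, outcome, user, src = m.groups()
        when = datetime.fromisoformat(ts)
        if outcome == "FAILED" and user not in known_users:
            pending[src] = when
            line = f"{ts} login FAILED user=<redacted> src={src}"
        elif outcome == "OK":
            seen = pending.pop(src, None)
            if seen is not None and when - seen <= WINDOW:
                to_reset.add(user)
        scrubbed.append(line)
    return scrubbed, sorted(to_reset)


# Constructed sample data (not from any real system).
KNOWN = {"jsmith", "mlee"}
SAMPLE = [
    "2017-05-02T09:14:03 login FAILED user=Tr0ub4dor&3 src=10.0.4.21",
    "2017-05-02T09:14:11 login OK user=jsmith src=10.0.4.21",
    "2017-05-02T09:20:40 login FAILED user=mlee src=10.0.4.22",
    "2017-05-02T09:20:52 login OK user=mlee src=10.0.4.22",
    "2017-05-02T11:02:10 login FAILED user=hunter2 src=10.0.4.30",
    "2017-05-02T11:30:00 login OK user=mlee src=10.0.4.30",
]

if __name__ == "__main__":
    out, reset = scrub_auth_log(SAMPLE, KNOWN)
    print("\n".join(out))
    print("rotate passwords for:", reset)
```

Redaction belongs at the point where the log line is written; scrubbing afterwards, as here, only helps for copies made after the scrub.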
Is two step authentication so difficult to implement at the University level? Oh wait, professors have to figure out how to use it. Never mind.
Then the security issue is in not sensibly shutting sensitive parts of their IT infrastructure off from public access.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ms. Tables was not pleased.
So being expelled was exactly the right thing to do. I mean changing Fs into As? Somebody has not thought things through one bit. Bad at studying, bad at crime and unaware of both.
What I do wonder, however, how many do this just a bit smarter and get away with it. Probably should check the grades of my students a few months after exams again to see if they are unchanged...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
To make a long story short
Try again.
I changed all my A's into B's. I didn't want to seem cocky.
“Common sense is not so common.” — Voltaire
"Mrs. Bueller, did you know that Ferris has been absent from school 9 times this year?"
"9 times?"
"9 Times."
Exactly right. At the university I attended for grad school, there was a single sign on that was used across virtually all university systems, including the public terminals in each classroom that were used to display slides. If a student had a professor's login info from that terminal, they'd be able to login to the grading system, time sheets, class registrations, room reservations, etc., depending on the parts of the system to which the professor had been granted access. And even if it hadn't been a single sign on, odds are decent that any given person will be using the same username and password across many of those systems anyway, so the problem doesn't go away by breaking them apart.
Change your passwords weekly. Keep the current password in a secure location such as a drawer in the principal's office.
I had to hack Novell Netware.
IIRC, Ferris Bueller found the password to the school's server hosting grades on the pull out board of a school secretary's desk. I use the word "server" advisedly as Ferris and the school used dial up connections. Maybe the grades were kept on a Tandy (aka, RadioShack) TRS80, though the movie came out in 1986, and the IBM PC was introduced August 12, 1981.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Absurd. How did this get modded up? Do you have any experience in IT at all? How are you going to sell limiting access from professors to the grading system?
Some will work on it from home. Some will work on it from their office. Some will work on it during a business trip from Hong Kong.
If professors can't access everything they need from any computer, say goodbye to any professor worth employing.
If you want to protect endpoints, you disable USB and other external ports. There is no reason to have them enabled, as they just present an attack vector, so really the school allowed the attack and they should use it as a learning moment.
... was "pencil."
It little behooves the best of us to comment on the rest of us.
or with U2F being so easy these days (Authy, Google Authenticator, Yubikey, etc. or even SMS if needs be) why not require it on sensitive portions of the system.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Use a laptop and take it home every day or bring your own keyboard to work every day and boot off a USB device you also take home. (And then also have to trust the BIOS isn't hacked.) Bringing a laptop to work seems the easier solution.
How about turn it off so you can't change grades without 2fa. There. Slight inconvenience to the user, but go anywhere portability. Normal AD accounts used for login to "lecture halls" or other places with limited access.
cmon. Think outside the box you walled yourself into.
Or - certs on devices for "awesome" access, you must be on a device with a known cert to be able to do certain functions... i.e. professor's laptop can only be used to change grades, anywhere else - no access to that system.
Makes sense, even with the slight inconvenience of a "broken" device.
"Professors said the incident would not have been noticed if the student didn't get greedy about modifications... Various KU professors said they hope not to see any copycats in the near future."
Pro tip: If that's what you want, don't tell them how to avoid getting caught. The public statement should have been, "Our rigorous monitoring processes instantly detected the abnormal activity which was confirmed to be fraudulent after a thorough investigation."
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Changing your grades is so unoriginal. Did he think this was the 80's and he was hacking into WOPPER?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
And as he was hauled away to finish out the rest of his education in a local remedial school, he was heard to shout, "HACK THE PLANET! HACK THE PLANET!"
Breakfast served all day!
Aha!
I tend to rant.
The future Captain Kirk has been expelled. Now he'll end up a mixed martial arts fighter, or maybe an actor.
E Proelio Veritas.
What is going on here? He was only expelled? A college student?!
Didn't we have a middle school student charged with a felony for changing a desktop wallpaper a couple years ago?
https://yro.slashdot.org/story...
A college student pays $$$$$ for education and loses that for doing something he ought to have known better than do and was planned out ahead of time.
A highschool student gets a felony destroying many of their job prospects for their entire life for a prank.
How is this remotely fair? It's not even !@#$%^& consistent!
Minimum threshold fixed. Thanks!
I'm about to start working on my masters degree from Harvard, after finishing my bachelor's at WGU. You know why I'm doing my masters at Harvard instead of staying at WGU? Because a Harvard degree is more likely to get me offers at a higher salary. Why? Because Harvard grads have a reputation for knowing their shit.
Of course Harvard charges students more than WGU or UNT. They need to in order to pay top-tier faculty and they can because of their reputation - Harvard's reputation for excellent education brings them money.
> Was there any financial harm? Or it's just someone's reputation
Reputational harm IS financial harm in this case. The value of a degree, the amount of money employers and therefore students will pay for a degree from that school is directly related to the school's reputation. If the school gives out degrees to people who don't have a clue, but cheated to get a good grade, degrees from that school eventually become worthless. If they don't strongly enforce an academic honesty policy, that causes financial harm to everyone who went to school there, because their degrees would no longer represent knowledge.
Definitely deserving of the F, for fucks sake any person with half a brain would have only raised their score to just passing grades to avoid obvious detection. I can only assume you used the same genius to achieve the F in the first place.
I'm the sysadmin for an academic department at a large state university, and this sort of thing makes my skin crawl. My building had 10 computer-on-the-lectern classrooms, of which 5 are supported by the university's central classroom support group, and the other 5 are supported by me. I've thought about this at length.
I manage four classrooms where the lectern has two racks under the countertop: one with a locked door containing all the Extron AV equipment; the other has an open front, and houses a Dell OptiPlex SFF and Mac mini clamped in a rackshelf. This sort of arrangement is extremely common in university classrooms.
The keyboard cable actually goes into the locked side--it goes into an Extron USB switcher, so when the lecturer touches "PC" or "Mac" on the touch-screen controller, the HDMI switcher changes the source going to the lectern-top monitor, and the keyboard is directed appropriately. This means that, without a key to the lectern cabinet, you can't tamper with the plug end of the keyboard unless you can cut the cord and splice a new USB plug onto it.
Except the lectern cabinet doors have a typical wafer-tumbler lock that I could pick in seconds with two paper clips. I'd have to upgrade to pin-tumbler cabinet locks.
Kensington, of laptop cable lock fame, makes USB port locks (https://www.kensington.com/us/us/7334/usb-port-locks) that look like they could help out. But you're still plugging a tiny hole among hundreds of holes.
Even discounting classrooms, someone could sneak into the building after hours, enter a professor's office with an under-the-door lever tool, install the keylogger, and be gone. Even though the building perimeter is locked after hours, a stay-behind is way too easy--not to mention the time I found a panic bar taped down at 11pm, most likely a grad student who didn't want to go downstairs to let the pizza guy in.
So what _is_ the solution? 2FA for everything?
This article is boring for two reasons:
1. No ingenuity. The guy just used an off-the-shelf hardware keylogger for the (hopefully) sole purpose of cheating.
2. Reasonable punishment. Nowadays we hear about children's lives being ruined for harmless shit. This was clearly malicious and the punishment actually fit the crime. I suppose it renews some faith in humanity, but as such is not newsworthy.
I may have known someone in high school who wrote a keylogger and did the same sort of thing. They didn't do anything malicious, merely changed the "immutable" student passwords to the online grade reporting system so parents couldn't access their children's grades in real time. They never got caught. This sort of parental hyper-control was really cutting into the important parts of childhood: video games and socializing. In the long run, these sort of activities proved more useful than balancing redox reactions.
... if they noticed it. Then cheated so blatantly they were certain to notice.
Sounds like somebody flunked cheating too.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
There is this newfangled thing called VPN. Try it some time, it's really amazing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In college they had a DEC PDP-11/70 that students could use. Now prior I learned RSTS/E from my aunt who had all the manuals. And I'm a voracious reader. I realize that allocate command is quite useful on RSTS/E - in essence you could take control of another terminal.
So we wrote a chat program, a password snarfer etc. One night the process blew up. Next morning I'm in the I.T. Directors office. They revoked my access. I left the school. Went to another school and all was well.
KU is usually called the University of Kansas. They abbreviate it KU so as not to cause confusion with the United Kingdom.
But copying school's Administrator's key is enough for me.
-8th grader in Estonia (in school aka Hacker - since I used a saved password in chrome. Not saying I am now on teachers wifi and have Admin on every computer. It's fun to see how far you can go. Sadly I am too good student, to have to change them. Hardware keyloggers are boring, you insert wait remove and get.
Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student.
That takes me back... When I was in college the closest computer lab with a printer to my dorm was general access. Anyone with a school ID could access it. I would finish up a paper, throw it on a floppy disk, and walk a block to the lab to print it out. Every floppy drive was broken! I talked to one of the students in charge of the lab. He told me people kept putting disks in backwards or upside-down.
After that, I started walking the extra two blocks to the engineering building. All of their floppy drives worked! Amazing what happens when you keep out the unwashed masses.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".