Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Is anyone surprised that a student tried this? Got caught? Got expelled?
clearly wasn't paying attention in his statistics class....
Professors said the incident would not have been noticed if the student didn't get greedy about modifications.
"And I'd have gotten away with it, too, if it weren't for that meddling me!"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Brilliant putting the ease and accessibility of the tool immediately before their plea for no copycats.
...are even lazy at hacking.
Sounds like an event that hardware keylogger manufacturer(s) were looking forward to.
An A? You just got greedy boy.
hack into the school's grading system and chang his grades
Positive discrimination against Asians is bad, mmmkay?
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
/should have been held/
Sorry, there's no edit button for comments on /.
I'm wondering why professors / administrators would be using the public terminals to work on student records. In my small university, I eventually earned the privilege of being a student system administrator but I knew with all the viruses and issues that happen on a public access computer that I wouldn't trust sensitive data on it. Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student. If not caught this bad behaviour becomes a disaster in the workplace. It's like the expression play with fire, expect to get burned sometimes.
Last I heard, cheating at Star Fleet Academy is rewarded.
Students have a STRONG motivation to cheat and little in the way of consequences of getting caught.
Expelled? So what? They didn't go to jail. Probably for every 1 expelled 1000 got away with it.
I would suggest educators (1) Use a set of paper records (assignment grade journal) to keep track of student grades during term -- as the definitive record to fall back on, in addition to keeping a computer record, and (2) Reconcile any digital summary record at end of term against the paper records --- if two versions disagree for a student, then check individual papers.
Finally, the grade reports from educator to school should be a signed scan or technology such as an Adobe AcroForm signed PDF using a signing device from an AATL listed certificate authority.
PDF Digital signature as an example requires Two-Factor Authentication to create: PIN + Physical token specific to a certain person. Thus keylogging doesn't allow a student to forge a PDF grade report document. The university's "Grade Entry" system, whatever it is, should then simply be designed to accept the signed PDF form and verify the digital signature before gathering data into a record together with the PDF attachment; Once data is in a record, there should be no means of editing it other than a professor submitting a signed PDF revising the report.
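The scheme in the comment above, sketched as an added example that is not part of the original thread: a grade ledger that accepts only signed reports, never edits stored entries, and can be reconciled against a paper journal. The names `GradeLedger`, `sign_report` and `TOKEN_KEYS` are hypothetical, and an HMAC with a constructed key stands in for the token-backed PDF signature so the sketch needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the professor's hardware token. A real deployment
# would verify a PKI signature; HMAC keeps this sketch standard-library only.
TOKEN_KEYS = {"prof_a": b"constructed-token-secret"}


def sign_report(signer, report):
    """What the token would produce: a tag over the canonical report bytes."""
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(TOKEN_KEYS[signer], body, hashlib.sha256).hexdigest()


class GradeLedger:
    """Append-only record: entries are never edited, only superseded."""

    def __init__(self):
        self.entries = []

    def _link(self, prev, signer, report, sig):
        blob = json.dumps([prev, signer, report, sig], sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def submit(self, signer, report, sig):
        key = TOKEN_KEYS.get(signer)
        body = json.dumps(report, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, sig):
            return False  # a keylogged password alone cannot produce this tag
        prev = self.entries[-1]["link"] if self.entries else "genesis"
        self.entries.append({"signer": signer, "report": report, "sig": sig,
                             "link": self._link(prev, signer, report, sig)})
        return True

    def chain_intact(self):
        """False if any stored entry was altered after it was accepted."""
        prev = "genesis"
        for e in self.entries:
            if e["link"] != self._link(prev, e["signer"], e["report"], e["sig"]):
                return False
            prev = e["link"]
        return True

    def current_grades(self):
        grades = {}
        for e in self.entries:  # later signed revisions supersede earlier ones
            grades.update(e["report"])
        return grades

    def reconcile(self, paper_journal):
        """Students whose digital grade disagrees with the paper journal."""
        digital = self.current_grades()
        return sorted(s for s in paper_journal if digital.get(s) != paper_journal[s])
```
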
I doubt the professor used a public terminal to work on student records. More likely, the professor logged into his account from a computer in a lecture hall to pull up a presentation, and with one username/password for all activities, that gave the student access to what the professor did in the grading system as well.
Computer hacking and penetration is a complex activity involving data collection and active compromise. Nobody gets points for being super-cool about it; you use DNS look-ups, interesting Google queries, and implied facts from public job postings to work out what questions to ask and even who to call if you want to do some direct data gathering.
Once, one of my biggest-balls-on-the-palm-tree coworkers walked through the front door of a big utility company by showing a fake badge and wearing a suit. The guards saw he had a badge, and that was good enough; he sat in the employee lounge, hacked their wifi, stole the Active Directory SAM database, stole some Exchange mailboxes, and left. No cantenna involved. If there was a network jack in a discreet location, he wouldn't have bothered hacking their wifi.
Kevin Mitnick said it's surprising what people will give you if you just ask for it like you don't know you shouldn't.
Dropping and then extracting a physical device to compromise the secrecy of the information stream between the keyboard and the motherboard is exactly the kind of thing a hacker would do. It's especially the kind of thing he'd do when nobody's around to see him poke at the back of the computer, while posing as tech support in case anyone catches him scrubbing all the malware from the computer to ensure actual tech support doesn't get called until he retrieves the device. You can make the device perfectly proxy the keyboard behind it and thus invisible to the OS.
Support my political activism on Patreon.
He is probably already getting job offers from some Three Letter Agencies.
Was there any financial harm?
Yes, this was an attempt to diminish the value of what the actually-achieving students have been spending tens of thousands of dollars for. No, it's not the security department's fault. Just like it wouldn't be their fault if he was willing to smash a window.
Don't disappoint your bird dog. Go to the range.
Probably because they used the same usernames and passwords to access the class material as they did to access the grade system. Or they used different usernames and passwords but over time accidentally used the wrong set out of habit when logging in to the public system. It is not uncommon to accidentally type the password into a username field, either. Usernames frequently appear unobscured in system log files. Studying log files for a few weeks will reveal a few passwords mistakenly entered as a username and it isn't that hard to then match them with the username entered nearby.
Only the ones that don't get caught.
Or like an ex-boss of mine (never ever, of course) said about his IT security people: What I care about is whether they have a police record. If they can't keep their fingers at bay, at least they should be good enough to not get caught and smart enough to keep their mouth shut.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Then the security issue is in not sensibly shutting sensitive parts of their IT infrastructure off from public access.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So being expelled was exactly the right thing to do. I mean changing Fs into As? Somebody has not thought things through one bit. Bad at studying, bad at crime and unaware of both.
What I do wonder, however, how many do this just a bit smarter and get away with it. Probably should check the grades of my students a few months after exams again to see if they are unchanged...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Yup. Same for higher-up in management and politics.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Until they need to demonstrate some of the skills they supposedly possess. Then they hurriedly have to move into management and basically have wasted this life.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I changed all my A's into B's. I didn't want to seem cocky.
“Common sense is not so common.” — Voltaire
Pretty much this. Even though the days are over when a bunch of flowers on Valentine's Day and a coverall from the local flower shop opened every security door, a UPS uniform and an unwieldy box did still work a few years back. Plus such boxes are great for getting shit out of a building again, too.
Funny enough, it's the simple things that work best. Look like you belong there and you're in. A cleaning-crew outfit and a cleaning cart open more doors than any sophisticated door hack tool ever could.
And NO security guard looks into a cleaning cart that is buzzing with flies!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well it depends. I wrote a compact keylogger in assembly once to run on an MSDOS PC running Novell Netware (not password to catch otherwise). The fun thing was not coding it but how to hide it and its activity. It was loaded from AUTOEXEC.BAT IIRC but looked like (and replaced a) blank line by using character 255(?) which looks like but isn't treated like a blank space. It attached to the MSDOS routines so that it would only save the passwords when some other disk activity happened, it manipulated memory so that wouldn't be visible as a TSR when using the utilities of the day etc.
The last change was to detect when the user logged out so it could be reactivated.
I consider that a hack. But not hacking/cracking as I never used it for something other than testing.
The TSA, perhaps...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Exactly right. At the university I attended for grad school, there was a single sign on that was used across virtually all university systems, including the public terminals in each classroom that were used to display slides. If a student had a professor's login info from that terminal, they'd be able to login to the grading system, time sheets, class registrations, room reservations, etc., depending on the parts of the system to which the professor had been granted access. And even if it hadn't been a single sign on, odds are decent that any given person will be using the same username and password across many of those systems anyway, so the problem doesn't go away by breaking them apart.
Username AND password
Duh.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I hope we have not reached the state where something isn't harmful if it isn't financially harmful. The kid cheated. It's morally wrong.
I hope that was a facetious comment... It's not like this was Ethan Hunt dropping out of a ceiling, avoiding the pressure sensitive floor and not tripping the sound level monitors to steal sensitive information from a highly secure facility. The dude plugged a keylogger into a public terminal at a low-level college in the US Midwest, used the username and password to his advantage, and he couldn't even manage to do it without getting caught. The only three letter agency he's going to get into is at the local McD, getting really good at saying "would you like fries with that".
IIRC, Ferris Bueller found the password to the school's server hosting grades on the pull out board of a school secretary's desk. I use the word "server" advisedly as Ferris and the school used dial up connections. Maybe the grades were kept on a Tandy (aka, RadioShack) TRS80, though the movie came out in 1986, and the IBM PC was introduced August 12, 1981.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
The cleaning crew and receptionist are dangerous. This is known and ignored.
Looking like you belong there--particularly, like you're in charge of the immediate situation--is called a Bavarian Fire Drill.
Support my political activism on Patreon.
If you want to protect endpoints, you disable USB and other external ports. There is no reason to have them enabled, as they just present an attack vector, so really the school allowed the attack and they should use it as a learning moment.
... was "pencil."
It little behooves the best of us to comment on the rest of us.
or with U2F being so easy these days (Authy, Google Authenticator, Yubikey, etc. or even SMS if needs be) why not require it on sensitive portions of the system.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
"Professors said the incident would not have been noticed if the student didn't get greedy about modifications... Various KU professors said they hope not to see any copycats in the near future."
Pro tip: If that's what you want, don't tell them how to avoid getting caught. The public statement should have been, "Our rigorous monitoring processes instantly detected the abnormal activity which was confirmed to be fraudulent after a thorough investigation."
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
More than a few $ per student for the chipped card. There are necessarily infrastructure, support and training changes above simply trusting the CA in active directory and turning on a checkbox for smart card login (at least if you're doing it right). New processes often requiring staff assistance include issuance, unlocking cards and PIN resets, revocation, and key recovery for lost/revoked cards so you can access your old emails or data. There are numerous other roles, as well as websites and applications to be updated or replaced.
Changing your grades is so unoriginal. Did he think this was the 80's and he was hacking into WOPPER?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
And as he was hauled away to finish out the rest of his education in a local remedial school, he was heard to shout, "HACK THE PLANET! HACK THE PLANET!"
Breakfast served all day!
I attended KU a long time ago, and what's really funny about this is 18 years ago they had chipped student IDs that were used for identification and stored value all over campus. Then some brilliant bureaucrat administrator came along in 2003 and said "we don't need that."
Aha!
I tend to rant.
The future Captain Kirk has been expelled. Now he'll end up a mixed martial arts fighter, or maybe an actor.
E Proelio Veritas.
What is going on here? He was only expelled? A college student?!
Didn't we have a middle school student charged with a felony for changing a desktop wallpaper a couple years ago?
https://yro.slashdot.org/story...
A college student pays $$$$$ for education and loses that for doing something he ought to have known better than to do and was planned out ahead of time.
A highschool student gets a felony destroying many of their job prospects for their entire life for a prank.
How is this remotely fair? It's not even !@#$%^& consistent!
Minimum threshold fixed. Thanks!
I'm about to start working on my masters degree from Harvard, after finishing my bachelor's at WGU. You know why I'm doing my masters at Harvard instead of staying at WGU? Because a Harvard degree is more likely to get me offers at a higher salary. Why? Because Harvard grads have a reputation for knowing their shit.
Of course Harvard charges students more than WGU or UNT. They need to in order to pay top-tier faculty and they can because of their reputation - Harvard's reputation for excellent education brings them money.
> Was there any financial harm? Or it's just someone's reputation
Reputational harm IS financial harm in this case. The value of a degree, the amount of money employers and therefore students will pay for a degree from that school is directly related to the school's reputation. If the school gives out degrees to people who don't have a clue, but cheated to get a good grade, degrees from that school eventually become worthless. If they don't strongly enforce an academic honesty policy, that causes financial harm to everyone who went to school there, because their degrees would no longer represent knowledge.
Definitely deserving of the F, for fucks sake any person with half a brain would have only raised their score to just passing grades to avoid obvious detection. I can only assume you used the same genius to achieve the F in the first place.
... if they noticed it. Then cheated so blatantly they were certain to notice.
Sounds like somebody flunked cheating too.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
2FA, or even just smart cards alone would protect against all forms of password stealing. Logging a smart card transaction doesn't get you a replayable password, it only gets you a token that's already been consumed by the legitimate user. Plus, smart cards are a lot easier to use than passwords, so your users would love you for it. (Most users, anyway; some will inevitably complain that they can't use an app on their phone.)
Convenience has its price, however -- without 2FA, a smart card is susceptible to physical theft. But defending a possession against theft is something most people are already pretty good at. The same can't be said for computer security.
John
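The replay point made in the comment above, as an added example that is not part of the original thread: a static password captured once keeps working, while a response to a single-use challenge does not. All names and secrets here are constructed, and an HMAC over the challenge stands in for the private-key operation a real smart card performs.

```python
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-card-secret"  # never leaves the card in a real system
PASSWORD = "constructed-password"      # what a keystroke logger would capture


def password_login(submitted):
    """Static secret: any captured copy is as good as the original."""
    return hmac.compare_digest(submitted, PASSWORD)


class CardVerifier:
    """Server side of a challenge-response login with single-use challenges."""

    def __init__(self, card_key):
        self._key = card_key
        self._open = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._open:
            return False           # unknown or already consumed challenge
        self._open.discard(nonce)  # one attempt per challenge, pass or fail
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def card_respond(nonce, card_key=CARD_KEY):
    """What the card computes internally for the challenge it is handed."""
    return hmac.new(card_key, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    captured_password = PASSWORD          # recorded during a legitimate login
    server = CardVerifier(CARD_KEY)
    n1 = server.challenge()
    r1 = card_respond(n1)                 # recorded on the wire the same way
    first = server.verify(n1, r1)         # the legitimate login
    replay_same = server.verify(n1, r1)   # same challenge: already consumed
    n2 = server.challenge()
    replay_new = server.verify(n2, r1)    # fresh challenge: response mismatch
    return password_login(captured_password), first, replay_same, replay_new
```
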
There is this newfangled thing called VPN. Try it some time, it's really amazing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In college they had a DEC PDP-11/70 that students could use. Now prior I learned RSTS/E from my aunt who had all the manuals. And I'm a voracious reader. I realize that allocate command is quite useful on RSTS/E - in essence you could take control of another terminal.
So we wrote a chat program, a password snarfer etc. One night the process blew up. Next morning I'm in the I.T. Director's office. They revoked my access. I left the school. Went to another school and all was well.
KU is usually called the University of Kansas. They abbreviate it KU so as not to cause confusion with the United Kingdom.
Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student.
That takes me back... When I was in college the closest computer lab with a printer to my dorm was general access. Anyone with a school ID could access it. I would finish up a paper, throw it on a floppy disk, and walk a block to the lab to print it out. Every floppy drive was broken! I talked to one of the students in charge of the lab. He told me people kept putting disks in backwards or upside-down.
After that, I started walking the extra two blocks to the engineering building. All of their floppy drives worked! Amazing what happens when you keep out the unwashed masses.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".