Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and change his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Is anyone surprised that a student tried this? Got caught? Got expelled?
Professors said the incident would not have been noticed if the student didn't get greedy about modifications.
"And I'd have gotten away with it, too, if it weren't for that meddling me!"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
...are even lazy at hacking.
Sounds like an event that hardware keylogger manufacturer(s) were looking forward to.
I'm wondering why professors / administrators would be using the public terminals to work on student records. In my small university, I eventually earned the privilege of being a student system administrator but I knew with all the viruses and issues that happen on a public access computer that I wouldn't trust sensitive data on it. Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student. If not caught this bad behaviour becomes a disaster in the workplace. It's like the expression play with fire, expect to get burned sometimes.
Actually if you're going to do it, go all out: change your status from "enrolled" to "graduated" and see if you get away with it.
Proud neuron in the Slashdot hivemind since 2002.
Last I heard, cheating at Star Fleet Academy is rewarded.
Students have a STRONG motivation to cheat and little in the way of consequences of getting caught.
Expelled? So what? They didn't go to jail. Probably for every 1 expelled 1000 got away with it.
I would suggest educators (1) Use a set of paper records (assignment grade journal) to keep track of student grades during term -- as the definitive record to fall back on, in addition to keeping a computer record, and (2) Reconcile any digital summary record at end of term against the paper records -- if two versions disagree for a student, then check individual papers.
Finally, the grade reports from educator to school should be a signed scan or technology such as an Adobe AcroForm signed PDF using a signing device from an AATL listed certificate authority.
PDF Digital signature as an example requires Two-Factor Authentication to create: PIN + Physical token specific to a certain person.
Thus keylogging doesn't allow a student to forge a PDF grade report document. The university's "Grade Entry" system, whatever it is, should then simply be designed to accept the signed PDF form and verify the digital signature before gathering data into a record together with the PDF attachment; once data is in a record, there should be no means of editing it other than a professor submitting a signed PDF revising the report.
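Added example, not part of the comment above and not any university's real system: a sketch of a grade-entry store that accepts a report only if its signature verifies and records revisions as new signed reports instead of edits. Assumptions: `GradeLedger`, `token_sign` and the JSON report layout are hypothetical, and HMAC-SHA256 with a per-professor key stands in for the certificate-based PDF signature made by the PIN-protected token.

```python
import hashlib
import hmac
import json

def token_sign(token_key: bytes, report: bytes) -> bytes:
    # Assumption: stand-in for the PIN-unlocked hardware token. HMAC-SHA256
    # replaces the PDF certificate signature so this runs on the stdlib alone.
    return hmac.new(token_key, report, hashlib.sha256).digest()

class GradeLedger:
    """Append-only store: grades enter only inside a validly signed report."""
    GENESIS = b"\x00" * 32

    def __init__(self, signer_keys: dict):
        self._keys = signer_keys   # professor id -> verification key (constructed)
        self._entries = []         # appended to, never edited in place

    def submit(self, signer: str, report: bytes, signature: bytes) -> str:
        key = self._keys.get(signer)
        # Verify the signature over the raw bytes before trusting any content.
        if key is None or not hmac.compare_digest(token_sign(key, report), signature):
            raise PermissionError("report rejected: signature does not verify")
        prev = self._entries[-1]["chain"] if self._entries else self.GENESIS
        chain = hashlib.sha256(prev + report + signature).digest()
        self._entries.append({"signer": signer, "report": report,
                              "sig": signature, "chain": chain})
        return chain.hex()

    def grade(self, student: str, course: str):
        # A revision is just a later signed report; the latest one wins.
        result = None
        for entry in self._entries:
            doc = json.loads(entry["report"])
            if doc["course"] == course and student in doc["grades"]:
                result = doc["grades"][student]
        return result

    def audit(self) -> bool:
        # Re-check every signature and hash link; an in-place edit breaks both.
        prev = self.GENESIS
        for e in self._entries:
            expected_sig = token_sign(self._keys[e["signer"]], e["report"])
            link = hashlib.sha256(prev + e["report"] + e["sig"]).digest()
            if not hmac.compare_digest(expected_sig, e["sig"]) or link != e["chain"]:
                return False
            prev = e["chain"]
        return True
```

A captured login password is not the signing key, so a report built with it fails `submit`, and a direct edit of a stored entry is caught by `audit`.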
I doubt the professor used a public terminal to work on student records. More likely, the professor logged into his account from a computer in a lecture hall to pull up a presentation, and with one username/password for all activities, that gave the student access to what the professor did in the grading system as well.
Computer hacking and penetration is a complex activity involving data collection and active compromise. Nobody gets points for being super-cool about it; you use DNS look-ups, interesting Google queries, and implied facts from public job postings to work out what questions to ask and even who to call if you want to do some direct data gathering.
Once, one of my biggest-balls-on-the-palm-tree coworkers walked through the front door of a big utility company by showing a fake badge and wearing a suit. The guards saw he had a badge, and that was good enough; he sat in the employee lounge, hacked their wifi, stole the Active Directory SAM database, stole some Exchange mailboxes, and left. No cantenna involved. If there was a network jack in a discreet location, he wouldn't have bothered hacking their wifi.
Kevin Mitnick said it's surprising what people will give you if you just ask for it like you don't know you shouldn't.
Dropping and then extracting a physical device to compromise the secrecy of the information stream between the keyboard and the motherboard is exactly the kind of thing a hacker would do. It's especially the kind of thing he'd do when nobody's around to see him poke at the back of the computer, while posing as tech support in case anyone catches him scrubbing all the malware from the computer to ensure actual tech support doesn't get called until he retrieves the device. You can make the device perfectly proxy the keyboard behind it and thus invisible to the OS.
Support my political activism on Patreon.
Was there any financial harm?
Yes, this was an attempt to diminish the value of what the actually-achieving students have been spending tens of thousands of dollars for. No, it's not the security department's fault. Just like it wouldn't be their fault if he was willing to smash a window.
Don't disappoint your bird dog. Go to the range.
Probably because they used the same usernames and passwords to access the class material as they did to access the grade system. Or they used different usernames and passwords but over time accidentally used the wrong set out of habit when logging in to the public system. It is not uncommon to accidentally type the password into a username field, either. Usernames frequently appear unobscured in system log files. Studying log files for a few weeks will reveal a few passwords mistakenly entered as a username and it isn't that hard to then match them with the username entered nearby.
Why not just give yourself tenured professor status at the school? That way you are protected from scrutiny.
Then the security issue is in not sensibly shutting sensitive parts of their IT infrastructure off from public access.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I changed all my A's into B's. I didn't want to seem cocky.
“Common sense is not so common.” — Voltaire
Pretty much this. Even though the days are over when a bunch of flowers on Valentine's Day and a coverall from the local flower shop opened every security door, a UPS uniform and an unwieldy box did still work a few years back. Plus such boxes are great for getting shit out of a building again, too.
Funny enough, it's the simple things that work best. Look like you belong there and you're in. A cleaning-crew outfit and a cleaning cart open more doors than any sophisticated door hack tool ever could.
And NO security guard looks into a cleaning cart that is buzzing with flies!
Well, it depends. I wrote a compact keylogger in assembly once to run on an MSDOS PC running Novell Netware (not password to catch otherwise). The fun thing was not coding it but how to hide it and its activity. It was loaded from AUTOEXEC.BAT IIRC but looked like (and replaced) a blank line by using character 255(?), which looks like but isn't treated like a blank space. It attached to the MSDOS routines so that it would only save the passwords when some other disk activity happened, it manipulated memory so that it wouldn't be visible as a TSR when using the utilities of the day, etc.
The last change was to detect when the user logged out so it could be reactivated.
I consider that a hack. But not hacking/cracking as I never used it for something other than testing.
Exactly right. At the university I attended for grad school, there was a single sign on that was used across virtually all university systems, including the public terminals in each classroom that were used to display slides. If a student had a professor's login info from that terminal, they'd be able to login to the grading system, time sheets, class registrations, room reservations, etc., depending on the parts of the system to which the professor had been granted access. And even if it hadn't been a single sign on, odds are decent that any given person will be using the same username and password across many of those systems anyway, so the problem doesn't go away by breaking them apart.
... was "pencil."
It little behooves the best of us to comment on the rest of us.
"Professors said the incident would not have been noticed if the student didn't get greedy about modifications... Various KU professors said they hope not to see any copycats in the near future."
Pro tip: If that's what you want, don't tell them how to avoid getting caught. The public statement should have been, "Our rigorous monitoring processes instantly detected the abnormal activity which was confirmed to be fraudulent after a thorough investigation."
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Hey, what the hell?! I thought I gave it an F!
What is going on here? He was only expelled? A college student?!
Didn't we have a middle school student charged with a felony for changing a desktop wallpaper a couple years ago?
https://yro.slashdot.org/story...
A college student pays $$$$$ for education and loses that for doing something he ought to have known better than do and was planned out ahead of time.
A highschool student gets a felony destroying many of their job prospects for their entire life for a prank.
How is this remotely fair? It's not even !@#$%^& consistent!
Minimum threshold fixed. Thanks!
There was hacking in Ferris as well: Ferris changed his absentee record from his bedroom while Principal Rooney watched, dumbfounded, in his office. Ferris then complains that his parents gave his sister a car, but all he got was a computer.
Take it easy, Charlie, I've got an Angle...
Definitely deserving of the F, for fucks sake any person with half a brain would have only raised their score to just passing grades to avoid obvious detection. I can only assume you used the same genius to achieve the F in the first place.
You can watch it here... https://www.youtube.com/watch?...