Student Expelled After Using Hardware Keylogger to Hack School, Change Grades (bleepingcomputer.com) 136
Catalin Cimpanu, writing for BleepingComputer: Kansas University (KU) officials have expelled a student for installing a hardware keylogger and using the data acquired from the device to hack into the school's grading system and chang his grades. KU did not release the student's name to the public, but they said the keystroke logging device had been installed on one of the computers in its lecture halls. The student used data collected from the device to change F grades into A grades. Professors said the incident would not have been noticed if the student didn't get greedy about modifications. The hardware device the student used was a run-of-the-mill hardware keylogger that anyone can buy on Amazon or eBay for prices as low as $20. Speaking to local media, various KU professors said they hope not to see any copycats in the near future.
Surprised? (Score:3)
Re:Surprised? (Score:5, Insightful)
nope, and he fits the stereotype of "stupid greedy crims get collared".
what we didn't hear about is the other student that changed all his grades up by one point. He's passing now, and no one bats an eye because it doesn't stand out.
Re:Surprised? (Score:4, Interesting)
Pretty much yes. It's like stealing a motorcycle: if you grab a unique sports bike and ride it like all hell to the chop shop, the police are coming to get you; if you grab a Kawasaki 650, there's thousands of them out on the street, and nobody notices unless you drive like a nut.
I'm not worried about anyone stealing my Zero SR when I get it.
Re: (Score:1, Funny)
nobody asked how you're compensating for your sex life.
Re:Surprised? (Score:5, Funny)
Bart: Well, Dad, here's my report card. I think you'll be pleasantly surprised.
Homer: 'A+'!? You don't think much of me, do you, boy?
Bart: No, sir.
Homer: You know a 'D' turns into a 'B' so easily. You just got greedy.
Re:Surprised? (Score:4, Interesting)
Or what we didn't hear about is the other student who framed him. Changing your own grade is very risky. Changing someone's grades you don't like. That's not risky at all.
Re: (Score:2)
indeed.
So 80's (Score:2)
Changing your grades is so unoriginal. Did he think this was the 80's and he was hacking into WOPPER?
Re:Surprised? (Score:4, Insightful)
what we didn't hear about is the other student that changed all his grades up by one point. He's passing now, and no one bats an eye because it doesn't stand out.
That's because clever criminals usually don't get caught until they over-reach. Look at your local police force/service and you'll see how happy they are over social media. In my small community, clearences are up 30% because stupid criminals brag, get caught and sometimes will even claim to have done more. Which is good. There's a two fold effect to this though, the smarter criminals will cool it for a bit because they think they're more likely to get caught. And that actually does lower crime.
Re:Surprised? (Score:4, Insightful)
A professor getting to the lecture hall early, decides to use his time to do some grading. Also he will normally need to log in (most places have single sign on or they will use the same password) to get into the network to show his presentation.
The system may had a change date, next to the grade, making it easy to spot. or just the professors knows the grades he gives. Such student who had to raise their grades may have been noticed as an under performer.
Schools are notorious for poor IT Security practices. Being that the student actually went out of his way to do this, pre-planned... The school will probably get more credits for being hard on POS student like that. Then having a security flaw with all the bigger names having huge hacks it no big deal anymore.
Re:Surprised? (Score:4, Interesting)
It wasn't necessarily a professor's account that got compromised from the lecture hall.
If it's like most places, there's a computer at the lectern in the lecture hall that is used to drive a large display/projector screen. Those things require constant support, and a keylogger would soon pick up the login of some IT support person. And even if that support person had no access to the grading system servers, the account could be used to compromise other computers of people with higher access.
It's a classic move. Put a keylogger on a user's PC, then damage it in some way that will require a visit from desktop support who will no doubt have local admin access. In many places, once you have an account and password with local admin rights for one desktop computer, you have access to them all.
Re:Surprised? (Score:5, Interesting)
You'd be how easy it can be to get a teacher's password.
Back when I lived in the US and was in high school, the school offered an introductory course to programming in Basic. I already knew how to program, so I spent the course primarily either writing games or espionage tools ;) One of my favourite was a program that mimicked the DOS prompt (including most common commands), waited for them to run what they thought was the logon program, wrote out the username and password to a file, reported that the password was wrong, logged out of my account and put them back in the real DOS shell - wherein they'd log in normally and everything was fine. I'd usually leave it running on a couple random classroom computers whenever I left. By the end of the year, not only did I have most student passwords, but the password of my teacher and a different one.
Did I use it to change assignments? Alter grades? Vandalize the network? No no no, of course not. Rather, my final project was an overly elaborate demo, which had many different scenes (things like me walking around shooting lightning bolts and other similar nonsense). One scene was a stereogram generator. The hidden image in the stereogram? The teacher's username and password ;)
Thankfully she found it amusing rather than disciplining me ;) I got a perfect score. Looking back at it, I could imagine a teacher with a lesser sense of humor having me suspended or even calling the police.
Re: Surprised? (Score:1)
WAY too much work.
When I was in Middle School, I failed most of my classes. My ace in the hole? All my teachers kept their work on floppy disks and zip disks. A few weeks before the end of the semester I set a very powerful magnet down on their disk for a few seconds, and got an automatic pass like everyone else because the grades couldn't be verified.
I thought it might work on one or two teachers, but lo-and-behold, nobody had a backup copy. Everyone was editing straight from the disk.
There were accusation
Re:Surprised? (Score:5, Insightful)
Is anyone surprised that a student tried this? Got caught? Got expelled?
Not totally surprised, but he got caught because he got greedy, and in my experience most cheaters are not greedy, they just want a passing grade. When I was in college I earned money by writing programs for other students, and when I would ask them what grade they wanted on the assignment, the most common request was for a "B", and even "C" was more requested than "A". They may be dumb, but they are smart enough to know they are dumb, and an "A" will bring suspicion.
Re: (Score:2)
Considering how smart the people running schools are, the "got caught" part is the only one that really surprised me.
Re: (Score:3)
Well, he only got caught because he got greedy. Had he just changed his grades by a few points, no one would've noticed.
Every knows if the D student started getting As. But if you change it from D to D+ or C-, not so much. Even a B could be plausible if the kid has been getting some tutoring
I can see why he got an F (Score:1)
clearly wasn't paying attention in his statistics class....
Re: (Score:2)
What a dumbass... if he changed his grades from F's to C's, he probably would have got away with it. But, no... he got greedy and got himself easily caught.
Re:I can see why he got an F (Score:5, Insightful)
Re: I can see why he got an F (Score:3, Funny)
Why not just give yourself tenured professor status at the school? That way you are protected from scrutiny.
Re: (Score:2)
I guess you missed the part that said he was greedy.
Computer says HE should be the valedictorian? (Score:3)
Professors said the incident would not have been noticed if the student didn't get greedy about modifications.
"And I'd have gotten away with it, too, if it weren't for that meddling me!"
A+ summary (Score:1)
Re: (Score:2)
Re: (Score:2)
Well played :)
Kids these days... (Score:3)
...are even lazy at hacking.
Re:Kids these days... (Score:5, Interesting)
I went to college in the late 1980's
I was going for a CS degree but had to take electives. One elective class I took was chemistry. To make a long story short, I was going to school in the day and had a full time job in the evening. I let the chemistry class slide as I concentrated on programming classes.
At the end of the semester 50% of the grade for the chemistry class was based off of the final exam which was to be taken on the schools computer in the computer lab, where I spent most of my weekends anyway. The test was on Commodore 64's.
The test was 200 multiple choice questions and timed for only 2 hours. I fumbled around on the first 50 question for the first hour. Knowing I would never complete the test in time, I decided to cheat. I knew the break sequence of the commodore and set about to change the basic program. Well, in commodores you could lock the execution memory from any change.
So, I found where the memory location was for the number correct and the number of the next question. I changed the memory location for number correct to 198 and the number of the next question to 200. I hung out reading my chemistry notes for the next 50 minutes and then typed in "run" and pressed enter.
A screen popped up saying that I had completed the test in 1 hour and 50 some odd minutes with 198 correct out of 200.
I passed the class with a 70.
Armatures these days....
Nathan
Re: Kids these days... (Score:3, Funny)
What does an armature have to do with your story?
Re: (Score:3)
What does an armature have to do with your story?
Judging by his post, I would say he was really tightly wound...
Re: (Score:3)
You guys all were way more involved than I was. My simple hack was to change the DOS prompt on one PC in a lab to some ANSI escape codes to save the current cursor position, move to the top of the screen, print out "You have been stoned", and return the cursor to its original location, and complete the prompt as normal. I then moved to another PC in the lab, watched a student boot up the "infected" PC, get concerned, talk to one of the sysadmins, a small team of admins come in and try to virus scan the hel
Re:Kids these days... (Score:5, Interesting)
I was right there with you until this part:
Well, in commodores you could lock the execution memory from any change.
Plausibility went rapidly downhill from there.
Re: (Score:2)
I didn't have a C64 but I do have extensive experience (and published programs in the type-in magazines of the era) with a similar 8-bit computer, the Atari 800.
Same here.
So it's conceivable that the original poster may be referring to a similar technique on the C64 that prevents straightforward modification of the program source.
That's not what he said -- he said he prevented the BASIC program from altering its own data. That's an entirely different issue.
It seems plausible that you could conceivably find the proper memory location storing the current score (surely only a single byte), change the value with POKE, then esume execution with a "RUN xxx"
He didn't say "RUN xxx" -- he said he "typed in 'run'."
I think you're trying too hard to try to fix his fanciful story.
Re: (Score:2)
Armatures these days....
Tell me about it. You'd think they'd never generated power from a changing magnetic flux before.
Re: (Score:2)
He obviously did the same for his English test.
Re: (Score:2)
When the C-64 was around in significant numbers, all my exams were ink-on-paper in a supervised classroom. A couple of minutes before the start time, after everyone was seated, the papers were handed out ; if you left early you clear your desk and hand the completed paper to the invigilator. Same for essays or multiple choices.
Computing changed slightly through the course from dumb terminals to the mainframe (initially paper tel
Re: (Score:1)
More than a few $ per student for the chipped card. There are necessarily infrastructure, support and training changes above simply trusting the CA in active directory and turning on a checkbox for smart card login (at least if you're doing it right). New processes often requiring staff assistance include issuance, unlocking cards and PIN resets, revocation, and key recovery for lost/revoked cards so you can access your old emails or data. There are numerous other roles, as well as websites and applications
Re: (Score:1)
I attended KU a long time ago, and what's really funny about this is 18 years ago they had chipped student IDs that were used for identification and stored value all over campus. Then some brilliant bureaucrat administrator came along in 2003 and said "we don't need that."
Ads are getting smarter... (Score:2)
Sounds like an event that hardware keylogger manufacturer(s) were looking forward to.
Re: (Score:2)
/should have been held/
Sorry, there's no edit button for comments on /.
Re: (Score:2)
Was there any financial harm?
Yes, this was an attempt to diminish the value of what the actually-achieving students have been spending tens of thousands of dollars for. No, it's not the security department's fault. Just like it wouldn't be their fault if he was willing to smash a window.
Re: (Score:2)
I hope we have not reached the state where something isn't harmful if it isn't financially harmful. The kid cheated. It's morally wrong.
College degree: Reputation people pay for (Score:2)
I'm about to start working on my masters degree from Harvard, after finishing my bachelor's at WGU. You know why I'm doing my masters at Harvard instead of staying at WGU? Because a Harvard degree is more likely to get me offers at a higher salary. Why? Because Harvard grads have a reputation for knowing their shit.
Of course Harvard charges students more than WGU or UNT. They need to in order to pay top-tier faculty and they can because of their reputation - Harvard's reputation for excellent education bri
A 'F' changes to a 'B' so easily (Score:1)
An A? You just got greedy boy.
Chang His Grades (Score:2, Funny)
hack into the school's grading system and chang his grades
Positive discrimination against Asians is bad, mmmkay?
Re: (Score:2)
Re: (Score:2)
Nope
Re: (Score:2)
Only the ones that don't get caught.
Or like an ex-boss of mine (never ever, of course) said about his IT security people: What I care about is whether they have a police record. If they can't keep their fingers at bay, at least they should be good enough to not get caught and smart enough to keep their mouth shut.
Re: (Score:2)
Until they need to demonstrate some of the skills they supposedly posses. Then they hurriedly have to move into management and basically have wasted this life.
Profs using public terminals and No surprise here (Score:3)
I'm wondering why professors / administrators would be using the public terminals to work on student records. In my small university, I eventually earned the privilege of being a student system administrator but I knew with all the viruses and issues that happen on a public access computer that I wouldn't trust sensitive data on it. Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student. If not caught this bad behaviour becomes a disaster in the workplace. It's like the expression play with fire, expect to get burned sometimes.
Re:Profs using public terminals and No surprise he (Score:5, Insightful)
Re: (Score:3)
Then the security issue is in not sensibly shutting sensitive parts of their IT infrastructure off from public access.
Re: (Score:2)
or with U2F being so easy these days (Authy, Google Authenticator, Yubikey, etc. or even SMS if needs be) why not require it on sensitive portions of the system.
Re: (Score:2)
Aha!
Re: (Score:2)
There is this newfangled thing called VPN. Try it some time, it's really amazing.
Re: (Score:3)
Exactly right. At the university I attended for grad school, there was a single sign on that was used across virtually all university systems, including the public terminals in each classroom that were used to display slides. If a student had a professor's login info from that terminal, they'd be able to login to the grading system, time sheets, class registrations, room reservations, etc., depending on the parts of the system to which the professor had been granted access. And even if it hadn't been a sing
Re: (Score:2, Insightful)
Probably because they used the same usernames and passwords to access the class material as they did to access the grade system. Or they used different usernames and passwords but over time accidentally used the wrong set out of habit when logging in to the public system. It is not uncommon to accidentally type the password into a username field, either. Usernames frequently appear unobscured in system log files. Studying log files for a few weeks will reveal a few passwords mistakenly entered as a user
Re: (Score:2)
Even the floppy drives of the day were so screwed up that they would randomly destroy disks because people misused them all the time.
I have little sympathy for the student.
That takes me back... When I was in college the closest computer lab with a printer to my dorm was general access. Anyone with a school ID could access it. I would finish up a paper, throw it on a floppy disk, and walk a block to the lab to print it out. Every floppy drive was broken! I talked to one of the students in charge of the lab. He told me people kept putting disks in backwards or upside-down.
After that, I started walking the extra two blocks to the engineering building. All of their flopp
Re: (Score:3)
Computer hacking and penetration is a complex activity involving data collection and active compromise. Nobody gets points for being super-cool about it; you use DNS look-ups, interesting Google queries, and implied facts from public job postings to work out what questions to ask and even who to call if you want to do some direct data gathering.
Once, one of my biggest-balls-on-the-palm-tree coworkers walked through the front door of a big utility company by showing a fake badge and wearing a suit. The
Re: (Score:3)
Pretty much this. Even though the days are over when a bunch of flowers on Valentine's Day and a coverall from the local flower shop opened every security door, A UPS uniform and an unwieldy box did still work a few years back. Plus such boxes are great for getting shit out of a building again, too.
Funny enough, it's the simple things that work best. Look like you belong there and you're in. A cleaning-crew outfit and a cleaning cart open more doors than any sophisticated door hack tool ever could.
And NO se
Re: (Score:2)
The cleaning crew and receptionist are dangerous. This is known and ignored.
Looking like you belong there--particularly, like you're in charge of the immediate situation--is called a Bavarian Fire Drill.
Re: (Score:3)
Well it depends. I wrote a compact keylogger in assembly once to run on an MSDOS PC running Novell Netware (not password to catch otherwise). The fun thing was not coding it but how to hide it and its activity. It was loaded from AUTOEXEC.BAT IIRC but looked like (and replaced a) blank line by using character 255(?) which looks like but aren't treated like a blank space. It attached to the MSDOS routines so that it would only save the passwords when some other disk activity happened, it manipulated memory s
Re: (Score:2)
Re: (Score:2)
The TSA, perhaps...
Re: (Score:2)
Apply to Star Fleet Academy (Score:5, Funny)
Last I heard, cheating at Star Fleet Academy is rewarded.
Stronger security (Score:3)
Students have a STRONG motivation to cheat and little in the way of consequences of getting caught.
Expelled? So what? They didn't go to jail. Probably for every 1 expelled 1000 got away with it.
I would suggest educators (1) Use a set of paper records (assignment grade journal) to keep track of
student grades during term -- as the definitive record to fall back on, in addition to keeping a computer record,
and (2) Reconcile any digital summary record at end of term against the paper records ---
if two versions disagree for a student, then check individual papers..
Finally, the grade reports from educator to school should be a signed scan or technology such as an Adobe AcroForm signed PDF using
a signing device from an AATL listed [adobe.com] certificate authority.
PDF Digital signature as an example requires Two-Factor Authentication to create: PIN + Physical token specific to a certain person.
Thus keylogging doesn't allow a student to forge a PDF grade report document. The university's "Grade Entry" system,
whatever it is, should then simply be designed to accept the signed PDF form and verify the digital signature before gathering data
into a record together with the PDF attachment; Once data is in a record, there should be no means of editing it other than a professor submitting a signed PDF revising the report.
Re: (Score:2)
Username AND password
Duh.
Re: (Score:2)
Yup. Same for higher-up in management and politics.
Obviously an idiot (Score:2)
So being expelled was exactly the right thing to do. I mean changing Fs into As? Somebody has not thought things trough one bit. Bad at studying, bad at crime and unaware of both.
What I do wonder, however, how many do this just a bit smarter and get away with it. Probably should check the grades of my students a few months after exams again to see if they are unchanged...
I changed my grades (Score:4, Funny)
I changed all my A's into B's. I didn't want to seem cocky.
Ferris Bueller found the PW (Score:2)
Re: (Score:2)
You're close. Ferris Bueller was a 1980s movie with Matthew Broderick. Another 1980s movie with Matthew Broderick was WarGames (1983) which contains the scene you describe. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re:Ferris Bueller found the PW (Score:5, Informative)
There was hacking in Ferris as well: Ferris changed his absentee record from his bedroom while Principal Rooney watched, dumbfounded, in his office. Ferris then complains that his parents gave his sister a car, but all he got was a computer.
Re: (Score:3)
There was hacking in Ferris as well: Ferris changed his absentee record from his bedroom while Principal Rooney watched, dumbfounded, in his office. Ferris then complains that his parents gave his sister a car, but all he got was a computer.
You can watch it here... https://www.youtube.com/watch?... [youtube.com]
Why have USB enabled? (Score:2)
Re: (Score:2)
Re: (Score:2)
The password ... (Score:3)
... was "pencil."
Re: (Score:2)
... was "pencil."
And was kept in a little pull-out tray above the top-most drawer of the skleketary's desk?
er... (Score:3)
"Professors said the incident would not have been noticed if the student didn't get greedy about modifications... Various KU professors said they hope not to see any copycats in the near future."
Pro tio: If that's what you want, don't tell them how to avoid getting caught. The public statement should have been, "Our rigorous monitoring processes instantly detected the abnormal activity which was confirmed to be fraudulent after a thorough investigation."
They're thrashing the flow of data! (Score:2)
And as he was hauled away to finish out the rest of his education in a local remedial school, he was heard to shout, "HACK THE PLANET! HACK THE PLANET!"
It was bound to happen... (Score:2)
WTH? (Score:5, Interesting)
What is going on here? He was only expelled? A college student?!
Didn't we have a middle school student charged with a felony for changing a desktop wallpaper a couple years ago?
https://yro.slashdot.org/story... [slashdot.org]
A college student pays $$$$$ for education and loses that for doing something he ought to have known better than do and was planned out ahead of time.
A highschool student gets a felony destroying many of their job prospects for their entire life for a prank.
How is this remotely fair? It's not even !@#$%^& consistent!
Re: WTH? (Score:1)
deserved an F (Score:3)
Chose a cheating method easy to detect (Score:2)
... if they noticed it. Then cheated so blatantly they were certain to notice.
Sounds like somebody flunked cheating too.
In my case (Score:2)
So we wrote a chat program, a password snarfer etc. One night the process blew up. Next morning I'm in the I.T. Directors office. They revoked my access. I left the school. Went to another school and all was well.
"Kansas University" (Score:2)
Re: (Score:2)
2FA, or even just smart cards alone would protect against all forms of password stealing. Logging a smart card transaction doesn't get you a replayable password, it only gets you a token that's already been consumed by the legitimate user. Plus, smart cards are a lot easier to use than passwords, so your users would love you for it. (Most users, anyway; some will inevitably complain that they can't use an app on their phone.)
Convenience has its price, however -- without 2FA, a smart card is susceptible t