Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Technology

Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) 142

An anonymous reader shares a report: In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God. And when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense) and "pineapple" (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme. According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems. Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months -- between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves' grades had been changed without her authorization. She reported it to campus IT security officials.
This discussion has been archived. No new comments can be posted.

Student Charged By FBI For Hacking His Grades More Than 90 times

Comments Filter:
  • At least he cares about grades. Most student athletes dont.

    • They care, their scholarships usually need a minimum GPA. If they don't care it's because someone is fixing it for them, or the prof makes sure the team doesn't lose its star because he couldn't quite add a couple numbers.

      • He would have been far better off spending the time and energy to study and improve himself not only to do better in academia but concordantly in business. In the amount of time he spent hacking, he could have aced everything. Instead, he fails miserably, demonstrates his moral fibre, and shows that he will excel at nothing but politics.

        Sad.
        • by queazocotal ( 915608 ) on Wednesday November 01, 2017 @01:40PM (#55470997)
          The amount of learning needed is fairly minimal.
          You buy a keylogger for $30 or so.
          You plug it in between the keyboard and the PC.
          Later, you unplug it from the keyboard and the PC, and look for passwords and userIDs. (easy to spot as they're the first after several hours idle).
          Now, you simply type in the username and password, or use remote access if that's an option, to access the software in the same way the teacher would enter your grades.
          This is not a complex attack.
          • It's not like the classes jocks take are difficult either.

            Bet he was a communications major.

            • by blindseer ( 891256 ) <blindseer@noSPAm.earthlink.net> on Wednesday November 01, 2017 @02:48PM (#55471477)

              It's not like the classes jocks take are difficult either.

              Bet he was a communications major.

              The article did state that grades were changed in business, engineering and chemistry classes. There may have been grades changed in Earth Science 101: "Rocks for Jocks" too. It sounds like he was selling his services to other students, which is just asking to get caught.

              Changing grades on the computer is just stupid, IMHO, since it's not like the instructors don't keep paper records. Had he stuck to copying exams and answer keys then he might have gotten away with it, at least long enough to graduate. Or at least add enough doubt as to who did what when that no one would call the FBI on him. But then people that resort to cheating on exams aren't typically that bright.

              What I have to ponder is why the FBI was involved. This was a state facility, not a federal one. Doesn't every state have their own investigation service? As a state university they'll have their own police force, with a direct line to said state investigation office. What federal law was broken? Not that this seems to matter any more, I remember an assault case that made national news. The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

              • Re: (Score:2, Funny)

                by Anonymous Coward

                Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

                That should require Interpol

              • The FBI got involved for some reason. When asked why the FBI was there the answer floored me, the scissors used to cut the victim's hair came from out of state so this was an investigation of "interstate commerce" as defined in the US Constitution. If that's the bar that has to be hurdled then everything is a federal case. Some kid steals a candy bar and the FBI is there because he was wearing shoes made in China.

                https://www.fbi.gov/investigat... [fbi.gov]

                As I understand it, certain crimes mandate an FBI investigation even if it's within a single state.

              • Selling the service was dumb. Sell the test questions, maybe...

                When I was an undergrad, I taught someone how to make fake IDs (back when it was a little bit challenging, not illegal to teach someone how BTW). Moron put a sign in his dorm room window advertising fake IDs. You know how it turned out.

                • As an undergrad I also knew someone that made fake IDs. Very convincing ones too, especially since the guy had got his hands on the state ID laminates with the watermark on them. I recall he said that he bought them off someone that stole them from a DMV office. I didn't want to ask any questions, the less I knew the better. He said he'd make me one with the clear laminate for free but if I wanted the laminate with the state watermark that I'd have to pay for that. Most people don't think to look for t

                  • Forgery is a felony.

                    • No Stupid Laws (Score:4, Insightful)

                      by ghoul ( 157158 ) on Wednesday November 01, 2017 @06:24PM (#55472957)

                      There is a saying in the Army - never give an Order that will not be obeyed. It just breaks down the respect for Authority which is needed for soldiers to take an order which will mean risking their life but will probably save lives during battles.
                      A similar principle should apply to laws - dont pass laws that will not be obeyed. The 21 yr drinking age is a stupid law. If someone is old enough to fuck, go to war, get married and be executed for a capital crime they very well should be old enough to drink.
                      Once you pass laws that are stupid people feel no guilt breaking them and breaking other laws like forgery laws to get around the stupid law.

                    • the 55 speed limit needs to be on that list.

                    • Laws are not orders. They have different purposes. You want orders to be obeyed. But that's not necessarily the goal of laws. Sometimes they are there to produce revenue.

                    • The best way to end a bad law is strict enforcement. If not enforced, like say a speeding limit, then people learn that there is no punishment for breaking the law. If caught then you get people that are indignant on being picked out from the crowd. If the police stop everyone that speeds, then you run the risk of a bunch of angry citizens at the next town hall meeting complaining about the stupid speed limit.

                      If you want revenue from speeding then you have to enforce it. If enforced consistently then pe

                    • Selective enforcement works almost as well as (sometimes better than) being consistent, and it's cheaper.

                    • Selective enforcement just means picking out the worst offenders for punishment. That's still a mockery of the law, as evidenced by my interstate commutes. The posted speed limit is 70 but unless you are going 75-80 you will be passed by other travelers regularly. The law is not the law at that point. Either post a reasonable speed limit, and enforce it rigorously, or allow the mockery of law to continue.

                      That applies to all laws. If the federal government wants to claim that marijuana possession is a f

                    • Selective enforcement just means picking out the worst offenders for punishment.

                      No, it does not. It means picking them out psuedorandomly. You ideally select the worst offenders, not least because they are worth the most money, but that's not the only criterion commonly used.

                      If the federal government wants to claim that marijuana possession is a felony then it needs to be enforced. Not enforcing the law on marijuana possession but enforcing it on other drugs starts to put in the minds of people the idea that maybe possessing heroin and MDMA aren't so bad after all.

                      Except the government already showed that their laws are bullshit with their ridiculous scheduling of cannabis, which doesn't meet their own standards.

              • But then people that resort to cheating on exams aren't typically that bright.

                Depends doesn't it? Is it smarter to put in a lot of effort, study hard and hope you pass, or fuck around all semester and party, then get your mate who's a year ahead to sit your exams for you?
                Smart isn't about cheating or not cheating, smart is whether you get caught or not.

                • Depends. Is the class a required waste of time? Then cheat your ass off.

                  Put in other words: Study math and science, cheat in the indoctrinations.

        • 'He would have been far better off spending the time and energy to study'

          Study? Why? The idiot got the questions in advance and still was too dumb to get the right answers.
          If he had opened the book and take a few notes, he wouldn't have needed to up his grades.

          "Court documents allege that Graves intercepted exams and test questions in advance...."

      • They care, their scholarships usually need a minimum GPA. If they don't care it's because someone is fixing it for them, or the prof makes sure the team doesn't lose its star because he couldn't quite add a couple numbers.

        Years ago, my wife taught math at Division I football and basketball powerhouse in Indiana. There was a great deal of pressure put on her to change grades for the players.

        I don't want to say which school, but let's just say it was a Catholic school with a French name. In South Bend.

    • What is this? War Games?

  • He should change his major to "Hacking"; problem solved!

    • by plover ( 150551 )

      He should change his major to "Hacking"; problem solved!

      And he can hand out copies of his verdict when asked for his "Certified Unethical Hacker" (CUH) credentials.

      I just hope some of the classes he faked his grades in were Comp Sci so when he gets out of prison he can go to work for a spammer.

  • by xxxJonBoyxxx ( 565205 ) on Wednesday November 01, 2017 @01:08PM (#55470743)
    >> when I say "Hand of God," what I really mean is "keylogger." Think of it like the "Nimble Fingers of God." "Hand of God" (that makes sense)

    Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar. And no one has used that phrase in a SFW setting since 1978.

    >> and "pineapple" (???)

    Prolly this: https://www.wifipineapple.com/
    • almost certainly.
      Beautiful tool that thing...

    • Hey, um, "Nimble Fingers" is a dangerous thing to type into a search bar.

      Depends on how your search bar is setup. You really need to duckduckgo with SafeSearch turned off to get anything NSFW. Even google with SafeSearch off doesn't show much beyond a child toy store, a music shop, references to a WoW achievement, and a typing skill trainer.

      What actually impressed me is the choice weird porn search engine bing.com didn't produce anything either with Safe Search turned off.

  • Seems like smart would have been to either obtain the quiz questions OR to change your grades only once every semester. Attacking both sides of the system makes way too much noise.

    --
    "What's up doc?!" - B. Bunny

    • Smart would have been to subtly modify other peoples's grades just a tad before totals are tallied. Too much noise to identify the signal.

      • by Austerity Empowers ( 669817 ) on Wednesday November 01, 2017 @01:19PM (#55470823)

        Smart would have been to study, do the homework and pay attention.

        • The summary says he "intercepted exams and test questions in advance", so I guess that guy really sucks at learning.

        • That assumes the goal was to learn the material, not simply to pass the class. We're operating in the scope of how to cheat effectively.

          Besides, I've got a computer security background; discussing how to effectively penetrate a system without getting caught is in my scope of professional interest. (Imagine that: someone who's actually looked inside a computer trying to get a Congressional seat.)

        • Brainy would have been to study, do the homework and pay attention.

          Smart would have been to study with a friend and finish the homework together as quick as possible, then do something else better with their time.

      • No, that would have guaranteed the teacher would have known something was up. As soon as a good student noticed a grade change the audit would have been on.

        Smart would have been to study the test questions he downloaded and not share with class/team mates.

        Even smarter would have been to actually attempt to get an education while in college. It's not like there's a great future for greco-roman wrestlers.

        • Shrug. That's not the problem that was posed. An alternate strategy may prove better but, hey, information warfare is a thing.

    • by Agripa ( 139780 )

      Seems like smart would have been to either obtain the quiz questions ...

      I have seen that movie. They stole the wrong test.

  • Why is USB device plug can read keyboard input without installation or authorization from the computer? Is plugin a mouse or keyboard really have the feedback of each key pressed? I know they need to know when caplock is on but what about all normal keys?".
    • by Anonymous Coward on Wednesday November 01, 2017 @01:16PM (#55470805)

      Not sure what you're trying to say here. Looks like you're assuming that keypresses are broadcast to all USB devices, which is, of course, nonsese.

      Your run of the mill hardware keylogger is a device that's between the computer and the keyboard. A "man in the middle" attack, only in hardware. There's no software installation, and no way for an OS to detect it.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      • by pegr ( 46683 )

        "...no way for an OS to detect it."

        It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)

        • The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard.

          A keylogger need not present itself as anything over the USB bus. It can simply monitor the data lines that pass through it, allowing your keyboard to talk to the system. How do you detect that?

          Second, what OS has the 'feature' of locking itself to one specific vendor and device id for its input devices? That 'feature' would be disabled the very first time the keyboard needed to be replaced in a hurry, like "I just showed up to deliver a lecture and the keyboard on the display computer is broken. I'll use

          • It's coming. Lookup 'Rubber ducky'. Essentially a reprogrammed flash storage device that presents itself as a keyboard and runs scripts (typically attack scripts).

            Many places have computers set to call IT if anybody plugs in a USB storage device. Soon it will also call for a keyboard.

            • I wonder how one would protect against keyboard loggers. Since they are totally passive, an ID on a keyboard would do little at all.

              The only way I can really see it happening is with a separate protocol from USB (perhaps fiber optic, a la S/PDIF), where the keyboard and the computer are paired, the keyboard uses epoxy potting and tamper-evident wiring and enclosures, and some form of cryptographic handshaking is done. The instruct users that no "secure" light on the keyboard, no typing.

              Of course, this als

              • It will be whack a mole. Lock the computer to the keyboard model and the keylogger will just get updated to report it is whatever keyboard plugged into it.

                Epoxy is a solution, but not a good one.

                They need to encrypt traffic between the computer and keyboard. Which will add admin overhead.

                • Epoxy is a solution, but not a good one.

                  There is no security without physical security.

                  The computer is in a place that the public can access.

              • I've been to a hospital where all the keyboards have some kind of ID card slot on them. I'll see staff sit down, presumably type in a password, and get their screen. If the keyboard is smart enough, and a matching driver written, then the communication on the USB wire can be encrypted with a key in the ID card. At a minimum the systems on the university could be configured to not allow login without that ID card. I assume that there would have to be a backup plan for cases of broken hardware, lost ID ca

        • by plover ( 150551 )

          "...no way for an OS to detect it."

          It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)

          And Boom, doesn't go the dynamite. Take a look at some of the Hak5 products, like the Bash Bunny or USB Rubber Ducky. They allow the owner of the device to specify whatever VID/PID combination they want; they actually recommend you change it from their defaults so that scanning for their default VID/PID won't get you caught.

          Besides, you can't simply block alternate keyboard IDs anyway, at least not in America. The Americans With Disabilities Act will quickly be invoked by someone who needs an alternative

    • Why is USB device plug can read keyboard input without installation or authorization from the computer?

      News for nerd: many, if not most, modern keyboards are USB. Plugging a device into the computer and then the keyboard into the device means it looks like a keyboard to the system and there is still only one on the system.

      Is plugin a mouse or keyboard really have the feedback of each key pressed?

      Yes, a keyboard knows what keys have been pressed. That's kinda the whole purpose of a keyboard.

  • Use TFA. Here it is 2017. I'm running low on sympathy for those who get hacked because they didn't use TFA.
    • Most school record keeping is done on systems similar to those still used in finance: ageing mainframes running the same COBOL they have for the past 40+ years. Attempts at modernizing this are money-pits that don't work any better. Emulating the old hardware is the most cost-efficient solution.
  • Is he that bad? (Score:4, Insightful)

    by DontBeAMoran ( 4843879 ) on Wednesday November 01, 2017 @01:26PM (#55470895)

    Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments.

    Hey, let's get the exams and test questions in advance so I'll have a good score!

    Fails.

    Hey, let's enter the system and change my grades since I failed even when I had the exams and test questions in advance!

    That guy's C.V. can be resumed in one sentence: Can't even cheat his way out by cheating. I'd never hire that guy in a million years.

    • by jandrese ( 485 )
      And he got caught because he was incredibly stupid about how he did the cheating. He didn't even try to hide what he was doing, just log in and change that 20 to a 100 like the professor won't notice. This guy is a real piece of work.
  • 9 Times.. (Score:4, Funny)

    by sqorbit ( 3387991 ) on Wednesday November 01, 2017 @01:40PM (#55470999)
    "Ferris has been absent 9 times"....."GRACE!"
  • on the football / basketball team then no need to hack to your grades as the school will find away to make you pass.

  • in the 80's just needed to know where they wrote down the password

    https://www.youtube.com/watch?... [youtube.com]
    https://www.youtube.com/watch?... [youtube.com]

  • I noticed a kid (old enough to drive) sneaking out of CiCi's with a plate (a restaurant plate) of pizza.

    Nimble fingers indeed!

    Hey, I brought pizza into the thread....
  • The university told the FBI that the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security.

    Maybe they should have thought about IT security from the start.

    I've been to college and I see how "security" is done. The computers the instructors use are just put on a desk or table in the front of the room. To keep it from walking away there will be a flimsy cable attaching the parts to the desk or wall. Even basic security, like setting BIOS passwords, will not be done. This can allow spying on the computer with software keyloggers and such, or simply vandalizing it so it's unbootable. The install

    • Had the school thought of security from the start then this would not have happened and the costs would have been minimal. For example, when installing the podium use one with a locking door to the space for the computer. This would make installing a keylogger, hardware or software, much more difficult. It would also add some inconvenience for the IT support and the instructors, which is likely why it wasn't considered until something like this happened.

      and when it get's to hot and the door needs to be open

      • and when it get's to hot and the door needs to be open all the time?

        Use a screened door, add a ventilation fan, etc. I did IT support for a prison and I got to see how they locked down the systems to keep the prisoners (and some of the staff) from messing with the hardware. There are standard electronics cases that were nice looking, very solid, and easy to lock/unlock on three or four sides for access. Most have screened sides for airflow, and all of them have the option for ventilation fans. This university is a state facility and so, like the software issues, have ac

  • This seems like simple criminal trespass, fraud and larceny. The local or state PD can handle this.
    • by Anonymous Coward

      Because it's under federal jurisdiction [cornell.edu] as well as possible state and local entities.

      • by schwit1 ( 797399 )
        My point is the FBI's computer crimes folks should be working on major league crimes that are too big for state and local law enforcement.
  • Silly Mistakes (Score:5, Interesting)

    by DatbeDank ( 4580343 ) on Wednesday November 01, 2017 @02:45PM (#55471467)

    Silly mistakes are silly. Kid had access to the test banks and answers. He could have easily memorized the correct answers.

    Even if he failed the test, he could have corrupted everyone else's grades to obscure the fact that he was doing it.

    If you're going to commit any sort of computer forgery, make sure you spread the love far and wide so even unrelated students in completely different classes have their grades changed. There would be absolutely no way they would be able to find him in this instance.

    Only the stupid get caught.

    • Some of us are crap at memorization. In the real world you can look stuff up, unless maybe you're an ER doctor, so this is not as much of an impediment as you might imagine.

      I don't recall ever cheating on a test. Not so much because I am unwilling, but because I'm unable. I'm a big galoot and I've never been sneaky. I have to actually understand the material to do well because I'm poor at just memorizing things.

    • the obvious next step is to change his court or conviction file . . .

      "Hey, Sarge! someone screwed up and put this idiot in a cell for jaywalking.'

      And off he goes, free again . . . :)

      hawk

  • Display the exam questions on captcha banners that protect pr0n sites from bots, and sit back and watch how the whole world passes your exams.

  • Security 101... Would you log in to a sensitive account by typing your password over an unknown wifi connection? Hopefully not. A public PC should be considered similarly untrustworthy.

  • I learned two things: 1 - this kid is persistent and someone should hire him as a white hat; 2 - the administrators at this school/school district are really, really unteachable. Public education anyone?

You are always doing something marginal when the boss drops by your desk.

Working...