University of Iowa student used keyloggers to change his grades 90 times

[captain_to_fire]

16 minutes ago, System Error Message said:

Besides, knowing the british, their security may not be good, look at what happened with the NHS and wannacry.

I think the NHS attack using wannacry is a state sponsored attack which some reports are linking it to the hermit kingdom DPRK but also the fact that the NHS are not deploying security updates fast enough. Even before the wannacry pandemic happened, Microsoft has already released patches for the Eternal Blue and Eternal Romance exploits. 

20 minutes ago, System Error Message said:

where do i get this sort of stuff, i need to do this for mine too. many UK universities are actually terrible so if your university is not in a major city you are literally helpless when you run into problems as in many cases advice doesnt help.

If you think you’re failing your class, I don’t think hacking through your university’s databases would make you prepared for a real job and as I mentioned in other replies, hacking through grades databases can be traced easily since they log all changes that are happening. 

[System Error Message]

17 minutes ago, hey_yo_ said:

I think the NHS attack using wannacry is a state sponsored attack which some reports are linking it to the hermit kingdom DPRK but also the fact that the NHS are not deploying security updates fast enough. Even before the wannacry pandemic happened, Microsoft has already released patches for the Eternal Blue and Eternal Romance exploits. 

If you think you’re failing your class, I don’t think hacking through your university’s databases would make you prepared for a real job and as I mentioned in other replies, hacking through grades databases can be traced easily since they log all changes that are happening. 

i already have a real job. No rather the hacking is because i dont feel the university's decisions are justified despite submitting appeals and extenuating forms. Getting legal help is an option but for someone like myself i am treated very poorly in the UK. So those who disagree i suggest you go out of london and see for yourself especially if you just so happen to look arab or am brown (despite the fact that i am neither). I lost because of accommodation and the constant threats of local english landlords and tenants with every week forcing me to do the house work or get kicked out, so ofcourse i couldnt do my own degree. English girls are spoilt and fickle, even complaining to the university that i am spying on them with spy camera just because i have a lot of tech.

 

So UK's racism has gotten worse in recent years.

 

You can disagree with me if you like but my experience while in the UK was absolutely terrible. Even the NHS, i had to be re referred multiple times just to get the appointments i needed.

[captain_to_fire]

3 minutes ago, System Error Message said:

So UK's racism has gotten worse in recent years.

-snip-

Edited November 3, 2017 by hey_yo_
Removed the original as that could’ve provoked a conversation against the CS

[System Error Message]

Just now, hey_yo_ said:

So UK has its own Alt-Right? 

its not just the alt-right, but even getting a job in the UK just because your name sounds arabic, because you look arabic even though you totally arent, i got no interviews regardless of the many offers.

[bcguru9384]

3 hours ago, hey_yo_ said:

To the people who would even try to defend those students who cheated and hacked their university's databases, they deserve to be arrested. As I have learned back in college, "If you fail to prepare, you've prepared to fail." 

 agreed

and toast to you

[captain_to_fire]

17 minutes ago, System Error Message said:

You can disagree with me if you like but my experience while in the UK was absolutely terrible

I certainly not from UK so I don’t know how to validate what you’ve said but I’ll take what you said is true. Even if you managed to get keyloggers and hack your university, chances are it’ll be detected and blocked by enterprise grade endpoint security solutions especially the ones with good behavior blocking mechanisms. Also as a word of warning, even if you were able to penetrate your university’s databases, a lot of them are tracking all changes so it can still be traced back to you. 

[System Error Message]

8 minutes ago, hey_yo_ said:

I certainly not from UK so I don’t know how to validate what you’ve said but I’ll take what you said is true. Even if you managed to get keyloggers and hack your university, chances are it’ll be detected and blocked by enterprise grade endpoint security solutions especially the ones with good behavior blocking mechanisms. Also as a word of warning, even if you were able to penetrate your university’s databases, a lot of them are tracking all changes so it can still be traced back to you. 

not so, the point about keyloggers is to get the details of those that have the authorisation. So detection isnt really an issue. But thats not the point. the point is that i feel my university to be unjust. In the case of this thread however its the other way round. I failed not on my own accord, but if i had the chance to do things properly i would've gotten good results. The problem for me is just my university being unjust in their decision and not providing the support they should've to do something about bad landlords.

 

Enough about me and going offtopic, lets get back on topic.

The FBI arrested the guy, so will the guy get jailed or will he be hired like some of the other hackers.

[Uzume]

Lecturers usually use offline files (like an excel doc) to record their marking, then afterwards upload them to the CMS/Student Admin system used. Hacking staff accounts to alter the mark recorded in the CMS/admin system is very risky because it doesn't change the original data, and it only takes one lecturer/tutor to spot the discrepancy and then your toast.

[captain_to_fire]

35 minutes ago, System Error Message said:

The FBI arrested the guy, so will the guy get jailed or will he be hired like some of the other hackers.

He’s currently behind bars and he probably lowered his chances of getting employed unless companies hired him to be white hat hacker for penetration testing in order to prevent APTs which some are getting paid high. 

 

7 minutes ago, zzrhardy said:

Lecturers usually use offline files (like an excel doc) to record their marking, then afterwards upload them to the CMS/Student Admin system used. Hacking staff accounts to alter the mark recorded in the CMS/admin system is very risky because it doesn't change the original data, and it only takes one lecturer/tutor to spot the discrepancy and then your toast.

But in the case of University of Iowa, the hacker changed grades 90 times for a few months before it was noticed and charged were filed against him. 

[System Error Message]

the fact that the FBI arrested that guy is serious but gives bragging rights. While normal criminals get shot and arrested by cops, he can say "i was arrested by the FBI" which is a lot cooler than saying "i was arrested by the cops while robbing a store".

 

In the UK however not many lecturers are happy with their state such as salary for instance. At one point my university had a strike, so whether or not you get caught is highly dependent on the lecturer spotting and reporting it.

[Uzume]

1 minute ago, hey_yo_ said:

 

But in the case of University of Iowa, the hacker changed grades 90 times for a few months before it was noticed and charged were filed against him. 

 

I dealt with a similar case where I used to work: the dude had changed his grades in the CMS grade centre throughout the semester, without realising the instructor graded in excel. At the end of the semester the instructor uploaded his excel data directly to the student admin system and the CMS grade centre data wasn't used. When the student complained he didn't get his inflated grades the discrepancy was passed onto IT to look into... and everything was found.

 

He wasn't some leet hacker, just a script kiddy with a keylogger like the dude in the article.

[Tech_Dreamer]

4 hours ago, hey_yo_ said:

Both charges carry a maximum sentence of 10 years in prison. The cheating scheme lasted from March 2015 until December 2016,

He should be come a politician , then these alleged cheating to get ahead would be deemed acceptable & most probably won't even stand a trial. #FedsPriority

[leadeater]

7 hours ago, hey_yo_ said:

I just hope no college or university or any school in that matter uses Windows Defender or McAfee Anti-Virus as those suck and I think it's time for the IT personnel to have a basic cybersecurity seminar among faculty members (many of which are old people) to educate them like not picking random USB flash drives dropped by students and just stomp on them or teach them how to not recycle passwords.

I tend to not trust the AV test reports from the organisations that put them out, they all claim they are very accurate and represent real world situations but there is far too much variance in the results and rankings for me to have any confidence in them. These tests also do not reflect how they are actually deployed in to a business and the environment around them, Endpoint Security is not the only line of defense yet they ask for disproportionate amounts of money to use them.

 

For email we have dedicated email scanning software, for network storage we have dedicated scanning software that directly ties in with the storage controllers, for internet access we have dedicated firewalls that scan all downloads and content on web pages, then finally we have Endpoint security on the user devices.

 

I've actually deployed Microsoft Forefront Endpoint Protection (same Defender engine) in to a university back around 2010/2011 that is still in use today, adequate product and provided the required protection and there were no major incidents or even medium/small scale multiple device incidents. One of the big positives was that being a university the whole System Center Suite is included in the Campus Agreement, so you're essentially having to justify a very large expenditure to use one of the supposedly better Endpoint Protection tools over a free/no extra cost one supported by Microsoft.

 

Where I currently work (another different university) we use SEPM, not a fan of it at all.

 

Also training and education around cyber security is given to staff, you'll find very few universities that do not do this. There are also tools that are used to reinforce this training by phishing/baiting your own users to see what they do, this is not to shame them in any way it's no different to a fire drill.

 

The rankings however inaccurate/unrealistic are generally safe to use for guidance on home usage, just be aware you are more than likely paying money for something that is likely not providing any extra security over what Defender + Smartscreen or other browser inbuilt protections offer.

 

7 hours ago, hey_yo_ said:

This is why despite the criticisms of many people like former Mozilla engineer Robert O'Callahan against AV companies, they still serve a purpose in deterring many if not all cyber attacks.

The above is why I agree with Robert O'Callahan.

 

Quote

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google's Project Zero. These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

 

Users have been fooled into associating AV vendors with security and you don't want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is.

http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

 

7 hours ago, hey_yo_ said:

I'm pretty sure even a non-techie old professor can see that the grades have been tampered especially if they have a physical copy of the grades right after encoding and posting them and they're most likely time stamped so even if a hacker managed to change the grades, it's still very easy to spot and most of these databases log IP addresses and usernames (mostly student numbers).

 

7 hours ago, hey_yo_ said:

This is why printed grades still matter even most grades and enrollment are done online. Probably the Iowa hacker used his own login credentials and used a keylogger and hack the grades databases. I don't know about other universities in the world but for us, we can only have one username and that is our student numbers which can't be changed.

 

It's actually scarily easy to get tools that will create the USB attack devices and software for you, a lot will work without even having to log in to the computer at all. You've got ones that can go inline with the USB connector for the keyboard, ones that go inside the keyboard, ones that upon being inserted in to the computer work using malicious drivers that are automatically installed by Windows using system privileges, ones that exploit known privileged access bugs allowing them to be installed and run in the background.

 

The likely reason why this went on for so long without being noticed is how do you actually know a grade has been improperly changed? Once you have a staff members username and password you will be logging in to the computer using that not your student account, so how you do alert on an improperly changed grade? You're correct everything is logged but if there is no cause for suspicion then no one is going to investigate and find the alteration.

 

Likely what is missing that would catch these changes is when a paper/course finishes all grade entries/modifications should be reviewed, hopefully the software being used also requires a justification for the change. A staff member is going to notice during this review that it was not them that made the change.

 

Edit:

Oh and two-factor authentication is a thing, that would help.

 

[captain_to_fire]

9 minutes ago, leadeater said:

The likely reason why this went on for so long without being noticed is how do you actually know a grade has been improperly changed? Once you have a staff members username and password you will be logging in to the computer using that not your student account, so how you do alert on an improperly changed grade? You're correct everything is logged but if there is no cause for suspicion then no one is going to investigate and find the alteration.

I don’t know how they catch the student hacker but in my university, most professors encode grades via Microsoft Excel and it’s stored offline and printed to paper so that in any event that a student complains or if the database got breached, the professor still can show the grades that aren’t tampered. 

 

My initial thoughts is that he slipped flash drives with keyloggers to university computers and they’r sending login credentials to students and he probably just changed his grades from failing to a passing grade and not jack it up to a 4.0 GPA. 

16 minutes ago, leadeater said:

I've actually deployed Microsoft Forefront Endpoint Protection (same Defender engine) in to a university back around 2010/2011 that is still in use today, adequate product

I just have a bad experience with Security Essentials and Windows Defender back in college. It wasn’t able to remove a malware that hid all my school files until I uninstalled Security Essentials and replaced it with something else. Also at the moment, the anti-ransomware component of Fall Creators Update is more of an annoyance because of false positives that it might as well be disabled and I’m glad that it is disabled by default. 

[leadeater]

9 minutes ago, hey_yo_ said:

I don’t know how they catch the student hacker but in my university, most professors encode grades via Microsoft Excel and it’s stored offline and printed to paper so that in any event that a student complains or if the database got breached, the professor still can show the grades that aren’t tampered.

We keep paper copies too for the same reason, we also do nightly full backups of all databases and keep them for <long censored time>. We also backup transaction logs of databases every 30 minutes (basically changes).

 

9 minutes ago, hey_yo_ said:

I just have a bad experience with Security Essentials and Windows Defender back in college.

I think there is always going to be some kind of horror story for all AV products out there. That's why choice can be good, if you're not liking something you can try something else.

[goodtofufriday]

Im just reading all these comments wondering if any if you went to went to an engineering college or university. Cheating vis keylogger is vastly easier than anything else. A keylogger is script kiddies first hack. 

AP calc 4 with no calculators is hell. 

And at the end of the day all that matters is the degree, not what you learned. 

 

Medical field does not apply to last sentence. 

[captain_to_fire]

13 minutes ago, goodtofufriday said:

And at the end of the day all that matters is the degree, not what you learned. 

No, and I disagree and engineering isn’t the only degree that is difficult. So many students are passing subjects like differential and integral calculus without cheating. And as I’ve said in the OP, “If a student failed to prepare, that student prepared to fail.” 

[goodtofufriday]

42 minutes ago, hey_yo_ said:

No, and I disagree and engineering isn’t the only degree that is difficult. So many students are passing subjects like differential and integral calculus without cheating. And as I’ve said in the OP, “If a student failed to prepare, that student prepared to fail.” 

I didn't say it was impossible to pass, just that using a keylogger to cheat is drastically easier. There are users saying it would be easier to just study and that simply isnt true. Using a keylogger is literally the easiest route compared to legitimately taking the classes. 

 

As for whats learned. Most jobs a degree is only good for getting your foot in the door. Ive yet to meet someone ready fir the working world straight outta college. When i look for employees a degree is "neat" to have. 

 

For myself I went to an engineering college and took engineering math and physics, along with the regular slew of classes, and of course computer courses. I cannot say that I learned anything of value when considering what I do for work now. 

 

 

Edited November 3, 2017 by goodtofufriday
Grammar and details

[Brooksie359]

3 hours ago, goodtofufriday said:

I didn't say it was impossible to pass, just that using a keylogger to cheat is drastically easier. There are users saying it would be easier to just study and that simply isnt true. Using a keylogger is literally the easiest route compared to legitimately taking the classes. 

 

As for whats learned. Most jobs a degree is only good for getting your foot in the door. Ive yet to meet someone ready fir the working world straight outta college. When i look for employees a degree is "neat" to have. 

 

For myself I went to an engineering college and took engineering math and physics, along with the regular slew of classes, and of course computer courses. I cannot say that I learned anything of value when considering what I do for work now. 

 

 

If you truly think that way then your college didn't prepare you enough. Most engineers will learn a lot of what you need to know for their first job at their first job but they still are expected to know many of the things they learned from college and be able to apply them. I mean you don't have to remember everything but you don't have time to learn everything from scratch.

[Zodiark1593]

10 hours ago, zzrhardy said:

Lecturers usually use offline files (like an excel doc) to record their marking, then afterwards upload them to the CMS/Student Admin system used. Hacking staff accounts to alter the mark recorded in the CMS/admin system is very risky because it doesn't change the original data, and it only takes one lecturer/tutor to spot the discrepancy and then your toast.

Someone seeking to change grades via hacking would probably do well to change the grades of multiple students to better conceal their identity. Of course, an attentive teacher would probably put a stop to the alterations, though short of questioning everyone that had their grades altered (and is probably a CS student too), it would be difficult to discern the culprit.

 

A pure vandalism approach (altering grades without benefit to self) could leave even fewer means of finding the culprit.

[PlayStation 2]

Fool me once, shame on you.

Fool me twice, shame on me.

Fool me 90 times, your whole staff is fucking stupid.

[AnonymousGuy]

What a dipshit.  If you're going to do something bad, don't do something that can land you in prison and completely fuck your life when they revoke your degree and your name becomes blacklisted with a google search.

[Jito463]

On 11/2/2017 at 10:19 PM, Drak3 said:

I'm sorry for your loss.

As a fellow (albeit former) Idiot Out Wandering Around like @SansVarnic, I must protest that I represent that remark!

 

....

 

Wait, that's not what I meant.....

[brownninja97]

Man some people are extremely desperate with their degree work and grades. Certainly one hell of a risk, no idea why they would take that, massive black flag. Failing a module isnt the end of the world but getting caught doing this is career destroying. 

[vorticalbox]

On ‎03‎/‎11‎/‎2017 at 3:16 AM, hey_yo_ said:

Bill Gates is probably right but I ain't hiring a slacker who just smokes pot or arrives late and drunk at work.

lazy is not the same as an incompetent sack of shit.