There is a grade changing scandal over at Walt Whitman High School here in Montgomery County, Maryland. A teacher noticed that the grades in the system did not match what he or she had entered. The investigation has found 54 changes.
Montgomery County Schools CTO Sherwin Collette said they believe teachers' passwords were obtained through the use of hardware keystroke logging.
Hardware keystroke loggers are readily available online. Check out this video from irongeek if you aren't familiar with hardware keystroke loggers. Basically it's just what it sounds like: a transparent USB or PS/2 device that sits between the keyboard and the computer port and records every keystroke that passes through it.
Remember Microsoft's Immutable Laws of Security, number 3: if a bad guy has unrestricted physical access to your computer, then it's not your computer anymore.
The best solution to this sort of problem is multifactor authentication. The thinking is that if the password is stolen, it can't be reused later on its own. Of course some systems allow concurrent logons, letting an attacker use the captured password immediately. (That wouldn't work with a device like the one in the video, which has to be retrieved to read the log, but keystroke loggers can also use wireless/Bluetooth to send the captured information immediately.)
People who don't use multifactor authentication always think it costs too much. I wonder how much Montgomery County has spent on this incident. The cost of securing the data should have been part of the original decision to put the grade system online.
Even without strong authentication, other things could be done to protect against this sort of attack. It's not clear whether the attackers used the teacher's own computer. If they didn't, that might get flagged by anomaly detection: noting that the account was normally used during the day from location A but was suddenly also used from location B at another time.
Displaying last logon and location to the user might have helped. If someone was unusually observant they might notice they didn’t use the account then.
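The two controls above, a baseline check on where and when an account normally signs in, and a "last logon" notice shown to the user, can both be built from an ordinary logon audit trail. The following is an added example, not code from the original post or from any school district's system; the logon records, account names and source names are constructed, and the thresholds (three logons before an account is judged, one hour of slack around the observed working window) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not real data): ISO timestamp, account, source.
# teacher01 normally signs in around 08:00 from workstation-rm204; teacher02 from
# workstation-rm118. Two records are deliberately out of pattern.
SAMPLE_LOGONS = """\
2024-03-10T08:15:00 teacher01 workstation-rm204
2024-03-10T08:10:00 teacher02 workstation-rm118
2024-03-11T08:02:00 teacher01 workstation-rm204
2024-03-11T08:05:00 teacher02 workstation-rm118
2024-03-12T07:58:00 teacher01 workstation-rm204
2024-03-12T08:12:00 teacher02 workstation-rm118
2024-03-13T08:20:00 teacher01 workstation-rm204
2024-03-13T22:41:00 teacher01 library-pc07
2024-03-14T08:05:00 teacher01 workstation-rm204
2024-03-15T02:17:00 teacher02 workstation-rm118
"""

MIN_HISTORY = 3   # assumed: judge an account only after this many prior logons
HOUR_SLACK = 1    # assumed: hours of tolerance around the observed working window


def parse_logons(text):
    """Turn the whitespace-separated audit lines into dicts with parsed timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source = line.split()
        records.append({"time": datetime.fromisoformat(ts), "user": user, "source": source})
    return records


def detect_anomalies(records):
    """Replay logons in time order; flag any that break the account's own pattern.

    A logon is flagged when its source was never seen for that account before, or
    when its hour falls outside the hours previously observed (plus HOUR_SLACK).
    Flagged logons are kept out of the baseline so one rogue sign-in does not
    quietly make a new location or time "normal"; an analyst decides that.
    Returns a list of (user, timestamp, reason) tuples.
    """
    history = defaultdict(list)
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        past = history[rec["user"]]
        reasons = []
        if len(past) >= MIN_HISTORY:
            known_sources = {p["source"] for p in past}
            if rec["source"] not in known_sources:
                reasons.append(f"new source {rec['source']}")
            hours = [p["time"].hour for p in past]
            lo, hi = min(hours) - HOUR_SLACK, max(hours) + HOUR_SLACK
            if not lo <= rec["time"].hour <= hi:
                reasons.append(
                    f"unusual hour {rec['time'].hour:02d}:00 "
                    f"(usual {min(hours):02d}:00-{max(hours):02d}:00)"
                )
        if reasons:
            alerts.append((rec["user"], rec["time"].isoformat(), "; ".join(reasons)))
        else:
            past.append(rec)
    return alerts


def last_logon_notice(records, user, now):
    """Text a grade portal could show at sign-in: the most recent prior logon."""
    prior = [r for r in records if r["user"] == user and r["time"] < now]
    if not prior:
        return "No previous logon recorded."
    last = max(prior, key=lambda r: r["time"])
    return f"Last logon: {last['time'].isoformat()} from {last['source']}"


if __name__ == "__main__":
    recs = parse_logons(SAMPLE_LOGONS)
    for user, when, why in detect_anomalies(recs):
        print(f"ALERT {user} {when}: {why}")
    # What teacher01 would see when signing in on the morning of the 14th.
    print(last_logon_notice(recs, "teacher01", datetime(2024, 3, 14, 8, 5)))
```

Run as is, the replay flags the 22:41 logon for teacher01 (new source and unusual hour) and the 02:17 logon for teacher02 (unusual hour only, since the source is a known one), and the sign-in notice for teacher01 on the 14th names the late-night library logon, which is exactly the line an observant teacher could have questioned.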
The Post reports that Montgomery County Schools will now have a 120-day password expiration policy. That suggests they didn't expire passwords at all before. This means a stolen password is only good for one school year. Still a long time.
Some people are taking a "boys will be boys" attitude about this. They don't understand why the police are investigating this as a criminal matter. If they'd stolen a Facebook password and vandalized the teacher's Facebook page, I might be laughing. With grades they had to know they were doing wrong. And worse yet, these false grades were likely used to fraudulently gain admission to college, potentially depriving a more deserving person.
Right now all we can do is speculate based on media reports. And worry about whether the businesses we deal with are ready for 21st century attacks.

  1. This kid fucked up in a few places. For one, if you’re going to do this, don’t change just your grade. Make it appear as if there was something wrong with the system, especially if you are already known for “hacking/cracking” in your school. Also take advantage of the physical situation. I considered doing this and if the teacher did notice (being as I have already been suspended for hacking 2 years ago) I would be an obvious suspect, so I thought of loopholes. Her office is open 24/7 and someone with basic computer skills would be able to get in; along with my grade not being the only changed one and there being no proof, I would be in the clear. I wouldn’t even have to code anything, a hardware key logger would do the trick. Or stage your attack remotely from another teacher’s/student’s account on the network. Also if it’s an all online grade system and you got the password, for God’s sake don’t change it from your house. I don’t care how many proxies you are behind. Rent out a server in Europe from someone who doesn’t ask for personal information (think torrent seedboxes with VNC access) or change it from a clean laptop on public wifi, where there are no cameras. Even if you can’t eliminate yourself from being a suspect, at least leave no proof. If they get crazy on you they might confiscate your gear at home. Hide external drives and use a laptop with nothing incriminating against you. And for God’s sake don’t talk about it. I don’t care if you have OTR in your chat client; you most likely wouldn’t be encrypting your chats if you didn’t have anything to hide. I’m just saying think of every angle, pretend you’re in a movie, you know the lengths they go to get “hackers/crackers” in the movies.

