
What a teen grade hacker’s confession can teach us

"We had access to the grade book. Now we could change the grades."

It’s hard to know whether to laugh or cry at a new column that Motherboard’s Vice started earlier this month.

It’s called Scam Academy. Pull up a chair, students: Scam Academy is where you come to read about “schemes and cheats from within the high schools and colleges of America.” The authors are not Vice journalists. No, the authors are the ones who’ve cheated and accepted Vice’s invitation to share how they did it and why.

Presuming that these stories are true confessionals and not just made up for the lulz, the most recent column could have been titled “I made money hacking my teacher’s computer to change grades. It wasn’t particularly legal, but it was fun.”

Actually, forget about laughing or crying. Instead, if you’re anybody who works in education, be it teaching or in school IT administration, you need to grab a notepad and jot down what this anonymous kid had to say, because he or she described security holes big enough to drive a school bus through.

Can’t log in? No problemo!

It all started in freshman year of high school, the grade-hacker reminisced, when they got handed an administrator’s credentials to log in.

When I couldn’t log on to my computer during class my freshman year of high school, my teacher came over and gave me the administrator login and password. I thought, Maybe we could use that somewhere else. I started looking and found out that it worked across every computer on the network.

Lesson learned: don’t share your password. Everyone should have their own account and set their own password.

Smile, you’re on school security cam

Next year, the hacker-in-training met a new friend who knew a good amount of coding. The two found the IP addresses of the school security cameras and figured out how to move them around by using a program called NetVu Observer.

It wasn’t necessarily the most legal thing, but something to do that was sort of fun.

Fun, and an excellent way for hackers to spy on a teacher’s movements.

We were still trying to figure out how to get a username and password for the network. So my friend and I positioned the cameras toward one classroom where the teacher was known to walk in and out of the room constantly. We used the cameras to see when she left before the end of school, and we caught the door before she left. She hadn’t logged off, and we got access.

Lesson learned: Always log out when you leave your computer! Failing to log off at the end of the day is the digital equivalent of leaving the door wide open for intruders, as is leaving your webcam unsecured (or behind a default password). We’ve written up numerous stories about hackers who use the Shodan search engine to find unsecured webcams, and about the dangers of shoulder surfing.

And, while we’re on the subject of doors, leaving the door wide open for intruders is, literally, leaving your door wide open for intruders. An unlocked door can give bad actors free access to what should be physically secured areas.

Access gained, keylogger installed

Once the hackers had access to the teacher’s computer, they plugged in a keylogger that would email them a copy of whatever she typed every half hour. That’s how they got her username and password. After that, getting access to grades was a done deal:

Since we had access to her credentials, we had access to the grade book. Now we could change the grades.

Lesson learned: keyloggers suck – use antivirus.

Keyloggers, which come in either hardware or software form, are notoriously hard to detect unless the (innocent-looking, if visible at all) hardware versions are spotted. That makes them a common tool for everything from snooping on spouses to bank heists to multiple instances of kids doing exactly what this kid said they did: hacking their grades and/or getting their hands on exams and test questions in advance.

In April, we heard about a US senator’s fired sysadmin who snuck back in to his workplace and installed keyloggers so he could rip off his former colleagues’ logins. Then, he used the ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information … and to steal the employees’ credit card information and taxpayer IDs; the personally identifying information (PII) of hundreds of other people; and tens of thousands of emails and internal documents belonging to the senator’s office.

These keyloggers are literally child’s play to plug in. They’re cheap, they’re easy, and they’re often undetected at the typical targets – schools, universities, libraries – that all too often have paltry budgets for equipment, software and skilled administrators.

How do you protect against keyloggers? As far as the software versions are concerned, use reputable antivirus software to keep them out. But as far as the hardware versions go, there’s no way for an operating system to detect such devices, which are plugged inline between a computer and a keyboard. Some of them are visible if you look at your USB or PS/2 port, though…

…Ever worked somewhere where the policy is to regularly check for keyloggers? Not me!

Anyway, back to the hacker cadet.

Subtle tweaks

S/he goes on to outline the logic behind how much to increase their friends’ (and what would become their clients’) grades.

We would just boost each grade by five points at the most because we didn’t want the teacher to know. If someone gets a zero and we change it to a 100, that’s pretty obvious.

The hackers were generally subtle in their grade boosts, and they were likewise modest in the cost they charged their fellow students, as in, $20. They made between $500 and $600 the first year. The columnist said the hackers “didn’t want to rip people off.”

In a less honor-amongst-thieves vein, a swelling bank account would draw attention, the hacker said:

Both of my parents could see my bank account at the time, so I didn’t want them to question where a ton of money was coming from.

Kids these days

Perhaps the biggest takeaway from this hacker’s training manual is that people are generally oblivious to what some kids can do, the hacker said:

IT administrators really underestimate what students can actually do.

In fact, the hacker’s coding-adept buddy found, through scanning the network’s computers, that all the schools in the district were on the same network, and that an IT admin from a different school was using a default admin account “to do all his work.” That admin was also running a program that pushed updates “to every single computer across the entire network,” which granted the marauding students access to “everything.”

That admin even had a program running the HVAC system.

Yes, poor security hygiene meant that hacking students could have controlled the temperatures in all the schools.

We were pretty happy with what we found, I’m not gonna lie.

And rest assured the kids at the school aren’t the only ones looking to profit from the alleged security holes. If they could find their way in and around the school network, what are the chances that somebody from outside the school could, too?

11 Comments

Many years ago, I worked at a military academy on the academic support staff.
Some of our students manipulated the student record system similarly. S/he was discovered, booted from the academy, and finished their unillustrious military as an unpopular regular.

May I suggest a couple of alternative actions?

The first story happened because a student’s unique account was failing, which means the unique login that **was** assigned to the user wasn’t working. I also wouldn’t be surprised if gaining access to these resources was time sensitive – for students, EVERYTHING is. A guest account with minimal privileges would have been a better fallback than the administrator account, since the account wouldn’t have admin privileges.

Logging out can also be a bad idea, since that closes all your programs. If you have something that needs to run for a while, like a download, upload, or large save, a logout can do some real damage. Locking the system can have the same effect as logging out, but without stopping the programs you’re running, that way the process can finish safely.

As for the default admin account, I do have to ask: why are those still a thing?

As someone who works in security for education, your article is missing the most important thing you should be saying: Use 2fa for accessing grades. I would also recommend doing log analysis on grade changes to validate unusual entries but though that’s doable it’s actually way harder.

There is no way you are going to stop every vector for students to get teacher grades. For instance, you’re assuming keyloggers are software but I have actually seen hardware keyloggers used by student grade changers more often. They’re readily available, require no knowledge of the underlying OS or endpoint protection, and virtually every classroom computer is using USB-A/B keyboards. Also don’t rule out phishing as a vector for getting teacher passwords.
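The log analysis on grade changes suggested in the comment above, sketched as an added example (not from the article, the commenter, or any gradebook product): because the edits described in the article stay at five points or fewer, a size threshold misses them, so this check looks at where and when existing grades were raised instead. The log format, field names, account names and host names are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format); empty "old" = first entry.
SAMPLE_LOG = """ts,actor,host,student,assignment,old,new
2019-03-04T10:15:00,t.jones,ROOM12-PC,s101,quiz3,,71
2019-03-04T10:16:00,t.jones,ROOM12-PC,s102,quiz3,,64
2019-03-04T10:17:00,t.jones,ROOM12-PC,s103,quiz3,,88
2019-03-05T11:02:00,t.jones,ROOM12-PC,s103,quiz3,88,98
2019-03-06T19:40:00,t.jones,LAB3-PC07,s101,quiz3,71,75
2019-03-06T19:41:00,t.jones,LAB3-PC07,s102,quiz3,64,69
2019-03-06T19:43:00,t.jones,LAB3-PC07,s104,essay1,80,84
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["old"] = float(r["old"]) if r["old"] else None
        r["new"] = float(r["new"])
    return rows

def magnitude_rule(rows, min_jump=10):
    """Naive rule: flag only large upward edits to an existing grade."""
    return [r for r in rows
            if r["old"] is not None and r["new"] - r["old"] >= min_jump]

def context_rule(rows, school_hours=(7, 17), min_students=3):
    """Flag (actor, date) groups in which existing grades were raised for
    several students off-hours or from a host the actor never graded on."""
    usual_hosts = defaultdict(set)
    for r in rows:
        if r["old"] is None:            # first entries define the baseline
            usual_hosts[r["actor"]].add(r["host"])
    groups = defaultdict(list)
    for r in rows:
        if r["old"] is None or r["new"] <= r["old"]:
            continue                    # only upward edits to existing grades
        off_hours = not (school_hours[0] <= r["ts"].hour < school_hours[1])
        odd_host = r["host"] not in usual_hosts[r["actor"]]
        if off_hours or odd_host:
            groups[(r["actor"], r["ts"].date().isoformat())].append(r)
    return {k: v for k, v in groups.items()
            if len({r["student"] for r in v}) >= min_students}

if __name__ == "__main__":
    rows = load(SAMPLE_LOG)
    print(len(magnitude_rule(rows)), sorted(context_rule(rows)))
```

On the sample, the size threshold flags only the in-hours +10 correction made from the teacher's usual machine, while the context rule surfaces the three small evening edits made from the lab machine.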

There is a simple way to prevent this nonsense with grades: remove teachers from the school network. Have the teachers complete grade reports by hand, scanned into the administrator’s computer, then send it over to be printed in mass. Teachers don’t have time, training, or a reason to be on a secure network. Giving them access to a secure network where grades are stored/updated is the height of idiocy. They lack the training and intelligence to detect and prevent problems, as this article illustrated in four separate instances.

Why not just put teachers on a special VLAN instead of rendering them unable to do their jobs efficiently? The entire reason we use computers is because they do stuff for us, and taking that from teachers seems needlessly cruel. It would mean manually writing out every assignment up to 150 (30 students *5 periods) times instead of printing the copies or providing digital ones, expecting not to transpose numbers when given even more opportunities (one for each problem they grade), and take away electronic slides as a presentation tool.

I’m talking about the network on which grades and registrar information is kept. That should be secure and access should be limited to a few select employees in each school. If teachers want to complete their grade reports on a separate computer, that’s OK. Let them print it when done, then hand it to an administrator to be reviewed and scanned in. The secure network should be air-gapped from any computers accessible to students and teachers. Teachers can use a guest network, along with students, to do tasks, work on cloud documents, and prepare assignments. But they absolutely shouldn’t have access to anything that can cause real damage or expose the district/school to liability.

See comments above for: No budget, Minimally paid administrators, No budget, Lack of 2FA, No separation of VLANs, No budget, etc., etc. I know 16 yr. olds that could pencil draw a secure network for a school, but getting senior administration to buy off on it is next to impossible in most cases because it’s “Too hard to have two logins/passwords.”

Good point on the 2FA omission, thank you. As for keyloggers, the article was clear that there are both software and hardware versions, and I pointed to at least one recent story about the use of hardware keyloggers. :-)

Actually, basic cybersecurity steps and awareness (2FA, proper infosec & password policy, timed screen lock, USB blocking & control, antivirus, OS patching, PC or network firewall port restrictions, LAN segregation, etc.) can easily stop most of these teen grade hackers. They can be done with minimum cost, or using open source software. If IT admin do not apply all this, they cannot call themselves IT admin. That’s my opinion.
