Preventing Damage by Preventing Grade System Intrusions: Conclusion

Educational institutes such as colleges and schools have understandable reasons to desire use of electronic grading records. Such systems must be recognized for the dangers they pose as lucrative targets for hackers, crackers, and cheaters. The impact from unauthorized intrusions can be significant for the future of the students, even those whose records are not modified, as shown by Tyler Coyner graduating salutatorian. Coyner’s data manipulation stripped another student of their rightful honor as salutatorian (McMillan, 2011).

Defensive efforts must be made to address but the attack vectors to be utilized by intruders and the motivation driving the attack. Whenever possible, it is best to recognize the situations that may lead to an attack and defuse it in advance.

---

McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from: http://www.pcworld.com/article/221442/studentcharged.html

Preventing Damage by Preventing Grade System Intrusions: Attacker Vectors

Social Engineering

Non-technical theft of account information is a people problem and can be solved through policy and enforcement of said policy. Back in the first case study it was discussed that the attacker was alleged to have used the same account information numerous time, 110 times to be exact (Lupkin, 2012), over the course of two years. Such a situation cannot happen if passwords do not stay valid for that long. If the superintendent had updated her password every three months then the attack would have quickly lost access.

Another policy that can prevent such account compromises is strict rules on how to protect account information. Since Lupkin (2012) did not mention any technical tactics used, it is likely that Venusto received the account information in a more direct way, such as the victim having the data written down at her computer or even having handed over the account for some reason. It can be convenient for an upper official to give their information to a secretary, say to schedule meetings, but that should always be considered a critical security violation.

Attack Vector: Malware Infection

Edwin Kim collected his required account information via a software keylogger that he had installed on a shared workstation (Gibbons, 2012). Security policies which required and enforced the principle of least privilege would have prevented this compromise. A common user, as an average student should be at a university, will not have the privilege to install software which runs outside of their own session. Any changes which can impact the running environment of other users should require an administrator to perform. Additionally, high value targets such as professors should avoid sharing hardware with students. A student that exchanges the expected keyboard with a ‘value-added’ look-alike can then log their keystrokes even without installation privileges.

Attack Vector: Physical Security

Palos Verdes High School’s intrusion was the result of poor physical security. Defense in depth should have prevented access. Altman (2012) makes no mention of how the teens entered the grounds or the building, so one has to assume that those steps were fairly trivial. Both should have been secured and surveilled with either recording devices or human guards. Once inside, the intruders collected a master key after picking the lock on the janitors’ office. An object of such value as the master key should not be available just behind a lock that itself can open. Clearly, the protections on the key were significantly lacking.

---

Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Preventing Damage by Preventing Grade System Intrusions: Attacker Motivation

the Hack

Intruders that are operating under just pure hacker motivations are the bored, the curious, and those searching for a challenge. Education institutes are uniquely qualified for defusing these intruders, as intellectual challenge and stimulation is the purpose of such bodies. This point is captured explicitly in the mission statement of Harvard University: education “...should liberate students to explore, to create, to challenge...” (Lewis, 1997). Boredom, curiosity, and lack of challenge can all be directly addressed through adjustments to curriculum and individualized development plans.

the Grades

Cheater intruders can be defused by recognizing that the core of what they are doing is not actually changing their grades, they are instead taking control of their grades and future. These intruders can probably be successfully profiled under the hacker motivation of desiring power (Campbell & Kennedy, 2010). For whatever reason, they find themselves without the power to shape their situation through the legitimate channels. Ways to place students in control of their situation and convince them to downplay the grade portion of the grade include engaging them and their interests, challenging them appropriately, empowering them with a voice in directing what they learn, and recognizing their effort and competence (Stephens & Wangaard, nd).

the Money

There is no magic bullet to help reduce this motivation. These attackers are driven by straight criminal mindsets and desires. The solution here is to just address the technical issues to close the attack vectors. They will be back, the defenders just have to be persistent. If a psychological profile was to be considered covering these attackers, it would fall in line with the abnormal psychology of offline criminals (Campbell & Kennedy, 2010). Money as a motivator drives the attacker to get more money.

---

Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Lewis, H. R. (February 23, 1997). What is Harvard’s mission statement? Harvard University. Retrieved from: http://www.harvard.edu/faqs/mission-statement/

Stephens, J. M., & Wangaard, D. B., (nd). Teaching for integrity: Steps to prevent cheating in your classroom. The School for Ethical Education. Retrieved from: http://www.ethicsed.org/programs/integrity-works/pdf/teachingforintegrity.pdf

Selling their skills

Teenage crackers known to be involved in for-profit modification of electronic grade books (McMillan, 2011). McMillan describes Tyler Coyner, a student that inflated his GPA to 4.54 while also selling grade increases to his peers. Until he was arrested, Coyner spent two semesters performing attacks on the grade records in exchange for cash. He even graduated salutatorian based on his manipulations (McMillan, 2011).

Financial gain as a cyber crime motivator is not rare, although the monetization is achieved through other means. Attackers often harvest directly monetizable data such as credit card information and online banking credentials. Another method is extortion, or protection money, where a botnet operator threatens a distributed denial of service attack unless the victim pays the extortion cost (Dittrich & Himma, 2006). Extremely rare, relative to other financial cybercrimes, is mercenary attacks, like the kind Coyner was selling (McMillan, 2011).

---

Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from: http://www.pcworld.com/article/221442/studentcharged.html

Preventing Damage by Preventing Grade System Intrusions: Case Studies

Case Study: Northwestern Lehigh School District

Catherine Venusto allegedly manipulated the grade records of both her daughter and son while they attended Northwestern Lehigh School District. In 2010, while employed as an administrative office secretary, Venusto allegedly replaced a failing grade with a medical M grade. Access to the online grade book was accomplished by masquerading with the stolen network credentials of the superintendent. After having left her employment had ended, Venusto allegedly continued to utilize the stolen credentials to modify the grade of her son in 2012. The accused modification of the son’s grade could have been prevented through periodic password expiration policies (Lupkin, 2012).

Case Study: Temple University

In a more technically savvy attack, college student Edwin Kim accessed the electronic grade book of Temple University. A keylogger was installed by Kim on administrative office’s university computer to collect the credentials of professors that used the targeted system. Later, the keylogger was removed and cleaned up by Kim who was then left in the possession of his professors account information. Kim’s modifications were caught when his professors noticed the discrepancies by his changes. Kim himself was caught because the grade system logs were used to trace his connection sessions back to his workplace and home (Gibbons, 2012).

Case Study: Palos Verdes High School

Rounding out the vulnerabilities to be addressed, Palos Verdes High School fellow victim to a three student team which targeted the physical security as their main vulnerability. The teenagers, unnamed by Altman (2012), broke into the school under cover of night to steal tests and install hardware keyloggers on their teachers machines. During subsequent break-ins, the keyloggers were collected and analyzed to extract their teachers credentials. This information was used to access the grading system and boost the intruders’ grades (Altman, 2012).

---

Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Preventing Damage by Preventing Grade System Intrusions: Introduction

Grades are important and so manipulating grades is valuable. Manual management of the recording, computing, weighting, and totaling of an individual students grades, not to mention an entire course and even an entire semester, is extremely tedious and error prone (Migliorino & Maiden, 2004). Automated grade management systems relieve educators from many of these burdens and can even provide easy access anywhere through powerful web applications (Thinkwave, 2012). Where problems arise is when the electronic grade book falls prey to unauthorized access or, worse, modification.

Being stored electronically on a network leaves the grades subject to remote manipulation. Those manipulable grades become a target to challenge hackers, to tempt cheaters, and to profit crackers. Controlling and shaping the rankings of a class of students feeds directly into the desire for power that is a commonly self-reported motivation to hackers (Campbell & Kennedy, 2010). Cheaters gain direct academic boosts by inflating their own grades, as is covered in case studies below. Grade manipulation is a marketable good, as crackers can be paid to modify the customers’ or a third parties records.

---

Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Migliorino, N. J., & Maiden, J. (2004). Educator Attitudes Toward Electronic Grading Software. Journal Of Research On Technology In Education, 36(3), 193-212.

Thinkwave. (2012). Free Online Gradebook. Retrieved from: http://www.thinkwave.com/educator.html

Preventing Damage by Preventing Grade System Intrusions: Actors

Simplistically, those who would access, without authorization, a grade management system could be labeled as hackers or crackers. These two groups, according to Dittrich and Himma (2006), are computer users who engage in unauthorized system accesses; though they are differentiated by motivation. Where hackers are driven by arguably noble or ethically neutral purposes, crackers are driven by malice or profit. Describing possible manipulators in the introduction, the author separated out a subset of crackers as cheaters. This paper will be discussing crackers as intruders driven by malice or financial profit and cheaters as driven by academic profit.

When the target is an education institution’s grading system, the pool of potential hackers, crackers, and cheaters draws primarily from stakeholders relating to the grades stored in the specific target system. (Altman, 2012; Borja, 2006; Gibbons, 2012; Lupkin, 2012) Stakeholders are not limited to the grade-holding students but also can include relatives or contracted third parties.

---

Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Borja, R. R. (2006). Cyber-Security Concerns Mount as Student Hacking Hits Schools: Districts Straining to Safeguard Online Networks. Education Week, 25(19), 1,.

Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Intruding because they can

Curiosity, intellectual challenge, boredom; these are factors that motivate exceptional technical minds to delve into the ethically grey area of non-malicious cyber intrusions (Dittrich & Himma, 2006). Those exceptional minds tend to fall into the category of gifted students whom schools have difficulties providing appropriate challenges (Gallagher & And, 1997). Stemming from the difficulty of challenging these students is that they, according to Gallagher and And (1997), perceive their courses to be “a crushing bore.”

Combining all three elements, brilliant minds, boredom, and a ready made challenge to puzzle out, provides an ideal situation for student hackers to target the grading system. Behind that technical wall is a collection of information pertaining to their peers, which has the ability to appeal to the bored student’s non-technical curiosity. Just like cyber convict Adrian Lamos attributing his corporate network jaunts to looking for a relief to boredom, the students may try to just look around the grade system (Dittrich & Himma, 2006).

---

Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gallagher, J., & And, O. (1997). Challenge or Boredom? Gifted Students' Views on Their Schooling. Roeper Review, 19(3), 132-36.

Just Trying to Get Ahead

Secondary and collegiate schools both have had issues with electronic grade book modifications. The above described cheaters are the intruders which target the systems for academic advancement. Grades to be modified can be their own or their rivals, but the end goal is improvement of their relative standing. Additionally, there are instances of relatives who accessed and modified recorded grades to the benefit of the student whose grades were targeted (Lupkin, 2012).

---

Cheaters motivation to modify, or to have modified, their grades stems from the importance placed on the values and the impact which they have on the participants future. Moore (2006) writes about the weight that high school grade point average (GPA) have on admissions decisions for incoming college freshmen. Thus, but inflating their GPA, cheaters are able to qualify for more desirable post-high school opportunities. Again in 2006, Moore addresses the fact that GPA admission requirements do not always go away in college, but that professional colleges often have GPA standards that must be met to enroll in junior- and senior-level courses.

---

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Moore, W. K. (2006). Advising Students about Required Grade-Point Averages. NACADA Journal, 26(2), 39-47

Preventing Damage by Preventing Grade System Intrusions: Defense

Successful defense against grade book intrusions requires identification of both the motivation of the attackers and the attack vector utilized. Addressing only the motivation results in the exploited vulnerability to still exist for future attackers, whereas addressed only the vulnerability means that the mind which worked out the known attack is just going to keep looking for other ways in.