
Not that bright
They got caught
Three high school juniors have been arrested after they devised a sophisticated hacking scheme to up their grades and make money selling quiz answers to their classmates. The students are accused of breaking into the janitor’s office of California's Palos Verdes High School and making a copy of the master key, giving them …
Indeed. It was a brilliant plan right up to the point where they told everyone in the school that they'd done it and that unless these other students gave them cash (to buy a set of answers) they'd get worse grades than their classmates.
The surprise here is that it took them so long to find a classmate who realised that the cheap way out of this dilemma was to shop the idiots. How many people paid up?
Specifically the time we stole a history exam from the teacher's bag while he was standing next to it. Photocopied it all and stressed (especially to the more moronic ones) to not answer much more correctly than normal --- that way, it frees up their time, takes away their stress and makes them some more marks than expected.
But oh no. One of them actually took the photocopied original into the exam room and made up his almost-correct paraphrasing there, sitting in his unfeasibly large heap of papers (two sets of questions, plus copied plus handwritten answers).
But that was not in the UK, with teacher-set instead of central examination --- in the UK that sort of thing only happens by paying the boss of the Edexcel exam board who also runs a private business coaching for edexcel exam taking.
OK kids, hacking 101: planting hardware is for when you have physical backup (and I don't mean TimeCapsule; I mean jocks in skymasks with assault rifles).
What is wrong with a simple keylogging trojan reporting to, say, Usenet -or twitter, to be modern, introduced together with a "kim K nude" screensaver to make sure evidence will be wiped before LE is called? Hardware is the ultimate evidence. That means BAD, in case you wondered. Do not use it. Not feeling so bright now, heh?
With software you need administrative access on the systems in question, which I am sure they did not have. Second, you actually get in less trouble with hardware than you do with software (HW keyloggers are not illegal to own, where a piece of malware is). Third, hardware is much harder to detect, yes you have an object on the back of the system, but many of the HW keyloggers I have seen are pretty small and some look just like those PS/2 to USB adapters, so they would assume it belongs there even if they were looking right at it; whereas a software keylogger can be detected in mere seconds by the antivirus software.
School I worked at once 98% of the teachers had 12345 as their password till we forced them to change then they went 123456.... the principal had the never to be guessed 54321.... that account also had full access to the board's network...
Me and my boss quit due to the security nightmare that place was cause no one would listen to us... Our higher up even made us make the admin password abc123, on the server, and routers cause the ones we originally had (it was a randomly generated password) were too hard to type in (I kid you not that was the reasoning)
They may have had enforced password changes. In this situation, enforced password changes don't make a difference as they had key loggers attached and could just take the new password once changed.
Once the key loggers were removed, then it's a good time to change your already compromised password. Which is what they were advising.
I work for a school district so I feel fairly safe in answering this. Of the many times one or another of us in the IT department has suggested some sort of password policy we have had success exactly once. That one time the only effect was to enforce a six character minimum.
I kid you not: we have everything from 123456 to the user's first name as passwords here and they never expire. The only time anyone's ever been forced to change a password (to my knowledge) has been when they were foolish enough to give me their password, and I had to defend that the first time I checked the 'force user to change password' box. Fortunately my boss had the sense to go along with my refusal to know anyone's password but my own. The complaining party had suggested that I just forget it.
Government departments and corporate boardrooms [especially in the UK] are filled with more than their fair share of people who can barely tell the time of day, yet sport impressive qualifications from prestigious schools and universities.
Stealing is wrong. If these kids were thick but wanted better grades, they should have paid for them, like our leaders had to do.
It wouldn't have worked in the UK. Teachers can't be bothered to put their grades in until the final deadline dates so any grades that were in early would be instantly suspicious. Plus the MIS would fall over if too many grades were put in. And the USB ports are all falling to bits due to chewing gum so even the students wouldn't have been able to use the USB ports.
They would have given up long before and simply bribed the teachers with fags and booze.
"terrorists" use military grade explosives to destroy school records, presumably because they hate our school records? Government announces that going forward school records will be kept by the police but don't worry it's not a police state it's just to protect you.
I still remember our CS teacher's password for the entire network - "rem". Didn't require any super-sleuthing techniques, just watched him pigeon-type the password in one day. Never figured out if it was a throw-back to the BASIC comment command, or a fan of Michael Stipe et al... I suspect the latter.
I'm hoping he's changed it if he hasn't retired already..
Always had the best access, in my day I simply asked them to open the door. As if I was allowed to go where I was. I didn't cheat grades. I just wanted to play games, so I needed to own the network.
If you have physical access....
Oooo Weird.... 25 years on and I repair PCs. Given physical access, I can still make them do anything, (have yet to run up against bitlocker)
First thing I did when I started rolling out W7 - bitlocker. AD password complexity still doesn't stop a teacher with Qwertyuiop1. Add "password history" and I shit you not they will change the password X times only to change it back to Qwertyuiop1 again. And teachers wonder why I have to add them to an "allowed OWA" firewall group/remote access/webdav etc.
Get decent passwords and I'll let you use the system remotely.
Only a few years ago this would be deemed one of the best qualifications to get into the security industry. Though personally why they recruit people who got caught is beyond me. Maybe next time somebody will get replica keyboards, add the keylogger inside the keyboard with remote bluetooth control to get the ill-gotten typings and ship the keyboards to the school as replacements under health and safety waffle and be safer :).
That all said, there are a lot of people in schools who could have executed such a plan of theirs, indeed making your own master key from scratch in metalwork classes would have been more the standard. It gets down to mentality. Anybody can say hand over the cash in a bank, remarkably few people try it, go figure.
in Juvenile Hall.
I went to a private high school in the '50s. Everyone had to take the Stanford-Binet IQ test to get admitted. In my sophomore year a colleague stole the list of the IQs for everyone in our class. How happy we 15 year olds were to have that information!
Any fool can turn a 'B' into an 'A'. But to be able to look at the class athlete or stud and think: "heh, heh, only 108."
In the middle of the 20th century, we had very simple desires. Oh, and no one tried to change his IQ score.
LOL. I like how the author uses the word sophisticated when all the kids were script kiddies. Only having to download a keylogger, buy a decent crypter to remain undetected by antiviruses and gain access to the teachers' computers. Use usb spread if os is vista or xp or simply execute the file if windows 7. Then receive reports via either ftp or email. They are so stupid they didn't even choose the melt option or hide process via rootkit or attributes. I managed to hack 30+ accounts when I was 11 including hotmail twitter etc by making my own video.... Do I think they are smart? Of course not.
Like "separate the men from the boys?" To tell us that some people in a group can do something difficult (commit crimes and not get caught) and some people cannot.
That our very own manly masterminds like AC are separated from the legions of incompetent high school bat boys in the league of Ali Baba and the Forty Thieves.
cool story bro.
Must have been one helluva badly run network to A) allow FTP B) let staff/pupils have install rights C) let their mailserver act as an internal open relay, D) allow access to hotmail and twitter on a school network, E) not have central mandatory profiles to stop people injecting startups or other oddities.
Bread and butter things in schools really. Expect the kids to try and break the system, even down to learning Japanese to beat the filters and screen readers....
Did the grass get a thorough beating?
I was suspended from school for shoulder-surfing the teacher's password.
It was 'clowne' from the fictitious Clowne Industries used in the training literature for our BBC B micros.
Our Computer Studies teacher, was, shall we say, blessed with some enormous norks, so I did what any self-respecting geek would in that situation, send a network message to all the screens in the computer room 'Miss Low is a top heavy fraction'
Some punk-ass little kid from the second year grassed me up. I got suspended for the rest of my school career because, apparently, I corrupted the platter-based storage system!
<remembers fondly trying to un-crease my 5 1/4 floppy>
Bring on the Raspberry Pi
Reminds me of when USB 1.0 came out, shortly followed by the first scare stories of USB hardware exploits and keyloggers. The government agency I was working at had just gone through a consulting exercise around centralised printing, with only the senior managers' PAs getting personal USB printers to replace their old serial-port ones. They'd just about got all the PAs' new printers in when we heard they were going to disable all the USB ports on all desktops! One of the unwanted USB printers promptly found its way to my home office.....
.. "When - not if - the students hack this system, I hope you're very lucky and they only alter their grades. They can do a LOT more damage if they start circulating sensitive personal information."
The response was to tell me my services were no longer needed. 6 months later the inevitable happened and having shown their insurers proof of the warning their public liability cover was voided.
$2 million in payouts later, that school has a half decent security system which DOESN'T have staff and student machines on the same physical network.
No, forcing people to change their passwords every n days is a bad idea. You either have to use a fairly weak password or write it down, otherwise you'll never remember. Stick to one strong password and don't change it unless it's compromised. Also the more rules you put on what can be in a password - e.g. dictionary words - the easier you make it to hack the password (because rules exclude whole rafts of possibilities).
My hearty congratulations to anyone who hasn't tried to gain a competitive edge over their classmates through subterfuge. My personal experience was this: When I was studying 3 languages at GCSE level you could take an extended written examination or choose coursework which involved recalling from memory (under exam conditions) two A4 pages of text you had written yourself a week before. You were allowed dictionaries and could use anything printed inside them. So I would type up my essay and reduce it to a tiny font then flip the image and change the settings on the printer so the ink was quite wet. I could then carefully "print" this onto a blank page in the dictionary. I was careful to make a couple of deliberate mistakes when copying out so as not to be rumbled. This assured me 25% of my grade at A standard in these 3 subjects. What did I do with the time I should have been committing this to memory? I was studying for the other 9 GCSEs I had to pass. I'm talking Maths, Science, English and the like not Drama and Art.
Bottom line is there is so much pressure on kids to do well that this sort of thing is bound to become commonplace. I ended up with 11 A* and 1 A. I'm no idiot by any stretch of the imagination and everything else I got honestly, but my other grades would've suffered had I not exploited a loophole. When you’re pitted against a kid with photographic memory who only has to read the relevant info several times 2 hours before the exam and then regurgitate it, you appreciate how unfair life can be. A simple fluke of in built ability can affect your chances of doing well in exams. He wasn’t the brightest kid but could reproduce a piece of text he’d seen verbatim.
Sometimes you feel the need to even the odds in your favour. I'm not saying I condone what these kids did, but I understand. Yes, if they’d been smarter (and less greedy) they would’ve kept this to themselves and given themselves a chance at an excellent college. I suppose that’s filthy capitalists for you, they couldn’t see the long term investment and bigger payoff down the road.
1) They would not have done it at all, agreed. And this is the MOST important point!
2) They would have written their own software key-logger vs. a hardware one to make it harder to detect and hopefully harder to trace back to them. (kids and credit cards these days, way too lazy!)
3) They would have retrieved the hardware devices after they had captured the needed passwords to avoid detection. (Granted there is a risk of detection on re-entry but it appears these guys were rather proficient at infiltration of the school...)
4) And this is the big one.... they should have never tried to profit and never told anyone, ever!!!
Like most criminals it's the greed that gets them every time! But will they learn their lesson?
Now that they are expelled they have plenty of time to learn how to use metasploit and SET to do it from the outside (Just what we all need...).
School or not, security needs to be baked in to everything you do these days, and expulsion alone is not harsh enough to prevent the students from continuing down a rather dark and dangerous path.... let's hope their parents straighten them out before the courts have to!
The school system failed to keep smart kids occupied & challenged. Classes are taught to the speed of the slowest student. These kids needed a challenge and they found one. Their teachers should be punished for not keeping the smart students intellectually engaged.
Now about the endpoint security technology which failed to detect a keylogger..... Probably should punish the IT department too.
They apparently used hardware based keyloggers, which are virtually impossible to detect by software as they plug inline with the keyboard cable out of the back of the PC. More of a physical security issue. Besides almost every company I hear about being hacked all act dumbfounded at the breaches because they all had "AV and Firewalls". The biggest threats are from within, and AV can only stop what it knows about; if it's something new or just newly encrypted in low volumes it's not a priority and often times will slip right through most AV...
I don't think this was a case of a lack of being stimulated or engaged here, they used COTS hardware, a copied key from the janitor, it was fairly low tech breach overall. This is simply a case of B&E, academic fraud, and being greedy.