Sophos Cloud Optix
A former student of Purdue University in Indiana has been sentenced to 90 days in jail for his part in hacking into college computer systems and changing grades.
Roy C. Sun is one of three former Purdue students thought to have been involved in the incident, which occurred between 2008 and 2010 when they were students at the university. The incident came to light in June 2013 after initial arrests were made.
The three men are thought to have broken into staff offices and attached keyloggers to computers operated by class professors, possibly by replacing the keyboards with doctored versions.
They then harvested login information, which they used to access university computer systems and alter their grades.
Electrical engineering student Sun is thought to have adjusted grades he received between December 2008 and May 2010, changing eight “F” grades and a “D” into straight As.
He left Purdue in 2010, spending a brief time as a graduate student at Boston University. Police investigating the case found keylogging kit and lockpicks in Sun’s home.
One of the two others involved, nuclear engineering major Sujay Sharma, was arrested at the same time as Sun and pleaded guilty in December to “Conspiracy to Commit Computer Tampering”, a class D felony under Indiana law as long as no terrorism is involved.
Sharma was sentenced earlier this week to 18 months’ probation and 200 hours of community service.
His lighter sentence reflects slightly lesser crimes, with only one of his grades changed, although he may also have acted as a lookout while the others were accessing systems illegally. Sharma’s plea included giving testimony against his fellow conspirators.
The third man, Mitsutoshi Shirasaki, traveled to Japan shortly after the incident came to light and has yet to be formally arrested or tried, but is believed to have changed 24 of his grades using the stolen login information.
He is also reported to have changed one of the grades of a girlfriend, from an “A” to an “A+”.
The changes apparently came to light in January 2013 (late 2012 in some reports) when one of the professors involved complained to IT staff that his login passwords and security questions had been changed, and subsequent investigations revealed the tweaks to grades.
The entire story is very similar to a recent case in California, which also involved the use of keyloggers to change grades, although in that case the perpetrators were considerably younger and their punishment distinctly lighter, mainly consisting of exclusion from a local school district.
Sun’s 90-day jail term is accompanied by 100 hours of community service.
The fairly strong sentence handed down makes clear the seriousness of Sun’s offences, as an adult at a university rather than a minor still at school.
Both universities and schools deal with large numbers of students each year. But it seems like we’re in danger of putting too much trust in computer data to replace personal knowledge and relationships, and computer data has a tendency to find itself open to unwarranted alteration, removal and of course leakage.
Humans are also vulnerable to tricks and scams of course, but in different ways from computers, so a combination of the two, overlapping to make up for each others’ deficiencies, seems the best course.
Even if we could ensure their safety from hackers and other miscreants, relying solely on computers as our source of all wisdom and decision-making would surely be a big mistake.
A secured audit trail might have helped detect the suspicious activity in real time, and would certainly have shown exactly what had been modified after the fact.
Typically there are audit trails in place. The timing must had to be just right. At least at my University, CU, grades changed after the fact are flagged. The absolute one thing that I am always concerned about is physical keyloggers. They are undetectable unless you physically look at the cable. Most professors don’t know this however.
In my networking class at a University in Florida in the early 2000s, our professor told us if we could figure out a way to break into the system and change our grade for the class, that he would allow it.
You’ll probably find things a little less cavalier at your alma mater these days 🙂
And your Professor didn’t IMO behave professionally. I can understand his attitude – probably seemed like harmless fun back then – but I don’t think teachers should openly condone and even implicitly encourage criminal behaviour as a means to academic success. Anyway, networking isn’t only about security, and security isn’t merely about finding a way to break in.
Passing a networking course by hacking the server and editing your marks is about as intellectually (and morally) relevant to your networking skills as passing, say, an art class by stealing someone else’s work and submitting it as your own.
The grades that were changed, should they have prevented the engineering student and others from passing on to graduation, should be changed back and the degree revoked. Now we have engineers in the field that are not only incompetent, but willing to cut corners and deceive. I really wish the would of stated if the degree would be pulled, this is grave concern, if the University can’t stand behind them to be competent, then pull the degree.
They did revoke the degree, according to the local newspaper.
I graduated from Purdue with an engineering degree. Grades are not necessarily a true test of competency, let me tell you.
And that’s why you’re now a ‘Pastor’ ?
I’m pretty sure this could have been avoided if there were a university wide two-factor authentication system in place. In fact, if they were using Toopher which is what I use with my LastPass account, it would’ve sent a notification to the app on professor’s smart phone and they’d be able to tell exactly what IP address is trying to log on immediately. I know this occurred several years ago and a lot of authentication software wasn’t around yet, but it might be something for universities to consider now. I agree though, that their degrees should be revoked. What ever happened to the guy in Japan?
Doubtful they will worry about extradited a minor criminal to give him community service.
I wonder if the security practices of the university included requiring passwords every 90 days. Such a requirement would have required that the hackers re-attach to the keylogger 4 times a year, which might have resulted in being caught earlier.