Timothy Lai, a private tutor who used keyloggers to break into computer systems at a school in Orange County, California, and adjust the grades of several students, has been sentenced to spend 12 months in jail followed by five years on probation.
The case first came to light in February 2014, when a group of 11 students at the Corona Del Mar High School in the Newport Beach area were expelled from school following accusations of improper alterations to their grades.
Lai was quickly linked to the case, but had fled the country and wasn’t caught until he returned to the US from South Korea in October 2014.
Initially he had faced five felony counts, one of burglary and four of computer access fraud, with a potential sentence of just over five years in prison. As the case developed a further 16 computer access counts were added to the indictment, bringing the maximum available sentence to over 16 years.
The burglary count referred to Lai’s breaking into school buildings to plant hardware keyloggers on teachers’ machines – at least three were compromised in this way.
With the keyloggers in place, Lai was then able to pick up teacher passwords as they were entered and used them to gain access to the grade systems and make adjustments to selected grades.
Having evaded capture for several months, Lai initially pleaded not guilty to the charges levelled against him, but later accepted responsibility for his crimes in return for a lenient sentence.
At least one attorney on the prosecution side stood up against the plea deal, arguing for three years remand. Lai’s own lawyers claimed that his guilty plea was in part due to reluctance to inflict the stresses of a trial on school workers and students.
The high school’s principal described the ordeal as “devastating” for the students, staff and local community.
As with anything of value stored and managed digitally, there is always a temptation, and often a way, for unscrupulous people to alter the data in their favour.
Often such efforts are fairly obvious, particularly when a single student’s marks suddenly improve dramatically.
We’ve even seen a mother accused of hacking a school where she formerly worked to adjust grades given to her children.
Keylogging hardware is a popular choice for such scams, being relatively simple to operate and hard to detect. Similar methods were used by the British university student recently jailed for three months for fiddling his university exam results.
Schools, and other organisations where computers on sensitive networks can easily be accessed physically, should at least consider locking down their ports and cables, as general users are unlikely to need access to them.
Another option, which would have provided far better security in most of the incidents mentioned here, is to protect access to important accounts with something rather stronger than just passwords – two-factor authentication (2FA) would have made it much more difficult to hijack teacher accounts just by snooping on their login process.
Naked Security experts Paul Ducklin and Chester Wisniewski explain how 2FA helps you to better protect your online accounts – from social media to webmail, cloud storage and online banking – in the Techknow podcast below.