What a teen grade hacker’s confession can teach us

It’s hard to know whether to laugh or cry at a new column that Motherboard’s Vice started earlier this month.

It’s called Scam Academy. Pull up a chair, students: Scam Academy is where you come to read about “schemes and cheats from within the high schools and colleges of America.” The authors are not Vice journalists. No, the authors are the ones who’ve cheated and accepted Vice’s invitation to share how they did it and why.

Presuming that these stories are true confessionals and not just made up for the lulz, the most recent column could have been titled “I made money hacking my teacher’s computer to change grades. It wasn’t particularly legal, but it was fun.”

Actually, forget about laughing or crying. Instead, if you’re anybody who works in education, be it teaching or in school IT administration, you need to grab a notepad and jot down what this anonymous kid had to say, because he or she described security holes big enough to drive a school bus through.

Can’t log in? No problemo!

It all started in freshman year of high school, the grade-hacker reminisced, when they got handed an administrator’s credentials to log in.

When I couldn’t log on to my computer during class my freshman year of high school, my teacher came over and gave me the administrator login and password. I thought, Maybe we could use that somewhere else. I started looking and found out that it worked across every computer on the network.

Lesson learned: don’t share your password. Everyone should have their own account and set their own password.

Smile, you’re on school security cam

Next year, the hacker-in-training met a new friend who knew a good amount of coding. The two found the IP addresses of the school security cameras and figured out how to move them around by using a program called NetVu Observer.

It wasn’t necessarily the most legal thing, but something to do that was sort of fun.

Fun, and an excellent way for hackers to spy on a teacher’s movements.

We were still trying to figure out how to get a username and password for the network. So my friend and I positioned the cameras toward one classroom where the teacher was known to walk in and out of the room constantly. We used the cameras to see when she left before the end of school, and we caught the door before she left. She hadn’t logged off, and we got access.

Lesson learned: Always log out when you leave your computer! Failing to log off at the end of the day is the digital equivalent of leaving the door wide open for intruders, as is leaving your webcam unsecured (or behind a default password). We’ve written up numerous stories about hackers who use the Shodan search engine to find unsecured webcams, and about the dangers of shoulder surfing.

And, while we’re on the subject of doors, leaving the door wide open for intruders is, literally, leaving your door wide open for intruders. An unlocked door can give bad actors free access to what should be physically secured areas.

Access gained, keylogger installed

Once the hackers had access to the teacher’s computer, they plugged in a keylogger that would email them a copy of whatever she typed every half hour. That’s how they got her username and password. After that, getting access to grades was a done deal:

Since we had access to her credentials, we had access to the grade book. Now we could change the grades.

Lesson learned: keyloggers suck – use antivirus.

Keyloggers, which come in either hardware or software form, are notoriously hard to detect unless the (innocent-looking, if visible at all) hardware versions are spotted. That makes them a common tool for everything from snooping on spouses to bank heists to multiple instances of kids doing exactly what this kid said they did: hacking their grades and/or getting their hands on exams and test questions in advance.

In April, we heard about a US senator’s fired sysadmin who snuck back into his workplace and installed keyloggers so he could rip off his former colleagues’ logins. Then, he used the ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information … and to steal the employees’ credit card information and taxpayer IDs; the personally identifying information (PII) of hundreds of other people; and tens of thousands of emails and internal documents belonging to the senator’s office.

These keyloggers are literally child’s play to plug in. They’re cheap, they’re easy, and they’re often undetected at the typical targets – schools, universities, libraries – that all too often have paltry budgets for equipment, software and skilled administrators.

How do you protect against keyloggers? As far as the software versions are concerned, use reputable antivirus software to keep them out. But as far as the hardware versions go, there’s no way for an operating system to detect such devices, which are plugged inline between a computer and a keyboard. Some of them are visible if you look at your USB or PS/2 port, though…

…Ever worked somewhere where the policy is to regularly check for keyloggers? Not me!

Anyway, back to the hacker cadet.

Subtle tweaks

S/he goes on to outline the logic behind how much to increase their friends’ (and what would become their clients’) grades.

We would just boost each grade by five points at the most because we didn’t want the teacher to know. If someone gets a zero and we change it to a 100, that’s pretty obvious.

The hackers were generally subtle in their grade boosts, and they were likewise modest in the cost they charged their fellow students, as in, $20. They made between $500 and $600 the first year. The columnist said the hackers “didn’t want to rip people off.”

In a less honor-amongst-thieves vein, a swelling bank account would draw attention, the hacker said:

Both of my parents could see my bank account at the time, so I didn’t want them to question where a ton of money was coming from.

Kids these days

Perhaps the biggest takeaway from this hacker’s training manual is that people are generally oblivious to what some kids can do, the hacker said:

IT administrators really underestimate what students can actually do.

In fact, the hacker’s coding-adept buddy found, through scanning the network’s computers, that all the schools in the district were on the same network, and that an IT admin from a different school was using a default admin account “to do all his work.” That admin was also running a program that pushed updates “to every single computer across the entire network,” which granted the marauding students access to “everything.”

That admin even had a program running the HVAC system.

Yes, poor security hygiene meant that hacking students could have controlled the temperatures in all the schools.

We were pretty happy with what we found, I’m not gonna lie.

And rest assured the kids at the school aren’t the only ones looking to profit from the alleged security holes. If they could find their way in and around the school network, what are the chances that somebody from outside the school could, too?
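For school IT staff, both the shared administrator login from the first lesson and the default admin account used district-wide show up in logon records as one privileged credential appearing on many machines. The sketch below is an added example, not part of the original column: it audits a constructed log for that pattern, and the log format, hostnames, account names and admin-workstation list are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample logon records (time,host,account,logon_type); not from the article.
SAMPLE_LOG = """\
2018-09-03T08:05:40,HS1-LAB-014,administrator,interactive
2018-09-03T08:41:02,HS1-LAB-022,administrator,interactive
2018-09-03T09:15:27,HS1-IT-001,it.admin1,interactive
2018-09-03T10:03:55,HS2-OFFICE-003,administrator,interactive
2018-09-03T10:04:10,MS1-HVAC-001,administrator,network
2018-09-03T11:20:00,HS1-LAB-030,mlee,interactive
"""

# Assumptions: the privileged accounts, default names, and hosts admins may log on to.
PRIVILEGED = {"administrator", "it.admin1"}
DEFAULT_NAMES = {"administrator", "admin", "root"}
ADMIN_WORKSTATIONS = {"HS1-IT-001"}
FIELDS = ["time", "host", "account", "logon_type"]

def parse_log(text):
    """Parse CSV logon records into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def audit_privileged_logons(events, max_hosts=1):
    """Return {account: [reasons]} for privileged accounts used unsafely."""
    hosts, sites, stray = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        acct = e["account"].lower()
        if acct in PRIVILEGED:
            hosts[acct].add(e["host"])
            sites[acct].add(e["host"].split("-")[0])  # site prefix, e.g. HS1
            if e["logon_type"] == "interactive" and e["host"] not in ADMIN_WORKSTATIONS:
                stray[acct].add(e["host"])
    findings = {}
    for acct in hosts:
        reasons = []
        if acct in DEFAULT_NAMES:
            reasons.append("default account name in use")
        if len(hosts[acct]) > max_hosts:
            reasons.append(f"same credential on {len(hosts[acct])} hosts")
        if len(sites[acct]) > 1:
            reasons.append(f"used across {len(sites[acct])} sites")
        if stray[acct]:
            reasons.append(f"interactive logon on non-admin hosts: {sorted(stray[acct])}")
        if reasons:
            findings[acct] = reasons
    return findings
```

On the sample data only the shared "administrator" account is flagged; the named admin account that stays on its own IT workstation and the ordinary student logon produce no findings.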