Student Hacks System to Alter Grades
This is an interesting story:
A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students’ grades, police said.
The University of California Santa Barbara has a custom program, eGrades, where faculty can submit and alter grades. It’s password protected, of course. But there’s a backup system, so that faculty who forget their password can reset it using their Social Security number and date of birth.
A student worked for an insurance company, and she was able to obtain SSN and DOB for two faculty members. She used that information to reset their passwords and change grades.
Police, university officials and campus computer specialists said Ramirez’s alleged illegal access to the computer grading system was not the result of a deficiency or flaw in the program.
Sounds like a flaw in the program to me. It’s even one I’ve written about: a primary security mechanism that fails to a less-secure secondary mechanism.
John Ladwig • April 1, 2005 3:00 PM
The system account password management is clearly at fault here, but it’s notable that the modification was caught as part of a normal business process, which involved sending notification back to the faculty member(s) and to the Registrar.
It’s important that the update-notification not only go back to the faculty member, because though the student accessing the faculty account may not have known about the notification (via email, perhaps? seems not-unlikely) she might have known, and thus been able to lower the chance of detection.
Since prevention isn’t foolproof, it’s nice to see that detection was in place and worked here.
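The fallback described in the post, next to one way to close it and to send the second-party notification the comment above points to. This is an added example, not code from eGrades or from the original page; the account data, addresses, function names and the 15-minute token lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed sample data; every name and value here is hypothetical.
ACCOUNTS = {"prof_a": {"ssn": "000-00-0000", "dob": "1960-01-01",
                       "email": "prof_a@example.edu"}}
REGISTRAR = "registrar@example.edu"
TOKEN_TTL = 900  # seconds a reset token stays valid

def weak_reset(user, ssn, dob):
    """Fallback as the post describes it: static identifiers authorize a reset."""
    acct = ACCOUNTS.get(user)
    return acct is not None and acct["ssn"] == ssn and acct["dob"] == dob

def _digest(token):
    return hashlib.sha256(token.encode()).digest()

class HardenedReset:
    """Reset needs a one-time token delivered out of band; SSN/DOB play no part."""
    def __init__(self):
        self.pending = {}  # user -> (token digest, expiry time)
        self.outbox = []   # (recipient, message): stand-in for mail delivery

    def request(self, user, now=None):
        now = time.time() if now is None else now
        acct = ACCOUNTS.get(user)
        if acct is None:
            return  # same silent outcome for unknown users
        token = secrets.token_urlsafe(32)
        self.pending[user] = (_digest(token), now + TOKEN_TTL)
        self.outbox.append((acct["email"], token))
        # A second party is told too, so detection does not rest on a
        # mailbox the intruder may be about to control.
        self.outbox.append((REGISTRAR, f"password reset requested for {user}"))

    def confirm(self, user, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use: any attempt, right or wrong, spends it.
        digest, expiry = self.pending.pop(user, (b"", 0.0))
        return now <= expiry and hmac.compare_digest(digest, _digest(token))
```

With the weak path, anyone holding the two identifiers passes; with the hardened path those identifiers are never consulted, and the registrar hears about the request whether or not the account owner does.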