Cathy Bates is featured in an Inside Higher Ed “Hacked From the Inside” where she shares her insights on software and hardware keylogging in higher education. As the pace of technology innovation continues to accelerate, there is a constant arms race on campus to protect students and faculty from new and different threats. Threats from within the campus community can be as hard to detect and defend against as the prying of hackers around the globe. This article was originally published on November 1, 2017 in Inside Higher Ed.
Hacked From the Inside
Cheap devices, known as keyloggers, are being used by students to steal professors’ passwords on campus and to change grades.
Graves is now due to appear in court, but he is certainly not the first student to be caught using a keylogger. Earlier this month it was reported (but not confirmed by the university) that the University of Kansas had expelled a student who used a similar method to change failing grades to A’s. Numerous other universities have also had high-profile keylogging incidents in recent years, including the University of Illinois at Urbana-Champaign, Purdue University and Brigham Young University.
Cathy Bates, a senior consultant at Vantage Technology Consulting Group, explained that there are two approaches to keylogging — one using software, which she classed as an “external threat,” and another using hardware, an “internal threat.” A hardware keylogger can be bought for as little as $40 and is typically placed in the USB port where the keyboard is plugged into the computer. The devices can sometimes be embedded in the keyboard itself, making them harder to spot.
As many campus computers are regularly scanned for external software, Bates said that the threat of keylogging software can be easily be detected and dealt with, but keylogging hardware might go completely unnoticed without thorough physical inspection of the computer and keyboard. Bates noted that it would be easy for students, or anyone with access to campus computers, to install keylogging hardware without attracting much attention.
Andy Weisskopf, director of security operations and chief information security officer at Binghamton University, of the State University of New York, said that it was important for institutions to think about physical attacks to devices, in addition to remote attacks. Both Weisskopf and Bates said they were not aware of any statistics on the frequency of keylogger attacks in higher education, but suggested the threat was a real concern for many institutions, particularly as students with access to grade-management systems could throw the academic integrity of the institution into disrepute.
At the University of Iowa, a number of steps have been taken in the wake of the keylogging incident. A university spokesperson said that all individuals whose accounts were known to be compromised have been required to change the password for their institutional log-in. The university also urged all faculty members, staff and students change their passwords as a precaution. A manual sweep of all computers was conducted to look for suspicious devices, and physical security was improved in classrooms with computers to prevent tampering.
Two longer-term changes are also underway at Iowa. A two-step verification process was introduced earlier this year on an opt-in basis for access to the course management system and the student records system. A new dashboard which will enable instructors to monitor any changes to grades is also in pilot.
Both Weisskopf and Bates agreed that two-step verification processes (also called multifactor authentication) are a good countermeasure to protect against passwords being stolen through keylogging. Bates said that she had seen many institutions introduce such systems recently, but often on an opt-in basis. Not everyone is a fan of the system, which often requires that you keep your mobile phone handy to receive a unique verification code, which is then entered in addition to your password. Though some see the step as a nuisance, Weisskopf noted that the process is becoming more accepted as more and more online services introduce the feature.
Ron Barrett-Gonzalez, professor of aerospace engineering at the University of Kansas and president of the KU chapter of the American Association of University Professors, said that he had not seen any such precautionary security measures taken at his institution. He said he felt frustrated by the institution’s lack of transparency over the keylogging incident, which occurred this spring but was only revealed in passing at a faculty meeting this month.
Barrett-Gonzalez noted that he and a number of colleagues were so concerned about the security of their private information that they had taken to working exclusively on their own laptops on campus. He said he was also concerned that the university’s accreditor would be asking questions about the integrity of the university’s grades, which he said could be easily compromised. “I know several faculty members who will be mentioning this to the accreditor when asked,” said Barrett-Gonzalez.
Erinn Barcomb-Peterson, director for news and media relations at the University of Kansas, said the suggestion that faculty should use laptops instead of campus computers “is without merit,” adding that she had “no reason to believe” that Barrett-Gonzalez “has either complete or direct knowledge of the incident,” which she said was isolated and caught quickly.
Nonetheless, Barrett-Gonzalez said that he would recommend that everyone think twice before using campus computers, or at least educate themselves so that they can physically check the computer for obvious signs of tampering before logging on. Looking out for physical changes to devices is a smart idea, said Weisskopf, adding that it is important for everyone to report any suspicious activity to their information security office. To build relations between faculty and IT staff, Bates suggested that faculty members invite their institution’s information security officials to their faculty meetings to discuss any security concerns.