A recent hack of University of Kansas professors’ personal information has faculty worried that an easily accessible hacking tool could have students tampering with private data on campuses everywhere.
The KU hacker was an engineering student who used a keystroke logger to pry into professors’ computers and change all his failing grades to A’s.
“He may never even have gotten caught, but he got greedy,” said Ron Barrett-Gonzalez, a engineering professor at KU. “It does look a little suspicious when you are on academic probation and the dean’s honor roll at the same time.”
A keystroke logger, which can be either a piece of software or a device, logs every key a person presses on a computer keyboard. The logger can capture personal messages, passwords, credit card numbers, Social Security numbers — anything the user types.
University administrators learned about the hack during the 2016-2017 academic year and expelled the student, but they didn’t tell KU faculty about the intrusion. Faculty learned about the incident last week when the dean of the School of Engineering brought it up during a meeting.
“We needed to know about this as quickly as possible so that we could take steps against this,” said Barrett-Gonzalez. “I’m horrified that KU didn’t get the word out to all the faculty and graduate teaching assistants.”
KU officials did not immediately respond to a request for comment.
Barrett-Gonzalez, who chairs the KU chapter of the American Association of University Professors, said he sees the keystroke logger as a potential problem “for every instructor at every college and every teacher in every high school in the country. We have to get the word out to educators everywhere about this.”
It’s not just about grade changing, Barrett-Gonzalez said. Once hackers have an instructor’s login and password, they have access to the human resource website and even a faculty member’s payroll and bank account information.
“A person could change the routing number on payroll direct deposit and have a faculty member’s payroll dumped into a different account,” he said.
What the student did “transcends student conduct violation and goes into criminal,” Barrett-Gonzalez said. He said faculty want to see the student prosecuted for his behavior. “This was a security breach.”
Keystroke loggers are out there and “in high demand,” Barrett-Gonzalez said. For under a hundred bucks, the devices, about the size of a thumb drive, can be purchased online. It can be connected to a computer in an inconspicuous manner, sometimes attached to a cable.
“You wouldn’t even know it was there unless you were looking for it,” Barrett-Gonzalez said.
At most colleges and universities, a school computer is at the podium in most every classroom. A professor or instructor comes into the room and logs into the computer to begin the lecture.
Barrett-Gonzalez said he wanted to see instructors and teachers warned. “Check the keyboard, the cable on the computer before you log on; change your passwords frequently, and monitor grades and bank accounts for any irregularities,” Barrett-Gonzalez said.
“If anything looks suspicious, don’t log in.”