Cheap, easily accessible device used to hack KU computer raises questions of how university combats future hacks
While news of the Equifax hack still looms large on the national scene, University of Kansas faculty earlier this month raised concerns about a cybersecurity breach much closer to home.
The incident “was minimal and caught quickly,” KU spokeswoman Erinn Barcomb-Peterson said at the time. But Ron Barrett-Gonzalez, a professor of aerospace engineering at the school, has voiced concerns that the university isn’t doing enough to raise awareness of the inconspicuous and surprisingly accessible tool that enabled one student to hack into professors’ computers and change his failing grades to As.
“It’s egregious to me that the administration is hiding this. Those things are being sold like hotcakes on the web,” said Barrett-Gonzalez, who serves as president of the KU chapter of the American Association of University Professors.
The Journal-World multiple times last week sought a response from university officials about whether the security breach had caused the university to do any outreach to faculty, staff or students about the possible dangers of people stealing personal information — or changing grades — via the hundreds of shared public computers that exist on the KU campus.
Barcomb-Peterson declined to give other details about the security breach, and when asked, she could not point to any outreach efforts the university had made to alert faculty and staff to the issue. Barrett-Gonzalez heard of the issue earlier this month when administrators informed faculty members attending a School of Engineering Senate meeting. The hack occurred sometime this spring, although KU officials have not provided more specific details.
The Journal-World talked with several faculty members and students on campus during the past week. None recalled hearing information about the hack until it was reported by the Journal-World earlier this month. Some expressed little concern about the issue, while others said it deserves some discussion.
So, what is a keystroke logger? It is a device that easily plugs into a computer and records every keystroke that you type. If you use a public computer to log onto Facebook, the hacker would have your password to your account. Same goes for a password to a bank account, or in the case of a professor, the password to the grading system.
KU has many shared computers, with most in places like libraries and computer labs. But there are also easily accessible computers that are used by faculty and staff that are located at the front of lecture halls or classrooms.
A quick Google news search for “keystroke logger” digs up very few reports of similar incidents elsewhere around the country, but the devices themselves are inexpensive and easy to find. Run-of-the-mill keyloggers, as they’re also known, can be purchased on Amazon or eBay starting at around $20.
Dave Greenbaum, owner of the Lawrence-based IT-help company Doctor Dave — understands the keystroke loggers well. He likes to use pop culture references when explaining how hacking devices like keystroke loggers might work in the real world.
Keystroking “has been a plot point more than once” on the USA Network psychological thriller “Mr. Robot,” Greenbaum said. The show has garnered praise from tech experts like Greenbaum for its authenticity, including one storyline that sees a main character using a keystroke logger to extract her boss’ password in an effort to expose corporate corruption.
“It looks like a USB thumb drive and she just plugs it in,” Greenbaum said. ” … That can go almost completely undetected, because it’s not anything installed on the computer, software-wise.”
The device does exactly what its name implies, Greenbaum said. Whether in the form of more sophisticated software or cheap USB lookalikes plugged into computers, keystroke loggers capture every keystroke the user types on their computer keyboard.
They’re sometimes used for more legitimate purposes, such as parents monitoring kids’ online activity. But they’re also used by cybercriminals to capture passwords, credit card information, personal messages and photos, and even Social Security numbers.
Try not to let that worry you too much, though, Greenbaum said.
“I think the keystroke logger, for the average user, is not a major concern — unless they’re being targeted somehow,” he said, such as a jealous ex looking for revenge, or, in this case, a disgruntled student trying to change his failing grades.
“It’s going to capture everything that you type,” Greenbaum said of the inconspicuous device. “If you know, for example, that that person walks in and they are going to log in and get everything you need, it would take 30 seconds. More likely they’d plug it in and wait a few days to see what kind of information they get.”
There are hundreds of public computers on the KU campus where a keystroke logger could potentially remain unspotted for days or weeks, or simply be mistaken as a USB drive accidentally left behind.
It helps to know what you’re looking for, Greenbaum said. If you have exclusive control over your computer, you shouldn’t have a hard time spotting an unfamiliar device plugged in.
“Always make sure your antivirus is up to date,” Greenbaum said. “Make sure your security software is up to date. And when something unusual happens, pause and reflect on what that is.”
If you’re using a public computer, such as the ones stationed in classrooms, labs and libraries across the KU campus, exercise a little mindfulness.
“I think people should always be cautious, especially in public,” Greenbaum said. “Remember: Anything that is done in a public environment, whether it’s on a computer or mobile device or anything like that, assume you are being watched.”
Barrett-Gonzalez thinks the issue could be an emerging one for universities to consider.
“This problem is not just a problem for KU. This is a big, bad thing that will affect Ottawa and Baker and Johnson County Community College,” Barrett-Gonzalez said. ” … What I suspect is happening is that the people who are doing this are flying under the radar, and they’re of course not making themselves known.”
Two years ago, at least 45 students at a Louisiana high school were suspended as part of an investigation into another student’s efforts to hack into the school’s grading system. In response to the internal investigation, the district’s IT department reworked online security measures to more quickly detect unauthorized grade changes, according to media reports.
As for avoiding cybersecurity attacks in the future, Greenbaum suggests colleges and universities adopt two-factor authentication — an extra layer of security that requires not only usernames and passwords, but information only the user would know or have on hand — commonly used by banks and smartphone manufacturers like Apple.
Passwords by themselves are “kind of broken” as a security measure, Greenbaum added.
“We need something better. Is face ID the answer? Or thumbprints like Apple uses? Maybe,” he said. “But that will eventually get hacked.”