KU faculty say student used keystroke logger to hack into university computers

The School of Engineering complex on the University of Kansas campus is pictured Friday, Feb. 17, 2017. (Photo by Sara Shepherd)

A recent cybersecurity breach has a University of Kansas faculty group concerned that the incident, if not properly dealt with, could lead to other attacks not just at KU but across higher education.

Ron Barrett-Gonzalez, a professor of aerospace engineering, said the details of the hack, carried out by an apparently disgruntled KU engineering student during the 2016-2017 academic year, were shared publicly at a School of Engineering Senate meeting last week.

The student in question had allegedly used a keystroke logger to obtain faculty members’ login information and passwords and changed his failing grades to As.

“It’s egregious to me that the administration is hiding this. Those things are being sold like hotcakes on the web,” said Barrett-Gonzalez, who serves as president of the KU chapter of the American Association of University Professors.

Keystroke loggers, which start at around $30 and are sometimes made to look like USB drives, are often used by cybercriminals to steal personal information from public computers and keyboards.

University officials, when pressed for details this week, did confirm that an IT security breach had taken place, but said the attack “was minimal and caught quickly.”

KU spokeswoman Erinn Barcomb-Peterson, the official who responded to the Journal-World’s inquiry, wrote in an email that a “disciplinary process is taking place for the person responsible.” No additional details were provided.

Barrett-Gonzalez said he and fellow faculty were told by School of Engineering leadership that the student had since been disciplined and expelled, but he worries about the greater implications of the seemingly one-off incident.

“The big concern among the faculty is that our bank accounts may be drained,” Barrett-Gonzalez said. “If you steal 15 people’s IDs, all of a sudden 20 bucks turns into 200. This is more dangerous than I think people have let on.”

He said School of Engineering administration had assured faculty that the incident was “not a big deal,” but he suspects more incidents have likely gone unreported or unpublicized at other universities.

Suzanne Shontz, an associate professor of electrical engineering and computer science at KU, also attended last week’s School of Engineering Senate meeting. She confirmed the information Barrett-Gonzalez shared about the security breach, and also said faculty was given some advice on guarding against such attacks in the future.

“It doesn’t hurt to check and make sure that you don’t see one of these keystroke loggers inserted before you log in,” Shontz said.

Shontz, who also serves as president of KU’s University Senate, said she was surprised when she learned of the security breach last week. It’s the first she’d heard of such attacks, and she hopes the university doesn’t see any “copycat cases.”

While Shontz said she’s withholding judgment on the university’s response to the incident for now, she said she also understands why administration might want to stay mum.

Telling the faculty is one thing, she said. Telling students on a wide scale, she said, could be quite another. “It’s a fine line,” Shontz said, between keeping people informed and inadvertently inspiring similar attacks.

“I think the concern is not going too far in that direction, because they don’t want to give students any ideas,” Shontz said.

The School of Engineering Senate is expected to release minutes from last week’s public meeting in about a month, Barrett-Gonzalez said. In the meantime, he said, KU’s AAUP chapter is urging administrators to seek legal punishment for the student responsible.

The group is asking all faculty members to make sure paychecks are properly deposited into their bank accounts.