Recently the case of a grad student expelled for hacking their university with the intent to change grades made headlines. While this is not a Canadian case, it certainly warrants a closer examination look. Here’s a summary of the public facts:
The grad student earned cumulative grade point averages of 3.9 during their masters and 3.5 during their doctorate up to the date of the alleged hack. The student’s field of study is medicine not computer science.
A librarian had a domain administrator account. Their password was shoulder surfed and used to create a highly privileged user account with access to highly secure records servers.
The school’s two-factor authentication system was bypassed by exploiting a loophole that sidestepped the second security check. This loophole has since been fixed.
Logs show the MAC address of the student’s computer was used to hack the school’s system.
The student's password was pinned to a corkboard in her room. Her computer didn’t have antivirus and was infected in several ways.
The IT department claimed with a “high degree of certainty” that it was “highly unlikely” that the grade changes were “performed by malicious software or persons without detailed and extensive hacking ability.”
Many accounts were breached as part of this elaborate scheme to alter grades but independent forensic experts were not called in to investigate.
There are several important details listed above, starting with #2. The allegation that a librarian’s account was shoulder surfed and used to gain access to secure systems is suspect. Librarians should have neither the access nor ability to do this.
Furthermore, bypassing two factor authentication either by discovering a zero day or exploiting a publicly listed CVE requires a high degree of skill. Being able to defeat a fundamental security mechanism like two factor authentication sets the bar very high and indicates the hacker is highly skilled.
The skill level needed for #5 invalidates the allegation in #6. You can change the MAC address on your computer very easily so the fact that the student’s MAC address was used is not a smoking gun .
Ultimately the most important detail is #7. No forensic experts were hired to investigate an incident where a librarian with domain administrator access allegedly created another domain administrator account that was then used to execute this hack. If true it reflects terribly on the university's network security. If false then we are missing some vital information pertaining to how the attack was perpetrated. In the absence of a proper investigation we will never know. Then there's the matter of how vulnerable security systems like the two-factor authentication loophole, librarians with domain administrator accounts, and the lack of awareness about basic password protection (both in the shoulder surfing instance and the corkboard instance), were exploited by a student with limited technical expertise. All of this evidence points to a highly skilled hacker recognizing this systemic deficiencies and perpetrating this attack.
The allegations made by the university's IT team are used as evidence of the student’s guilt despite also being evidence of her innocence.
This case is the perfect example of why independent forensics experts are needed to provide a proper analysis of attacks. The IT team dismissed this attack's complexity and likely did not engage an external investigator to avoid negative feedback about their internal investigation and lax security.