“I got a black-cat bone,
I got a Mojo too,
I got a John-the-cockaroo,
I’m gonna mess with you.”
These are the indomitable words of Muddy Waters’ “Hoochie Coochie Man” that kept running through my head as I rebooted my computer for the fourth time. I had just been hacked – not by a professional, or even someone I would dare give the notorious title of “hacker” to, but by one of my students.
As Waters’ verse swam through my rattled brain, my stomach lurched, half in agony of not knowing the full extent of the damage to the course website or my computer, and half due to the outrage I felt that anyone would do something so unethical as hack a professor’s computer. My computer went dark and refused to reboot. Command prompts rolled across the screen telling me that no hard drive was detected. Then, as I overrode command after command, I realized my student had taken control of my browser. I could not open it for myself, but there it was in the Task Manager, running and running… I shuddered as I remembered the last SQL Injection I caught just in time on a classroom computer that very nearly took out every online course our department offered.
Out of curiosity, I decided to walk around the library one day and casually check one terminal after another. No one seemed to notice me or care. I didn’t even have to log in to get into each and every computer’s root menu. Sixteen computers. Sixteen computers in one building were compromised with keystroke loggers. Some more obvious (“What’s that funny little flash drive doing there?”), while others had both a logger and the recording/microphone software that streams every sound within earshot to a dorm room… somewhere. In case you’re wondering, keystroke logging software helps your wanna-be hacker learn passwords, credit card information, personal addresses, bank account information, health records… Now I can’t help wondering how many professors left their office doors open, even if just for one minute, to grab a coffee or use the restroom. How many computers with keystroke loggers would one find there?
As frightening as this experience was for me, the only damage done was that the young man in my class used my access to our online gradebook to insert grades for assignments he did not complete. Thank you very much, Kali Linux. He sent me a carefully worded email with a supposed “Provost Excuse” that would explain his missing assignments. Since it is my duty to uphold all Provost Excuses, I foolishly opened it. Kali took care of the rest. My computer was now a “bug” and our Blackboard webpage was his target. With his grades now snugly changed to much more comforting perfect scores, he went on into the professors-only “Files” folder and uploaded three exams to Koofers for 50 Karma points each. After all, Koofers does advertise you can “Get Your Dream Job.” That’s important, right? I mean, Rebeca (only one “c” please) from Twitter even says on the page that “By this point in my school career I owe koofers my entire life and soul and all my hopes and dreams and belongings too.”
As a professor, it’s the “soul” part that bothers me the most.
Is this student a super-genius? No. Should he take over for Rami Malek on Mr. Robot? Dear God, no! (But the student might think so.) No, this student is just your average college student. Programs like those given above make it easy for anyone to gain this type of computer and personal information. He probably spent a few minutes on Google and found this site on how to take over your computer. Or, perhaps this one on secretly installing keystroke recording software. Scared yet? Why not check out this YouTube video? Or how about this one? Here’s a fun one done by an investigative report for NBC news. Scared now? You should be.
Student hacking has been largely overlooked by universities worldwide. According to the Huffington Post’s article “Why Study? College Hackers are Changing F’s to A’s,” colleges and universities make for easy hacking targets not because of lack of funds for more sophisticated and safe IT initiatives, but rather due to an open and trusting community culture among students, faculty, staff, and administrators. As a professor working with online learning components and fully-online courses, I have become much less naïve, and so should every instructor, staff member, and administrator. According to Symantec’s Internet Security Threat Report, colleges and universities are the third most targeted industry for hacking. Universities need to be aware of the threat not only from inside the university, as my student has shown, but also from the outside, as university records contain names, addresses, phone numbers, social security numbers, and even financial information.
University campuses are also prime targets because they host records of a large, transient population – always with fresh personal, medical, and financial information. They also host numerous network and data entry points, meaning many ways to get into and out of a system relatively undetected. Even better, they house on campus a high volume of student users who do not check their credit reports, personal records, or even regularly scan their personal computers for malware. I’ll never forget the young lady with the mascara-streaked face who came into my office one morning with her $2000 MacBook. Screen cracked and keyboard full of… Cheetos? “My computer has issues!” she bellowed as she began to cry. “I can’t do homeworks [sic] anymore because it won’t let me.” After spending twenty minutes with her computer, I could see her computer was loaded with malware. Her browsers were barely usable and full of pop-ups and phishing pages asking for login information. “Your computer has some bad malware on it,” I told her, calmly, “but we can remove it.” But the student took her laptop back and refused. “I have a Mac,” she said, as she sniffled, assuredly. “Macs never get viruses.” Even if your student isn’t a hacker-in-training, students like this one may be inadvertently spreading problems even the best IT departments would scramble to fix.
So, I propose a dialogue. IT problems are not just for IT staff. Instructors and Administrators are on the front lines of defense, and need to be in communication with one another to help solve the hacking problems on university campuses.
- Ask your administrators which computers and software you will need to do your job. If they can’t answer that question, try to find an administrator that can. Be aware that many departments may be depending on adjuncts and other non-contingent faculty to use their own computers that must not only be purchased, but also maintained and fixed at the instructor’s own cost.
- Ask your administrators what kinds of safety measures are being taken. Do they run anti-virus and anti-malware programs? On which computers? How often? Can a computer record and store information such as passwords? Or do they have a program like Deep Freeze that can reboot, restore, or erase stored information on a regular basis?
- Which kinds of protection for cloud usage or servers do they use? Does the department have a dedicated server or cloud storage? How is it protected?
- Ask your students how often they check for malware and viruses. I find that casually introducing this question before class works best, as students will not take it as a threat… or a dare.
- Double check your own firewalls, malware protection, scanning programs, and cloud protection. Be sure you are running them often.
- Change your passwords often. This includes personal passwords to banking sites, health care sites, etc.
- Be wary of students sending emails with a threatening tone. I have found that threatening emails often arrive within 48 hours of a student cyber-attack.
- If you see something, say something. Help your colleagues out if they suspect attempts to threaten a computer, server, or internet program.
- Most universities have an Honor Code clause that includes tampering with computers or software as a punishable offense – make use of it!
- Let students know in the first days of class what kinds of behavior are expected when they access a computer system used by that course, and which types of behavior will not be tolerated. Don’t skimp on the details of how much of a punishable offense computer or internet tampering is on your campus.
- Listen to your faculty members’ concerns and questions. Understand the vulnerabilities that result in a cyber-attack on a University campus. Unless your faculty member is making you a matching tinfoil hat, chances are the danger they fear is very, very real.
- Direct your faculty to the proper personnel for IT requests and questions, online learning, web management, and possibly even student computer use on campus. Cyber-attacks on university campuses are more likely to occur with graver consequences when response time is delayed.
- Invite IT staff to speak with your faculty, even if briefly, at faculty meetings. This should happen at both the university and the departmental level. Each university has its own IT design and protection strategies. Let your faculty help your IT department by becoming familiar with protocol and strategies for cyber-attacks.
- Be an advocate for your faculty members who may have had a computer compromised. Help them with Honor court hearings and other necessary punitive measures. Most students attempt to hack simply because they feel they can get away with it.
- Work with your IT department to have fewer points of entry into departmental websites, course websites, and university email.
I can happily say that my university has now undertaken all of the points of this dialogue to make our computers, internet, and server safer and more efficient for everyone to use. We can keep our sense of community between faculty, staff, administrators, and students, but with a healthy dose of vigilance. I recommend that every university consider doing the same.