I’ve used the same headline as the Student for this bit of news, which was originally announced through a notice posted by the administration last Friday. An unidentified student was able to access email accounts of five “members of the College community”, change their grades in Blackboard, and “[break] in to the Registrar’s office” to change grades.
The original notice was probably mandated by federal privacy laws, because of the presumed access to other student records, and consequently most of the information bears on the two computer-related incidents. (The IT context of the notice makes it unclear whether the student actually gained physical access to the Registrar’s office in Converse, or merely accessed computer records—in that context, “breaking in” has both meanings—but the former is most likely.)
Using Blackboard, or any other “off-the-shelf” courseware system, involves security trade-offs for the College; it’s impossible for IT to know and mitigate all the potential routes by which a user of the system might achieve “elevated privileges,” but that risk may have been outweighed by other advantages offered by a widely-used courseware system such as Blackboard. It’s also possible that the email account compromises led to the student achieving elevated privileges in Blackboard; the notice doesn’t explain whether the email accounts belonged to students, faculty, or administrators. Email account compromises, unfortunately for security administrators, are relatively easy and may not even require significant skill on the part of the attacker—passwords might be learned by simple snooping or from a sticky-note on someone’s monitor. (A story about a College email account compromise by a student appeared in Prism magazine when I was still a student.) IT underlined this by urging students to follow their posted security best practices.
The other reason we believe the “break in” at the Registrar’s office to have been a physical break-in is the bare paragraph in the notice which indicates the (appropriate, we think) actions being taken by the College:
The student is no longer at the College. The College will pursue criminal and disciplinary actions against the student.