01:22 PM
Connect Directly

Former College Kid's Guilty Plea To Hacking Highlights Low-Tech DB Theft

Defendants targeted university's databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails

A former University of Central Missouri (UCM) student this week copped a guilty plea to computer hacking and fraud charges in a case that security experts believe stands as a testament to how low the barrier to entry has fallen for stealing database information and committing financial fraud.

Daniel Fowler admitted to a U.S. magistrate judge to a scheme in which he and alleged co-conspirator Joseph Camp used the SpectorPro and Poison Ivy keylogger malware kits to help infect machines across the UCM campus in 2009. Under federal statutes, Fowler is subject to a sentence of up to 15 years in federal prison without parole, plus a fine of up to $500,000 and an order of restitution. Camp is still awaiting trial.

"The defendants obtained, or attempted to obtain, access to portions of the computer network which would allow them to change grades, view and download large databases of faculty, staff, alumni and student information, and transfer money to their student accounts," read the indictment against Fowler and Camp. "The defendants additionally sought to profit from these computer intrusions."

Investigators reported that Fowler used a number of different methods to get his hands on sensitive data and accounts capable of adding cash to his student account. In some cases, he and Camp would offer to show vacation photos to fellow students using a USB drive laden with malware. They also manually installed malware on public computers in the library and computer labs. Additionally, the suspects sent email messages promising vacation photos with the malware embedded in attachments. The malware would then give them access to files on victims' computers and keystroke information to gather credentials to more sensitive systems within the university's network.

"This is a very straightforward hacking process -- there is nothing horrendously sophisticated about it," says Rob Rachwald, director of security strategy at Imperva. "It follows the standard procedure of spreading some malware, getting the credentials, and then stealing the goods. It's what happens on the black market every day. It is just a new innovation because it is a way of taking the cookie-cutter template to a different target."

While the scheme does involve the infiltration of expensive university systems, security expert Mike Murray, managing partner at MAD Security, says that Fowler hardly deserves any props as a master hacker. He says this is where common crime is trending these days as the prevalence of hacking software floods the black market.

"It's funny that this is a 'hacking' story because really it is just an opportunity story. It's not like the kid had any skills from what I can tell," Murray says. "He used an off-the-shelf rootkit and walked around with a USB key."

According to Murray, there are no endpoint protections that can ultimately solve the social engineering problems posed by criminals like Fowler. As a society, we just have to get used to this new era of computer-based crime by getting street smart about these issues.

There is hope, though: Even within this case, there are signs that some people's thinking is starting to evolve. At one point, Fowler tried to get the university president's secretary to plug in a USB device into the president's computer with the pretext that Fowler's lawyer needed the president to look at some documents on the USB stick. She was spooked and refused to do so.

"Long-term, it's not a technology issue. The technology just enables the criminal in the same way that a crowbar enables a criminal breaking into your car," Murray says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.