Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:22 PM

Former College Kid's Guilty Plea To Hacking Highlights Low-Tech DB Theft

Defendants targeted university's databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails

A former University of Central Missouri (UCM) student this week copped a guilty plea to computer hacking and fraud charges in a case that security experts believe stands as a testament to how low the barrier to entry has fallen for stealing database information and committing financial fraud.

Daniel Fowler admitted to a U.S. magistrate judge to a scheme in which he and alleged co-conspirator Joseph Camp used the SpectorPro and Poison Ivy keylogger malware kits to help infect machines across the UCM campus in 2009. Under federal statutes, Fowler is subject to a sentence of up to 15 years in federal prison without parole, plus a fine of up to $500,000 and an order of restitution. Camp is still awaiting trial.

"The defendants obtained, or attempted to obtain, access to portions of the computer network which would allow them to change grades, view and download large databases of faculty, staff, alumni and student information, and transfer money to their student accounts," read the indictment against Fowler and Camp. "The defendants additionally sought to profit from these computer intrusions."

Investigators reported that Fowler used a number of different methods to get his hands on sensitive data and accounts capable of adding cash to his student account. In some cases, he and Camp would offer to show vacation photos to fellow students using a USB drive laden with malware. They also manually installed malware on public computers in the library and computer labs. Additionally, the suspects sent email messages promising vacation photos with the malware embedded in attachments. The malware would then give them access to files on victims' computers and keystroke information to gather credentials to more sensitive systems within the university's network.

"This is a very straightforward hacking process -- there is nothing horrendously sophisticated about it," says Rob Rachwald, director of security strategy at Imperva. "It follows the standard procedure of spreading some malware, getting the credentials, and then stealing the goods. It's what happens on the black market every day. It is just a new innovation because it is a way of taking the cookie-cutter template to a different target."

While the scheme does involve the infiltration of expensive university systems, security expert Mike Murray, managing partner at MAD Security, says that Fowler hardly deserves any props as a master hacker. He says this is where common crime is trending these days as the prevalence of hacking software floods the black market.

"It's funny that this is a 'hacking' story because really it is just an opportunity story. It's not like the kid had any skills from what I can tell," Murray says. "He used an off-the-shelf rootkit and walked around with a USB key."

According to Murray, there are no endpoint protections that can ultimately solve the social engineering problems posed by criminals like Fowler. As a society, we just have to get used to this new era of computer-based crime by getting street smart about these issues.

There is hope, though: Even within this case, there are signs that some people's thinking is starting to evolve. At one point, Fowler tried to get the university president's secretary to plug in a USB device into the president's computer with the pretext that Fowler's lawyer needed the president to look at some documents on the USB stick. She was spooked and refused to do so.

"Long-term, it's not a technology issue. The technology just enables the criminal in the same way that a crowbar enables a criminal breaking into your car," Murray says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.