From: InfoSec News (alertsinfosecnews.org)
Date: Tue Nov 06 2007 - 05:04:36 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045585

By Gregg Keizer
November 05, 2007
Computerworld

Two former Fresno State students were charged last week by a federal
grand jury with hacking into the university's computer network as part
of a grade-changing scheme.

John Escalera, 29, of Fresno, Calif., and Gustavo Razo Jr., 28, of
Pasadena, Calif., were charged with multiple counts of conspiracy, wire
fraud, identity theft and unauthorized computer access, according to an
indictment unsealed last Wednesday. The men face up to 20 years in
prison and fines of up to $250,000 if convicted.

According to the indictment, Escalera worked at Fresno State's computer
help desk and used his access to a PeopleSoft management system program
to hack the password of a supervisor, then used that to obtain full
administrative privileges. Armed with root rights, Escalera was able to
access the usernames and passwords of several people authorized to
change student grades, including the school's registrar and its academic
records coordinator.

"Using this access, the defendant made grade changes from lower grades
to higher grades for himself and later for his friend, Gustavo Razo
Jr.," the indictment said. Several changes were made to both men's
grades in the first half of 2004, but the discrepancies were not noticed
until a routine audit uncovered them in January 2005.

Both Escalera and Razo pleaded not guilty last week, and were released
pending a hearing Nov. 16.

In a memo that went out to all Fresno State faculty and staff last
Thursday, the university's provost spelled out changes that had been
made to prevent a repeat. Among them, said Jeri Echeverria, provost and
vice president for academic affairs, included upgrading overall system
security and creating an automated e-mail notification system that pings
faculty when a grade change is posted to one of their students'
transcripts.

"I would like to assure you that accurate maintenance of grade records
is of utmost importance to all members of the university," said
Echeverria in the Nov. 1 memo. "Proper measures have been taken to both
rectify the situation and deal with the offenders."

Echeverria's memo indicated that Escalera and Razo were not the only
students or ex-students involved in grade changes during the first six
months of 2005. "A small number of students were found to have made
unauthorized changes to their own grades and the grades of a few other
students," Echeverria said. "Because some of the participants were found
to have engaged in potential criminal violations, the discovery was
referred to the Federal Bureau of Investigation and subsequently to the
United States Attorney's Office for prosecution."

When asked today about the extent of the grade changing, university
spokeswoman Shirley Armbruster declined to comment.

__________________________________________________________________
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]