Hacking clearly not what it used to be
A student from UCSB is charged with 4
felony counts in a “Ferris Bueller’s Day Off” enactment.
Ramirez used some crude tactics to change the passwords of some
professors and then changed her grades and the grades of several
others.
A few things here bother me about using the word
hacking. She didn’t use any sophisticated means to penetrate
the eGrades system. She didn’t have the foresight to actually
mask her IP by using a proxy or anonymous WiFi. Ramirez worked
for AllState insurance and the professors were listed in her
database. With access to AllState information she was able to
flesh out the DOB and SSN. The same would have been true if she
had worked at the professors’ cell phone provider.
“Knowing what information you need in order to do the
password reset and gathering that information and then going and
submitting the grade changes — you don’t just trip and
accidentally fall into that,” Schmidt said. “That requires some
specific planning and effort to do that.”
This clearly shows malicious intent. The act was planned out and she (and
any accomplices) knew what they were doing. I imagine that she
was sitting at work and looking up random people that she knew.
I imagine this is something that is common among ALL workers who have
this type of access. One has to wonder when companies will be
held responsible for the sloppy dissemination of personal
information. When she got a hit on her professor’s information
the idea probably clicked in her mind. This seems like the most
logical scenario since she actually logged into the eGrades system
from work. Although there is a feedback system that is supposed
to catch these types of acts, I wonder just how well it would have
worked if the two had not gone so far.
“Ramirez, who could not be reached for comment after repeated phone calls
Tuesday evening, changed her grade in one class from a B to an A,
Signa said. She also altered the grades of her roommate from an F to
a B+ in one class and from a B to an A+ in another class, Signa said.
Further details about other changes Ramirez made were not available
at press time.”
Had Ramirez left the other grades alone and changed the F to a D-
(which is still passing) it might have gone unnoticed. In this type
of flagging system I would imagine that the system notices grade
changes that are greater than 1 or 2 points. So an F to a B+, which
is a 3.5 jump, should and did trigger an alarm. I am totally
speculating at this point so
please let me know if I am way off base here.
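The flagging idea speculated about above, as an added example that is not from the original post or the eGrades system: a point-jump threshold combined with a check for a recent password reset on the instructor account. The grade scale, threshold, window and log format are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed 4.0 scale; the post counts F -> B+ as 3.5, this table gives 3.3.
POINTS = {"A+": 4.0, "A": 4.0, "A-": 3.7, "B+": 3.3, "B": 3.0, "B-": 2.7,
          "C+": 2.3, "C": 2.0, "C-": 1.7, "D+": 1.3, "D": 1.0, "D-": 0.7,
          "F": 0.0}
JUMP_THRESHOLD = 1.0               # assumed: flag jumps larger than 1 point
RESET_WINDOW = timedelta(days=7)   # assumed correlation window

def review_changes(events):
    """Return (student, course, reasons) for grade changes needing review."""
    last_reset = {}  # instructor account -> time of latest password reset
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "password_reset":
            last_reset[ev["account"]] = ev["time"]
            continue
        reasons = []
        delta = POINTS[ev["new"]] - POINTS[ev["old"]]
        if delta > JUMP_THRESHOLD:
            reasons.append(f"jump of {delta:.1f} points")
        reset = last_reset.get(ev["account"])
        if reset is not None and ev["time"] - reset <= RESET_WINDOW:
            reasons.append("password reset shortly before change")
        if reasons:
            findings.append((ev["student"], ev["course"], reasons))
    return findings

# Constructed audit log: accounts, students, courses and times are made up;
# the grade pairs for prof_a and prof_b are the ones quoted in the post.
T0 = datetime(2000, 1, 1, 9, 0)
def change(hours, account, student, course, old, new):
    return {"type": "grade_change", "time": T0 + timedelta(hours=hours),
            "account": account, "student": student, "course": course,
            "old": old, "new": new}

SAMPLE = [
    {"type": "password_reset", "time": T0, "account": "prof_a"},
    change(1, "prof_a", "student_1", "COURSE-1", "B", "A"),
    {"type": "password_reset", "time": T0 + timedelta(hours=2), "account": "prof_b"},
    change(3, "prof_b", "student_2", "COURSE-2", "F", "B+"),
    change(4, "prof_b", "student_2", "COURSE-3", "B", "A+"),
    change(5, "prof_c", "student_3", "COURSE-4", "C", "B-"),  # routine fix
]

if __name__ == "__main__":
    for finding in review_changes(SAMPLE):
        print(finding)
```

On this sample only the F to B+ change trips the point threshold; the two one-point changes are flagged solely because the instructor's password had just been reset.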
More importantly, and something I alluded to earlier, is that information
workers have much more access than I think is warranted. As an
exercise go to your cell phone provider’s local presence and talk to
the folks at the counter about your account. The terminals at
their locations are capable of looking up any account, pulling up the
full details of your call history, not to mention all of your
personal details. With the companies all merging, having an
entry level job at one of these stores means you have a one in three
shot at any single person’s personal information. I have a
feeling AllState had no clue that an employee was abusing her system
access until the police came in with a warrant. This problem is
likely far more pervasive than they would like to admit.