Grand jury indicts ex-Fresno State students in grades-for-cash hack

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045585

By Gregg Keizer
November 05, 2007
Computerworld

Two former Fresno State students were charged last week by a federal 
grand jury with hacking into the university's computer network as part 
of a grade-changing scheme.

John Escalera, 29, of Fresno, Calif., and Gustavo Razo Jr., 28, of 
Pasadena, Calif., were charged with multiple counts of conspiracy, wire 
fraud, identity theft and unauthorized computer access, according to an 
indictment unsealed last Wednesday. The men face up to 20 years in 
prison and fines of up to $250,000 if convicted.

According to the indictment, Escalera worked at Fresno State's computer 
help desk and used his access to a PeopleSoft management system program 
to hack the password of a supervisor, then used that to obtain full 
administrative privileges. Armed with root rights, Escalera was able to 
access the usernames and passwords of several people authorized to 
change student grades, including the school's registrar and its academic 
records coordinator.

"Using this access, the defendant made grade changes from lower grades 
to higher grades for himself and later for his friend, Gustavo Razo 
Jr.," the indictment said. Several changes were made to both men's 
grades in the first half of 2004, but the discrepancies were not noticed 
until a routine audit uncovered them in January 2005.

Both Escalera and Razo pleaded not guilty last week, and were released 
pending a hearing Nov. 16.

In a memo that went out to all Fresno State faculty and staff last 
Thursday, the university's provost spelled out changes that had been 
made to prevent a repeat. Among them, said Jeri Echeverria, provost and 
vice president for academic affairs, included upgrading overall system 
security and creating an automated e-mail notification system that pings 
faculty when a grade change is posted to one of their students' 
transcripts.

"I would like to assure you that accurate maintenance of grade records 
is of utmost importance to all members of the university," said 
Echeverria in the Nov. 1 memo. "Proper measures have been taken to both 
rectify the situation and deal with the offenders."

Echeverria's memo indicated that Escalera and Razo were not the only 
students or ex-students involved in grade changes during the first six 
months of 2005. "A small number of students were found to have made 
unauthorized changes to their own grades and the grades of a few other 
students," Echeverria said. "Because some of the participants were found 
to have engaged in potential criminal violations, the discovery was 
referred to the Federal Bureau of Investigation and subsequently to the 
United States Attorney's Office for prosecution."

When asked today about the extent of the grade changing, university 
spokeswoman Shirley Armbruster declined to comment.


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com