Thanks to a trained police dog sniffing out a thumb drive hidden inside a box of tissues, a high schooler in a San Francisco Bay area suburb has been accused of hacking grades: some students’ grades got bumped up, and some got elbowed down.
Local TV station KPIX reports that police in Concord – the eighth largest city in the area – say that the hack started with a phishing email.
The mail went out to teachers at Ygnacio Valley High School and linked to a website disguised to look like a Mount Diablo School District site. Concord Police Sergeant Carl Cruz told KPIX that the message prompted recipients to go to the bogus site and then…
…to log in to refresh your password or reset something.
…which one teacher did, thereby handing the hacker their login credentials,
Police aren’t releasing the name of the suspect, since he’s underage. They’re accusing him of using the teacher’s login to get into the electronic grading system and boost or lower 16 students’ grades. That includes his own grades, which he raised, police claim.
KPIX say that police traced an “electronic trail” – an IP address, one assumes – to the suspect’s house and searched it last Wednesday.
That’s where Doug the Dog and a USB drive tucked into a box of tissues comes in. The K-9 is one of the few police dogs trained to sniff out electronic devices, and “that’s what he did,” Sergeant Cruz said.
We’ve previously written about another electronics-sniffing dog named Thoreau who helped to catch an alleged paedophile by sniffing out hidden hard drives.
At the time, a good amount of readers were taken aback by that one, wondering if the search that led to the arrest of the alleged paedophile was warranted and whether it might lead to scenarios such as police dogs randomly sniffing out hard drives “hidden” in their luggage. Would that make the luggage owner a suspect, given that “it ‘could’ or ‘might’ contain child abuse materials?”
One reader pondered:
The existence of a thumbdrive or external USB hard drive hardly seems sufficient to warrant accusations of this sort.
That’s an unlikely event, fortunately. Such searches require warrants.
As the Electronic Frontier Foundation (EFF) explains in its guide to police searches of computers or electronic media, the police can’t simply enter your home to search it or any electronic device inside, like a laptop or mobile phone, without a warrant.
The Law Enforcement Cyber Center (LECC) explains that warrants to seize or search digital devices or media require probable cause that they contain, or are, contraband, evidence of a crime, fruits of crime, or a tool to commit a crime.
Search warrants also require particularity: they have to describe the particular place to be searched and the specific items that police will seize. In the case of thumb drives, that means the content of the drive must be specified in the warrant as opposed to just referring to the drive itself. The LECC refers to US guidelines on searching and seizing computers and obtaining evidence in criminal investigations, which stipulate that…
When electronic storage media are to be searched because they store information that is evidence of a crime, the items to be seized under the warrant should usually focus on the content of the relevant files rather than the physical storage media…
[One approach] is to begin with an ‘all records’ description; add limiting language stating the crime, the suspects, and relevant time period, if applicable; include explicit examples of the records to be seized; and then indicate that the records may be seized in any form, whether electronic or non-electronic.
In some jurisdictions, judges or magistrates may impose specific conditions on how the search is to be executed or require police to explain how they plan to limit the search before the warrant may be granted.
At any rate, the high schooler’s dad told police that his son wasn’t up to no good. He was just poking around in the school systems to see what he could do.
That, however, is no defense.
Curiosity in the young is generally considered a healthy trait but parents be warned: “poking around” is illegal without authorization. That, in fact, is encapsulated in a law known as the Computer Fraud and Abuse Act (CFAA).
Source : Naked Security