[BreachExchange] Former KU student accused of computer hacking faces 18 felony charges

Destry Winant destry at riskbasedsecurity.com
Fri Feb 2 00:49:08 EST 2018


A former University of Kansas freshman, in fear of flunking out,
successfully used a device called a keystroke logger to steal
instructors’ confidential login information, hack into multiple campus
computers and change F’s to A’s, according to an arrest affidavit in
the case.

Although the hacking apparently went unnoticed for most of two
semesters, the student eventually got caught and is now facing a
string of felony computer crime charges.

An affidavit supporting the arrest of Varun H. Sarja outlines the KU
police investigation into the case and Sarja’s admission to detectives
that he hacked into the system to change almost all of his 10 grades
during the 2016-17 school year.

The Journal-World recently requested the affidavit from Douglas County
District Court and received it Wednesday. Allegations in the document
have not been proved in court.

Sarja, of Olathe, is charged with eight counts of identity theft, nine
counts of unlawful computer acts and one count of attempted unlawful
computer acts — 18 counts in all, and all felonies. He allegedly
committed the crimes from December 2016 through May 2017, according to
the charges.

Sarja made his first appearance in court Jan. 16 for charges that were
filed Nov. 8, according to court records.

Sarja is no longer a KU student but was a freshman in engineering for
the 2016-17 school year, KU spokeswoman Erinn Barcomb-Peterson

Keystroke loggers, which start at around $20 and are sometimes made to
look like USB drives, are often used by cybercriminals to steal
personal information from public computers and keyboards.

The devices plug easily into computers and record every keystroke
that’s typed, enabling hackers to obtain others’ usernames and
passwords for accounts and computer systems.

According to the affidavit in Sarja’s case, prepared by a KU police detective:

Sarja was on academic probation in spring 2017, and after being
surprised to see he had an A in math, a School of Engineering academic
adviser and the math professor began checking into it. The math
professor said that although his personal records showed Sarja got F’s
for the fall and spring semesters, those grades had both been changed
to A’s.

Police began contacting Sarja’s other instructors. After checking
records, many of them also found that Sarja’s grades had been changed
and said they didn’t do it or give anyone their login credentials.
That included class grades entered in KU’s “Enroll and Pay” system and
some individual assignment grades entered in the “Blackboard” system.

Some F’s had been changed to A’s, one C became an A, and in one case
an F was changed to a B — which the instructor noted was conspicuously
entered as lowercase ‘b.’

Upon searching Sarja’s phone, police found an apology letter that
Sarja wrote to KU IT as well as a document listing several KU
instructors’ usernames and passwords. The phone also showed Sarja had
searched for the phrase “email keylogger.”

KU police attended a July 20, 2017, hearing to remove Sarja from the
university, and interviewed him multiple times throughout the

Sarja told a detective he had changed all but two of his 10 grades at
KU, and he had obtained about 10 username and password combinations to
do it. He said he plugged a USB key logger into campus computers to
get usernames and passwords, but threw it away when he moved out of
the KU residence halls at the end of the spring 2017 semester.

In at least one attempt, Sarja was not successful.

In early May 2017, Sarja tried to insert a USB stick into computers in
Wescoe Hall, telling a KU IT employee he was there “to complete a
security check.” But the KU IT employee turned Sarja away because he
didn’t have “the proper credentials,” then contacted police.

Sarja told detectives he was scared to tell his parents he had failed
classes and wanted to be successful.

“He changed his grades because he loved engineering and if he failed
he would no longer be able to pursue engineering,” according to the
affidavit. “Sarja stated he also didn’t want to let his parents down,
and he hadn’t done as well as he would have liked to.”

The Journal-World reported in October that KU police had investigated
the case and that the district attorney was reviewing it for charges.

Police, the DA and KU officials at that time would not confirm whether
that investigation was into the same cybersecurity breach reported
earlier that month by the Journal-World, in which a KU engineering
student used a keystroke logger to obtain faculty members’ login
information and passwords and changed his failing grades to A’s. The
newspaper reported the breach after details were shared at a KU School
of Engineering Senate meeting.

University officials said at the time that the hack “was minimal and
caught quickly” and that a “disciplinary process is taking place for
the person responsible.”

Barcomb-Peterson did not respond to a request for further comment Wednesday.

Sarja’s listed attorney, John Kerns, did not return messages from the
Journal-World Wednesday afternoon.

Sarja has posted bond of $2,500 and remains out of custody. His next
court appearance is scheduled for Feb. 13.
