Answer the questions below:

1. Imagine you work for KU IT Security and the Chancellor asks for your security recommendations based on this eventWhat would be a good initial response to answer the Chancellors question?

2. Identify at least three (3) threats, two (2) vulnerabilities, and three (3) costs/impacts that you can think of from this security incident.

3. In considering the CIA triad, what are Confidentiality, Integrity, and Availability concerns with this case?

4. How would you treat this risk (discuss at least three (2) steps you would take)?

A former University of Kansas freshman, in fear of flunking out, successfully used a device called a keystroke logger to steal instructors confidential login information, hack into multiple campus computers and change Fs to As, according to an arrest affidavit in the case.

Although the hacking apparently went unnoticed for most of two semesters, the student eventually got caught and is now facing a string of felony computer crime charges.

An affidavit supporting the arrest of Varun H. Sarja outlines the KU police investigation into the case and Sarjas admission to detectives that he hacked into the system to change almost all of his 10 grades during the 2016-17 school year.

The Journal-World recently requested the affidavit from Douglas County District Court and received it Wednesday. Allegations in the document have not been proved in court.

Sarja, of Olathe, is charged with eight counts of identity theft, nine counts of unlawful computer acts and one count of attempted unlawful computer acts 18 counts in all, and all felonies. He allegedly committed the crimes from December 2016 through May 2017, according to the charges.

Sarja made his first appearance in court Jan. 16 for charges that were filed Nov. 8, according to court records.

Sarja is no longer a KU student but was a freshman in engineering for the 2016-17 school year, KU spokeswoman Erinn Barcomb-Peterson confirmed.

Keystroke loggers, which start at around $20 and are sometimes made to look like USB drives, are often used by cybercriminals to steal personal information from public computers and keyboards.

The devices plug easily into computers and record every keystroke thats typed, enabling hackers to obtain others usernames and passwords for accounts and computer systems.

According to the affidavit in Sarjas case, prepared by a KU police detective:

Sarja was on academic probation in spring 2017, and after being surprised to see he had an A in math, a School of Engineering academic adviser and the math professor began checking into it. The math professor said that although his personal records showed Sarja got Fs for the fall and spring semesters, those grades had both been changed to As.

Police began contacting Sarjas other instructors. After checking records, many of them also found that Sarjas grades had been changed and said they didnt do it or give anyone their login credentials. That included class grades entered in KUs Enroll and Pay system and some individual assignment grades entered in the Blackboard system.

Some Fs had been changed to As, one C became an A, and in one case an F was changed to a B which the instructor noted was conspicuously entered as lowercase b.

Upon searching Sarjas phone, police found an apology letter that Sarja wrote to KU IT as well as a document listing several KU instructors usernames and passwords. The phone also showed Sarja had searched for the phrase email keylogger.

KU police attended a July 20, 2017, hearing to remove Sarja from the university, and interviewed him multiple times throughout the investigation.

Sarja told a detective he had changed all but two of his 10 grades at KU, and he had obtained about 10 username and password combinations to do it. He said he plugged a USB key logger into campus computers to get usernames and passwords, but threw it away when he moved out of the KU residence halls at the end of the spring 2017 semester.

In at least one attempt, Sarja was not successful.

In early May 2017, Sarja tried to insert a USB stick into computers in Wescoe Hall, telling a KU IT employee he was there to complete a security check. But the KU IT employee turned Sarja away because he didnt have the proper credentials, then contacted police.

Sarja told detectives he was scared to tell his parents he had failed classes and wanted to be successful.

He changed his grades because he loved engineering and if he failed he would no longer be able to pursue engineering, according to the affidavit. Sarja stated he also didnt want to let his parents down, and he hadnt done as well as he would have liked to.

The Journal-World reported in October that KU police had investigated the case and that the district attorney was reviewing it for charges.

Police, the DA and KU officials at that time would not confirm whether that investigation was into the same cybersecurity breach reported earlier that month by the Journal-World, in which a KU engineering student used a keystroke logger to obtain faculty members login information and passwords and changed his failing grades to As. The newspaper reported the breach after details were shared at a KU School of Engineering Senate meeting.

University officials said at the time that the hack was minimal and caught quickly and that a disciplinary process is taking place for the person responsible.

Barcomb-Peterson did not respond to a request for further comment Wednesday.

Sarjas listed attorney, John Kerns, did not return messages from the Journal-World Wednesday afternoon.

Sarja has posted bond of $2,500 and remains out of custody. His next court appearance is scheduled for Feb. 13.

UPDATE:

KU student who hacked computers and changed his grades is convicted of 4 felonies

A former University of Kansas student who used a keystroke logger to steal professors passwords, hack into KUs computer system and change his grades is now a convicted felon for those crimes.

At the court hearing, he promised he had removed keystroke logger software from all of his electronic devices and would not access it again.

Varun H. Sarja, 20, of Olathe pleaded guilty on Thursday to four of the 18 felony counts he originally faced, two counts of identity theft and two counts of unlawful computer acts. Under the plea agreement, the remaining 14 charges were dropped.

With no prior criminal history, Sarja will face probation under the states sentencing guidelines, Douglas County District Court Judge Kay Huff said. Hes scheduled to be sentenced July 2.

Sarja also will be required to get a mental health evaluation, allow law enforcement to verify that his electronics no longer have the keystroke logger program and write apology letters to all the professors and teaching assistants who were affected, under plea deal recommendations from prosecutor Deborah Moody and Sarjas attorney, John Kerns.

Before accepting Sarjas plea, the judge asked him to explain to her what he did wrong.

Quite simply, I used passwords that werent mine to change my grades in the KU system, Sarja said.

Sarja told the judge that he has completed his sophomore year of college, but did not specify where.

KU held a hearing to remove him from the university in summer of 2017, after KU police began investigating the hacking but before criminal charges were filed, in November 2017.

The Journal-World first reported the cybersecurity breach in October 2017, after details were shared at a KU School of Engineering Senate meeting but the involved student was not named. University officials said then that the hack was minimal and caught quickly and a disciplinary process is taking place for the person responsible.

Sarja was a freshman studying engineering at KU during the 2016-17 school year, when he successfully used a keystroke logger to steal instructors confidential login information, hack into multiple campus computers and change Fs to As.

Keystroke logger devices plug easily into computers and record every keystroke thats typed, enabling hackers to obtain others user names and passwords for accounts and computer systems.

Sarja was on academic probation in spring 2017, and after being surprised to see he had an A in math, a KU School of Engineering academic adviser and the math professor began checking into it.

An ensuing investigation by KU police revealed that Sarja had changed almost all of his 10 grades that year, starting in December, and stole teachers login credentials to do it. Sarja told detectives he loved engineering, wanted to be successful and was scared to tell his parents he had failed classes.

The Journal-World requested Sarjas booking photo from the Douglas County Sheriffs Office, but did not immediately receive a response as to whether it would be released.

KU student sentenced for changing failing grades to As

July 3, 2018

LAWRENCE, Kan. (AP) A former University of Kansas student who hacked the schools computer system to changing his failing F grades to As has been sentenced to probation.

20-year-old Varun Sarja used a keystroke logger program to change his grades in the 2016-17 school year when he was a freshman studying engineering.

Keystroke loggers enable hackers to obtain usernames and passwords by recording keystrokes on devices.

Sarja, of Olathe, was placed on academic probation in spring 2017. When records revealed he had achieved an A in math, an academic adviser and the math professor investigated.

Sarja pleaded guilty in May to felony identity theft and unlawful computer acts.

During sentencing Monday, Sarja learned he faces an 18-month prison sentence if he violates the terms of his probation.

KU computer hacker granted probation, ordered to apologize to professors

Jul 2, 2018

A former University of Kansas student who hacked into the schools computer system and changed his failing grades to As was granted probation for the resulting felony convictions. He also must write letters apologizing to the professors he fraudulently signed in as.

As the prosecutor and his defense attorney had requested in a plea agreement, Varun H. Sarja, 20, of Olathe received a year and a half probation, with an underlying 18-month prison sentence that he could be ordered to serve should he fail at probation.

Douglas County District Court Judge Kay Huff sentenced Sarja Monday.

Sarja, who has no prior criminal record, agreed to the terms of his probation, including that he would apologize directly to those affected by writing letters to the university and the professors involved.

Sarja previously assured the judge, upon his conviction in May, that he had removed keystroke logger software which is what he used in the KU computer crimes from all of his electronic devices and would not access it again. Keystroke loggers are devices that plug into computers and record everything thats typed, enabling hackers to obtain usernames and passwords for others accounts and computer systems.

Sarja initially was charged with 18 felony counts. He pleaded guilty to two counts each of identity theft and unlawful computer acts, and the remaining counts against him were dismissed.

Sarja was a freshman studying engineering at KU during the 2016-17 school year, when he used a keystroke logger to steal instructors confidential login information, hack into multiple campus computers and change Fs to As.

A KU School of Engineering academic adviser noticed in spring 2017 that Sarja who was on academic probation at that time had an A in math and began checking into the situation along with the math professor.

An ensuing investigation by KU police revealed that Sarja had changed almost all of his 10 grades that year, starting in December, and stole teachers login credentials to do it. Sarja told detectives he loved engineering, wanted to be successful and was scared to tell his parents he had failed classes.

KU held a hearing to remove Sarja from the university in summer of 2017.

The Journal-World first reported the cybersecurity breach in October 2017, after details were shared at a KU School of Engineering Senate meeting, but the involved student was not named.

The criminal charges were filed against Sarja in November 2017.