Inside Tufts University’s grade-hacking case

Each week, Extra Crunch members have access to conference calls moderated by the TechCrunch writers you read every day. This week, security reporter Zack Whittaker discussed his exclusive report about Tufts University veterinary student Tiffany Filler who was expelled on charges she hacked her grades. Being Canadian and therefore in the U.S. on a student visa, she had to immediately leave the country.

From the transcript:

Firstly, given the legal risks, the potential public relations nightmare, and the ethics behind what looked like a failed due process, why didn’t Tufts hire a third-party forensics team to investigate the incident, especially given the nature of the allegations?

Secondly, how did Tufts decide that the student was to blame for these hacks? Attribution for any hack or cyber attack is often difficult, if not impossible. And the school’s IT department showed no evidence it was qualified to investigate the source of the breaches and demonstrated a clear lack of forensics, given the conclusions it came to, according to a forensics expert we spoke to.

This was definitely one of the toughest stories I’ve had to report in years, in the last seven or eight years, covering cybersecurity, national security. It’s rare for security reporters to focus on a single person for the reporting. Typically I write about data breaches or vulnerabilities or hacks that affect thousands, if not millions, of users around the world.

But this story was far too interesting not to dig into. We tried not to determine whether or not she was guilty or innocent. The fact of the matter is that both sides had conflicting evidence, but Filler offered … it was everything, and Tufts declined to comment on 19 very specific questions we sent.

This is a deeper look into a complicated story that also contains lessons for startups in varying stages of existence. Read on.



Eric: This is Eric Eldon, the managing editor of Extra Crunch, and with me today is Zack Whittaker, our security correspondent, who covers a wide range of security and hacking issues and a variety of things. Over the past year, he has been doing a deep investigation into a rather troubling case that has happened at Tufts University.

For the format today, Zack is going to tell us all about his approach for the next few minutes in his own words. Then he will open it up to questions for all of you on the phone as well as myself. So without further ado, I’ll let Zack get started.

Zack: Yeah, thanks a lot Eric, much appreciated. Big thanks to everyone who read the story. It took a long time to get this far. The story went out on Friday. It’s received a really good reception, very happy with it. I’m very tired, for what it’s worth. Yeah, this took a long time, weeks and weeks of talking to people, calling people, and trying to figure out exactly what happened here.

Even then, we still ended with more questions than answers. For anyone who read, this was a very deep story, a deep-dive story about a veterinary student, who was accused of hacking her grades. Tufts University pulls this student, her name was Tiffany Filler, out of her classes. She was still in her bloodied scrubs from treating patients, and faced several accusations from the university. Tufts said she systematically broke into several user accounts, modified permission access to those accounts, and changed grades of others.

The school says its IT department used extensive logs and database records to trace activity back to her computer, based off a unique identifier and a MAC address, as well as using other indicators, such as the network she was allegedly using, the campus’s wireless network, or her own off-campus residence.

She claims her innocence, and said the school didn’t provide her with specific dates and times of the allegations, and that she was unable to defend herself, and as it is a private university, students already face an uphill battle in trying to defend themselves.

As one expert, trained in free speech at universities, told me, universities can operate like shadow criminal justice systems, without any of the protections or powers of a criminal court. As was the case with Filler, many students aren’t given time to prepare for hearings, have no right to an attorney, and are not given any or all of the evidence.

After months of wrangling with the school, and following her expulsion, which was suspended since her appeal, Filler finally managed to get the precise times of the alleged hacks. It was only then that she was able to provide evidence that showed, on several occasions, she wasn’t at her computer.

In one case she was literally in the neighboring state, which she said she had proved she could not have carried out these hacks. Only one occasion was needed to cast doubt on Tufts’ evidence, but she provided evidence in nearly all of [instances where she was] accused of hacking. She also has alibis and testimony from her friends. She has payment receipts. She has photos on a fitness and fleet tracker, which we sent off for forensics. The evidence confirmed her side of events — and put Tufts’ findings into question.

But it wasn’t enough. Tufts expelled Filler. It was just a few months before she was set to graduate this May. As a Canadian citizen, her visa was revoked. She was told to leave the country as soon as possible. The very next day, she took one of the last flights out of the U.S. with no medical degree that she spent four years on, no job, and tens of thousands in student loans to pay back.

Since this story published, a petition, spearheaded by the Harvard Graduate Student’s Union, has been signed with more than 330 names. Tufts, on the other hand, has said nothing. But this story left open several major questions that hopefully we can discuss today.

Firstly, given the legal risks, the potential public relations nightmare, and the ethics behind what looked like a failed due process, why didn’t Tufts hire a third-party forensics team to investigate the incident, especially given the nature of the allegations?

Secondly, how did Tufts decide that the student was to blame for these hacks? Attribution for any hack or cyber attack is often difficult, if not impossible. And the school’s IT department showed no evidence it was qualified to investigate the source of the breaches and demonstrated a clear lack of forensics, given the conclusions it came to, according to a forensics expert we spoke to.

This was definitely one of the toughest stories I’ve had to report in years, in the last seven or eight years, covering cybersecurity, national security. It’s rare for security reporters to focus on a single person for the reporting. Typically I write about data breaches or vulnerabilities or hacks that affect thousands, if not millions, of users around the world.

But this story was far too interesting not to dig into. We tried not to determine whether or not she was guilty or innocent. The fact of the matter is that both sides had conflicting evidence, but Filler offered … it was everything, and Tufts declined to comment on 19 very specific questions we sent.

Whereas one student told us, quote, “We got her side of the story, and Tufts was not transparent,” so that’s the story in a nutshell. I hope you get to read it if you haven’t already. I’d really like to open this up for questions from the audience.

One of the questions we already got so far was do you think this was an inside job or a cover-up by someone high up at Tufts University? That’s an interesting question.

I think given that Tufts suffered from a broken system, that was built on getting results fast and not fairly, in my opinion, I don’t know for sure why the school built its ethics and grievance system in the way that it did. Casually, it’s built from an academic makeup of about eight or so academics. Many of which, most of which, are not trained in technical details of hacking and cyber crime.

Many universities have a very similar system as well, where they take in information from sources of evidence into the IT departments and statements and witnesses and then they make a decision, which gets passed to another body for punishment or penalty.

I think in this case there was a strong possibility of confirmation bias in which the IT staff either thought or were told of suspicious activity, and tied it to a particular user, in this case it was a student, Tiffany Filler.

One of my big unanswered questions to Tufts was how many other instances were there of alleged hacking that didn’t tie the student to the activity. Again, as I mentioned, Tufts University did not comment on the story. We gave them several opportunities to comment. They said that they were unable to comment, quote, “For privacy reasons with the student involved,” who is no longer at the university.

Eric: Zack, I was wondering, as I read that story, and as I watched it unfold, why don’t you hear about things happening like this more often? There are data breaches all the time. There are people on the inside, who are doing the wrong thing sometimes, and there are plenty of private institutions, whether they’re universities or non-profits or companies themselves, who maybe have a lot of technical sophistication, where the evidence that you need to prove something is very hard to come by, especially when you’re just sort of looking at the forensics of where a photo was taken, or when somebody logged into a computer.

It seems like, along with everything else on the internet, that you’re sort of stuck in this position where you never really know it’s true. So how do you expect this kind of issue to be resolved in the future, when we’re talking about Google getting hacked and Facebook getting hacked and people trying to access who’s responsible on the inside or the outside?

Zack: That’s a really interesting question. I think one of the big focuses is we need to look at is why don’t we, as you said, why don’t we see more of these stories coming out. I think the fact is that when forensics … Often forensics can be done at a very, very basic primitive level, and it can be done by a third party.

Often, companies and universities will bring in a third-party company to examine systems and logs and databases and so on. Those forensic teams will find information that may not necessarily find in favor of the person they’re investigating. They might find evidence that they have violated the terms and conditions of their employment, for example, if they’re working somewhere.

I think the fact is that in many of the cases where allegations are made they can be proven, and they can be proven with evidence. It’s very rare that you see someone, especially university students, accused of a crime. In this case hacking is a crime. It’s a federal crime under the Computer Fraud and Abuse Act.

It’s very rare to see a case of wrongful identification. Often you see stories of hacking where students have been caught, and they’ve pled guilty in court to criminal charges. In this case, the university has made no attempt or effort, that we’re aware of, to file charges against the student.

Which was a bit of a red flag. We wondered why, given the severity of the alleged hacking incidents, the university didn’t file charges. We have, again, no answer from Tufts on this one.

To your second point, I think this is a very interesting question, because — that’s the attribution problem, which makes it difficult, if not impossible, to determine the identity of a hacker or even in the case of the federal authorities, it makes it very difficult for them to launch the response or a retaliation strike.

Take a few years ago, for example, remember the Sony hack? It took years to figure out that it was likely to be North Korea. It took the Justice Department two years to drop an indictment, and much of the intelligence came from third-party security firms, which provide intelligence and evidence of their own.

Lots of companies, like universities and even governments, try to attribute hacks, or attacks, to certain hackers or groups, known as threat actors. But technology is confusing and complicated. It’s not difficult to launch an attack from one country and make it look like it came from another.

This can be said for the same — an attack or a hack can come from one house in one neighborhood or an entirely different country. Code can be reused from one hacker to another. Sometimes code even gets open sourced and published, making it available to anyone, and attacks possible by everyone. But also attribution is made so much more difficult when an attack can come from anyone. Often, what investigators try to find, especially at the governmental level, much of their efforts depend on the attacker’s OPSEC, that is, operational security, the practices involved in trying to prevent information about them leaking as part of their processes.

They can be identified based on the tools and the procedures that they use. Some cybersecurity firms like Dragos don’t attribute at all. They find these little points and point some blame where they could be focused on examining how attacks take place, with what tools, and how to prevent them in the future.

Now, we take this back to Tufts, the evidence that they had, in their documents that they presented to the student, which is IP addresses, is an attribution. That’s been shown to courts. MAC addresses can be spoofed. They’ve misidentified the phone that the student allegedly used.

The school claims that the computer name she used is one thing, when in fact it was something else. As is the case with this student at Tufts University, and in many other cases around the world when governments try to file charges against threat actors and other hackers, attribution isn’t a science. It’s a rush to the finish line, especially for governments and for personal purposes.

Eric: It sort of feels like we’re facing a future where this sort of misattribution problem is just going to become more normal, and we’re going to — like the world basically has to wrestle with the fact that everything about how our institutions of technology work is subject to attack from whatever you want to call them. It’s just like we’re in a permanent state of guerrilla warfare, essentially, when it comes to cybersecurity. That’s just like sort of in the same way that people are having trouble like, “Is this photo real? Has it been Photoshopped?” The conversation around deep fakes, and where that’s going, it feels like that’s … There’s a parallel sort of vibe here that will become more normal as more people realize that security is basically impossible, right?

Zack: Yeah, you make a very good point, especially with this stuff called the deep fakes problem as well. You’ve got the greater … the computational power and the greater network power, the great difficulty in trying to attribute, especially in trying to attribute and trying to discover whether something is real or not.

And also in cybersecurity, it’s not necessarily about trying to … It depends on what your goals and objectives are. Some companies are trying to prevent cyber attacks. Some companies try to figure out who the cyber attacker was. Some companies are trying to focus on how to protect in the future.

Ultimately, I don’t think it necessarily matters, always, who is behind a cyber attack, especially as a … it depends again, on some of these factors, but in a nation-state setting, if you have one country attacking the other, that goes back to playing into all kinds of reasons of legal wrangling and political disputes and so on.

So there is some necessary importance to having attribution to some extent, but again, in some cases, it’s not necessarily the primary focus of some people. Attribution doesn’t always help. Knowing how attackers use their tools, and use their systems, and use their knowledge and power, is more important than knowing who’s behind it.

Because ultimately it’s not preventing these attacks from happening in the future, not necessarily knowing who they are, because ultimately it comes down to what did you do with the information? You file indictments. You file court charges and so on.

In the situation with nation-state actors that does not really do much. The Justice Department has been rolling out these name and shame indictments for the last year or so, since President Trump came into office. These name and shame indictments are to, well quite literally, name and shame the people who are thought to be involved in these nation-state attacks.

It makes it very difficult for them to extradite them from places like China, Iran, North Korea and so on, but it does limit their ability to move freely outside the country of which they’re residents. So there is some power there.

But, again, attribution, in this day and age, isn’t the primary focus for a lot of people. It’s trying to figure out exactly what these people or what these threat groups are doing in order to prevent it from happening in the future.

Eric: Well, so Zack, let’s take it back to Tufts and that front, like if you were starting from scratch, and you’re aware of the right protocols for dealing with the best practices now, I should say, for dealing with hacks, what would you do, or what would you have done if you were Tufts, and you were presented with this kind of information?

Zack: The very first thing I would have done is I would have gotten all of the information that I could have done, which it seems like they did, and immediately hire a forensic team, a third-party forensic team. It depends, ultimately, especially when you look at a private university like Tufts, it depends what their motives are here.

If their motives are to find and catch a person they think is hacking the system, versus trying to wrap something up, as I said earlier, it’s a rush to the finish line, is that what they’re trying to do? If I wanted to conduct a full and thorough investigation, the chances of me finding out who the hacker was may still be limited, may still be slim.

There may be no guarantees that after an extensive reckoning of the logs and the looking at the data and the databases and all kinds of things, and looking at your activity, it still may not provide a conclusive pointer, in fact, to who did this.

Right now I think Tufts’ biggest fear is that, and again, we don’t have inside knowledge to what their dealings are, but one of the biggest concerns I think they have is that they still have a hacker out there manipulating grades, and/or changing grades or altering systems and the network, having access and being able to create a foothold into the network that they can exploit later.

I think that’s their biggest fear. I think the other side to this is that none of this would have happened had Tufts had a half decent security posture in the first place. Many of the exploits that were allegedly taken, and that allegedly happened, involved bypassing two-factor authentication, simply by choosing a login method that didn’t require it.

In other cases, they were able to pivot from one account to another account, gaining what we call an escalation of privileges, by giving yourself greater access than you had in the first place. None of this should have happened on a corporate network.

You have to remember, a university is for all intents and purposes like a big company, like an enterprise. You have to run it like an enterprise network. If they are not … if their network is not in a place where it can defend from an insider attack, then god only knows how many other issues they might have from outside attacks and so on.

The first thing they should do, hire a forensics team. The second thing they should do is try and figure out how they can secure the systems going forward. There’s very little evidence to show that they’ve actually fixed half the issues that they claim they have.

Eric: I have to wonder is this … It basically sounds like you’re saying people in the IT department are connected to it. It was easier for them to find somebody to blame than blaming their own system and themselves, by extension?

Zack: Yeah, as I mentioned earlier, there is a … It seems like there may have been some kind of confirmation, but it’s not clear exactly what their processes were, but we found no evidence that the IT department had any qualifications or were able to conduct a thorough forensics of the systems that were allegedly impacted.

Whereas a third-party security firm could have done that. In farming it out to a third-party security firm, many exist, we … For our forensics, for this story, we used a company called Rendition Infosec, run by a former hacker at the National Security Agency, called Jake Williams, very nice guy, worked with us for the story.

He examined some of the data for us to confirm some of those accounts. Companies like Rendition Infosec, and many other companies out there, do … They do forensics and incident response for universities, enterprises, corporations and so on. Not only does it distance them from the investigation, it gives them a clear head.

They get no confirmation bias. They look for the information without any kind of prior thinking of who it might have been, but it also gives them the chance to document everything in a way that is able to be taken and presented to a court if it goes that way, if it goes to trial, if there’s ever a case where a civil case has been brought for wrongful termination, when criminal charges are filed by a company, or in this case maybe a university. It’s good to have that third-party documentation of a company, because frankly, that evidence looks so much …

It looks so much better collected by people who are qualified to do the job. In this case, there’s no evidence to show that the IT staff at Tufts University actually knew what they were even doing.

Eric: On the other hand, this is a common criticism that you hear of private institutes of higher education in general is that there are all sorts of issues where it’s all done behind closed doors. I know you noted this before, so I mean it … One gets the impression that institutes, like Tufts will … It’s actually pretty easy for them to keep doing that sort of thing with no real issues, unless the federal government forces them to change. I mean this is what Title IX was about, right?

Zack: Yeah.

Eric: If you’re taking federal money you have to do what the government, the federal government says, if it changes its tune on what you’re supposed to do. But if it doesn’t change, then it’s kind of proceed as planned, right? This issue has come out in a ton of different ways in the courts over the years. Title IX is the most obvious example.

Zack: Yeah, Title IX is a good example. It’s very possible that in the next few days and weeks, the student in this case, is very much within her right to file a Title IX complaint if she believes that she may have been discriminated against based on her gender, based on her nationality, for example, it’s very possible that may be a way that she can resolve this situation.

I’m a firm believer that private universities have their own rules and public universities have a different set. That said, like the student in this story, now I’m not an American. We both come from different countries. In my case it’s the United Kingdom, where all but two universities are public. Pretty much all of the universities in the U.K., and many in Canada, are completely public. They’re open to everyone. They receive federal money from the governments. The only recourse that the student can really get is to mount a legal challenge based on, from my understanding, a technicality more than the allegations themselves. She would have to argue that the school didn’t follow its own internal guidelines.

Which say, according to the document I received, showing the school’s handbook, that a student must have the substance of each allegation at least seven days before the hearing, which was in October. I detailed it in my story. The student said that she did not receive this. This was also documented in several emails to and from the school’s dean, Joyce Knoll, who ultimately made a decision in January to expel the student.

The frustrating part of all of this is the one-sidedness of the entire process, not just before and during, but also after. Tufts declined to comment, as I mentioned, on grounds it would violate the student’s privacy. So we asked the school if they would comment if the student waived her right to privacy, but they didn’t.

The law, as it stands now, in my opinion, should … The law, as it stands now, does not permit private universities, or allow private universities, to release tons of information about students, and that’s reasonable to some extent. But students should have access to files and documents, as requested by the student, very similar to how Freedom of Information rules work.

Private universities like Tufts are not bound by these laws. There are several other laws that regulate privacy and education and rights for students at higher education. Most of those do apply to private universities as well, but students should be able to essentially file a request for information about their own studies and their cases, like we can in Canada and like we can in the U.K.

So you understand the process by which they have been suspended or expelled, in case one of these happens. I think that’s a really important thing that could potentially change this kind of thing happening in the future. Not only would it prevent miscarriages of justice happening, if this was the case, but it would also help hold universities accountable for, as we suspect in this case, a very rushed job that came to conclusions that they couldn’t substantiate.

Eric: If you’re just joining us, we do have a little bit of time for questions. Just press star six to unmute yourself and go ahead and ask Zack while he’s here.

Zack: Yeah, I’d love to hear any questions that anyone has. You’re more than welcome to ask them, if you’ve got any questions about the story, any questions about my work as a security reporter, anything like that, anything you want to ask, and I’d gladly take any questions that you have over the next few minutes.

I actually have to say, it’s a bizarre thing to say in a sense, but this was a very enjoyable story to report. I’m not sure it’s enjoyable in the right way, actually, but it was a very tough story to report. It took a long time to collate and to fact check and a considerable time to write.

It’s a deeply personal story for a student to be faced with these allegations and not … especially in a foreign country, even if it is just across the border, but it’s a very frustrating and stressful ordeal that the student has gone through. I think in this case, it’s, again, as I had mentioned, it’s not necessarily about finding guilt or innocence. I think it’s very important that universities can show transparency and due process in the kind of process that they go through, especially when someone is facing suspension or expulsion.

Speaker: Hey, Zack, I’ve got a question for you. Thanks for taking the time here. What are the big lessons here for startups, from a security and an IT standpoint?

Zack: That’s a really good question. I think it’s really important that no matter how big of a company you are, no matter how small you are, every company in this day and age faces some kind of cyber threats, whether it’s ransomware being thrown on my computer from a dodgy email attachment, or whether it’s an insider threat of someone stealing information.

Or even if you’re a very powerful startup, versus say a government department, you may still face very similar threats from nation-states and nation-state-backed actors. Every company in this day and age should remember that they are ultimately a security … They have to be and think like a security company. They have the threat level. They have to think about the threats that they face. They have to think about the kinds of attacks they might get. They have to think about the data.

Also, this just comes down to simply just trying to understand your security posture. It’s not necessarily about trying to do like an inventory of exactly what systems you have and so on. It’s trying to understand the threat that you face as a business.

Every single company, every university, every government department, should do this, especially startups, because when you’re a startup, when you’re a small company, when you’re still trying to find investors and trying to raise that money, all it takes is one data incident, and you can be out. You can be completely out of the game. I think it’s really important that companies try to focus on what threats they face and attack those threats as they come in.

They should focus on hiring a chief security officer. They need to want to be focusing on the threats they face, how they’re going to deal with them, trying to understand the insider threats they face, trying to ensure policies within the company are strict enough to prevent data leaks and data breaches. I mean every startup should ideally have a chief security officer as standard, especially with data-only startups that collect a lot of information, app startups and so on.

I think that’s a really important point, even though it will cost you money, it will cost you another seat, another seat in a C-suite, it’s very important that if you take security seriously you’ll have a chief security officer and people will see that and people will take you seriously.

Eric: Thanks Zack, well really appreciate you taking the time today. We’re going to wrap up now. Zack is on Twitter if you want to find him there.
