By Marissa Payne
After the arrest of a former University of Iowa wrestler in connection with a high-tech academic-misconduct scandal, the UI is actively finding ways to limit cybersecurity threats.
In early 2018, UI faculty and staff will be required to partake in the two-step login process. It will be required to access MAUI starting Jan. 2, and ICON starting Feb. 5, according to a university announcement. Students will not be required to opt in, but they are encouraged to do so.
Authorized users can complete the login process “using their phones, a pre-generated list of pass codes, or a token device that creates a one-time code after users enter their HawkIDs and passwords.”
Jane Drews, the UI ITS chief information security officer, told The Daily Iowan in an email that a number of steps have been taken to improve the university’s cybersecurity posture, including requiring password changes for individuals with accounts known to be compromised in the incident, improved physical security on all classroom computers, and a new grade-change-monitoring dashboard for ICON instructors.
A Jan. 20 email from Drews to the UI community stated that approximately 250 university faculty, staff, and students had been notified that unauthorized individuals had obtained their HawkID and password “using physical devices that had been secretly attached to university computers in classrooms and computer labs.”
In the email, Drews said ITS was in the process of manually examining computers to look for suspicious devices and planning to expand two-factor authentication.
Former Hawkeye wrestler Trevor Graves was arrested in October on charges related to alleged academic misconduct. According to an FBI affidavit, ITS officials suspected Graves carried out the scheme using a keystroke logging device that was inserted into computers in various classrooms to record instructors’ HawkID login information.
Drews did not answer a question from The Daily Iowan regarding whether the changes were in response to the Graves incident.
However, the UI said in a June announcement about the changes that the two-step login expansion “follows a recent discovery that devices attached to classroom computers had surreptitiously recorded hundreds of HawkIDs and passwords.”
“At the end of the spring semester, we’ll evaluate faculty and staff experiences and exception requests and look for potential improvements,” Drews said in the UI announcement. “Adding a step to the login process is a modest tradeoff for keeping academic records accurate.