[ISN] Canadian student expelled for playing security "white hat"

From: InfoSec News <alerts_at_private>
Date: Tue, 22 Jan 2013 00:19:58 -0600 (CST)
http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/

By Sean Gallagher
Ars Technica
Jan 21 2013

A 20-year-old Canadian computer science student has become, depending on your 
point of view, a martyr for computer security or a cautionary tale for students 
and others who take an interest in exposing security flaws in software 
products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the 
security of a student information system used by over 250,000 students, the 
school's administration said his acts were a "serious professional conduct 
issue" and expelled him. Now, fellow students are demanding his reinstatement, 
and the college and its software provider are facing a publicity and security 
backlash.

Al-Khabaz and another student reported finding a security flaw in the mobile 
application for Omnivox, a Web-based software package developed by 
Montreal-based Skytech Communications that is used by students to access and 
manage their personal information and college services—including their Social 
Insurance numbers, the Canadian equivalent of US Social Security numbers.

Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz 
told the National Post that the software had "sloppy coding" that allowed 
anyone "with basic knowledge of computers to gain access to the personal 
information of any student"—including virtually all of the personal data the 
college had collected on them.

When Al-Khabaz and fellow student Ovidiu Mija reported the problem to the 
school's director of Information Services and Technology, they were initially 
congratulated for finding the flaw and were told it would be fixed immediately. 
But it was Al-Khabaz' next step that landed him in trouble with the school. Two 
days later, he decided to check to see if the flaw had indeed been fixed, using 
a site security scanning tool called Acunetix.

[...]


Received on Mon Jan 21 2013 - 22:19:58 PST
