This story, " School that expelled student hacker may have ignored 16-month-old security flaw," was originally published at. In my opinion, the existence of an f-file that old and the events leading up to the expulsion of Mr Al-Khabaz represent a pattern of un-ethical and completely inadequate IT security practice at Dawson College. But on the other, not even know about a publicly compromised webserver on its domain. Nobody here can believe that, on the one hand, the CEGEP has the arrogance to expel this student.
#OMIVOX EDOUARD PASSWORD#
The presence of the f**.file means a hacker successfully a shell to the domain: that is, "a script that provides a CLI to the compromised system with extensive system-level access to all records, data and nodes attached to the system regardless of the level of password protection offered by the website," per Blanchard.Īn anonymous Halifax-based security researcher told Blanchard the following: "primary Dawson College public domain may remain compromised following a 2011 incursion by an unknown hacker named 'iskorpitx.' That hacker appears to have successfully uploaded a 'Shell' to the domain, leaving a public 'f** file' alerting administrators of the site that a successful incursion had taken place.Īs of midnight Monday, the Dawson College server still returned the file using any web browser, despite credible Twitter alerts about the compromise to earlier that evening from multiple sources." One wonders, though, whether Dawson College will mete out similarly harsh justice to whomever neglected to fix a purported flaw in one of its public-facing Web servers, which has reported some 16 months ago, according to technology columnist Jon Blanchard. Fortunately, he still has a bright future, as he's reportedly received job offers since the incident gained attention - including one from Skytech. But if he was warned of the consequences of his actions and he chose to ignore them, he ultimately has no one but himself to blame. What that means is, his grades for the semester will all show up as zeroes on his record plus, he has the black mark of being expelled for unprofessional conduct. Hence, the college's academic computing board voted 14-1 to expel him. Unfortunately, Al-Khabaz appears to have ignored the advisory, even though his intentions may not have been malicious. Though the school has been cagey in providing details, citing Quebec privacy law, it appears Al-Khabaz was issued an advisory that he would face expulsion if he failed to cease and desist in tampering with the portal.
Al-Khabaz opted to sign the NDA.ĭawson College wasn't about to let Al-Khabaz off so easily. Taza accused him of launching a cyber attack against the portal and gave him the choice between signing a nondisclosure agreement or being reported to the police. Almost immediately, he received a call from Edouard Taza, president of Skytech. The trouble started two days later, when Al-Khabaz ran a vulnerability-scanning program called Acunetix to determine whether the flaw had been fixed. He said he was told that the school would work with Skytech, the makers of the flawed Omnivox software, and would fix the problem immediately.
#OMIVOX EDOUARD SOFTWARE#
He said he stumbled across the flaw, which he attributed to " sloppy coding," while working on a project for his school's software development club.Īl-Khabaz diligently reported the flaw to the head of the institution's IT department and was praised for his efforts. Whether Al-Khabaz deserved his punishment is certainly worth questioning, though it's also worthwhile to ask why the college hadn't bothered to fix a flaw in its public-facing Web server 16 months after it had first been reported.īased on the various reports and statements about the incident, here's what went down: In September, the student uncovered flaws in the online academic portal, exposing sensitive information - Social Security numbers, phone numbers, and home addresses - belonging to more than 250,000 college students.
It's tough not to feel pangs of sympathy for Hamed Al-Khabaz, the 20-year-old aspiring computer scientist who was expelled from Dawson College after exposing a security flaw in the school's academic portal.
0 kommentar(er)
