Feeds

Student claims code flaw spotting got him expelled from college

Canadian college denies overreacting

3 Big data security analytics techniques

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.

Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules

Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software's developers Skytech.

Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent's home started to ring he said. On the other end was Edouard Taza, the president of Skytech.

"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed," the student said.

"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."

Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one's privacy has been breached, but he was concerned at the scanning software used.

"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake," he said.

Unfortunately for Al-Khabaz Dawson College didn't feel that way, and began an investigation for a for a "serious professional conduct issue." Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college's code.

After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct," he said. "I really want this degree, and now I won’t be able to get it. My academic career is completely ruined."

But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.

"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," said the educational institution in a statement.

A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and "injected SQL code," according to his expulsion letter.

Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it's clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.