The days of chasing down white-hat security researchers with packs of lawyers like they were criminals is long behind us – or is it? A new story out of Canada suggests that “killing the messenger” is still the preferred response of some organizations when presented with inconvenient truths about shoddy and insecure software.
According to a story in Sunday’s National Post, a 20 year-old student at Dawson College has been expelled after he discovered and responsibly disclosed a gaping security hole in a management platform used by Dawson and many of Quebec’s General and Vocational Colleges” (or CEGEPs), which server around 250,000 students.
Ahmed Al-Khabaz, a student in Dawson’s Computer Science program discovered the flaw while designing a mobile application to give students easier access to the campus’s Omnivox program, which is used to manage a wide range of student services. In an interview with National Post, Al-Khabaz said that security hole was the product of sloppy coding and would allow someone with “basic knowledge of computers” to easily get access to any student’s Omnivox account, which contains a wide range of sensitive personal information.
CEGEPs are similar to junior colleges in the United States – offering the equivalent of grades 12 and 13 for students after high school, but before university. They offer a wide range of courses and pre-professional training, according to Mathieu Perron, a staff member at the Dawson Student Union, who is representing Al-Khabaz.
Dawson has around 10,500 student. The College last made the news in September, 2006, when a 25 year-old man, Kimveer Gill, went on a shooting rampage at the college, killing one person and injuring 19 others, before taking his own life.
The Omnivox system is the main student and faculty portal, providing a way to communicate and access grades, class schedules and assignments, Perron said. While working on his mobile application to access Omnivox, Al-Khabaz discovered that the system used an insecure method to generate unique account IDs. Simply by knowing a student’s school ID or a staff member’s employee ID, Al-Khabaz realized that he could access their Omnivox account, Perron told The Security Ledger.
After discovering the hole, Al-Khabaz followed so-called “responsible disclosure” protocol: bringing it to the attention of Dawson’s Director of Information Services and Technology, who promised to address the issue with Skytech, which makes Omnivox, and have the issue addressed. Al-Khabaz was reportedly thanked by Dawson staff for disclosing the hole.
After that, things took a strange turn. When Al-Khabaz, some time later, used a free, online web scanner from the firm Acunetix to scan Skytech’s Omnivox system from his home computer to see if the hole had been fixed, it raised the ire of Skytech’s president, Edouard Taza, who warned Al-Khabaz that he was conducting a cyber attack that could land him in jail. In an interview with the Post, Al-Khabaz said Taza threatened to have him arrested by the Royal Canadian Mounted Police (RCMP) unless he signed a non-disclosure agreement designed to stop him from talking about the company’s software.
Speaking to the Post, Taza acknowledged mentioning legal consequences to Al-Khabaz, but denied threatening the 20 year-old. Al-Khabaz, he said, should not have scanned Skytech’s systems without the company’s permission.
Shortly thereafter, Al-Khabaz faced a disciplinary hearing with Dawson’s Dean, Dianne Gauvin and his program coordinator, Ken Fogel over his decision to test Omnivox for the fix. Following that, 14 of 15 professors in the Dawson computer science department voted to expel Al-Khabaz and he was dismissed. Subsequent appeals to academic dean and director of the school were denied.
A statement on the College’s web site said that the College stands by its decision and its policies “regarding academic integrity and professional code of conduct.” Citing Quebec’s provincial privacy laws, Dawson said it was prohibited from discussing the details of a student’s file with the media, but that it uses due process and diligence in every case. The College took issue with the National Post article, which it called inaccurate, and defended its treatment of Al-Khabaz.
“The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student. When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student,” the College said. Al-Khabaz violated the professional code of conduct of the Computer Science program of which he was a part. That policy states that students are”expected to exhibit behaviour appropriate to the profession. Appropriate behaviour must be displayed in all activities associated with the program, in classrooms, labs, during the internship, in relations with fellow students, staff, faculty, employers and clients.”
Of course, the College’s conclusion that pen testing web applications is unprofessional might strike some as funny. And Perron notes that Al-Khabaz says he was given a Omnivox test server to use by the college and conducted his scans of Omnivox from a personal computer located in his parents’ apartment, not using school resources.
Perron said that Al-Khabaz has already received job offerings assuming he is not reinstated. In the meantime, the Student Union says sentiment on campus and in Montreal is that Dawson overreacted in expelling Al-Khabaz. The Union is hoping to appeal to the administration to reverse its decision.