Editor’s Note: Updated to include comment from Dawson CS Professor Simonelis. – PFR 1/22/2013 The expulsion of a 20 year-old computer science major at Dawson College in Quebec, Canada has laid bare what one expert says is a culture gap between academic computer science departments and the ‘real world’ of application development. In the wake of news stories that have drawn attention to the case, Dawson’s faculty and administration have stood by their decision, saying that “hacking” of the type Ahmed Al-Khabaz was engaged in was an example of “unprofessional conduct” by a computer sciences engineer. This, even as private sector firms – including the company whose software Al-Khabaz exposed – have come forward with job offers and scholarships. Al-Khabaz was expelled in November by a school administration that looked askance at his security audits of a student portal web site dubbed “Omnivox,” accusing him of launching “SQL injection” attacks […]
Privacy
Update: Canadian Colleges Go Dark Following Expulsion of Whitehat
Editor’s Note: Updated to clarify that the sites were unreachable outside Canada, but accessible from IP addresses within that country and to add comment from Skytech on the Internet filtering. – PFR (1/22/2013) The web sites of a number of Canadian General and Vocational Colleges were unreachable from IP addresses outside Canada on Tuesday, after news spread that Dawson College, in Montreal, expelled a student who uncovered and reported security holes in a web-based student portal used at the school. The web site for Dawson College, dawsoncollege.qc.ca returned a 403 “Access Denied” message on Monday evening and Tuesday morning, along with the web sites for John Abbott College, the Collège de Maisonneuve and Cégep de Trois-Rivières. The schools all use the Omnivox software by local firm Skytech Communications to manage their student portals. The web site for Skytech Communications could not be reached either early Tuesday and returned the same 403 error. Calls […]
Student Exposes Gaping Hole In Software, Gets Expelled
The days of chasing down white-hat security researchers with packs of lawyers like they were criminals is long behind us – or is it? A new story out of Canada suggests that “killing the messenger” is still the preferred response of some organizations when presented with inconvenient truths about shoddy and insecure software. According to a story in Sunday’s National Post, a 20 year-old student at Dawson College has been expelled after he discovered and responsibly disclosed a gaping security hole in a management platform used by Dawson and many of Quebec’s General and Vocational Colleges” (or CEGEPs), which server around 250,000 students. Ahmed Al-Khabaz, a student in Dawson’s Computer Science program discovered the flaw while designing a mobile application to give students easier access to the campus’s Omnivox program, which is used to manage a wide range of student services. In an interview with National Post, Al-Khabaz said that […]
For Industrial, Medical Systems: Bugs Run In The Family
On the surface, the kinds of industrial control systems that run a power plant or factory floor are very different from, say, a drug infusion pump sitting bedside in a hospital intensive care unit. But two security researchers say that many of these systems have two important things in common: they’re manufactured by the same company, and contain many of the same critical software security problems. In a presentation at gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms. The research suggests that lax coding practices may be institutionalized within the firms, amplifying their effects. Rios (@xssniper), a security researcher at Google, and McCorkle (@0psys), the CTO of SpearPoint […]
University Course Will Teach Medical Device Security
The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 “Medical Device Security” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices connected to IP-based hospital networks and add wireless monitoring and management functionality. The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter […]
