Editor’s Note: Updated to clarify that the sites were unreachable outside Canada, but accessible from IP addresses within that country and to add comment from Skytech on the Internet filtering. – PFR (1/22/2013) The web sites of a number of Canadian General and Vocational Colleges were unreachable from IP addresses outside Canada on Tuesday, after news spread that Dawson College, in Montreal, expelled a student who uncovered and reported security holes in a web-based student portal used at the school. The web site for Dawson College, dawsoncollege.qc.ca returned a 403 “Access Denied” message on Monday evening and Tuesday morning, along with the web sites for John Abbott College, the Collège de Maisonneuve and Cégep de Trois-Rivières. The schools all use the Omnivox software by local firm Skytech Communications to manage their student portals. The web site for Skytech Communications could not be reached either early Tuesday and returned the same 403 error. Calls […]
Tag: hacking
Student Exposes Gaping Hole In Software, Gets Expelled
The days of chasing down white-hat security researchers with packs of lawyers like they were criminals is long behind us – or is it? A new story out of Canada suggests that “killing the messenger” is still the preferred response of some organizations when presented with inconvenient truths about shoddy and insecure software. According to a story in Sunday’s National Post, a 20 year-old student at Dawson College has been expelled after he discovered and responsibly disclosed a gaping security hole in a management platform used by Dawson and many of Quebec’s General and Vocational Colleges” (or CEGEPs), which server around 250,000 students. Ahmed Al-Khabaz, a student in Dawson’s Computer Science program discovered the flaw while designing a mobile application to give students easier access to the campus’s Omnivox program, which is used to manage a wide range of student services. In an interview with National Post, Al-Khabaz said that […]
For Industrial, Medical Systems: Bugs Run In The Family
On the surface, the kinds of industrial control systems that run a power plant or factory floor are very different from, say, a drug infusion pump sitting bedside in a hospital intensive care unit. But two security researchers say that many of these systems have two important things in common: they’re manufactured by the same company, and contain many of the same critical software security problems. In a presentation at gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms. The research suggests that lax coding practices may be institutionalized within the firms, amplifying their effects. Rios (@xssniper), a security researcher at Google, and McCorkle (@0psys), the CTO of SpearPoint […]
University Course Will Teach Medical Device Security
The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 “Medical Device Security” will teach graduate students in UMich’s Electrical Engineering and Computer Science program “the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.” It comes amid heightened scrutiny of the security of medical device hardware and software, as more devices connected to IP-based hospital networks and add wireless monitoring and management functionality. The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the US Food and Drug Administration (FDA) reported that software failures were the root cause of a quarter […]
Does Your LinkedIn Profile Hold The Key To Your Password?
Say what you want about social media. The bare fact is that folks use it – more of them every day. In fact, social media sites like Facebook, Twitter and YouTube are growing – quickly – and have come to define our modern online experience. That said: the sites represent a huge security risk. Sites like Facebook, Twitter and Instagram are increasingly used as platforms to circulate scams and malicious links. A larger and more nebulous threat is posed by all the information that organizations and their workers are spilling online. It’s already common knowledge that hackers and other “bad guys” comb through worker profiles or LinkedIn, Facebook and other sites to help craft targeted attacks. But could your social networking profile provide more useful information – like your password? Independent security researcher Itzik Kotler thinks so. Kotler is the creator of Pythonect, a new, experimental dataflow programming language based […]
