January 21, 2013

Canadian student whistleblower tells his college about massive security breach in their system, gets expelled

He’s been called a criminal, a liar, a hacker and a thief.

He was kicked out of school and saw his academic record go up in smoke last fall, but now it appears Ahmed Al-Khabaz will have the last laugh.

The 20-year-old computer science student was expelled from Dawson College in November after stumbling upon a potentially disastrous security flaw in the school’s computer system. Al-Khabaz was working on a mobile application for Dawson’s website when he discovered a weakness that could have jeopardized the personal information of more than 250,000 students.

After persisting in his inquiry, Al-Khabaz claims he was threatened with legal action by the CEO of Skytech Communications, the company that runs Dawson’s site and the websites of more than 100 CEGEPs and universities. On Monday, after Al-Khabaz’s struggle gained international notoriety, Skytech seemed to have a change of heart.

On Monday afternoon, a Skytech employee confirmed media reports that the IT company has offered the 20-year-old a part-time job and a scholarship to finish his studies at another school.

A representative from the Dawson Student Union, who was speaking on behalf of Al-Khabaz Monday evening, said Al-Khabaz hadn’t received a direct job offer from Skytech, but had heard about the offer in the media.

“This wasn’t a game for me, it was my moral duty to protect the students’ data,” Al-Khabaz told The Gazette earlier Monday. “If I was really acting maliciously, I could have concealed my identity, stolen all of that information and sold it. But instead I alerted the right people; I didn’t try to hide who I was, I just tried to make sure they were following through and fixing the site’s weaknesses.”

Dawson’s website runs a program called Omnivox, which allows students to add, drop and change classes online. The site also stores a backlog of thousands of social insurance numbers, home addresses, phone numbers and a litany of other information that was vulnerable even to a novice hacker, according to Al-Khabaz.

After initially alerting his college and Skytech, he says he was commended for his work.

But when Al-Khabaz continued to scan Omnivox for holes, he says he was expelled from his school, given zeros across his college transcripts and forced to pay back thousands of dollars in grants awarded to him by Quebec’s student aid program.

Al-Khabaz says he was threatened with police action if he didn’t agree to meet with Skytech, show them the rest of their vulnerabilities and sign a non-disclosure agreement preventing him from discussing the security lapses.

In an interview with the National Post, a representative from Skytech acknowledged mentioning a potential police investigation into Al-Khabaz’s actions.

On Monday, Dawson College issued a statement disputing Al-Khabaz’s version of events, claiming “the college has no recourse but to take the appropriate measure to sanction the student.”

A spokesperson for the downtown CEGEP could not elaborate on the circumstances surrounding Al-Khabaz’s expulsion, citing confidentiality laws.

A network security expert says the young man is not at fault and should be rewarded for pointing out what is becoming an all-too-common problem throughout Canada.

Terry Cutler, who runs a Montreal-based data security firm called Digital Locksmiths, says Dawson’s alleged security blunder could have cost the school millions.

“It’s common, it’s something you see all the time. For instance, a high school hired me after one kid hacked into their network, changed his grades, changed his friends’ grades and downgraded his enemies’ grades. This is a high school kid, not someone who went to MIT.”

But for his part, Al-Khabaz says he hasn’t completely lost faith in the Montreal-based web firm.

“I had a really bad feeling about Dawson’s site but that doesn’t mean it’s the same with Skytech’s other clients,” he said. “They need to up their game with Dawson, that’s all I can say.”

A representative from Skytech did not return The Gazette’s phone calls or emails.
