School that expelled student hacker may have ignored 16-month-old security flaw

Dawson College stuck to its policies in expelling Hamed Al-Khabaz, but now the school must answer for its security failings

It's tough not to feel pangs of sympathy for Hamed Al-Khabaz, the 20-year-old aspiring computer scientist who was expelled from Dawson College after exposing a security flaw in the school's academic portal. Whether Al-Khabaz deserved his punishment is certainly worth questioning, though it's also worthwhile to ask why the college hadn't bothered to fix a flaw in its public-facing Web server 16 months after it had first been reported.

Based on the various reports and statements about the incident, here's what went down: In September, the student uncovered flaws in the online academic portal, exposing sensitive information -- Social Security numbers, phone numbers, and home addresses -- belonging to more than 250,000 college students. He said he stumbled across the flaw, which he attributed to "sloppy coding," while working on a project for his school's software development club.

Al-Khabaz diligently reported the flaw to the head of the institution's IT department and was praised for his efforts. He said he was told that the school would work with Skytech, the makers of the flawed Omnivox software, and would fix the problem immediately.

The trouble started two days later, when Al-Khabaz ran a vulnerability-scanning program called Acunetix to determine whether the flaw had been fixed. Almost immediately, he received a call from Edouard Taza, president of Skytech. Taza accused him of launching a cyber attack against the portal and gave him the choice between signing a nondisclosure agreement or being reported to the police. Al-Khabaz opted to sign the NDA.

Dawson College wasn't about to let Al-Khabaz off so easily. Though the school has been cagey in providing details, citing Quebec privacy law, it appears Al-Khabaz was issued an advisory that he would face expulsion if he failed to cease and desist in tampering with the portal. Unfortunately, Al-Khabaz appears to have ignored the advisory, even though his intentions may not have been malicious. Hence, the college's academic computing board voted 14-1 to expel him. What that means is, his grades for the semester will all show up as zeroes on his record; plus, he has the black mark of being expelled for unprofessional conduct.

The punishment is certainly a harsh one. But if he was warned of the consequences of his actions and he chose to ignore them, he ultimately has no one but himself to blame. Fortunately, he still has a bright future, as he's reportedly received job offers since the incident gained attention -- including one from Skytech.

One wonders, though, whether Dawson College will mete out similarly harsh justice to whoever neglected to fix a purported flaw in one of its public-facing Web servers, which was reported some 16 months ago, according to technology columnist Jon Blanchard. Per Blanchard:

"[A] primary Dawson College public domain may remain compromised following a 2011 incursion by an unknown hacker named 'iskorpitx.' That hacker appears to have successfully uploaded a 'Shell' to the domain, leaving a public 'f** file' alerting administrators of the site that a successful incursion had taken place.

As of midnight Monday, the Dawson College server still returned the file using any web browser, despite credible Twitter alerts about the compromise to @mydawsoncollege earlier that evening from multiple sources."

The presence of the f** file means a hacker successfully uploaded a shell to the domain: that is, "a script that provides a CLI to the compromised system with extensive system-level access to all records, data and nodes attached to the system regardless of the level of password protection offered by the website," per Blanchard.

An anonymous Halifax-based security researcher told Blanchard the following:

Nobody here can believe that, on the one hand, the CEGEP has the arrogance to expel this student ... But on the other, not even know about a publicly compromised webserver on its domain ... In my opinion, the existence of an f-file that old and the events leading up to the expulsion of Mr Al-Khabaz represent a pattern of unethical and completely inadequate IT security practice at Dawson College.

This story, "School that expelled student hacker may have ignored 16-month-old security flaw," was originally published on InfoWorld's Tech Watch blog.