<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Ethical Hacker by Terry Cutler</title>
	<atom:link href="http://www.terrycutler.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.terrycutler.com</link>
	<description>Hackers are here. Where are you?</description>
	<lastBuildDate>Wed, 22 May 2013 02:56:29 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>End-user awareness is the missing link in cyber security</title>
		<link>http://www.terrycutler.com/2013/05/end-user-awareness-is-the-missing-link-in-cyber-security/</link>
		<comments>http://www.terrycutler.com/2013/05/end-user-awareness-is-the-missing-link-in-cyber-security/#comments</comments>
		<pubDate>Sat, 18 May 2013 12:22:39 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1587</guid>
		<description><![CDATA[<p>&#160; Fri, 2013-05-17 03:56 PM Original source is http://www.gsnmagazine.com/node/29499?c=cyber_security By: Megan Horner Nobody can argue that cyber security and data privacy have become hot topics this year. The buzz has been felt world-wide, as people strategize on both offensive and defensive aspects. When &#8230;<br /> <a href="http://www.terrycutler.com/2013/05/end-user-awareness-is-the-missing-link-in-cyber-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/05/end-user-awareness-is-the-missing-link-in-cyber-security/">End-user awareness is the missing link in cyber security</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[
<p>Fri, 2013-05-17 03:56 PM Original source is <a href="http://www.gsnmagazine.com/node/29499?c=cyber_security">http://www.gsnmagazine.com/node/29499?c=cyber_security</a></p>
<div>
<div>By: <a href="http://www.gsnmagazine.com/author/29498/megan_horner" target="_blank">Megan Horner</a></div>
<div><a href="http://www.gsnmagazine.com/node/29499?c=cyber_security"><img class="alignleft colorbox-1587" style="margin-left: 10px; margin-right: 10px;" title="End-user awareness is the missing link in cyber security Megan Horner" alt="End-user awareness is the missing link in cyber security Megan Horner" src="http://www.gsnmagazine.com/sites/default/files/imagecache/fullsize/Megan%20Horner%20WEB.jpg" width="121" height="150" /></a>Nobody can argue that cyber security and data privacy have become hot topics this year. The buzz has been felt world-wide, as people strategize on both offensive and defensive aspects. When cyber security is mentioned, many reflexively jump to thoughts of firewalls, complex passwords and malware protection.</div>
<p>But one of the most important and often overlooked security defenses is end-user awareness. It requires everyone working within an organization to exercise due diligence to protect the integrity of the network’s infrastructure. Educating all employees provides a more holistic and long-lasting solution.</p>
<p>Simply installing the latest product on a machine isn’t a foolproof plan. Threats are where you least expect them, and a recent “mock breach” mounted by <a href="http://digitallocksmiths.ca/">Digital Locksmiths</a>, a security services company, proves just that.</p>
<p>Digital Locksmiths was recently hired by a large manufacturing firm to ensure that all bases were covered when it came to potential security vulnerabilities. They started their assessment by attempting to hack into the company’s infrastructure using common methods such as eavesdropping, password cracking, DoS attacks and sniffing. The network was impenetrable, but they didn’t stop there. Instead, they chose another, often ignored, route. Armed with a smile and a buttoned-up shirt, Terry Cutler, their lead ethical hacker, entered the facility posing as an innocent passerby with an urgent need to use the restroom. The receptionist smiled and buzzed him into the facility. Once inside, Cutler took two programmed USB keys from his pocket and dropped them on top of the toilet paper holders in each stall. Then he headed back to his office where, as he expected, the USB keys had been brought to life by unsuspecting employees who might have just opened their company up to a massive breach.</p>
<p>Social engineers manipulate people using tricks and tactics, so they are basically spoon-fed confidential information. This is the main reason end-user compliance is so important.</p>
<p>The example shared above is known as “baiting,” a physical tactic where a device is placed in a location where it is sure to be found, and the attacker simply waits for a curious onlooker to pick up the device and plug it into his or her PC. One of the most common types of social engineering attacks, phishing, also happens to be one of the simplest. It involves sending an email from what appears to be a legitimate source requesting verification or prompting a responsive action. A real example, which Digital Locksmiths once used, was to search for corporate employees on Facebook, LinkedIn and Twitter. Cutler then searched for a common interest and sent an intriguing message like, “I noticed you’re into fishing, have you tried out this sonar gadget to help your catch?” along with a link to exploit code. Once a target clicks this kind of credible link, the attacker is able to pull screenshots, monitor keystrokes and even take an encrypted username and password to be used in what’s called a “Pass the Hash” attack.</p>
<p>Many companies employ over-worked, under-paid and under-trained system administrators. The lack of educated users and admins can lead to the downloading of infected files. Information security is a complex and specialized field, which means it is crucial that governments and civilians receive specialized cyber security training. This training is extremely low cost compared to the financial pain companies may have to endure if their network becomes vulnerable to attackers.<br />
<strong>Megan Horner is the marketing coordinator for <a href="http://www.trainace.com/">TrainACE</a>. She can be reached at: </strong><strong><a href="mailto:mhorner@trainace.edu">mhorner@trainace.edu</a></strong></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/05/end-user-awareness-is-the-missing-link-in-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Family Friendly Social Site is Leaving Your Kids&#8217; Information Unprotected for Hackers to Find</title>
		<link>http://www.terrycutler.com/2013/05/shutterfly/</link>
		<comments>http://www.terrycutler.com/2013/05/shutterfly/#comments</comments>
		<pubDate>Mon, 13 May 2013 19:21:26 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1570</guid>
		<description><![CDATA[<p>Many people believe that once we are behind a computer, we become anonymous. Of course, we should protect ourselves by not posting any sensitive  information on public online spaces, but there are many other ways that you and your family &#8230;<br /> <a href="http://www.terrycutler.com/2013/05/shutterfly/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/05/shutterfly/">Family Friendly Social Site is Leaving Your Kids&#8217; Information Unprotected for Hackers to Find</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/05/SHUTTERFLY-LOGO-2010-1.jpg"><img class="alignleft size-medium wp-image-1574 colorbox-1570" style="margin-right: 10px; margin-left: 10px;" title="Family Friendly Social Site is Leaving Your Kids' Information unprotected for Hackers to Find shutterfly" alt="Family Friendly Social Site is Leaving Your Kids' Information unprotected for Hackers to Find shutterfly" src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/05/SHUTTERFLY-LOGO-2010-1-300x300.jpg" width="300" height="300" /></a>Many people believe that once we are behind a computer, we become anonymous. Of course, we should protect ourselves by not posting any sensitive information on public online spaces, but there are many other ways that you and your family could be easily found without sharing any distinct personal details. Another aspect of cyber security that Digital Locksmiths works with is online safety, particularly for children.</p>
<p>It goes without saying that you should not post personal information in dangerous places like chatrooms, but what about websites that are designed to be safe and family-friendly? It has recently become known that the popular photosharing site <a href="http://www.motherjones.com/politics/2013/05/shutterfly-teamsnap-eteamz-ssl-hackers-kids-data" target="_blank">Shutterfly has been untruthful about its privacy policies</a>. Although the site claims in its <a href="http://www.shutterfly.com/xp/privacy.jsp" target="_blank">privacy policy</a> to be entirely protected by SSL (a cryptographic protocol that keeps online communications secure), the website is using the encryption for only some parts of the site. Other popular applications, such as Shutterfly’s free “Team” service, are not protected. The Shutterfly “Team” service has a partnership with the American Youth Soccer Organization (AYSO), and encourages parents and coaches to sign up their athletic groups so they can have a central location to share team photos and roster information, including home addresses, contact information, gender, schools, jersey numbers, and game schedules. While it is great that Shutterfly is securing its users’ credit cards, isn’t it concerning that they are not protecting children?</p>
<p>According to the Mother Jones article, Shutterfly representatives have been aware of this problem for at least six months, but have not taken any steps to remediate the issue or warned users that the details about their children are unprotected. Suddenly, this sensitive information could become accessible to anyone with basic tech skills and knowledge of cookie-catching software.</p>
<p>Two popular programs, Firesheep and CookieCadger, have been circulating on the Internet since 2011 and make hijacking unsuspecting users’ personal accounts quick and easy. Provided the attacker is on the same wifi network (e.g. in a coffee shop or another hotspot that isn’t password protected), programs like Firesheep and CookieCadger let them gain access to even your password-protected websites with a couple of clicks. This is because once you have entered your password, sites like Shutterfly that are not entirely SSL-protected stop using SSL, so someone running Firesheep or CookieCadger can see that you’ve logged into these pages and gain access to them as well. They would then be able to view all of the sensitive information held in that account. In the case of Shutterfly, they would know everything about where your child lives, how old they are, what school they go to, and where they will be and when.</p>
<p>When using websites that you are trusting with personal information, it is crucial to read the privacy policy to confirm that they are protecting your sensitive data. We are living in a digital age, and we must be wary of the bad guys lurking around the web for vulnerable information. For more information on how to keep kids safe online, check out <a href="https://www.youtube.com/watch?v=_GZ4Q9dG9Fw" target="_blank">my seminar</a> that I did in partnership with the Lester B. Pearson School Board in 2011 and 2012.</p>
<p><a href="http://www.twitter.com/terrypcutler" target="_blank">@terrypcutler</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/05/shutterfly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The USB Keys in the Urinal</title>
		<link>http://www.terrycutler.com/2013/05/the-usb-keys-in-the-urinal/</link>
		<comments>http://www.terrycutler.com/2013/05/the-usb-keys-in-the-urinal/#comments</comments>
		<pubDate>Thu, 02 May 2013 03:47:54 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Interviews]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1554</guid>
		<description><![CDATA[<p>&#160; View the original source article and comments at http://www.ifsecglobal.com/author.asp?section_id=3030&#38;doc_id=559682&#38; &#160; I  am a Certified Ethical Hacker, which basically means I get paid by companies to  hack into their networks. My  company, Digital Locksmiths, was hired by a manufacturing firm &#8230;<br /> <a href="http://www.terrycutler.com/2013/05/the-usb-keys-in-the-urinal/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/05/the-usb-keys-in-the-urinal/">The USB Keys in the Urinal</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<h2><span style="color: #ff0000;">View the original source article and comments at</span> <a href="http://www.ifsecglobal.com/author.asp?section_id=3030&amp;doc_id=559682">http://www.ifsecglobal.com/author.asp?section_id=3030&amp;doc_id=559682</a></h2>
<p><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/05/075924_426485.jpg"><img class="size-medium wp-image-1556    alignleft colorbox-1554" style="margin-left: 10px; margin-right: 10px;" title="Terry Cutler Certified Ethical Hacker" alt="Terry Cutler Certified Ethical Hacker" src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/05/075924_426485-200x300.jpg" width="200" height="300" /></a></p>
<p>I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks.</p>
<p>My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to try and expose any security vulnerabilities that might be lurking in the ether.</p>
<p>A company&#8217;s external infrastructure &#8212; including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet &#8212; is typically considered the primary target of security attacks. So that&#8217;s where we start.</p>
<p>Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service, and remote controls. In this case, I tried attacking the firewall systems with every trick in our digital lock picker&#8217;s toolkit, but to no avail: The network was locked tight, so to speak.</p>
<p>So I told myself, “Screw it. I&#8217;m going in.” You see, companies that have an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.</p>
<p>First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company&#8217;s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.</p>
<p>I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don&#8217;t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I&#8217;d regret ordering that super-sized drink!”</p>
<p>She smiled &#8212; a good sign &#8212; and buzzed me in. Once I was inside the men&#8217;s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.</p>
<p>I quickly gave myself a thumbs-up in the mirror, strolled back to the lobby and flashed the receptionist a big smile as I walked out the door.</p>
<p>I drove back to my office and waited, because as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto run and execute a remote connection to my computer.</p>
<p>This would give me instant access and the ability to &#8216;pass the hash.&#8217; Note that I&#8217;m not talking about the good ol&#8217; college days here &#8212; we&#8217;re essentially taking the encrypted credentials for the computer&#8217;s owner and passing them to the company&#8217;s own server, mimicking a real, normal login.</p>
<p>In a short time, my computer sprang to life: With the ability now to log into the company&#8217;s network, I was poised to unleash all kinds of mayhem &#8212; from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user&#8217;s desktop.</p>
<p>Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting how people react in certain situations.</p>
<p>My &#8216;Big Gulp&#8217; ruse was a success because, by and large, people are inclined to be helpful. And it&#8217;s true &#8212; curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what&#8217;s on the thing and plug it in to find out. (In fact, my backup plan should my men&#8217;s-room story have failed was to tell the receptionist that someone dropped this USB stick on the floor and hand it to her.)</p>
<h2>Defending against modern attackers</h2>
<p>This episode underscores the fact that security involves more than just protection of your network&#8217;s firewall. Internal threats are real &#8212; and they aren&#8217;t all necessarily the work of a disgruntled employee.</p>
<p>Employees need to understand that security threats can be triggered in numerous ways and be trained on how to protect against possible security threats that may be masquerading as something perfectly innocuous &#8212; like the guy next door. A simple policy like mandating only one type of USB device for internal use might have prevented me from gaining access to the network in this case.</p>
<p>Companies also need to recognize when they have a problem &#8212; and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered throughout firewall, application, router, and log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate and put that data to use.</p>
<p>Security professionals need to put in place the technologies and processes that give them access to security logs, along with some type of log management to extract the information required to keep the infrastructure secure.</p>
<p>Better yet, they can deploy a Security Information and Event Management (SIEM) system to collect and correlate that data, along with a process to integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.</p>
<p>While it&#8217;s true that security threats have become more menacing, remember that security defenses also have become more powerful. Make sure you take the necessary steps to protect your infrastructure and your data.</p>
<p><em>Terry Cutler is a co-founder of <a href="http://www.digitallocksmiths.ca/" target="_blank">Digital Locksmiths</a>, an IT security and data defense firm based in Montreal, and serves as the company&#8217;s Chief Technology Officer and Certified Ethical Hacker. You can follow him on Twitter <a href="http://www.twitter.com/terrypcutler" target="_blank">@terrypcutler</a></em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/05/the-usb-keys-in-the-urinal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anatomy of Cross Site Scripting (XSS) Attacks</title>
		<link>http://www.terrycutler.com/2013/04/anatomy-of-cross-site-scripting-attacks/</link>
		<comments>http://www.terrycutler.com/2013/04/anatomy-of-cross-site-scripting-attacks/#comments</comments>
		<pubDate>Tue, 16 Apr 2013 19:34:46 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1531</guid>
		<description><![CDATA[<p>Anatomy of Cross Site Scripting Attacks Many Web applications include unfiltered user input, such as text entered into forms, in their own output. This flaw allows attackers to inject malicious URLs into emails, social media communications, forum posts and more. &#8230;<br /> <a href="http://www.terrycutler.com/2013/04/anatomy-of-cross-site-scripting-attacks/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/04/anatomy-of-cross-site-scripting-attacks/">Anatomy of Cross Site Scripting (XSS) Attacks</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[
<h2>Anatomy of Cross Site Scripting Attacks</h2>
<p><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/04/xss.jpg"><img class="alignleft size-medium wp-image-1547 colorbox-1531" style="margin-left: 10px; margin-right: 10px;" title="How a Cross Site Scripting Attack Works " alt="How a Cross Site Scripting Attack Works " src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/04/xss-300x111.jpg" width="300" height="111" /></a>Many Web applications include unfiltered user input, such as text entered into forms, in their own output. This flaw allows attackers to inject malicious URLs into emails, social media communications, forum posts and more. Since the response to a user request is delivered from a trusted site, the client browser follows the same origin policy and executes the malicious script. The code might do any number of things including transmit session tokens and cookies or modify page HTML. The modified HTML pages could deliver an infected PDF through an iFrame to try and compromise visitors as they arrive. As the scripts target client-side browsers, even read-only websites can be vectors for XSS attacks.</p>
<p>An attack script running under the same permissions as an unsuspecting user could compromise a customer entering financial information or a Web administrator with superuser access to an entire website. Admin-level exploits include posting malicious content, exposing sensitive files, altering logs to cover evidence of other attacks, and even deleting sites.</p>
<p>Cross-site scripting attacks exploit dynamic Web content and insecure Web development practices. Web scripts parse and manipulate user input, allowing users to interactively submit and retrieve information, log in to accounts, socialize, and many other activities. If applications do not properly validate user input, attackers can inject malicious code into otherwise innocent vectors. Many Web applications are developed with security flaws in rapid coding environments that shortchange coding and testing from a security perspective. Design requirements might not adequately specify how the application should filter input, and test plans often do not include test cases for robust error checking.</p>
<h2>Reflected XSS Attacks</h2>
<p>A reflected or non-persistent attack sends users a link containing malicious code via email, search engine, instant message or other communication. The link is to a trusted website that reflects the code back to the user’s browser in the form of search results or other content. The client browser follows the same origin policy and executes the malicious script from the trusted site. Reflected attacks are often delivered via JavaScript and are the most common type of XSS exploit.</p>
<h2>Stored XSS Attacks</h2>
<p>In a stored or persistent attack, the malicious script is stored in a database, blog post or other permanent location on the target server where it can be repeatedly accessed. When a user requests the compromised information, the script executes and sends data back to the attacker’s server.</p>
<p>For example, an attacker seeds a user list with a link to the attack server. When an unsuspecting forum administrator clicks on the link, the session ID information with admin privileges is sent to the attacker, who now has superuser access to the victim system for as long as the session persists.</p>
<h2>HTML-Based Attack Vectors</h2>
<p>Attackers can hide malicious code within HTML constructs deployed on Web pages and in HTML-formatted emails. In addition to the commonly used script tag and event-handler attributes such as onmouseover and onerror, attackers can disguise a UTF-8 encoded string in an IMG or META tag to pass certain kinds of validation by the Web application. For instance, an attack might bait users by displaying a legitimate-sounding message on a trusted website. However, following the innocuous message is an invisible XSS script hidden between tags. If the user clicks on the link to display the bait message, the client browser executes the script.</p>
<p>While identifying all of an application&#8217;s vulnerabilities is time-consuming, the payoff of a thorough code review is worth it. Developers and testers should also seek better and continuous training in application security practices. Investing in a defensive mindset at the design and test phases reduces the burden on administrators and the victimized public.</p>
<p><strong>About the Authors</strong></p>
<p><a href="https://plus.google.com/u/0/108360956002935408468/about" rel="author">Megan Horner</a> is the Marketing and Public Relations Coordinator for the highly awarded IT certification, cyber security, and <a href="http://www.trainace.com/">online training</a> company, TrainACE.</p>
<p><a href="http://www.terrycutler.com/the-ethical-hacker-about-me/">Terry Cutler</a> is a co-founder of <a href="http://www.digitallocksmiths.ca">Digital Locksmiths</a>, an IT security and data defense firm based in Montreal, and serves as the company&#8217;s Chief Technology Officer and Certified Ethical Hacker. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. He has appeared in numerous national television and radio programs and is very active on the conference circuit.</p>
<p>Follow Terry on Twitter at <a href="http://www.twitter.com/terrypcutler" target="_blank">@TerryPCutler</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/04/anatomy-of-cross-site-scripting-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internal vs. External Threats</title>
		<link>http://www.terrycutler.com/2013/03/internal-vs-external-threats/</link>
		<comments>http://www.terrycutler.com/2013/03/internal-vs-external-threats/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 04:25:53 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1522</guid>
		<description><![CDATA[<p>Internal vs. External Threats We are living in a world where cyber security is a top priority for all governments and businesses. In fact, last week the United States announced cyber security as its biggest. James Clapper, the Director of &#8230;<br /> <a href="http://www.terrycutler.com/2013/03/internal-vs-external-threats/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/03/internal-vs-external-threats/">Internal vs. External Threats</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<h2>Internal vs. External Threats</h2>
<div id="attachment_1523" class="wp-caption alignleft" style="width: 310px"><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/keyboard.jpg"><img class="size-medium wp-image-1523  colorbox-1522" style="margin-left: 10px; margin-right: 10px;" title="Internal vs. External Threats" alt="Internal vs. External Threats" src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/keyboard-300x214.jpg" width="300" height="214" /></a><p class="wp-caption-text">Courtesy of it-security.isdecisions.com</p></div>
<p>We are living in a world where cyber security is a top priority for all governments and businesses. In fact, last week the United States announced cyber security as its biggest threat. James Clapper, the Director of National Intelligence, says that “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.” Hackers are able to get ahead of governments because they are applying technology faster than many can understand it. (<a href="http://ca.reuters.com/article/technologyNews/idCABRE92B0LS20130312">http://ca.reuters.com/article/technologyNews/idCABRE92B0LS20130312</a>)</p>
<p>These attackers are persistent, and being aware of the methods hackers use is an important step towards defending sensitive company data.</p>
<p>When a hacker strikes, the cost to a company could potentially be millions of dollars. Not only will it affect the bottom line, but hard-earned reputations can be compromised or destroyed.</p>
<p>It is important to recognize the difference between the two kinds of cyber threats: external and internal. An external, or outsider, threat is much trickier to pinpoint. It can come “from someone that does not have authorized access to the data and has no formal relationship to the company.” It could be someone actively targeting the company, or arise accidentally when someone finds a lost mobile device.</p>
<p>&nbsp;</p>
<p>Internal threats are likely to come from an authorized individual that has easy access to sensitive corporate data as part of their day-to-day duties. This could be anyone working within the company or acting as a third party representative. The Global Knowledge Blog states that insiders have a much greater advantage because they have  means, motive, and opportunity, whereas outsiders most often only have a motive. (<a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/">http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/</a>)</p>
<p>When focusing on internal threats, we have made a digital security check list:</p>
<ol>
<li>Implement an Intrusion Detection System (IDS). These systems act like security cameras watching a network. They react to suspicious activity by logging off suspect users or, in some cases, by reconfiguring firewalls to stop a possible intrusion.</li>
<li>Implement a log management platform that centralizes all the logs, correlates them to find threats, and alerts on them.</li>
<li>Stay proactive with Identity Management systems that monitor high-risk or suspicious user activity by detecting and correcting situations that are out of compliance or present a security risk.</li>
<li>Be aware of who has keys and access codes to vulnerable information. Monitor activity whenever these spaces are accessed, whether authorized or not.</li>
<li>Create security policies covering what happens when employees with these privileges leave the company or are terminated. This reduces the risk of theft through careless behaviour, or of break-ins by disgruntled former employees.</li>
<li>Get employees involved in the security procedures of the company. As a team, you can strengthen your digital security practices by keeping everyone up to date on the latest training and challenges.</li>
</ol>
<p>Spear phishing is an extremely effective way for hackers to get in. Even though this is an outsider threat, once they trick an innocent employee into clicking on the malicious link, that employee’s PC can be controlled by the outsider, who now has insider access.</p>
<p>If you’d like to see an eye-popping example where I claim I’d be able to hack into almost any company using a fake LinkedIn request, then you’ll want to see the keynote talk I presented in Salt Lake City to 2,500 people. <a href="http://www.terrycutler.com/2010/03/my-keynote-seminar-to-2500-people-in-salt-lake-city-2/">http://www.terrycutler.com/2010/03/my-keynote-seminar-to-2500-people-in-salt-lake-city-2/</a></p>
<p>Lastly, I highly recommend you hire a third party security firm to evaluate your network for vulnerabilities and implement the recommended preventative measures. During these assessments you’ll be able to truly see where all your weaknesses are in your company.</p>
<p>Follow me on Twitter <a href="http://www.twitter.com/terrypcutler">@terrypcutler</a></p>
<p>The post <a href="http://www.terrycutler.com/2013/03/internal-vs-external-threats/">Internal vs. External Threats</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/03/internal-vs-external-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information leaked from Montreal police SPVM website not sensitive and already public</title>
		<link>http://www.terrycutler.com/2013/03/spvm-hack/</link>
		<comments>http://www.terrycutler.com/2013/03/spvm-hack/#comments</comments>
		<pubDate>Fri, 22 Mar 2013 00:46:39 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Interviews]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[TV Interviews]]></category>
		<category><![CDATA[TV Media]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1513</guid>
		<description><![CDATA[<p>Information leaked from Montreal police SPVM website not sensitive and already public Wed, Mar 20: Terry Cutler CTO and Certified Ethical Hacker with Digital Locksmiths discusses the potential data breach at SPVM revealing sensitive information which was confirmed to be &#8230;<br /> <a href="http://www.terrycutler.com/2013/03/spvm-hack/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/03/spvm-hack/">Information leaked from Montreal police SPVM website not sensitive and already public</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<h2>Information leaked from Montreal police SPVM website not sensitive and already public</h2>
<p><iframe src="http://www.youtube.com/embed/Kox1yShRZpQ" height="315" width="420" allowfullscreen="" frameborder="0"></iframe></p>
<p>Wed, Mar 20: Terry Cutler, CTO and Certified Ethical Hacker with Digital Locksmiths, discusses the potential data breach at SPVM revealing sensitive information, which was confirmed to be fake by Montreal Police.</p>
<p><img class="alignleft colorbox-1513" style="width: 483px; height: 330px; margin-right: 10px; margin-left: 10px;" title="Information leaked from Montreal police SPVM website not sensitive and already public" alt="The information pulled from the Montreal police website was uploaded to Dropbox, a file-sharing service." src="http://cbc.ca/gfx/images/news/topstories/2013/03/20/hi-web-police-852-8col.jpg" width="375" height="223" />The information pulled off the Montreal police&#8217;s website and put into a Dropbox by an unknown individual or group this week wasn&#8217;t sensitive to begin with, said Montreal police spokesman Cmdr. Ian Lafrenière.</p>
<p>The names, job details and office phone numbers of about 100 employees were posted online in a free file-sharing program.</p>
<p>But Lafrenière said the details released are not sensitive and were already publicly accessible on the Internet.</p>
<p>&#8220;It&#8217;s information that you can gather yourself,&#8221; he said.</p>
<p>&#8220;It&#8217;s not even a secret, it&#8217;s not even illegal, but putting all that together in a Dropbox &#8212; for us, we consider that as intimidation.&#8221;</p>
<p>Though he said it may not have been illegal to gather the information, making it available in one location, accompanied by pictures of people named by the group as undercover officers, amounts to police intimidation &#8212; which is illegal.</p>
<p>&#8220;There is an investigation because this is clearly intimidation,&#8221; Lafrenière said.</p>
<p>He said the pictures in the Dropbox were not of undercover agents, but rather just ordinary people presumed by those behind the attack to be officers.</p>
<p>&#8220;I got bad news for them: a lot of pictures they put there, it&#8217;s not even a police officer. We know these people and they are not police officers,&#8221; he said.</p>
<p><a href="http://www.cbc.ca/news/canada/montreal/story/2013/03/20/montreal-police-spvm-website-hacked.html">http://www.cbc.ca/news/canada/montreal/story/2013/03/20/montreal-police-spvm-website-hacked.html</a></p>
<p>Terry Cutler is a co-founder of Digital Locksmiths, Inc. (<a href="http://www.digitallocksmiths.ca">http://www.digitallocksmiths.ca</a>) &#8212; an IT security and data defense firm based in Montreal &#8212; and serves as the company&#8217;s Chief Technology Officer. Terry&#8217;s career in the IT security space prior to his joining Digital Locksmiths has been long and distinguished. He was most recently a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production, and before that he held digital security leadership roles with a number of large corporations. Through the International Council of Electronic Commerce Consultants (EC-Council), Terry earned the rank of Certified Ethical Hacker in recognition of his having mastered a range of industry best practices to thwart hackers by knowing how they think and operate from the inside out. In addition to being a licensed private investigator in Canada, Terry is an active member of both the High Technology Crime Investigation Association and the Center for Internet Security. An internationally known author, trainer, speaker, and security consultant, Terry has appeared in numerous television and radio programs and is very active on the conference circuit. More at <a href="http://www.terrycutler.com">http://www.terrycutler.com</a></p>
<p>The post <a href="http://www.terrycutler.com/2013/03/spvm-hack/">Information leaked from Montreal police SPVM website not sensitive and already public</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/03/spvm-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Canadian Government and Corporations are operating with false sense of security</title>
		<link>http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/</link>
		<comments>http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/#comments</comments>
		<pubDate>Thu, 14 Mar 2013 14:08:02 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1498</guid>
		<description><![CDATA[<p>Canadian Government and Corporations are operating with false sense of security Despite the realization of the possibility of more cyber threats coming, it seems that governments are still in denial about the magnitude a cyber attack could have on their &#8230;<br /> <a href="http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/">Canadian Government and Corporations are operating with false sense of security</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<h2>Canadian Government and Corporations are operating with false sense of security</h2>
<p><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/armypad.jpg"><img class="size-medium wp-image-1499 alignleft colorbox-1498" style="margin-right: 10px; margin-left: 10px;" title="Canadian government and Corporations are operating with false sense of security " alt="Canadian government and Corporations are operating with false sense of security " src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/armypad-300x168.jpg" width="300" height="168" /></a>Despite recognizing that more cyber threats are on the way, governments still seem to be in denial about the magnitude of the impact a cyber attack could have on their country’s safety and economy.</p>
<p>Back in 2010, CBC News published an <span style="text-decoration: underline;"><a href="http://www.cbc.ca/news/canada/story/2010/05/17/cyber-security-hack-csis.html" target="_blank">article</a></span> that I was interviewed for about a Canadian spy agency memo that was accidentally released, stating that government, university, and industry computer cyber attacks were growing “substantially.” A report done by the University of Toronto Citizen Lab, the Ottawa-based SecDev Group, and American researchers from the Shadowserver Foundation urged that governments must take immediate action in their digital security. This should include a comprehensive strategy to prevent attacks from hackers that use social media to steal confidential information.</p>
<p>At that point back in 2010, the U.S. government announced a $40-billion cyber security plan to combat attacks from both domestic and foreign hackers. Prevention of cyber terrorism was a “top defence-spending priority.”</p>
<p>About three years later, cyber threats, terrorism, and espionage have <span style="text-decoration: underline;"><a href="http://ca.reuters.com/article/technologyNews/idCABRE92B0LS20130312" target="_blank">recently been announced</a></span> as the United States’ top security threat. James Clapper, the Director of National Intelligence, says that “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.” Hackers are able to get ahead of the governments because they are applying technology faster than many can understand it.</p>
<p>Even though cyber attack prevention is the U.S.’s top security priority, recent budget cuts have been called for that could cause up to five thousand intelligence contractors to be terminated, which would set back cyber security efforts.</p>
<p>Meanwhile, here in Canada, <span style="text-decoration: underline;"><a href="http://www.backbonemag.com/Press-Releases/pressreleases03111302.aspx" target="_blank">a recent study</a> by</span> Telus and the Rotman School of Management at the University of Toronto has found a “pervasive sense of vulnerability” about IT security in many corporations; it seems as if they are set up to be hacked. Walid Hejazi, a professor of business economics at Rotman, believes that “Canadian companies are operating with a false sense of security.”</p>
<p>It’s time legislation was put in place mandating that corporations and government undergo security testing 1 to 4 times a year to stay vigilant.</p>
<p>What would you suggest?</p>
<p>The post <a href="http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/">Canadian Government and Corporations are operating with false sense of security</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/03/canadian-government-and-corporations-are-operating-with-false-sense-of-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The Brent Loucks Show &#8211; Computer held for Ransom !</title>
		<link>http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/</link>
		<comments>http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 15:54:05 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Interviews]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Radio Interviews]]></category>
		<category><![CDATA[Radio Media]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1483</guid>
		<description><![CDATA[<p>Broadcast Date/Time: Wed, 2013-03-06 07:15 Click here to listen to the interview   Terry_Cutler_Brent Loucks_Show_Mar6 Computer held for ransom ? Click here for removal instructions  http://www.microsoft.com/security/portal/shared/ransomware.aspx Protecting your computer &#38; network from Ransomware and other online fraud. Terry Cutler, Certified Ethical &#8230;<br /> <a href="http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/">The Brent Loucks Show &#8211; Computer held for Ransom !</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<div>
<div>Broadcast Date/Time: Wed, 2013-03-06 07:15</div>
<p>Click here to listen to the interview: <a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/Terry_Cutler_Brent-Loucks_Show_Mar6.mp3">Terry_Cutler_Brent Loucks_Show_Mar6</a></p>
<h2>Computer held for ransom?</h2>
<p>Click here for removal instructions: <a href="http://www.microsoft.com/security/portal/shared/ransomware.aspx">http://www.microsoft.com/security/portal/shared/ransomware.aspx</a></p>
<div>Protecting your computer &amp; network from Ransomware and other online fraud. Terry Cutler, Certified Ethical Hacker and co-founder of Digital Locksmiths, Inc. [<a href="http://www.digitallocksmiths.ca/" target="_blank">http://www.terrycutler.com</a>] – an IT security and data defense firm based in Montreal.</div>
<h1>What is ransomware?</h1>
<p><a href="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/ransomware-demand.jpg"><img class="alignleft size-medium wp-image-1484 colorbox-1483" style="margin-right: 10px; margin-left: 10px;" title="Computer held for ransom" alt="Ransomware is a type of malware that prevents you from using your computer or accessing your data until you pay a certain amount (the &quot;ransom&quot;) to a remote entity." src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/ransomware-demand-300x208.jpg" width="300" height="208" /></a>Ransomware is a type of malware that prevents you from using your computer or accessing your data until you pay a certain amount (the &#8220;ransom&#8221;) to a remote entity. There are two types of ransomware:</p>
<ul>
<li>Lockscreen ransomware, which displays a full-screen image or webpage that prevents you from accessing anything in your computer, and</li>
<li>Encryption ransomware, which encrypts your files with a password, preventing you from opening them</li>
</ul>
<p>Most ransomware displays a notification saying that the authorities in your location have detected illegal activity on your computer. To avoid prosecution and regain access to your files, the ransomware demands payment from you in the form of a &#8220;fine&#8221;.</p>
<p><b>Paying the &#8220;fine&#8221; does not necessarily return your computer to a usable state. We do not advise that you pay. With ransomware, the threat of prosecution does not come from the legitimate authorities.</b></p>
</div>
<p><a href="http://ckom.com/category/show-name/brent-loucks-show">http://ckom.com/category/show-name/brent-loucks-show</a></p>
<p>The post <a href="http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/">The Brent Loucks Show &#8211; Computer held for Ransom !</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/03/the-brent-loucks-show-computer-held-for-ransom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/03/Terry_Cutler_Brent-Loucks_Show_Mar6.mp3" length="4610926" type="audio/mpeg" />
		</item>
		<item>
		<title>Student expelled from Dawson College for exposing security flaw</title>
		<link>http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/</link>
		<comments>http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/#comments</comments>
		<pubDate>Mon, 21 Jan 2013 20:11:01 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Interviews]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[TV Interviews]]></category>
		<category><![CDATA[TV Media]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1104</guid>
		<description><![CDATA[<p>Mon, Jan 21: Terry Cutler CTO and Certified Ethical Hacker with Digital Locksmiths discusses a Student expelled from Dawson College for exposing security flaw in his school&#8217;s computer system. &#160; MONTREAL &#8211; Most students don&#8217;t see any silver linings when they &#8230;<br /> <a href="http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/">Student expelled from Dawson College for exposing security flaw</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<div>
<h4>Mon, Jan 21: Terry Cutler, CTO and Certified Ethical Hacker with Digital Locksmiths, discusses a student expelled from Dawson College for exposing a security flaw in his school&#8217;s computer system.</h4>
<p><iframe src="http://www.youtube.com/embed/2LZgla0X9Yk?feature=player_detailpage" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
<h4><a href="http://www.youtube.com/digitallocksmiths" rel="attachment wp-att-884"><img class="alignleft size-medium wp-image-884 colorbox-1104" style="margin-right: 10px; margin-left: 10px;" alt="Student expelled from Dawson College for exposing security flaw" src="http://www.terrycutler.com/wordpress/wp-content/uploads/2012/02/Global-Montreal-graphic-620-300x225.gif" width="212" height="141" /></a>MONTREAL &#8211; Most students don&#8217;t see any silver linings when they get expelled from school. Ahmed Al-Khabaz isn&#8217;t one of them.</h4>
<p>He&#8217;s getting job offers from computer software companies — including one whose security flaw he found while rooting around in Dawson College&#8217;s system.</p>
<p>&#8220;I think I&#8217;ll move on,&#8221; Al-Khabaz said Tuesday, adding he enjoyed attending Dawson College until he was kicked out in November.</p>
<p>&#8220;I&#8217;ll take one of those job offers I&#8217;ve got and I&#8217;ll apply to another English (junior college) in September.&#8221;</p>
<p>Al-Khabaz says he has been offered employment by the president of Skytech Communications, which provides the software for Dawson&#8217;s system. Another 10 or so offers are also on the table.</p>
<p>A Skytech spokesman was not immediately available for comment.</p>
<p>Al-Khabaz, 20, became persona non grata at Dawson after discovering a major security flaw in the school&#8217;s computer system while working on a class project.</p>
<p>At a news conference on Tuesday, Dawson director-general Richard Filion acknowledged Al-Khabaz had found the flaw but said he was expelled after he repeatedly tried to gain access to areas of the college information system where he had no authorization.</p>
<p>Filion said the student was kicked out because he breached the college&#8217;s code of professional conduct.</p>
<p>&#8220;Dawson College has the responsibility to instil the principles of proper conduct in the workplace so that employers hiring our graduates know they are responsible citizens and qualified workers who understand how to behave in a professional environment,&#8221; Filion said.</p>
<p>Francois Paradis, the college&#8217;s director of information services, said Al-Khabaz was warned after being sighted twice in Dawson&#8217;s system before he reported the computer flaw. Paradis said Al-Khabaz was spotted again after being told about limitations on tests he could conduct after finding the flaw.</p>
<p>Dawson said it was speaking out because of what it called inaccuracies in a media barrage in the last 24 hours that has seen Al-Khabaz gain support from students beyond Montreal.</p>
<p>In Ottawa, Adam Awad, national chairperson of the Canadian Federation of Students, accused Dawson of being more interested in protecting its own image than guarding students&#8217; personal data.</p>
<p>&#8220;The administration chose to punish the whistle-blower in hopes that the problem would quietly go away,&#8221; Awad said as he called for Al-Khabaz to be reinstated.</p>
<p>Filion said Dawson considered pushing for criminal charges against Al-Khabaz but the institution decided to deal with the matter on an academic level and leave any further action to Skytech.</p>
<p>Speaking to reporters after Dawson&#8217;s news conference, which he attended as a member of the audience, Al-Khabaz rejected the college&#8217;s version of events. He said it concentrated on &#8220;the negative stuff.&#8221;</p>
<p>&#8220;I was just scanning the software because I was scared for our data,&#8221; he said.</p>
<p>The student said he also asked for permission to do the later scan when he was told he was not authorized to carry out the task.</p>
<p>He said he had three meetings with college officials and explained what he was doing.</p>
<p>&#8220;I really wanted to help,&#8221; said Al-Khabaz.</p>
<p>He rejected the college&#8217;s characterization of his activity as an attack, calling the allegation &#8220;false.&#8221;</p>
<p>&#8220;A smart man would hide his identity if he was going to do that,&#8221; he said, pointing out he never tried to conceal who he was or cover his tracks.</p>
</div>
<p>The post <a href="http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/">Student expelled from Dawson College for exposing security flaw</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/01/student-expelled-from-dawson-college-for-exposing-security-flaw-global-tv-montreal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Student expelled from Dawson College for exposing security flaw &#8211; Global National Interview</title>
		<link>http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/</link>
		<comments>http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/#comments</comments>
		<pubDate>Mon, 21 Jan 2013 15:58:57 +0000</pubDate>
		<dc:creator>tcutler</dc:creator>
				<category><![CDATA[Interviews]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[TV Interviews]]></category>
		<category><![CDATA[TV Media]]></category>

		<guid isPermaLink="false">http://www.terrycutler.com/?p=1147</guid>
		<description><![CDATA[<p>Student expelled from Dawson College for exposing security flaw. He’s getting job offers from computer software companies — including one  whose security flaw he found while rooting around in Dawson College’s system. “I think I’ll move on,” Al-Khabaz said Tuesday, &#8230;<br /> <a href="http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/">Student expelled from Dawson College for exposing security flaw &#8211; Global National Interview</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><iframe src="http://www.youtube.com/embed/czDenANoHhc?feature=player_detailpage" height="360" width="640" allowfullscreen="" frameborder="0"></iframe><br />
<a href="https://www.youtube.com/digitallocksmiths" rel="attachment wp-att-1148"><img class="alignleft size-medium wp-image-1148 colorbox-1147" style="margin-right: 10px; margin-left: 10px;" alt="Student expelled from Dawson College for exposing security flaw - Global National Interview" src="http://www.terrycutler.com/wordpress/wp-content/uploads/2013/02/global-national-web-300x224.jpg" width="207" height="143" /></a>Student expelled from Dawson College for exposing security flaw.</p>
<p>He’s getting job offers from computer software companies — including one whose security flaw he found while rooting around in Dawson College’s system.</p>
<p>“I think I’ll move on,” Al-Khabaz said Tuesday, adding he enjoyed attending Dawson College until he was kicked out in November.</p>
<p>“I’ll take one of those job offers I’ve got and I’ll apply to another English (junior college) in September.”</p>
<p>Al-Khabaz says he has been offered employment by the president of Skytech Communications, which provides the software for Dawson’s system. Another 10 or so offers are also on the table.</p>
<p>A Skytech spokesman was not immediately available for comment.</p>
<p>Al-Khabaz, 20, became persona non grata at Dawson after discovering a major security flaw in the school’s computer system while working on a class project.</p>
<p>At a news conference on Tuesday, Dawson director-general Richard Filion acknowledged Al-Khabaz had found the flaw but said he was expelled after he repeatedly tried to gain access to areas of the college information system where he had no authorization.</p>
<p>Filion said the student was kicked out because he breached the college’s code of professional conduct.</p>
<p>“Dawson College has the responsibility to instil the principles of proper conduct in the workplace so that employers hiring our graduates know they are responsible citizens and qualified workers who understand how to behave in a professional environment,” Filion said.</p>
<p>Francois Paradis, the college’s director of information services, said Al-Khabaz was warned after being sighted twice in Dawson’s system before he reported the computer flaw. Paradis said Al-Khabaz was spotted again after being told about limitations on tests he could conduct after finding the flaw.</p>
<p>Dawson said it was speaking out because of what it called inaccuracies in a media barrage in the last 24 hours that has seen Al-Khabaz gain support from students beyond Montreal.</p>
<p>In Ottawa, Adam Awad, national chairperson of the Canadian Federation of Students, accused Dawson of being more interested in protecting its own image than guarding students’ personal data.</p>
<p>“The administration chose to punish the whistle-blower in hopes that the problem would quietly go away,” Awad said as he called for Al-Khabaz to be reinstated.</p>
<p>Filion said Dawson considered pushing for criminal charges against Al-Khabaz but the institution decided to deal with the matter on an academic level and leave any further action to Skytech.</p>
<p>Speaking to reporters after Dawson’s news conference, which he attended as a member of the audience, Al-Khabaz rejected the college’s version of events. He said it concentrated on “the negative stuff.”</p>
<p>“I was just scanning the software because I was scared for our data,” he said.</p>
<p>The student said he also asked for permission to do the later scan when he was told he was not authorized to carry out the task.</p>
<p>He said he had three meetings with college officials and explained what he was doing.</p>
<p>“I really wanted to help,” said Al-Khabaz.</p>
<p>He rejected the college’s characterization of his activity as an attack, calling the allegation “false.”</p>
<p>“A smart man would hide his identity if he was going to do that,” he said, pointing out he never tried to conceal who he was or cover his tracks.</p>
<p>The post <a href="http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/">Student expelled from Dawson College for exposing security flaw &#8211; Global National Interview</a> appeared first on <a href="http://www.terrycutler.com">The Ethical Hacker by Terry Cutler</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.terrycutler.com/2013/01/student-expelled-for-exposing-security-flaw-global-national-interview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
