Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000 students' personal data
- To: noloader@xxxxxxxxx
- Subject: Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000 students' personal data
- From: Julius Kivimäki <julius.kivimaki@xxxxxxxxx>
- Date: Tue, 22 Jan 2013 02:44:16 +0200
How is Omnivox's security relevant when this kid is running DoS tools on
their sites? (Acunetix is a nice database heavy HTTP flood tool.)
2013/1/22 Jeffrey Walton <noloader@xxxxxxxxx>
> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <philip@xxxxxxxxx>
> wrote:
> > Moreover, he ran it again after reporting it to see if it was still there.
> > Essentially he's doing an unauthorised pen test having alerted them that
> > he'd done one already.
> If his personal information is in the proprietary system, I believe he
> has every right to verify the security of the system.
>
> Is he allowed to "opt-out" of the system (probably not)? If not, he
> has a responsibility to check.
>
> Open question: does Canada have Security Testing and Evaluation (ST&E)
> and Reverse Engineering (RE) exemptions in its laws? Even the United
> States' DMCA has them. For reference for others in the US who may be
> subject to bullying (companies have tried it on me):
>
> DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
> and security testing and evaluation. The RE exemption is in Section
> 1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
> (i) SECURITY TESTING.
>
> > a class A moron.
> What does that make Omnivox, which appears to have done no testing?
>
> Jeff
>
> > On 21 Jan 2013, at 21:10, Benji <me@xxxxxxxxx> wrote:
> >
> > He found the vulnerability by running Acunetix against the system. He is
> > what most would describe as a class A moron.
> >
> >
> > On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures <lisfrank@xxxxxxxxxxxxxxxx>
> > wrote:
> >>
> >> A student has been expelled from Montreal’s Dawson College after he
> >> discovered a flaw in the computer system used by most Quebec CEGEPs
> >> (General and Vocational Colleges), one which compromised the security of
> >> over 250,000 students’ personal information.
> >>
> >> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
> >> member of the school's software development club, was working on a mobile
> >> app to allow students easier access to their college account when he and a
> >> colleague discovered what he describes as "sloppy coding" in the widely
> >> used Omnivox software which would allow "anyone with a basic knowledge of
> >> computers to gain access to the personal information of any student in the
> >> system, including social insurance number, home address and phone number,
> >> class schedule, basically all the information the college has on a
> >> student."
> >>
> >> http://tinyurl.com/bcdrelh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/