eWeek Security Watch
September 17, 2008 9:28 AM

Carleton University - Home of the Asinine Administrators



I remember when I got to college in 1992 there was this guy I met in my dorm who was already way tapped into the Internet and IT security and white hat hacking.

While my own computer skills consisted of playing games and knowing how to write COBOL programs that would produce groups of letters looking vaguely like Christmas trees on dot-matrix printouts, this kid was hacking into business networks and then sending reports of his findings to the companies' owners to let them know how lame their security was.

I think he lasted one semester before he quit school to go make lots of money working in IT security for one of said companies on Wall St. He's probably running his own consulting company somewhere now, or retired drinking cocktails while we all sit here at work.

Anyway, an incident reported this week in the Canadian press points out how far behind some people remain in terms of understanding the value of ethical hacking, even when someone is merely trying to help them help themselves.

Even worse, it was a case where an undergraduate college student was simply trying to inform his own school of how eminently hackable their e-mail system was, yet they're having him prosecuted for doing his work in seemingly the most ethical manner possible, when instead they should really be thanking him.

Or, you know, doing something crazy like giving him a work study job in the IT department and helping him continue to learn about something that could help him get a good job some day, in a field in which he's clearly already displayed above-average interest and aptitude, but I guess that's not what schools are meant for.

As first reported by the Ottawa Citizen, 20-year-old Mansour Moufid is instead facing criminal charges for exploiting the network of Carleton University, where he was attending classes at the school's Ottawa campus, and for sending a detailed report to school officials illustrating his work and warning them to bolster their defenses.

Despite merely informing the school of exactly how he was able to get his hands on the e-mail passwords of some 32 students at the school, and willingly answering investigators' questions about the hack, they're throwing the book at him.

Makes sense, you know, if you're a bureaucrat whose expensive IT security system just got owned by a kid.

I guess the Carleton officials would have preferred that, instead of one of their own students proving his industriousness and intelligence by trying to help them close a gaping security hole, someone unknown had scooped up the social security numbers of their students, faculty or alumni and sold the information to the highest bidders.

The guy is smart and he did them a favor, but of course they're embarrassed since they just got exploited by a kid and now they're making an example of him.

Well, anyone who follows security knows who the real culprits are in this scenario, and they all work for Carleton University.

"Our first concern is for our students and we will continue to review and, if necessary, upgrade our e-mail system in light of this incident," school officials said in a statement. "The university is confident that its student e-mail and Campus Card system remain viable and at no time was credit card information accessible. A third-party audit of the university's computer network concluded earlier in the year that the system had multiple security features and was deemed very secure."

Yeah, well, sounds like a heck of an audit, and how confident were you before this guy showed you how vulnerable you really were?

Kudos to Moufid, it sounds like he's got a much brighter future than some of his so-called teachers. Too bad they're too obtuse to realize it, eh?

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

Comments (2)

Williams:

Thank you Matt for your comment, we have a contribution from someone who is working in the field of security.

williams:

Hacker quits school to avoid punishment
Student says he was just pointing out security flaws, but Carleton wants him to admit to offences
Brendan Kennedy, Ottawa Citizen
Published: Thursday, September 25, 2008

OTTAWA -- The Carleton University student who hacked into the electronic accounts of 32 students to expose the system's security flaws has decided to leave the school rather than accept its punishment, which was delivered in a private hearing Thursday.

Mansour Moufid, a 20-year-old second-year math student, sent a 16-page report to university administrators and students under the pseudonym "Kasper Holmberg" earlier this month, in which he showed that he had accessed the Campus Card accounts of 32 students.

Mr. Moufid could have accessed student e-mails, course registrations, library records and personal financial information, as well as any money students put on their cards. But he states in his report that he had done it to encourage the university to improve its security.

Mr. Moufid told the Citizen Thursday that he will not be returning to Carleton this year because the university is asking him to lie.

"They're asking me to say I did something I didn't do," he said.

In a two-page letter delivered to Mr. Moufid Thursday and obtained by the Citizen, the university's associate vice-president, Suzanne Blanchard, lists six sanctions imposed on Mr. Moufid for violating the school's Student Rights and Responsibilities Policy.

One of the six sanctions requires Mr. Moufid to write a letter of apology to the 32 students whose accounts he accessed, the university and the university community, and it stipulates that the letter must include "that you lied about alerting the university before distribution (of the report)."

Mr. Moufid said he mailed a copy of his technical report to Carleton's Information Privacy Officer and its information co-ordinator in mid-August, two weeks before he sent it to the affected students and campus media.

A spokesman for the university, Christopher Walters, refused to comment on Mr. Moufid's hearing, saying it was "a private university matter." No member of the university's administration was available for comment.

The other sanctions against Mr. Moufid include: paying $608 for the cost of 32 new student cards; paying $2,160 for the cost of extra security staff for the residence buildings "due to the unknown risk caused by the breach of the campus card system;" seven hours of community service per week at a food bank; completion of an ethics course; that Mr. Moufid allow the university to monitor all of his online activity through any Carleton University server for as long as he has access to those services, and that information may be shared among university officials; and that, if Mr. Moufid violates the university's student policy again, he will be expelled.

The discipline does not include any academic penalty, suspension or expulsion.

The sanctions are prefaced by a note that states Mr. Moufid's actions put students at risk and that it was not his first offence.

Mr. Moufid said he was given a verbal warning by university administration last year when, as a first-year student living in residence, he created different IP addresses for his computer in order to access certain restricted websites and online resources.

Mr. Moufid said he would have been happy to comply with all of the sanctions and return to the university, except where the letter of apology required him to admit to lying to the university.

"The way they're treating me has really bothered me," he said, but also said that he was thankful he wasn't suspended or expelled.

"I wrote the report because I wanted people to know," he said. "Carleton has to know that there's a problem. Obviously they didn't know that certain things were possible with their system, and I thought students should also know because it directly concerns them."

In his statement of defence, Mr. Moufid writes that he "never had any intention to harm my fellow students or Carleton University in any way," and that his ultimate goal was to see security improved.

"To be clear: I did not create any security problem, but simply revealed it; I did not alter or destroy any data although I could have; I did not take any advantage of any student, either financially or otherwise, although I could have; I was acting in good faith, with the interests of the student body - of which I am a part of - in mind," reads a portion of his statement.

Mr. Moufid said that the system wasn't difficult to crack and that he first noticed its vulnerability last year, but didn't write the report until the summer.

The campus cards are used like debit cards throughout campus, and Mr. Moufid said he was able to easily crack the system by using a computer program that captured information when the cards were swiped.

He said he captured the information simply by running the program on the computers attached to the card-swipe machines.

The cards do not require students to enter a personal identification number (PIN).

Mr. Moufid admitted that he probably could have done things differently to prove his point in a way that would have been more favourable to the university, but he added that he doesn't think they would have taken it seriously.

"To make them do something, you have to at least let them believe that it could be made public."

He said he followed the information security industry's standard practices of "responsible disclosure" or "full disclosure" by informing the university and the affected students of the security flaws and that he did not intend any maliciousness, adding that he is interested in pursuing a career in information security.

In addition to the university's discipline, Mr. Moufid was also charged under the Criminal Code with mischief to data and unauthorized use of a computer.

Both charges carry a maximum prison sentence of 10 years. He is scheduled to appear in court on Oct. 15.

Mr. Moufid said he was surprised by the severity of the charges.

"Ten years in prison? That's like the Mafia or something."

Mr. Moufid said he had decided to go back to his summer job in Mississauga, where he worked in a warehouse, and was planning to resume his studies at another university next September.

Ziff Davis Enterprise