Context

On October 26 2012, Dawson College's IT Service got in touch with us to report that two Computer Science students had managed to uncover a vulnerability in one of our products used for the college's web portal. The college immediately explained this vulnerability to us so that it could be addressed as quickly as possible.
How would you qualify the identified vulnerability?

It was a critical vulnerability. Had it been made public before being fixed, an ill-intentioned person could have exploited it to access a student's online account without his permission, simply by using his student ID number.
Within 24 hours, the vulnerability was permanently corrected for all of our systems affected by it, without anyone having the opportunity to exploit it.
We are forever grateful to the two students who discovered and immediately reported this vulnerability. We think they are very bright.
Afterwards, we went on to congratulate and reward one of these students – the one who was not involved in the events that followed.
What were the events that followed?

On October 28 2012, between 6pm and 8pm, our security systems picked up on what appeared to be a cyber-attack: thousands of requests being made to the Dawson College portal – SQL injection, XSS (Cross-Site Scripting) and other methods usually used when attempts are made to hack into a system.
Were these actions carried out in a Test or Production environment?

The actions that caught our attention were carried out in the Production environment (live portal) used by the college's entire population.
Was it a way to test for the vulnerability spotted earlier?

To demonstrate that the vulnerability was gone, neither penetration tests of that sort nor specialised software were required.
Did your systems resist well?

Yes. We test our systems regularly to make sure they stand up to such attacks. The only noticeable impact was slower portal access for users on the evening of the incident. We have since continued to reduce the impact of such attacks on portal response times for normal users.
How did you react?

We detected the attack, immediately alerted our client (Dawson College), and asked for permission to communicate directly with the source, as the attack came from one of their students.
The situation was serious enough for our CEO to get in touch with the student, a student we did not know at the time.
We contacted the student and requested that he stop all attacks on the live Portal, which he immediately did. The tone of the conversation was always calm and courteous. Contrary to what was reported in some media, no threats were made. In a state of shock, the student may have misunderstood some of what was said, which only aimed to help him realize the gravity of the situation. We explained that this type of unannounced attack on production servers on which the entire population of the college relies was not appropriate, and was likely to be reported to the authorities, unless the student clearly demonstrated over the next few days that it was a faux pas on his part and that he did not have malicious intent.
The student told us he was one of the students who had alerted their college to the vulnerability detected two days earlier, and said he was not ill-intentioned, so we gave him the benefit of the doubt until we met.
How did your meetings with the student go?

The meetings went well. The student acknowledged what he had done and promised in writing not to do it again, and we found his explanations valid.
What greatly favoured him was his good deed two days before the attack, namely discovering and reporting a vulnerability which was immediately corrected.
Even though the attack was not a test of the vulnerability fix, we maintain that we will always be grateful for the discovery of this vulnerability.
That is why we closed the case in early November, without taking further action, considering the attack a bump in the road.
What do you think of the college's decision with regard to the student?

The student experienced a different process with his college, a process that is completely external to us.
Why do you wish to help the student find a new school?

Let us be clear: we do not approve of this student's latest actions, but we nonetheless believe that this event should not forever prevent him from doing what he loves. Anyone who knows Skytech Communications knows that we encourage young talents in Computer Science.
We believe that this young man has learned from this experience, and deserves a fresh start to complete his studies elsewhere. Properly channeled, such talent will contribute to advancing the cybersecurity field.
Are you offering him a job?

Our priority is for him to finish his studies, and yes, we are offering him a job in cybersecurity where he can put his talents to good use, outside his study hours, in a closed-circuit research and development environment, all this without any controversy.
What was his reaction?

We were pleased to learn, through an interview with CBC television, that he accepted our scholarship offer to pursue his studies in another college.