Q & A - Student expelled from Dawson College - January 24, 2013

Context

On October 26, 2012, Dawson College's IT Service got in touch with us to report that two Computer Science students had managed to uncover a vulnerability in one of our products used for the college's web portal. The college immediately explained this vulnerability to us so that it could be addressed as quickly as possible.

How would you qualify the identified vulnerability?

It was a critical vulnerability. Had it been made public before being fixed, an ill-intentioned person could have exploited it to access a student's online account without his permission, simply by using his student ID number.

Within 24 hours, the vulnerability was permanently corrected for all of our systems affected by it, without anyone having the opportunity to exploit it.

We are forever grateful to the two students who discovered and immediately reported this vulnerability. We think they are very bright.

After the fact, we went on to congratulate and reward one of these students, the one who was not involved in the events that followed.

What were the events that followed?

On October 28, 2012, between 6pm and 8pm, our security systems picked up on what appeared to be a cyber-attack: thousands of requests being made to the Dawson College portal, using SQL injection, XSS (Cross-Site Scripting) and other methods typically used in attempts to break into a system.

Were these actions carried out in a Test or Production environment?

The actions that caught our attention were carried out in the Production environment (the live portal) used by the college's entire population.

Was it a way to test for the vulnerability spotted earlier?

Neither penetration tests of that sort nor specialised software were required to demonstrate that the vulnerability was gone.

Did your systems resist well?

Yes. We test our systems regularly to make sure they stand up to such attacks. The only noticeable impact was slower portal access for users on the evening of the incident. We have since continued to reduce the impact of such attacks on portal response times for normal users.

How did you react?

We detected the attack, immediately alerted our client (Dawson College), and asked permission to communicate directly with the source, as the attack came from one of their students.

The situation was serious enough for our CEO to get in touch with the student, whom we did not know at the time.

We contacted the student and requested that he stop all attacks on the live portal, which he immediately did. The tone of the conversation was always calm and courteous. Contrary to what was reported in some media, no threats were made. In a state of shock, the student may have misunderstood some of what was said, which aimed only to help him realize the gravity of the situation. We explained that this type of unannounced attack on production servers on which the entire population of the college relies was not appropriate, and was likely to be reported to the authorities, unless the student clearly demonstrated over the next few days that it was a faux pas on his part and that he had no malicious intent.

The student told us he was one of the students who had alerted the college to the vulnerability detected two days earlier, and said he was not ill-intentioned, so we gave him the benefit of the doubt until we met.

How did your meetings with the student go?

The meetings went well. The student acknowledged what he had done and promised in writing not to do it again, and we found his explanations valid.

What greatly favoured him was his good deed two days before the attack, namely discovering and reporting a vulnerability which was immediately corrected.

Even though the attack was not used to test the vulnerability fix, we maintain that we will always be grateful for the discovery of this vulnerability.

That's why we closed the case in early November, without taking further action, considering the attack as a bump in the road.

What do you think of the college's decision with regard to the student?

The student experienced a different process with his college, a process that is completely external to us.

Why do you wish to help the student find a new school?

Let us be clear: we do not approve of this student's last actions, but we nonetheless believe that this event should not forever prevent him from doing what he loves. Anyone who knows Skytech Communications knows that we encourage young talent in Computer Science.

We believe that this young man has learned from this experience, and deserves a fresh start to complete his studies elsewhere. Properly channeled, such talent will contribute to advancing the cybersecurity field.

Are you offering him a job?

Our priority is for him to finish his studies, and yes, we are offering him a job in cybersecurity where he can put his talents to good use, outside his study hours, in a closed-circuit research and development environment, without any controversy.

What was his reaction?

We were pleased to learn, through an interview with CBC television, that he accepted our scholarship offer to pursue his studies in another college.


Official Statement - January 21, 2013

The purpose of this statement is to clarify Skytech's position in light of the news story presently circulating in the media.

At the end of October 2012, two students from Dawson College discovered a vulnerability in the college portal.

Had it become public knowledge, this vulnerability could have allowed an attacker to gain access to a student’s online account. Within 24 hours, the vulnerability was permanently corrected for all of our systems affected by it, without anyone having the opportunity to exploit it.

Because security is such a priority for us, one of the two students who detected the vulnerability was congratulated and rewarded.

The situation with the other student (the one in the media) was more complicated. After having done a good deed by collaborating with his classmate to discover the vulnerability, he acted alone and was traced while committing what we consider to be a cyber-attack using specialized software on the college's production servers. We notified the college at once and, with their permission, we contacted the student and requested that he stop all attacks on the live portal.

We then determined that the best strategy before taking any action would be to meet with the student to better understand his motives.

During this meeting, the student apologized, explained his action and demonstrated great talent in computer science. Even though we do not approve of his action, we deemed his explanation to be valid and filed the attack away as a bump in the road. The case was therefore closed for us in early November.

The student experienced a different process with his college, a process that is external to us but that we respect.

- -

We feel that this situation should not prevent such a talented student from doing what he loves most.

Just as we are already collaborating with the other student who helped discover the flaw, we will also offer this student the opportunity to work for us on IT security mandates, so that he can work in the subject area he loves.

- -

Security is always at the forefront of our concerns, which is why we continuously strive to ensure that those using our technologies benefit from constant monitoring and reinforcement of our systems.