A 20-year-old student at Carleton University in Ottawa, Ontario, faces criminal charges after he allegedly breached the security of the school's network and then sent a 16-page report detailing the security issues and potential solutions to network administrators and other students.
The student, identified as Ottawa resident Mansour Moufid in an article in the Ottawa Citizen, has been charged with mischief to data and unauthorized use of a computer, according to the news site. The charges stem from a breach of the school's computer systems over the summer. University officials received a report on August 29 that explained the breach and the security vulnerabilities exploited by the hacker, Carleton University officials said in a statement.
"Carletons Department of University Safety brought the individual in for questioning today and he is fully cooperating with officials," state the release, which was posted last Friday. "He has also handed over all his materials. Police are still involved in the case and there may be an internal disciplinary procedure."
The hacking charges are the latest incident to underscore that security researchers who poke around other people's systems to test their security -- frequently referred to as gray-hat hackers -- should be ready to face the legal consequences. In 2005, a prospective student at the University of Southern California (USC) used simple database injection techniques to retrieve the names and Social Security numbers of seven prospective students to demonstrate the flaw to the university and contacted SecurityFocus, which acted to relay information to the university. The student, Eric McCarty, was later prosecuted and plead guilty. He received six months of home detention and a felony on his record.
In the latest case, Moufid reportedly had gotten the passwords for the accounts of 32 users. The university has maintained that the breach was extremely limited.
"Carleton is confident that its student email system remains viable and secure," the school said in its statement. "We want to reassure students that their personal information is not in jeopardy."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos