Extra credit

Helkowski knew that the backdoor script he reported to the University was closed, but he suspected there might be more exploits in place on other websites within the UMD system that could grant him the same access to university databases.

“I searched for other PHP scripts with the word ‘upload’ in their name by Googling it,” he said. “And then I went and looked at those files, and looked at the code, and they were vulnerable as well. And that’s when I found another shell script. So not only have I found another place that was vulnerable, but it’s already been attacked.”


Using one of these backdoors, Helkowski didn’t have to do any real hacking to gain access to nearly everything on the server. With the door wide open for him, Helkowski started to see what he could do within the system.

The answer turned out to be just about anything. Operating with nothing more than the Web server’s own privileges, he compiled and installed the GNU C Compiler (gcc) on the server and installed the Nmap security scanner alongside it. Helkowski even established a remote X Window session to the server from his home computer and ran Oracle command-line utilities against databases, using passwords stored in the script files, including the credentials for that database called “LDAP.”

“I had access for quite a while. I could have escalated my access,” Helkowski said. “I did not do that but was considering that.”

But Helkowski decided that he reached “the turning point—where I would go from white hat to black hat,” he said. “I decided I needed to tell them immediately, and I gave them a full list of what I did in detail. That way the university would have full evidence of what I did and be able to distinguish me from a malicious person. I didn't want to interfere with the investigation.”

The way Helkowski chose to communicate that information, however, did not exactly cast him in the best light. He devised a plan that he thought would both get the university’s attention about the severity of its security problems and keep him out of hot water. As it turned out, he succeeded on the first count and failed miserably on the second.

Using the LDAP database, Helkowski obtained the e-mail addresses of all of the members of President Loh’s newly formed security task force. He also obtained President Loh’s Social Security number and phone number. On the night of March 14, to demonstrate the seriousness of the situation, he posted the information to Pastebin and linked it on reddit. He then sent a lengthy e-mail to all of the members of the security task force from an anonymous e-mail service, claiming to be a hacker who obtained a copy of the security report that Helkowski leaked to the University.

His e-mail, which was included with the eventual FBI search warrant affidavit, read in full:

Security Taskforce, There are current open holes that haven’t been fixed. Out of politeness I’ll give you a chance to respond directly about this to me, and I’ll consider pulling it off the public Internet. Please read [URL of reddit link]. Your internal IDs are listed below to get your attention. This isn’t spam. If you want to cooperate I would be willing to provide details (cooperate as in just let me impart useful information on things that need to be fixed immediately—at no cost or demands of any sort btw), but I would want some assurance (in legal writing) that I will not be charged with any crimes. If not, consider this your fair warning and last contact from me. -ThePPM

Helkowski didn’t think that this came off as threatening. “Based on their response, it seemed they wanted to cooperate, though they may have thought I was malicious,” he said. “I said, I need assurances you will not press charges against me, and they said absolutely.”

In the meantime, Helkowski shared what he was doing with a number of his co-workers, and some of those chats took place through the computer gaming service Steam. On March 15, the FBI was already questioning employees of The Canton Group, including one co-worker who provided a log of his Steam chat conversation with Helkowski.

By the next afternoon, the FBI had a warrant. At 7pm on March 16, the FBI and Secret Service literally knocked Helkowski’s door in.

“Is there a party at my house?”

“So what they did was they opened my gate to my backyard,” Helkowski said, describing the raid. “They went to my side door and bashed the door in.”

Frightened by the raid, Helkowski’s dog ducked out a doggy door into the backyard and escaped through the still-open gate. “And they were basically, ‘Oh well, the dog ran off,’” he said.

Helkowski and his wife weren’t at home when the raid started. They were at dinner with acquaintances following a musical performance at a nearby university. As the couple arrived at their Parkville home around 8pm, they noticed that things were not as expected.

“I saw the lights of my house all lit up,” Helkowski said. “I saw people walking around the front yard, cars and SUVs in front of my house [and] in my driveway, and I was like, ‘What, is there a party in my house?’ So I slowed down and pulled over a little bit—and they immediately yelled, ‘Pull the car over, stop the car, put the window down, and put both your hands out the window.’ And I saw they had a gun on me.”

Helkowski told the agents he would cooperate, and he asked if someone would call his father to help retrieve his dog. An agent did call his father, posing as one of Helkowski’s friends and saying that he had seen the dog loose. When Helkowski’s father arrived and opened his car door, the dog jumped in—and agents then brought his father inside while the search continued.

Helkowski admitted to the agents that he dumped information from the University of Maryland servers to his computers. And there was no shortage of computer gear for the agents to search. “In my house, the main server I was using was a dual Opteron system with 64 gigabytes of memory,” Helkowski recounted. “They took that and all the USB drives and SD chips on that desk and anywhere near it—which was like 15. They took my PSP.”

They also took the hard drive out of his wife’s computer—a system he built from a former server—and her USB drive. He later called the FBI and told them that there was nothing on his wife’s USB drive that had anything to do with him, and “they’ve since returned it to me,” he said.

FBI agents skipped over other items, such as an old server that sat partially disassembled. “I had taken the memory out just because I was going to do something else with it,” Helkowski said. Agents also passed on collecting “about 400 LTO-3 backup tapes, about 15 terabytes' worth.”

After the FBI left, Helkowski realized that he still had a copy of some of the dumped data. “I relayed that information to the FBI because I’m cooperating with them,” he said. “They said, ‘We need to take that too.’ And I said, ‘Well, I have that on an encrypted drive which I’m not going to give you the password to because I have other stuff on it.’ So they came to the house and watched while I used a secure delete utility and they verified it was gone.”

The next day, Helkowski went into work and told his employer about the raid. He was let go shortly afterward; Helkowski said he was given no reason for the dismissal.

We contacted The Canton Group and the University of Maryland to get their side of the story, but neither organization would discuss the case. Jason DeLoach, an attorney for The Canton Group, told us only that “The Canton Group continues to cooperate with law enforcement to aid in their investigation of David Helkowski. David is no longer an employee of The Canton Group. We are fully cooperating with The University of Maryland and conducting our own internal investigation into this matter. We will have no further comment due to the ongoing investigations.”

End of line

Though he has not been charged with a crime, Helkowski has since contacted the office of the Federal Public Defender in Baltimore for representation. Even if no charges materialize, Helkowski knows that he may now be unemployable in his chosen profession.


“I suspect that when potential employers learn of this, I may not be able to get a job,” he said. “I will probably remain unemployed, which will probably drive me into bankruptcy.”

But that doesn’t mean Helkowski has any particular regrets about what he did. He feels that he would have been laid off anyway—even if he hadn’t escalated his security concerns to the level that involved federal law enforcement.

“I definitely did not mean to cause any damage to the University or to The Canton Group,” he said, reflecting on the experience. “I really hate The Canton Group—I think they're a bunch of idiots.”

If the vulnerabilities Helkowski says he found were the ones attackers used to reach the personal information of students and staff, that would fit a familiar pattern. It would not be the first time a public-facing website of relatively little value to attackers on its own served as the gateway for a far more damaging intrusion. As for The Canton Group, its obligations regarding the overall security of the site are unclear, given that the firm was hired to migrate the University off the very site that was vulnerable.

IT contractors face this sort of dilemma all the time. They are routinely handed pre-existing systems that are poorly configured and potentially riddled with vulnerabilities, even as they are asked to integrate their work with other systems over which they have little control.

In the weeks since Helkowski originally posted what he did to reddit, we’ve spoken with a number of people who’ve worked in IT on both sides of the contractor/client relationship, including people who have worked at other universities. What Helkowski described resonated with all of them: contractors who complained that clients didn’t care about reported vulnerabilities and internal IT people who bemoaned legacy systems bolted together on the cheap with no one left to maintain them.

But none of these people took matters into their own hands the way Helkowski did. Regardless of whether it was well-intentioned or otherwise, Helkowski's attempt to create a teachable moment in the middle of an investigation—one involving the University of Maryland’s own IT department, federal officials, security experts from MITRE, and other outside organizations—ended up creating more confusion and cost. It’s a move that even Helkowski admits may keep him from ever holding a job in IT again.