Whitehat hacker breaches UMD servers to jump-start security remediation

David Helkowski, a software architect/engineer working for software consultancy Canton Group, has made a serious mistake that has already cost him his job and might end up costing him even more.

Canton Group was hired by the University of Maryland School of Public Health to perform a website migration in the wake of the much-publicized breach that resulted in the compromise of personal information of some 310,000 staff and students.

According to the affidavit of the FBI agent heading the investigation, Helkowski identified a vulnerability within the UMD network used by the attackers, and he apparently reported it. But after the University didn’t move to patch the hole promptly enough for his taste, he misused it to breach the network in the same way that the previous attackers did, and took private information stored on the servers.

He then anonymously sent a letter to the University’s Task Force on Cybersecurity, warning them once again about the security holes that have to be fixed, and pointing them to a pastebin post in which he listed some of the stolen information. He offered to cooperate with them to help them fill the holes and asked in return not to be charged with any crimes.

But, unfortunately for him, he also shared his plans with two of his colleagues at Canton Group in Steam chats, and that’s what pointed the FBI in the right direction.

Two days ago, Helkowski started a Reddit thread in which he explained the circumstances of the raid that was recently performed on his house.

He claims to have cooperated with the authorities. “During the RAID I provided my 20+ character system encryption password, my Keepass password, the location of my keyfiles, and a full description of everything. I basically ‘confessed’ everything to the FBI already. My stance is that I did nothing ‘morally wrong.’ My attempt the entire time has been to help the university improve their security,” he shared.

The University of Maryland publicly commented on the hack on March 20, saying that the FBI had informed them of the hack and that the “intrusion resulted in no public release of any information and no damage to the institution, except for the release of personal data of one senior University official, who has been notified.”

They made sure to note that the two hacks were unrelated.

In the wake of the revelation of his transgression, Helkowski has been let go by Canton Group. He hasn’t yet been formally charged, but that could easily change in the coming weeks.