UMD Data Breach
A bit over 5 years ago I was involved in the events following a serious data breach at the University of Maryland. I was pulled into the FBI / Secret Service investigation due to my involvement. It may not be clear, but I did not start the data breach. Criminal elements of unknown source stole data from the university, and I was investigated as a suspect of the data breach. Since I am not a criminal, and did not "steal" any data from the university, I was cleared of wrongdoing and all of the equipment taken from me for investigation was returned to me ( after 3 years... ).

There is a lot of information online about this event. No small amount of it is due to me publicly discussing the events, both online myself on Reddit and by speaking publicly to the media ( before the public defender ordered me to stop speaking freely about it... ) I don't personally feel that the information about it all is clear or accurate. Of particular offense are the news articles that dominate Google searches for my name. A clear explanation of what occurred and the fallout has been long overdue. I am choosing to speak out about the events now for three reasons: One, to clear my name from the "I'm an evil black hat hacker" stigma. Two, because over 5 years have passed since it all went down ( both state and federal time periods in which they could choose to prosecute me for some nonsensical invented reason have now passed ) Three, because I think the public, particularly anyone who ever worked for or went to the university, deserve to know the truth about the whole scenario ( or at least what I perceive to be the truth given my limited knowledge of the full scenario )
Following is a chronological list of the events that occurred as related from my current memory of the events:
- I worked at the Canton Group consulting company in Baltimore as a consultant.
- I was tasked to migrate data from UMD systems due to a project to move websites of theirs
from Coldfusion/PHP based sites to a Drupal based solution.
- During migration, I noted that 30+ databases were accessible to all running Coldfusion
pages run at UMD. The databases included an 'LDAP' database.
- I dumped the usernames and passwords for the Coldfusion databases into a secure encrypted
place, just in case I needed any of them to do my data migration.
- During migration, I discovered that there were backdoors ( installed by some criminals likely ).
I found the backdoors because my computer triggered a virus alert when I mirrored the contents of
UMD sites to my computer.
- I reported the backdoors to my supervisor at the Canton Group and to the other folks on my
team working on the Drupal solution for UMD. I was told by them all they would tell the university.
- Months passed ( 4+ months )
- I saw in the news that a data breach had occurred at the university. I mentioned this to my
coworkers, wondering if it was related to the backdoors I found installed previously.
- Coworkers said "nope no way it is related".
- I asked coworkers "were the backdoors I reported ever dealt with"?
- Coworkers said "yes they were"
- I asked "who told them, and what exactly was told to them about the backdoors?"
- They responded "well, we told them we found some security problems, but they never asked for
details, so we never shared any."
- I responded "so you mean to tell me that the backdoors are still there right now"
- They said "no way."
- I opened the site and showed coworkers the backdoors were still there ( this is post public
news that a data breach occurred and FBI and Secret Service are investigating ) Way to go FBI for
NOT noticing any installed backdoors, nor monitoring traffic and noticing me even hitting the
backdoor URL.
- Coworkers, surprised, said "well that backdoor surely does not have access to the information
stated in the news as having been stolen"
- I told them that the backdoors have access to install files on the web server, and so can
setup a Coldfusion script. I told them Coldfusion has access to 30+ databases, including an LDAP
database, that could possibly contain the data described as having been stolen.
- Coworkers did not believe me.
- I opened the LDAP database ( using my legitimate credentials, not through the backdoor, despite
backdoor also having access to it )
- I showed the schema of the database to coworkers. It had the following for each person in the
DB: ( among other attributes I cannot recall at this moment )
- Full Name
- Home phone number
- Major
- GPA
- Position ( employee versus student )
- Social Security Number
- Home address
- Student Identification Number ( if any )
- Employee Identification Number ( if any )
- The coworkers said "surely the access available is restricted to read only of only some of
the fields and none of the `PII`"
- I responded "nope. I am pretty sure the Coldfusion user to the LDAP database has full access
to everything."
- One of my coworkers was attending the university, taking a class also from the head of incident
response at the university. I asked him "is it okay with you if I open your record in the database
to demonstrate that the user does have access." He said to go ahead. I opened his record and
showed it to him. It did in fact show all of his PII. He was very surprised.
- I went to my supervisor at the time at that point and told him of all of this. My supervisor
said to write up a report detailing everything that happened.
- I wrote up an accurate report containing all of the above. I showed it to my supervisor and
said we need to share it with the university.
- Supervisor responded "no we cannot show this to the university, if we do we could get in
trouble. It essentially admits that we knew of open security holes at the university and we did
not tell the university about them."
- I responded: "No. It admits that neither you nor the rest of the team informed the university.
I correctly reported it to you and to the team and none of you properly handled it. You told me
at the time that you handled it and you did not."
- I was directly ordered to revise the report removing the statements of when I found the
backdoors, to alter it to just leave out when I discovered them and say that we discovered some
backdoors. That is extremely deceptive and I consider it to be horribly wrong. I understand the
point of my supervisor not wanting to admit any fault, but it is still a shitty move on behalf
of the Canton Group. This is my first time publicly admitting this is what happened, because I
don't like throwing anyone under the bus, but it is what happened and was very shitty.
- In order to "please" my supervisor, I revised the report as directed and gave it back to
him. In order to not wrongly deceive the university I also leaked the full unchanged report to
the head of incident response at the university by giving it to my coworker taking his class
( Danny ), and asked Danny to give it to his professor. He agreed and did so.
- I asked my supervisor to be involved in the discussion with the university. He refused,
trying clearly in my opinion to prevent them from knowing the full truth. It didn't matter,
because they did receive the full truth, and so requested to have a meeting with me present to
demonstrate the backdoors found.
- During the demonstration meeting I was asked to utilize the backdoor and show that it had
full access to the data breach data. I did the following during the demonstration:
- I showed them the two backdoors I had found ( basic PHP backdoors able to run scripts )
- I showed them a <10 line coldfusion script I created/copied from online that is able
to dump the usernames and passwords of every database coldfusion has access to.
- I uploaded the coldfusion script to the website using the backdoor
- I demonstrated the script running, pointing out the plaintext passwords and the
list of databases.
- I noted specifically LDAP database was in the list
- I noted that since Coldfusion could access the database, I could get any data that
user had access to through Coldfusion, and hence through the script. For simplicity I
explained it would be easier to show what that user had access to by using my legit
access.
- I used my legit access to the systems to open a VPN connection into university
network, and then used the LDAP credentials from Coldfusion to open a GUI access to the
database.
- I opened the schema of the database there, and pointed out the available fields.
- I opened up the 'passwords' table, and pointed out the users and passwords that
had access to the LDAP database as root. The passwords were in plaintext there. I pointed
out this was obvious because the password for the local police access to LDAP was
"#FastRand#". I explained this was clearly an attempt to programmatically set a random
password there, but instead that text became the password.
- I was asked to bring up a few user records to show I had access to the PII. I did so. There was silence for 10 seconds at this point in shock that the information was so clearly exposed with few actual necessary steps to get to it.
- I was thanked for my time and assistance. I did not receive any bonus compensation, no letter
of recognition. I was just told, essentially, "hey thanks for the free work analyzing our security."
- I waited two weeks to see if the university would remove the backdoors I reported. They did.
- I speculated whether they scanned for any additional backdoors, since university, FBI, and
secret service all seemed incompetent. I reasoned that they did not.
- I used my legit university access to scan their server(s) for backdoors.
- I found two additional backdoors not yet noticed by myself, and seemingly not by uni, FBI,
or secret service.
- I wondered to myself if they changed any of the exposed database credentials from Coldfusion.
- I dumped the passwords again through Coldfusion to check. No usernames or passwords had been
changed since my initial dump at the very start of it all. That means that the university did not
change any passwords for their exposed databases, even after the public data breach. This is
horrible and shameful. Really all of the security personnel at UMD should be fired immediately,
including particularly the head of incident response. Not only were the passwords unchanged,
additional databases were now exposed compared to when I did the initial dump. Also horribly,
Coldfusion was still running without having locked it down in any way to prevent the trivial
dumping process ( such as by upgrading Coldfusion to a non-vulnerable version which they could
have easily done )
- I attempted to get in contact with the head of incident response of UMD. He would not take my
calls.
- I had Danny reach out to him in person. He did so and reported back. The result was the head
of incident response stated that he will not talk to me. Reason 100 why the guy should be fired.
If someone is trying to report a security hole, and your job is head of incident response, you
should listen. Public and students of university: You perhaps should have sued this guy
( the head of incident response ) to oblivion for being directly at fault in not taking
appropriate actions.
- I called the local police connected to the university. I was forwarded to the chief of police
office at the uni. I got through to his secretary. The secretary said this was very important and
he would call me back. He did not ( for 1+ day )
- I found the person who wrote all the security policies for UMD ( and also for other Maryland
universities ). I called his office. I got through to another secretary. That person also said it
was important and he would call me back. He did not ( for 1+ day )
- I randomly chose the seeming top 3 newspaper outlets in Maryland, and sent emails to them
detailing the situation. I received no response ( for 1+ day )
- I speculated to myself what to do next, as no one would listen to me. I discussed with
coworkers at work what to do. I settled on the idea that I would hack into the university myself
( without using any of the holes I had discovered, since FBI / Secret Service could potentially
be watching those for usage by criminals ). I would pretend to be a rogue hacker, and detail my
exploit online publicly, in order to force the university to fix their shitty security.
- Coworkers did not like this idea and advised me not to do so, to just forget about it all
and move on with my life. I said I would not, that the problems were very serious, and the data
was still potentially actively continuing to leak to criminals. They still said not to do it.
- I explained to them, that, in loose theory, I wasn't "stealing" anything by doing this, since
I had legit access to the systems I would be "hacking into". At no point in my "hacking process"
would I be gaining confidential access to the systems that I did not already have. Eg: I could
simply connect with my credentials and download any files I wanted from university servers
legitimately because it was required for my job. The only weirdness would be that it would
"seem" that I was acting as a bad actor, because they wouldn't know the "hacker" was a legitimate
employee with existing access. They explained, as is probably obvious to everyone, that none of
this would matter and I'd still get in trouble.
- I explained to coworkers that there would be no problem, so long as they don't tell anyone
I am doing so. I explained also that I would cooperate fully with the university ( in the role
of anonymous hacker ) once they cooperated and began listening to me.
- Coworkers still thought I was stupid for going so far to try to protect the data, but did
nothing to stop me. In retrospect, perhaps they should have "ratted me out" at this moment, but
they did not. ( ultimately they did later though )
- I purchased a non-logging VPN service through a foreign country ( Switzerland I think? I can't
recall exactly ) I didn't use bitcoins or any such nonsense. I used Paypal to pay for it and my
own email address.
- I Googled for "image upload UMD" and/or various combinations of domain names of the university.
I found 10 or so open image upload pages.
- I checked each one for vulnerability. At least two let me upload PHP scripts that I could then
run after upload.
- I uploaded a PHP backdoor. ( using VPN )
- I used the PHP backdoor to establish a connected session between my VPN access and uni.
( by mapping a port back through the VPN )
- I mirrored out the full contents of all 30 databases Coldfusion had access to, including
the LDAP database. This is significantly more information than was ever reported to the public
as having been leaked from the university. I'm not even sure the university was ever informed
that this happened by the FBI.
- I continued and spent nearly a week mirroring as many files as I could rapidly download from
the university as I could through the hole. Notably, as said, I could download all the data with
my legit access. I was purely dumping it through the hole to clearly demonstrate and prove the
following:
- The university security personnel are totally incompetent
- The FBI and Secret Service not only didn't fix any holes, they also didn't notice me connected to the University for a solid week from a foreign country dumping out data. Personally, I think heads should roll at the FBI over this.
- At this point, I had, in my estimation ( I don't have the data and have not had it for 5+
years at this point. I deleted the data when I no longer had official access to it as per my
employee agreements ) about 100x the amount of data as was ever stated as being leaked from the
university.
- I cut my connection, and saved all of my detailed notes as to exactly what data I mirrored
and how. ( so that the FBI could differentiate from my dumps versus any activity by criminals )
- I speculated what to do next. I shared with a select few people I trust that I had mirrored
university data and wasn't sure what to do next. Some of them said "you should sell the data."
Other said "don't do anything with it. just stop." The plan all along was to go public with how
I did the hack, but I didn't want to share any private information publicly.
- I settled on going public with only a tiny amount of the information, that seemed "morally fair"
and would force the university to pay attention.
- In order to "establish" my "I'm a badass online hacker" fake persona, I wrote up a nonsense
manifesto saying how awesome I was. The thing is online now because it was made public by FBI
and the news picked it up and posted it online, and refuse to take it off the internet despite me
asking them to repeatedly. It's total nonsense, but I did it to attempt to separate the "anonymous
hacker" character from myself, as posting manifestos is not something I would ever do as a serious
IT professional.
- I wrote a Reddit post detailing what I had done ( in character as anonymous hacker ). I put
the following information into the post:
- Names, position titles, and employee IDs of all ?20? of the university employees
supposedly working to "fix" the university security.
- The home phone number, home address, name, and social security number of the President of the university.
This move was foolhardy on my part. I personally still don't feel "morally bad" about it, as all of the SSNs from everyone who ever worked at or attended the university were leaked, and I very strongly feel the president of the university knew about the security holes and directed many people to do nothing about them. Despite his guilt though, I do agree I should not have posted his SSN. To my current knowledge, he never suffered any harm as a result of this.
- Within hours, the university reached out to my "anonymous hacker" email agreeing to cooperate
in exchange for me detailing everything about the hack.
- In role of anonymous hacker, I asked them to agree that they would not press any charges against
me for hacking them in exchange for me cooperating. They agreed.
- Also I asked the president of the university to agree to not sue me for posting his SSN online.
He agreed and said there is no issue with it. There should be record of this agreement on UMD
email servers somewhere... When later FBI threatened me, they said they could put me in jail for
sharing his SSN online. Only... He said it was okay. I received clear communication that he wasn't
concerned about it. I personally think that is him clearly agreeing that it doesn't matter, so I
feel government/FBI is in the wrong for what they said I did illegally. Despite the oddity of the
whole sequence of events, I don't see even now what I did that actually breaks any laws... The
fact that I was never prosecuted for anything, either as a misdemeanor, or as a felony, despite being
investigated and questioned at length by FBI, speaks for itself. If there is something I did that
is actually illegal, I'm not clear on exactly why they didn't prosecute me.
- I cooperated with the university immediately. I pulled down the reddit post. I helped the
university submit requests to google cache to remove the SSN from their cache. It was gone within
hours. I began providing details on how I hacked the university exactly. ( none identifying myself
as myself, only all the actions I did through VPN in role as "anonymous hacker" )
- I fully expected the FBI to come bust down my door and take my computers at this point.
They weirdly did not do so immediately.
- A week passed
- I was out with my wife at a nice restaurant, and drove home.
- On driving up to my house, I noted that the lights in my house were all brightly lit, there
were many cars parked out front and in my driveway, and there were people walking back and forth
in my front yard.
- Despite speculating correctly that FBI would come "raid me", my first thought was "who is
holding a party at my house?"
- I slowed my car down and drove slower towards my house.
- FBI agent(s) came running out of my house guns drawn pointing them at my car.
- They ordered me to stop the car and hold the key to the car out the window. I did so.
- They ordered me to hold my cellphone out the window also. I did so. They took my cell phone.
- They escorted me and my wife at gunpoint into my own home.
- I asked to see their warrant for raiding my house. They showed me the first page that had no
details of why or by what reasoning.
- I asked to see the full warrant. They refused to let me see it. ( despite it being public
information! This is totally wrong that they did not show it! ) Heck, the dang thing is now
publicly online and I can't get it off the internet despite being cleared of any wrongdoing.
- They escorted me inside to sit at my own dining room table. They sat me within arms length
of the main power panel for the house. I could have jumped up and shut off power for the whole
house. I did not do so, but I idly speculated about whether they would shoot me if I tried. They
noticed me looking at the power panel at this point, and led me away from it to sit elsewhere
in my house.
- I observed that my dog was not there. I asked where my dog was. They said that my dog ran
away when they broke down the door.
- I asked them if they chased after my dog and brought him back. They said no.
- I said that is bullshit and that they let my dog run away and should let me get him back.
- They said that is not their problem.
- I said I want to call my father to come get the dog.
- They allowed it, carefully monitoring my call advising me not to tell him what was going on.
- They began interrogating me.
- I told the FBI guy all about everything previous to the point of me using a VPN and all the
"anonymous hacker" stuff. I said nothing of that, as in my mind they had zero evidence of it,
and because I didn't do anything knowably illegal nor morally wrong I didn't feel obligated to
do so.
- FBI guy continued interrogating me for like 3 hours.
- I continued to trash the university as jerks and did not cave.
- FBI guy then said that my coworkers already ratted me out and said that I had hacked the
university. They said they have proof as well.
- FBI guy produced logs from Steam chat servers of my communication with a coworker admitting
I hacked the university. Good job keeping my chats confidential and/or not logged Steam. Should
you ever want to have secure chat... don't use Steam to do it.
- At this point I debated what to do next, and ultimately decided to share all my encryption
passwords with FBI and cooperate fully. My only interest the entire time was having university
fix their shit security and stop any active criminals from continuing to pilfer university data.
As that goal was accomplished, I decided it was in my best interest to cooperate and tell the FBI everything rather than hide anything. I shared with them all of the above information including my computer encryption passwords ( 20+ character passwords only memorized, never written down, using beyond ascii character set )
- FBI led me to my computer and asked me to tell them the initial login password. I told them.
A rather geeky looking female FBI agent was already at my computer doing who knows what with it.
She typed in my password and hit enter. The password failed. The main FBI agent immediately got
angry and said that must be a failsafe password to delete everything.
- I said to calm down, that it was not, that I had merely forgotten to state that the first
character of my password was a capital letter. The agent retyped my password again but with a capital
and it succeeded. In retrospect, the idea of having a "destroy everything" password is actually
a great idea. I looked into how to do this on Windows some months later and it actually isn't that
hard to do...
- After my computer was unlocked, I guided the FBI peoples through all of my files, showing them all of my
detailed notes of my hack and all of the data that I had copied out ( also encrypted in an extra
layer, which I helped them decrypt )
- Despite cooperating, FBI did not take just my computer. They also took a number of other things:
- My wife's computer
I think they shouldn't have, but interestingly I was using her computer to generate rainbow tables due to the high end graphics card installed in it, so they were likely entertained when they stumbled across the large rainbow tables I generated there.
- My brand new PSP still in box unopened
Exactly what use is taking that?
- Lots of USB sticks
Shrug... just random junk on those.
- Things the FBI did not take, stating they did not have to since I cooperated:
- The laptop I use to watch anime on my TV
- My cellphone
Oddly they gave me my cellphone back. They asked me "any confidential PII on your phone?" I said no. They gave me my cellphone. I did not recall ever having put any of the UMD data on my phone at that moment... weeks later though I did discover I had encrypted UMD data on my phone that I forgot about. What this means is that they didn't copy the data from my phone, and thought it was "clean".
- 300+ LTO-3 tapes
The FBI dudes threatened to take every digital item I had in my house. I pointed at a cabinet and told them it was full of 300 LTO-3 tapes, and they should definitely take those first and have fun trying to get data out of them as I wrote it in many different formats and made no records of how to even get my data back off the tapes. I of course grinned maliciously to them and they gave me angry stares back. They refused to take the LTO-3 tapes, I'm sure purely out of laziness, and disbelief that I would ever choose to store UMD data on them.
- A random scattering of old hard drives I had laying around. Apparently old drives didn't look appealing or likely to contain anything useful.
- Other random details of the raid that I recall:
- Before FBI told me my coworkers told on me and that they had chatlogs, the FBI did
demand I decrypt my computers and I refused. They said I had to and I said I could not
legally do so because of my fifth amendment rights. There was some argument back and forth
about that that I won't get into detail about, but it may have led to them finally
admitting they had further evidence in order to try to force me to cooperate.
- My father previously completed a degree in law and was a member of the bar. His bar registration passed at the time, but he was there for the FBI questioning me as I stated that he would act as my attorney. In retrospect, this was a bad idea as my father obviously is not a neutral third party and is more interested in keeping me out of trouble than in serving as a neutral lawyer. I don't blame him, but I would recommend against having family stand in as your lawyer in situations such as this. I would also recommend not to talk freely to police or FBI. The best advice I can give for interacting with police is simply to refuse to speak to them entirely. I don't believe any good comes of talking to police or FBI.
- I agreed with the FBI that I would cooperate with them and talk to them when they desired. This
consisted of me meeting with several FBI agents at Panera bread and answering inane stupid questions
4 or 5 times over several months following the raid. During those chats the FBI claimed I was going to
go to jail for what I did.
- During my first Panera meeting with FBI dudes, I asked them if I could tell other people about everything
that happened. They said I could. I asked specifically if I could tell anyone I wanted. They said yes.
- I went on the internet then immediately after that and posted a detailed Reddit AMA describing everything
that happened. I spent a number of hours and answered every possible question I could. I did this intentionally
to attempt to get the truth out before FBI and/or legal counsel prevented me from doing so.
- News agencies reached out to me, and I gave multiple interviews. One of the notable ones I thought was
done very professionally was the one by Arstechnica. Two of them were with television stations.
- Due to the FBI saying I was going to jail over it, I sought legal representation. Friends I discussed
the matter with recommended I use the federal public defender as the federal public defender is high
quality compared to non-federal public defenders. I did so.
- The federal public defender pretty much said I was screwed, that I could be charged and put in jail for
3 years due to releasing the single SSN, even though it was just for a few hours.
- I met with the federal public defender a few times, and they told me to stop cooperating with the FBI.
They also directed me to stop talking to the media and/or online about everything. I agreed and ceased doing so.
- I was terminated from my position at The Canton Group over the entire event. This was not surprising to me,
but I still think was obnoxious of them. They were very much in the wrong over the whole event. I actually
went out of my way not to mention publicly their fault in the whole event until now. It is only now that I
am describing the full sequence of events and their guilt in the matter. It is very likely that the actual
criminals who stole UMD data could have been stopped from ever stealing any information had my supervisors
at the Canton Group actually taken appropriate actions when I first informed them of the backdoors I found.
- I sought re-employment elsewhere immediately.
- I quickly found a position with Bridgestone doing software work.
- Months went by. I ultimately cooperated with the FBI in other ways some months later. They agreed not
to further pursue the UMD stuff in exchange for me helping them out with other matters. ( things unrelated
to me personally... ) I don't think they actually had anything reasonable to charge me with. I did cooperate
with them anyway, but I don't believe it was necessary for me to do so. I highly doubt that the FBI lets
anyone off the hook out of the goodness of their heart. I personally think they realized that charging me
with anything was pointless and would just be a waste of time for all involved.
- The FBI returned all of the computer gear that they took from me during the raid/investigation. They
also returned my encrypted drives. I asked them to give me my encryption password when they returned them.
They refused. As a result my other data on those drives is now lost. During the year they had my drives
I obviously easily forgot my 20+ character random passwords. This causes me to think and feel very poorly
of FBI professionality.
- In the years that followed I have worked at a number of different companies doing software work. Pretty
much everywhere I go I have to explain about the UMD sequence of events, because if I don't it is held against
me as trying to "hide something". I have been refused employment by many employers as a result of this. I
can't say that I really want to work for an employer who thinks I was doing wrong in this sequence of events.
That said, should I be placed in a similar situation again and I see a security vulnerability, I will do the
following:
- Report to my direct supervisor that I found a security vulnerability, and detail it.
- Forget about it and leave it there eternally. Not my problem anymore.
- I have learned some important lessons in this whole series of events:
- Acting as the "hero" is a thankless job and ultimately self-destructive. It's not worthwhile.
- Computer security is horrible almost everywhere
- FBI are obnoxious jerks. Best to avoid them.
- You can force a horse to drink water; it just won't be very nice to you after that.
- Caring about others, especially the broader society and humanity, above oneself is
foolishness. One should care about others, and about humanity, but equally so one
should care for oneself and not sacrifice yourself. If you need to "hurt yourself" to
"do what is right" then what you intend to do is not in fact "right".
- No good deed goes unpunished.
- If your information is being stolen by criminals, don't come to me for help because
I don't care. The legal system does not care either. I did what I could to try and stop
such criminals and I earned nothing but misery.
- If you want me to do something, pay me. Pro-bono work for the "good of humanity" is no longer of interest to me.