Although he isn’t overly happy that a police tactical unit kicked in his parents’ front door, Spencer Brydges is pleased he’ll be getting his day in court.
The 25-year-old recent computer science grad from Laurentian University faces charges of unauthorized use of a computer system, mischief to data and breach of probation.
The charges stem from a Brydges’ decision back in January to hack into Laurentian University’s computer network. He didn’t cause any damage, install any malware or do anything malicious. What Brydges did do was tell the university what he’d done in hopes the school would fix what the recent grad said are gaping holes in LU’s cyber security.
Rather than pat Brydges on the back for what he did, Laurentian called in the police. This month, a Greater Sudbury Police tactical unit used a battering ram to bust in the front door of Brydges’ parents Sudbury home to arrest him and seize his devices.
This story really begins about two years ago. Brydges had suspicions, he said, about how robust LU’s computer security was, so he decided to test it by trying to get into the school’s parking database.
You can’t call what he did a hack, technically. All he did was guess a password (which was, fittingly enough, “parking” he said).
“The fact is, the initial vulnerability I discovered, there was no hacking required,” he said. “If someone knew the link to the page, they could access it. The system didn’t check to see if you’d logged in.”
He explained that what this means is the school was using the login page to intranet.laurentian.ca as a floodgate to protect certain information, namely sexual assault reports. If for some reason, that login page was disabled or taken down, nothing would prevent Google from indexing the database and, in effect, making all the private information contained therein public.
“That’s a pretty serious vulnerability and a symptom of a bigger problem,” he told Sudbury.com.
Brydges downloaded some data to show the school how easy it was and notified them. He said he was thanked, asked to delete the data he’d downloaded and told if he found other vulnerabilities, not to download or retain any information.
He said he was also told the school was working to make its network more secure. Brydges said he wasn’t sure about that, so he decided over two days in January to see just how secure the network was.
From Jan. 23-25, he went “as deep as I could into the system.” He said he got “exceptionally far.” Did he find problems? You bet, he said.
“I found dozens (of problems),” he said. “It’s the way they wrote the whole system. It’s like the developer didn’t write it with security in mind.”
Interestingly, Brydges said he thinks the reason police were called into the case was due to one of the vulnerabilities he uncovered. He said the school's Webadvisor system (an online system where students can register for classes, view grades and get transcripts, for instance) is set up so that it doesn’t keep logs, meaning there was no way for the school to see what Brydges — or someone with malicious intent — had done.
Accessing Webadvisor gave him the ability to see things like student social insurance numbers, addresses and banking information.
“There’s no way for them to see if I’d downloaded anything,” he said. “That’s why the police are involved, to determine” that he hadn’t taken data that could be used to commit financial fraud, for instance.
A former IT person for Laurentian, as an example, knowing the vulnerability could get in and out of the system and there would be no record anything untoward had occurred, Brydges said.
Brydges wrote up a report for the school on what he had done and what he had found. He made no effort either to disguise his actions. He used his own computer and didn’t mask his IP address.
What’s more, Brydges notified Laurentian in January and the school called the police in in February. Greater Sudbury Police arrested and charged Brydges this month, six months later.
Brydges said he even volunteered to hand over his devices and speak with police months ago, but got no response. In the intervening time, he could have wiped or destroyed any evidence of his hacking — he didn’t, he said, because he wasn’t being malicious. He wants the problems he said he found fixed.
“I hope Laurentian University beefs up their security and I hope this goes to court so I can speak freely about what I found,” he said. “I’m happy they’re investigating — they’ll see I’m not engaging in (anything illegal).
“I can’t stand having my data stored somewhere that isn’t secure.”
Sudbury.com did reach out to Laurentian University to ask about the specific criticisms Brydges makes. The school declined to comment “out of respect for the legal process.”
Brydges will be in a Sudbury courtroom in September to answer to the charges.