As Western University students return to the polls to vote, for the second time, in the 2012 University Students’ Council (USC) elections, criminal charges are pending for the accused recent grad who hacked the server and invalidated roughly 10,000 student votes – believed to be the highest turnout in a USC election to date.
“A decision to declare the election invalid was made in consultation with the USC after Western’s Information Technology Services (ITS) department had determined that the USC elections portal, located on the Western server, was compromised,” said Irene Birrell, Western’s university secretary, last week.
All USC elections were declared invalid as well as elections for undergraduate student positions to Western’s Board of Governors, Senate and answers to two referendum questions.
Keith Horwood, a Western student who took credit for hacking the voteusc.ca server the night of Feb. 14 and changing voting options to things like Justin Bieber’s haircut, came forward with a YouTube video after campus police honed in on him and started questioning his friends.
“We had a number of witnesses (whom) we interviewed and were able to focus in on a particular individual, before he put the video up on YouTube,” said Elgin Austen, Campus Community Police Services director. “We knew the computers that were used in the hack were being tracked by ITS – there was more than one – had an owner with an IP address. When we went to the address, we found out it was not the owner who was using them for the (hack).”
Because the hack was initiated off campus, campus police handed the case over to the London Police Service (LPS) for investigation, Elgin explained.
In his video, Horwood explained he found a security flaw in the server and couldn’t resist the opportunity for a prank.
“It was like somebody had just put the world’s coolest toy or the world’s most attractive woman in front of me and then they were like, ‘Yo, stay away.’ And you know what? I couldn’t,” Horwood said in the video.
What he did required no technical mastery, he explained, casually apologizing to candidates and adding only after the hack did he realize the magnitude of his actions.
But according to Debbie Jones, ITS director, Horwood’s alleged prank wasn’t as simple as he claims.
When ITS identified the attack, they saw someone actually spent a couple of hours just trying to find a hole, Jones said. Someone spent nine hours total on this. They did a lot of work and when ITS looked at it, what was done was fairly high level.
“This person wasn’t a novice at this sort of thing,” she said.
ITS responded quickly and with due diligence, Jones added.
“We shut down the election, and went though code. It has been set up on a new sever, the code has been checked and we rewrote some code. Also on the server, they did some hardening and the security team did a penetration test so it would be ready,” she said.
The hack posed no real security threat to Western’s severs, the personal information of its community members or even the election itself, Jones explained.
“He couldn’t get any information out of there. The code was written so it couldn’t save passwords or names. The only thing he could have done is what he did – disrupt the election.”
Other Western servers containing private and personal information have more sophisticated databases, so anyone looking for a hole, wouldn’t be able to hack them.
“If he wanted to do something good, as he says he did, he could have just come forward and said ‘I found this (hole),’” Jones said, noting an ITS estimate for costs associated with the hack are at roughly $8,000.
Austen said factoring in ITS operating costs and USC election efforts, he thinks the hack will cost Western close to $20,000.
Contacted this week, Cst. Dennis Rivest of the LPS said the investigation is in its final stages and the cyber-crime unit anticipates charges to be laid by the end of the week.