Security Analyst Arrested For Disclosing Security Flaw In Florida County's Election Systems

from the life-lessons dept

A Florida man has been charged with felony criminal hacking charges after disclosing vulnerabilities in the voting systems used in Lee County, Florida. Security analyst David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the county’s election systems. Levin was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond. Levin’s first and biggest mistake was to post a video of himself on YouTube logging into the Lee County Elections Office network using the credentials of Sharon Harrington, the Lee County Supervisor of Elections.

That gave prosecutors the ammo they needed to arrest Levin, even if he believed he was doing locals a favor:

“Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony.”

But at least a portion of Levin’s crime may be of the political variety. In the video posted to YouTube Levin detailed the SQL injection alongside a man by the name of Dan Sinclair, who just so happens to be running against Harrington for the Elections Supervisor position. In the video, Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders:

Sinclair has been telling local news outlets that the arrest is politically motivated and the result of “political corruption.” Officials at the Lee County Elections office claim however that elections data was never actually at risk:

“The server that was vulnerable to Levin’s SQL injection attack, they said, had been retired in October. At the time of Levin’s attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn’t vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn’t have the ability to post new pages to the site or to access voter data or tabulation systems, they said.”

Granted it’s not clear if the data, usernames and passwords used in the attack were also potentially useful in compromising any of the county’s other systems, and Levin’s currently too busy in the court system to offer additional insight.

At the end of the day there’s plenty of fault and lessons to go around. The county obviously shouldn’t keep systems with easily-exploitable vulnerabilities online, as such lower-level systems could open the door for attacks on higher-level operations. Levin meanwhile could have taken any number of steps to reveal the flaws without risking prosecution, and step one to not getting arrested for computer crimes usually involves you avoiding posting videos of you breaking the law on YouTube. Following Dan Kaminsky’s guide on how to disclose vulnerabilities without getting arrested is a good starting point for anybody that may someday find themselves in Levin’s shoes.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Analyst Arrested For Disclosing Security Flaw In Florida County's Election Systems”

Subscribe: RSS Leave a comment
32 Comments
Anonymous Coward says:

Re: Re: Run for Cover

This is a voting machine from the same company that had less security than Mossack Fonseca.

Yep, is the company that bought out Diebold, and was owned by the same guys, whose security saved votes in cleartext, and could be hacked from afar, with literally zero contact with the machine itself.

Anonymous Coward says:

"replaced with one that ran WordPress."

They take down one insecure system that may have had unique vulnerabilities, which only people trying to attack that system would discover. They replaced it with WordPress, a platform with a reputation for vulnerabilities and an install base to justify lots of black hats spending effort finding new vulnerabilities that apply across the install base. This seems like a net loss for security.

DogBreath says:

I bet I know why he was arrested...

Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders

Wanna place a bet that those exact same login names and passwords obtained from the old server, will still work on the new “locked down, upgraded, not vulnerable to the old SQL injection attack, but I didn’t change my password, because it’s too hard to remember a new one, so I am still screwed” server?

Anonymous Coward says:

I don’t have any sympathy for David Levin. He hacked the election system by using the login credentials belonging to other people. You simply don’t use someone else’s login credentials to access a system designed to keep other people out. If the login isn’t yours and you use it, it’s hacking.

Anonymous Coward says:

Re: Re: something better to read

Bev Harris found code that changed votes on voting machines from the 2000 election. They were stored that way.

I used this search term: (bev harris florida election scam finds code on old voting machines).

This is Bev Harris website: http://blackboxvoting.org/

This is why David Levin deserves to be falated, not feloized. The assholes that are in charge of this country have election fraud down to an art. Moreover, these guys have such huge balls, they didn’t even try that hard to hide it.

Anonymous Coward says:

Re: Re:

@ a non-cow at 11:53
i have no sympathy for authoritarian suckups who have no common sense, AND DONT WANT ANY…
they want Big Daddy to make a brightline distinction for EVERYTHING, for all time ! !
in short, you do not want to think, you do not want subtle distinctions, you do not want extenuating circumstances, you simply want Big Daddy to tell you who to hate…

Roger Strong (profile) says:

Re: And this is why you shouldn't do white-hat security probes...

A couple years ago I did a Google search on my apartment address to see if anything interesting had happened recently.

One of the results returned was all of a tenant’s personal information needed to rent a suite as a plain text file. Everything needed for identity theft. It was coming from a web site trying to be the go-to place for folks looking for apartments.

I changed the record number in the URL and got someone else’s information.

I notified the site owner, the 3rd party web development company and the tenant – without mentioning calling the 2nd URL. I’ve seen too many stories of people being arrested after reporting problems like these.

The tenant went to the press.

Anonymous Coward says:

Re: Anyone HERE know programming??

Yes.

And I am a little perturbed (though not surprised) at such a system using SQL at all. Possibly more correct would be define a protocol, and write records in straight binary to a write only media like a cdrom burner, preferably with block chaining. It should be a ONE WAY irrevocable transaction as much as possible.

Using SQL for this job is like using a 5 axis industrial robot to jerk off. There are certain inherent hazards.

ECA (profile) says:

Re: Re: Anyone HERE know programming??

i really have a problem with all these failing to Protect hardware and BASIC programming, for an election machine..

The only problem I see, is HOW MUCH money someone is willing to PAY to corrupt it..

1. DONT need a high end computer..
2. Dont need fancy programming..
3. BASIC 1…could get this done..bag graphics, but it would be DONE..
4, STORE data on a RO CD/DVD/whatever…and pop it into a Machine to send ALL DATA…

I see broken machines, I see EASY to hack machines, I see every reason under the sun..for WHY they dont want this to work..

EVEN in the old days, they have shown that ANY system was corruptible…as long as you had people on the inside..

Anonymous Coward says:

Instead of logging into their system, he should have contacted them by letter or email informing them of the security flaw. But, when will idiots learn? If you discover a security flaw, never inform the company or agency about it because 99% of the time, they will have you arrested and charged with a crime.

Anonymous Coward says:

Reminds me of Clint Curtis

You can understand why Florida would over-react. It isn’t like FL hasn’t had the more voting irregularities than every other state in the union in the past couple of decades.

Block chaining may eventually fix voting machine corruption, but that still doesn’t change the fact that the UI can still be corrupted before the record is created.

Which was basically what < HREF=”https://en.wikipedia.org/wiki/Clint_Curtis”>Clint was hired to do.

Ho hum. So much graft, intimidation, poll taxing, etc. So little time.

Tynkir (profile) says:

He very clearly broke the law and published a video of him breaking it! If you think they’re being jerks arresting him, you’re wrong.

He was NOT hired by Lee County to hack them, nor had he ever been granted access to the systems, not did he have permission to use that users credentials.

Totally illegal.

Also, why does he keep calling SQL “Search Query Language”?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...