Security Analyst Arrested For Disclosing Security Flaw In Florida County's Election Systems

from the life-lessons dept

A Florida man has been charged with felony criminal hacking charges after disclosing vulnerabilities in the voting systems used in Lee County, Florida. Security analyst David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the county’s election systems. Levin was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond. Levin’s first and biggest mistake was to post a video of himself on YouTube logging into the Lee County Elections Office network using the credentials of Sharon Harrington, the Lee County Supervisor of Elections.

That gave prosecutors the ammo they needed to arrest Levin, even if he believed he was doing locals a favor:

“Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony.”

But at least a portion of Levin’s crime may be of the political variety. In the video posted to YouTube Levin detailed the SQL injection alongside a man by the name of Dan Sinclair, who just so happens to be running against Harrington for the Elections Supervisor position. In the video, Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders:

Sinclair has been telling local news outlets that the arrest is politically motivated and the result of “political corruption.” Officials at the Lee County Elections office claim however that elections data was never actually at risk:

“The server that was vulnerable to Levin’s SQL injection attack, they said, had been retired in October. At the time of Levin’s attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn’t vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn’t have the ability to post new pages to the site or to access voter data or tabulation systems, they said.”

Granted it’s not clear if the data, usernames and passwords used in the attack were also potentially useful in compromising any of the county’s other systems, and Levin’s currently too busy in the court system to offer additional insight.

At the end of the day there’s plenty of fault and lessons to go around. The county obviously shouldn’t keep systems with easily-exploitable vulnerabilities online, as such lower-level systems could open the door for attacks on higher-level operations. Levin meanwhile could have taken any number of steps to reveal the flaws without risking prosecution, and step one to not getting arrested for computer crimes usually involves you avoiding posting videos of you breaking the law on YouTube. Following Dan Kaminsky’s guide on how to disclose vulnerabilities without getting arrested is a good starting point for anybody that may someday find themselves in Levin’s shoes.

Filed Under: cybersecurity, dan sinclair, david levin, disclosure, florida, lee county, voting, vulnerability