Security Analyst Arrested For Disclosing Security Flaw In Florida County's Election Systems

from the life-lessons dept

A Florida man has been charged with felony criminal hacking charges after disclosing vulnerabilities in the voting systems used in Lee County, Florida. Security analyst David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the county's election systems. Levin was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond. Levin's first and biggest mistake was to post a video of himself on YouTube logging into the Lee County Elections Office network using the credentials of Sharon Harrington, the Lee County Supervisor of Elections.

That gave prosecutors the ammo they needed to arrest Levin, even if he believed he was doing locals a favor:
"Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony."
But at least a portion of Levin's crime may be of the political variety. In the video posted to YouTube Levin detailed the SQL injection alongside a man by the name of Dan Sinclair, who just so happens to be running against Harrington for the Elections Supervisor position. In the video, Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders:
Sinclair has been telling local news outlets that the arrest is politically motivated and the result of "political corruption." Officials at the Lee County Elections office claim however that elections data was never actually at risk:
"The server that was vulnerable to Levin's SQL injection attack, they said, had been retired in October. At the time of Levin's attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn't vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn't have the ability to post new pages to the site or to access voter data or tabulation systems, they said."
Granted it's not clear if the data, usernames and passwords used in the attack were also potentially useful in compromising any of the county's other systems, and Levin's currently too busy in the court system to offer additional insight.

At the end of the day there's plenty of fault and lessons to go around. The county obviously shouldn't keep systems with easily-exploitable vulnerabilities online, as such lower-level systems could open the door for attacks on higher-level operations. Levin meanwhile could have taken any number of steps to reveal the flaws without risking prosecution, and step one to not getting arrested for computer crimes usually involves you avoiding posting videos of you breaking the law on YouTube. Following Dan Kaminsky's guide on how to disclose vulnerabilities without getting arrested is a good starting point for anybody that may someday find themselves in Levin's shoes.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, dan sinclair, david levin, disclosure, florida, lee county, voting, vulnerability


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    TechDescartes (profile), 10 May 2016 @ 11:05am

    Run for Cover

    Isn't it ironic that to cover their own tails, they have to claim that nothing really was at risk? Kinda defeats the claim that he was putting anything at risk in the first place.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 May 2016 @ 11:11am

      Re: Run for Cover

      Thats a great point.

      I think maybe he put their jobs at risk and thats why he needed to be arrested.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 May 2016 @ 12:39pm

        Re: Re: Run for Cover

        This is a voting machine from the same company that had less security than Mossack Fonseca.

        Yep, is the company that bought out Diebold, and was owned by the same guys, whose security saved votes in cleartext, and could be hacked from afar, with literally zero contact with the machine itself.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 11:19am

    "replaced with one that ran WordPress."

    They take down one insecure system that may have had unique vulnerabilities, which only people trying to attack that system would discover. They replaced it with WordPress, a platform with a reputation for vulnerabilities and an install base to justify lots of black hats spending effort finding new vulnerabilities that apply across the install base. This seems like a net loss for security.

    link to this | view in chronology ]

    • identicon
      Andreas, 11 May 2016 @ 1:50am

      Re: "replaced with one that ran WordPress."

      WordPress is not insecure. People that think that are uneducated or refuse to accept reality. Plugins and themes may be insecure but WordPress itself is not insecure. Just keep it updated.

      link to this | view in chronology ]

      • identicon
        Wendy Cockcroft, 12 May 2016 @ 6:03am

        Re: Re: "replaced with one that ran WordPress."

        The main vulnerability in WP is the passwords people choose. If your password is easy to guess, you will be hacked.

        link to this | view in chronology ]

  • identicon
    DogBreath, 10 May 2016 @ 11:25am

    I bet I know why he was arrested...

    Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders

    Wanna place a bet that those exact same login names and passwords obtained from the old server, will still work on the new "locked down, upgraded, not vulnerable to the old SQL injection attack, but I didn't change my password, because it's too hard to remember a new one, so I am still screwed" server?

    link to this | view in chronology ]

    • identicon
      pegr, 10 May 2016 @ 11:35am

      Re: I bet I know why he was arrested...

      Better than even that's exactly right. High 90's that with ten accounts, at least one would reuse a password.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 11:53am

    I don't have any sympathy for David Levin. He hacked the election system by using the login credentials belonging to other people. You simply don't use someone else's login credentials to access a system designed to keep other people out. If the login isn't yours and you use it, it's hacking.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 May 2016 @ 12:05pm

      Re:

      What you've written here is so far beyond retarded that I can actually feel my brain cells committing suicide for fear that I'll read it again.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 May 2016 @ 1:12pm

        Re: Re: something better to read

        Bev Harris found code that changed votes on voting machines from the 2000 election. They were stored that way.

        I used this search term: (bev harris florida election scam finds code on old voting machines).

        This is Bev Harris website: http://blackboxvoting.org/

        This is why David Levin deserves to be falated, not feloized. The assholes that are in charge of this country have election fraud down to an art. Moreover, these guys have such huge balls, they didn't even try that hard to hide it.

        link to this | view in chronology ]

        • identicon
          Funky Monkier, 11 May 2016 @ 8:51am

          Re: Re: Re: something better to read

          The ayes have it.. oh wait, correction the abstains have it.

          link to this | view in chronology ]

    • identicon
      wubba, 10 May 2016 @ 12:36pm

      Re: I don't have any sympathy for David Levin

      Thank you.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 May 2016 @ 12:53pm

      Re:

      @ a non-cow at 11:53
      i have no sympathy for authoritarian suckups who have no common sense, AND DONT WANT ANY...
      they want Big Daddy to make a brightline distinction for EVERYTHING, for all time ! !
      in short, you do not want to think, you do not want subtle distinctions, you do not want extenuating circumstances, you simply want Big Daddy to tell you who to hate...

      link to this | view in chronology ]

      • identicon
        Loki, 10 May 2016 @ 1:20pm

        Re: Re:

        You've pretty much described most major religions on the planet.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 May 2016 @ 1:33pm

        Re: Re:

        Funny how they like the safety of having a slave collar around their neck so much they insist we all wear them to the point they start trying to put them on other people.

        link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 10 May 2016 @ 12:34pm

    And this is why you shouldn't do white-hat security probes...

    ...rather should hack to commit crimes, e.g. throw elections.

    In for the sheep, in for the flock.

    link to this | view in chronology ]

    • icon
      Roger Strong (profile), 10 May 2016 @ 1:40pm

      Re: And this is why you shouldn't do white-hat security probes...

      A couple years ago I did a Google search on my apartment address to see if anything interesting had happened recently.

      One of the results returned was all of a tenant's personal information needed to rent a suite as a plain text file. Everything needed for identity theft. It was coming from a web site trying to be the go-to place for folks looking for apartments.

      I changed the record number in the URL and got someone else's information.

      I notified the site owner, the 3rd party web development company and the tenant - *without* mentioning calling the 2nd URL. I've seen too many stories of people being arrested after reporting problems like these.

      The tenant went to the press.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 12:45pm

    Another pathway to victory closed to HRC, Damn.

    link to this | view in chronology ]

  • icon
    ECA (profile), 10 May 2016 @ 12:49pm

    Anyone HERE know programming??

    WHY?
    There are better ways to program computers so as NOT to use any advanced abilities of remote/local access..
    Why is it so hard to use Hardware/software to protect remote systems??
    This is BASIC stuff from YEARS ago..
    Banks used to use Wireless and Modems...and shortwave..

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 May 2016 @ 2:32pm

      Re: Anyone HERE know programming??

      Yes.

      And I am a little perturbed (though not surprised) at such a system using SQL at all. Possibly more correct would be define a protocol, and write records in straight binary to a write only media like a cdrom burner, preferably with block chaining. It should be a ONE WAY irrevocable transaction as much as possible.

      Using SQL for this job is like using a 5 axis industrial robot to jerk off. There are certain inherent hazards.

      link to this | view in chronology ]

      • icon
        ECA (profile), 11 May 2016 @ 1:06am

        Re: Re: Anyone HERE know programming??

        i really have a problem with all these failing to Protect hardware and BASIC programming, for an election machine..

        The only problem I see, is HOW MUCH money someone is willing to PAY to corrupt it..

        1. DONT need a high end computer..
        2. Dont need fancy programming..
        3. BASIC 1...could get this done..bag graphics, but it would be DONE..
        4, STORE data on a RO CD/DVD/whatever...and pop it into a Machine to send ALL DATA...

        I see broken machines, I see EASY to hack machines, I see every reason under the sun..for WHY they dont want this to work..

        EVEN in the old days, they have shown that ANY system was corruptible...as long as you had people on the inside..

        link to this | view in chronology ]

      • identicon
        Roborto (profile), 11 May 2016 @ 9:08am

        Re: Re: Anyone HERE know programming??

        Using SQL for this job is like using a 5 axis industrial robot to jerk off. There are certain inherent hazards.

        Uh, [hey], [do you have a line on those 5 axis thing a ma jig robots?] I'm mostly bionic and that is absolutely prohibited in my programming.. ;o)

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 12:56pm

    Instead of logging into their system, he should have contacted them by letter or email informing them of the security flaw. But, when will idiots learn? If you discover a security flaw, never inform the company or agency about it because 99% of the time, they will have you arrested and charged with a crime.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 1:25pm

    you make the criminals in charge look bad and you will discover that the laws and rights you were taught protect you no longer exist in this democracy turned police state.

    link to this | view in chronology ]

  • icon
    Oblate (profile), 10 May 2016 @ 2:13pm

    A problem for some, an opportunity for others

    This won't be fixed until something ridiculously crooked happens, as some (i.e. those currently in charge) seem to consider it a feature not a bug- otherwise it would have already been fixed..

    I predict the winner of the next election in Florida: Votey McVoteface (I).

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 May 2016 @ 2:18pm

    Reminds me of Clint Curtis

    You can understand why Florida would over-react. It isn't like FL hasn't had the more voting irregularities than every other state in the union in the past couple of decades.

    Block chaining may eventually fix voting machine corruption, but that still doesn't change the fact that the UI can still be corrupted before the record is created.

    Which was basically what < HREF="https://en.wikipedia.org/wiki/Clint_Curtis">Clint was hired to do.

    Ho hum. So much graft, intimidation, poll taxing, etc. So little time.

    link to this | view in chronology ]

  • identicon
    Anonymous Cowherd, 10 May 2016 @ 5:36pm

    Life lessons

    1. Whether you get arrested for trying to help comes down to "Are they dicks?"
    2. The answer to the above question is "Yes."

    link to this | view in chronology ]

  • identicon
    US Citizen Usurped, 11 May 2016 @ 8:39am

    I believe in democracy, but

    There has to be some way in which someone up there can usurp election results, right? Discovering that is a big NO NO. Democracy only works if those who are running the show are able to continue running the show. Its a big show.

    link to this | view in chronology ]

  • icon
    Tynkir (profile), 12 May 2016 @ 1:38pm

    He very clearly broke the law and published a video of him breaking it! If you think they're being jerks arresting him, you're wrong.

    He was NOT hired by Lee County to hack them, nor had he ever been granted access to the systems, not did he have permission to use that users credentials.

    Totally illegal.

    Also, why does he keep calling SQL "Search Query Language"?

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.