back to article Researcher arrested after reporting pwnage hole in elections site

Vanguard Cybersecurity man David Levin was arrested after exploiting and disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections website. The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into Lee County state elections website on 19 December. …

Page:

  1. Anonymous Coward
    Anonymous Coward

    Breaking into computers you don't own..

    ..and we're not asked to, is breaking the law.

    Welcome to the real world of consequences for your actions.

    Of course, doing this via another compromised machine, creating maximum damage in the process, and staying anonymous results in them getting royally fucked but you go clean and clear.

    What a shame these guys are being dicks about being caught with their pants down...

    1. Anonymous Coward
      Anonymous Coward

      Re: Breaking into computers you don't own..

      What a shame these guys are being dicks about being caught with their pants down...

      Indeed.

      If this doesn't illustrate the dangers of internet voting then I don't know what does.

      Wanna win an election? Get yourself the best hacker. Won an election and slightly surprised by the result? Maybe one of your supporters did more than simply vote for you. Unhappy with the prospect of a candidate winning whose policies you don't like? Start rummaging around the voting website.

      If there is any doubt about the integrity of an electoral process then the credibility of the result will be questioned. Democracy works if, and only if, the result is hard to fake. That's why paper votes work and electronically counted votes do not (especially as most polls are supposed to be secret ballots - makes it hard to analyse and investigate electoral fraud). Everyone can witness and believe in a paper voting and counting process. Almost no on can witness and believe in an electronically counted vote.

      1. Neil Barnes Silver badge

        Re: Breaking into computers you don't own..

        Knock knock.

        "Hi. I noticed your window is open. You might want to close it; there are burglars about."

        (a) "Thanks, I'll sort it."

        (b) "You're nicked, son!"

        1. Adam 52 Silver badge

          Re: Breaking into computers you don't own..

          Not really, a closer story might be:

          "I noticed your window was on the latch, so I undid the catch, crawled inside, rumaged through your stuff and then told my mates in the pub about it."

          1. Mycho Silver badge

            Re: Breaking into computers you don't own..

            Actually, in Lincolnshire, there were complaints made after the police did a public awareness exercise by walking up to people's houses and putting leaflets through open windows warning of the risk of burglary. Certainly, legal action was threatened by some of the targetted residents.

            1. Bronek Kozicki Silver badge
              Joke

              Re: Breaking into computers you don't own..

              Ah, but that's Lincolnshire

              1. Mycho Silver badge

                Re: Breaking into computers you don't own..

                Lee County might be Lincolnshire 2.0

            2. Anonymous Coward
              Anonymous Coward

              Re: Breaking into computers you don't own..

              "Certainly, legal action was threatened by some of the targetted residents."

              Until they realised no laws were broken and there was no chance of getting some money for being dicks.

            3. SolidSquid

              Re: Breaking into computers you don't own..

              Not quite as bad as Coventry City, where the police were letting themselves into houses where the owner had forgotten to lock the door and tweeting photos of themselves there. Was an official police program too, they were intending it as a way to get people to pay more attention to their house security, but I suspect leaflets would have been preferred in that case

          2. DanForSupervisor

            Re: Breaking into computers you don't own..

            Your statement/analogy is not factually accurate. Dave only collected the screen shots for the state AFTER THEY ASKED FOR THEM.

            Prior to that he just found the holes and reported them.

          3. DanForSupervisor

            Re: Breaking into computers you don't own..

            Here is a closer story:

            There was no “break[ing] into an account” as Sharon Harrington states. Sharon left the door open. Dave was driving by and saw the door had been left open by his neighbor renting the house, Sharon. He knew the person who left the door open would call the police and pretend that Dave somehow opened the door. So, he called a neighbor who understands doors and could confirm that, yes, the door in fact was left wide open. He wanted a witness, in case the person who was renting the house lied to the police. The neighbor he called, Dan, called the renter and informed her she left her door wide open. The renter couldn’t be bothered to call Dan back, ever. Instead, she called her door repair guy to call Dan back. This door guy works full time for the renter and was actually the one who left the door open to begin with. Dan and Dave had to explain repeatedly to the door guy:

            a. That the door was left open

            b. What door it was on the house

            c. How to close the door

            d. How to secure the door, so this did not happen again

            e. That they were lucky a burglar did not see the open door and steal anything or vandalize the house before Dave saw the open door and Dan reported it

            1. Adam 52 Silver badge

              Re: Breaking into computers you don't own..

              It's a SQL injection attack, not exactly rocket science but not "an open door" either.

              And once in he uses it to get a list of user credentials, so that's not backing out as soon as possible.

              Sure it's a shoddy website but he's still committing a crime if it were under English law and I'd expect under US too.

              If not, of course, US arrest criteria are must stricter than the UK, so I'm sure we'll be hearing about the damages for unlawful arrest in due course (but somehow I doubt it).

              1. Wayland Bronze badge

                Re: Breaking into computers you don't own..

                SQL injection is quite obvious after you have written a web driven application with an SQL back end. Once it occurs to you that the text box on the web page gets interpreted by the SQL engine then you realize just how creative you can get by 'escaping' the text string and writing in native SQL which may even feature access to the OS command line or executables.

                I figured this out 18 years ago when I discovered this problem in my own code.

                I wrote active web page code something like

                IF PASSWORD$ = [user.password] THEN 'let me in'

                where PASSWORD$ was the input the user typed on the web page.

                If the user typed ¬[user.password]¬ or whatever squiggle escaped the string then the code would be read as

                IF [user.password] = [user.password] THEN 'let me in'

                The funny thing was that I wrote it in VBA but the next guy rewrote it in Java because he said VBA was shit but it had the Java version of the same bug.

                The solution of course was to pass all user input through a function that would clean out any funny characters.

                1. Vic

                  Re: Breaking into computers you don't own..

                  The solution of course was to pass all user input through a function that would clean out any funny characters.

                  The solution is to use prepared statements, which completely obviate all SQL injection attacks in one fell swoop...

                  Vic.

          4. energystar
            Pint

            Re: Breaking into computers you don't own..

            Sounds fun. Cheers!

        2. This post has been deleted by its author

        3. DanForSupervisor

          Re: Breaking into computers you don't own..

          Good Post Neil Barnes. One of the only accurate ones I have seen here.

        4. Whiznot

          Re: Breaking into computers you don't own..

          Your comment is a poor characterization of reality. The hole in election machine security exists to enable rigged elections. The rulers in control don't like their tricks exposed. Go directly to jail.

      2. Anonymous Coward
        Anonymous Coward

        Re: Breaking into computers you don't own..

        > If this doesn't illustrate the dangers of internet voting then I don't know what does.

        > Wanna win an election? Get yourself the best hacker.

        It's been done before, with much less sophisticated methods.

        And it even got a favorable SC ruling.

        It will be done again and again,.

        As many times as they can get away with it.

        Till it's too late.

      3. Mark 85 Silver badge

        Re: Breaking into computers you don't own..

        That's why paper votes work and electronically counted votes do not (especially as most polls are supposed to be secret ballots

        Paper ballots are no guarantee either. Consider the famous Chicago Graveyard voters. Or LBJ's first election to state government where the elections board was burning the ballots in the basement while the State Police were breaking down the front door.

    2. DanForSupervisor

      Re: Breaking into computers you don't own..

      1. No one was "caught." The issues were reported by Dave. In fact neither the county nor the state could tell if they had EVER had a data breach. The state was very clear about that.

      2. Dave stopped as soon as he proved the holes were real. There was no rummaging around inside someone else's system. He did not take any information, either.

      3. Dave not only reported the holes, he showed them how to find the holes. After explaining where the holes were, they still could not find them. So, he showed them how to fix the holes and gave them Best Practices going forward. The state asked for a written report, which he provided. They gave him permission to go into the system. When Dave found they did not even have the most basic tools to detect intruders, he provided them with those software tools.

      4. The FDLE did not actually investigate. They just tried to find a law they felt Dave broke (which is not an applicable law in this case), and tried to figure out how to nail him on it. They reported the current Supervisor's claims as fact without investigating. The claims turned out to be false. The FDLE did not put a real IT person on the case and STILL does not understand what happened or how it happened. The only dates they used they received from Dave and I, in cooperating into the investigation of why the holes were left there for years to begin with. The investigation is supposed to be into the Gross Negligence of the state and county. However, the FDLE is allowing themselves to be used as political pawns by a corrupt politician.

      Don't buy into this nonsense. Your comments just make you look very uniformed.

      1. ecofeco Silver badge

        Re: Breaking into computers you don't own..

        Thanks for the report Dan. So it's clearly a case of revenge for looking bad. Better known as "official repression" which means after the dust settles, they've just set themselves up for a major civil rights lawsuit.

      2. Wzrd1

        Re: Breaking into computers you don't own..

        1: He intentionally breached systems without the consent of the operator. That is indeed a crime.

        2: He continued to breach more systems without the consent of the operators. That's also a crime.

        3: Had he asked for permission, they may well have given it and then it would not have been a crime.

        4: If someone breached my systems without my permission, I'll be taking them to court and get awarded punitive damages.

        5: If someone entered my home without permission, they'll leave with a pair of 5.56 mm holes in them - head and chest, as I live in a castle doctrine state. I'm also a retired soldier who never learned how to miss.

        Want to stay out of trouble? Easy, don't fuck with other people's shit without permission. If you ask me, I'll probably let you try to breach my systems, if you don't ask permission, we'll be meeting in court.

        1. Anonymous Coward
          Anonymous Coward

          Re: Breaking into computers you don't own..

          5: If someone entered my home without permission, they'll leave with a pair of 5.56 mm holes in them

          Umm - Is it wise to tell the ever-lurking troll armies of the net that the 'swatting' of your home could be particularly interesting in this way?

    3. DanForSupervisor

      Re: Breaking into computers you don't own..

      This may help:

      There was no “break[ing] into an account” as Sharon Harrington states. Sharon left the door open. Dave was driving by and saw the door had been left open by his neighbor renting the house, Sharon. He knew the person who left the door open would call the police and pretend that Dave somehow opened the door. So, he called a neighbor who understands doors and could confirm that, yes, the door in fact was left wide open. He wanted a witness, in case the person who was renting the house lied to the police. The neighbor he called, Dan, called the renter and informed her she left her door wide open. The renter couldn’t be bothered to call Dan back, ever. Instead, she called her door repair guy to call Dan back. This door guy works full time for the renter and was actually the one who left the door open to begin with. Dan and Dave had to explain repeatedly to the door guy:

      a. That the door was left open

      b. What door it was on the house

      c. How to close the door

      d. How to secure the door, so this did not happen again

      e. That they were lucky a burglar did not see the open door and steal anything or vandalize the house before Dave saw the open door and Dan reported it

    4. Anonymous Coward
      Anonymous Coward

      Florida the sucks ass state

      Wow was going to get worked up about this article but then I saw it didn't happen in the developed world (Florida) so that was a relief. The state whose child protective services loses kids in its custody regularly. Even African and middle east states send election monitors to Florida.

      1. Gray
        Windows

        Re: Florida the sucks ass state

        Florida: budget mismanagement, corruption, crony politics and voter suppression.

    5. ian 22
      Coat

      Re: Breaking into computers you don't own..

      You gotta unnerstand, this is Florida home of the hanging chad and other Republican defense strategies. No doubt this lad interrupted the Governor's plan for reelection, and now he's going to pay for it.

      Mines the one with the extra ballots in the pocket.

      1. John II

        Re: Breaking into computers you don't own..

        "Hanging chads" ballots the fault of Republicans? Sorry, Ian, you are really reaching back into situations you don't understand. Those ballots were created by, and were the responsibility of, a Democrat elections official for that county.

        A bit too cute by half, mate.

  2. Anonymous Coward
    Anonymous Coward

    No good deed goes unpunished

    White hats are so beta.

    Cover your tracks. Sell that precious booty for bitcoins. If it's not worth anything, wreck shit up for maximum karmic restitution.

    If the company goes out of business so much the better. They just got slapped by the invisible hand.

  3. Gordon 10 Silver badge

    Vengeful Bureaucrat?

    Interesting that he actually appears in a YouTube vid with the Election supervisor who presumably was very grateful for the the heads up.

    I wonder which mean spirited SOB decided to prosecute? Names would be good.

    1. rh587

      Re: Vengeful Bureaucrat?

      It's seems Dan Sinclair is a candidate for the Election Supervisor gig. It may well be the incumbent (one Sharon Harrington) who has pushed for the arrest.

      She is likely hacked off that:

      1. He put it on YouTube before he told her department.

      2. He did it whilst sat on a couch with someone who is running for her job.

      Additionally, he didn't just discover the SQL Injection flaw and let them know - he exploited it, extracted data, used that data (logging in), etc which goes beyond just telling someone their window is open, into the realms of climbing in and going through their stuff. Though in his defence, they'd basically left a big neon sign next to their open window saying "free stuff here" and it you'd have to think it's unlikely he was the first in. Without intrusion detection, all elections since that system was installed are suspect.

      1. DavCrav Silver badge

        Re: Vengeful Bureaucrat?

        "She is likely hacked off that:

        1. He put it on YouTube before he told her department.

        2. He did it whilst sat on a couch with someone who is running for her job."

        Maybe he'd be better at her job then she would? Since her reaction is to have a guy arrested rather than sort the security out in the first place?

      2. DanForSupervisor

        Re: Vengeful Bureaucrat?

        rh587, it was NOT on YouTube before Dave told them about the holes, HELPED THEM FIX THE HOLES, and then gave them best practices going forward AND the software tools to identify and prevent hacks going forward.

        No information was released until after the holes were fixed.

        It really helps when you stick with the facts, and not just make up your own theories. ;)

    2. DanForSupervisor

      Re: Vengeful Bureaucrat?

      Good point. The outgoing Supervisor is the one that called the FDLE. Very bitter.

      1. Wzrd1

        Re: Vengeful Bureaucrat?

        @DanForSupervisor, you'd never get my vote at all, as you've failed to comprehend the law's basics.

        I'll use an example for you.

        Kwikset is a cheap, popular lock that is extremely easy to pick. His SQL injection attack was like me sticking my lock picks into that Kwikset lock and picking the lock. Without permission, I'd be committing burglary and rightfully convicted of burglary. With permission, I'd be evaluating security by showing that even my modicum of skill was able to pick the lock in seconds.

        He should have written up a proposal, explaining that he's a security researcher and he was interested in examining their network for vulnerabilities for free. There's a fair chance that he'd have gotten permission. Instead, he went in, played around, exfiltrated data, all without permission. He picked the cheap lock and entered.

        I'd have pushed to have him charged as well. I'd also have hit the roof that my site was so vulnerable and saw to it that it was properly secured.

        But then, I'm an information security professional. The only systems I break into are my own and obviously I've given myself permission to breach my own systems.

        1. Intractable Potsherd Silver badge

          Re: Vengeful Bureaucrat? @Wzrd1

          The problem with your approach is that it requires someone who a) may not care, or b) put the vulnerabilities in for their own purposes to give permission for you to look. In some cases - and electronic voting systems is one - it is in the public interest to see i) if they are insecure and ii) what sort of damage could be done by a black hat. Indeed, it would also be in the public interest to do this without informing the people responsible for the site, in case they covered up holes that might already have been exploited. We are living in a world where computer breaches are all too common, and the people responsible (the data custodians) are none too willing to inform people about them. What this guy did seems reasonable to me - get in, scope what damage could be done, then get out and contact the site owner before going public. No need for law-enforcement, just a "thank you for being responsible".

    3. Anonymous Coward
      Anonymous Coward

      Re: Vengeful Bureaucrat?

      Well one edge to Trump as the nominee as neither party needs to be worried about placing operatives in the right offices in Florida this time around.

  4. redpawn Silver badge

    Appearance of security only wanted

    The government will pretend that bad guys are too dumb to have found the security hole so the evil hacker must be punished. The truth is that our voting system is insecure by design. Here in the US there are plenty of instances of vote swapping on electronic vote tallies. Do a Google search if you don't believe me. Don't expect security which prevents deniability by the parities involved in fraud whether they be corporate or government actors. Remember you can't check the code. It is proprietary.

    Insist on a verifiable paper printout or paper ballot which can be checked by a human.

    1. Anonymous Coward
      Anonymous Coward

      Re: Appearance of security only wanted

      >Insist on a verifiable paper printout or paper ballot which can be checked by a human.

      So happy my state actively encourages mail in balloting (one of few things about elections they do right). Fsck standing in lines to then place an invisible vote.

  5. Blofeld's Cat
    Facepalm

    Hmm...

    Evidently somebody still believes the best way to protect their stuff is to train a crack squad of marksmen to shoot any messenger who comes into range.

    1. asdf Silver badge

      Re: Hmm...

      One of the few things bipartisan as Obama's war on whistle blowers attests too.

  6. alain williams Silver badge

    Gary McKinnon

    This is what the USA govt was trying to do to Gary: shoot the messenger.

    The 'crime' that they are worried about is causing embarrassment by showing that their system administrators are incompetent.

    1. SolidSquid

      Re: Gary McKinnon

      Well there was also a pretty sizeable expense caused by him bypassing their security systems. Admittedly the expense was "doing their damn job andgetting their systems properly secured", but technically was still an expense

      1. Anonymous Coward
        Anonymous Coward

        Re: Gary McKinnon

        by expense, they don't mean doing their job properly, perhaps just starting to do their job at all.

        The article suggests they didn't have any intrusion detection in place, so the researcher may not even be the first through the [open] door.

        I think he was unwise to use the credentials, however the official response seems to be less than helpful. Had he simply rigged the vote no one would have even noticed...

        1. Anonymous Coward
          Anonymous Coward

          Re: Gary McKinnon

          Do others suspect that these systems are built like this on purpose?

          1. JustNiz

            Re: Gary McKinnon

            Of course they are. All government elections are just a sham who's only actual purpose is to keep up the fantasy that we are living in democracy. The actual result has already been decided behind closed doors and not at all by you or me.

  7. Anonymous Coward
    Anonymous Coward

    Which bit of this do you lot not understand?

    >Levin then went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas.

    It's all very well finding a hole which allows you to get credentials it's another thing completely to use those credentials. He crossed the line.

    1. fajensen Silver badge

      Re: Which bit of this do you lot not understand?

      Yep. Next Time: Do buy some Beer and Popcorn then post the exploit on 4Chan and let "the internet" run with it; there can never be enough tranny-pr0n on an insecure election site!

    2. Anonymous Coward
      Anonymous Coward

      Re: Which bit of this do you lot not understand?

      Didn't he do this whilst the supervisor was present?

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019