Security Researcher Arrested after Revealing Flaws in Election Website

 

A security researcher who revealed vulnerabilities in a Florida county election website has been arrested on criminal charges for unauthorized access (hacking) and was jailed for six hours.

The Florida Department of Law Enforcement have accused a 31-year-old Estero man, Dan Levin, of hacking into the state elections website on January 4 and January 31. He had allegedly also hacked into the Lee County elections website on December 19, last year.

A security consultant and founder of Vanguard Cybersecurity, Levin turned himself in to the FDLE for three third-degree-felony counts of property crimes.

Describing the attack in an arrest report, the FDLE stated:

An SQL (Structured Query Language) is a code injection technique used to attack data-driven applications. An SQL injection enables an individual to obtain secure information, such as usernames and passwords, from vulnerable sources.

Levin attests that his actions were to help the standard of cybersecurity of the elections websites, as described in a YouTube video. Incidentally, the video also features Dan Sinclair, a candidate running for the supervisor position.

The video can be found below:

https://www.youtube.com/watch?v=38rsseDeFYQ

Sinclair revealed that Levin had contacted him in December after taking a federal course online alongside Department of Defense officials that focused on penetration testing of online systems. Levin told Sinclair that he could hack into the elections website.

Levin was able to gain control of a content management system (CMS), used to control the official website of Florida’s Office of Elections.

He used Havij, a freely available SQL testing software that routinely checks for vulnerabilities, on the state elections website.

Two weeks passed after the YouTube video went live. The Florida police raided Levin’s house to seize his computers afterwards.

FDLE Special Agent Larry Long told News-Press:

He took usernames and passwords from the Lee County website and gained further access to areas that were password protected. The state statue is pretty clear.

You need to have authentication before you do that.

Levin was booked into Lee County Jail at 10 A.M. and released just after 3: 40 P.M. on a $15,000 bond.

 Image credit: Youtube.