Whistleblowing is overshadowed when SQL injection gives way to unauthorized access.
“Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony,” prosecutors wrote.
As ill-advised as it was for Levin to log in to the website CMS, the video raises some unsettling concerns about the security of the Lee County elections website, which is used to display voting results, verify registration status, and provide ballots for upcoming elections. In the video, Levin shows how he was able to use a SQL injection attack to obtain the user names and plain-text passwords belonging to Harrington and at least 10 other account holders. He then shows how the password for Harrington’s account allowed him to enter the CMS and move through various application menus.
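The two failures the video exposes, a query that lets user input reach the SQL parser and a user table holding plain-text passwords, are shown side by side in the following added example. It is not code from the Lee County site or from Ars; the SQLite schema, the user names and the passwords are constructed for illustration. The point is the defender's check: a concatenated query chokes on a legitimate name containing an apostrophe, which is the same property an attacker abuses, while the parameterized query treats the input as data, and a dumped table of salted PBKDF2 hashes yields no passwords to reuse.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for this example; tune to the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a dump of this column yields no plain-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; names and passwords are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in [("demo_admin", "correct horse"), ("o'brien", "battery staple")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The injectable pattern: user input is spliced into the SQL text, so any
    quote character in it is parsed as part of the statement."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the statement and
    is never interpreted as SQL, whatever characters it contains."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def verify_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def input_reaches_parser(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query fails on the input, i.e. the input was
    handed to the SQL parser instead of being treated as data."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def stored_plaintext(conn: sqlite3.Connection, password: str) -> bool:
    """Check a defender runs against a dumped table: does any column equal the raw password?"""
    for row in conn.execute("SELECT name, salt, pw_hash FROM users"):
        cells = (c.decode("utf-8", "replace") if isinstance(c, bytes) else str(c) for c in row)
        if password in cells:
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated query broke on o'brien:", input_reaches_parser(db, "o'brien"))
    print("parameterized query found o'brien:", lookup_safe(db, "o'brien"))
    print("login ok:", verify_login(db, "o'brien", "battery staple"))
    print("plain text in table:", stored_plaintext(db, "battery staple"))
```

Note that `lookup_vulnerable` behaves correctly on ordinary names such as `demo_admin`, which is why this class of bug survives in production: it only shows itself when an input carries SQL syntax, and the failure mode on the Lee County site was not an error but a data dump. The parameterized form and the hashed column are the two changes that would have turned the video into a non-event.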
According to Dan Sinclair, a Lee County resident who is a candidate running against Harrington for the elections supervisor post, Levin used a separate SQL injection attack to obtain plain-text passwords for the state’s Office of Elections website but never used them to log in. Sinclair told Ars that Levin discovered the vulnerabilities on his own and then notified Sinclair of the findings. Sinclair said Levin is declining to speak to reporters pending the outcome of the case filed against him. Ars was unable to reach Levin directly.
Officials at the Lee County Elections Office told Ars that, contrary to the claims of Levin and Sinclair, the security of all of the election systems—including voter registration, vote tabulations, and the website—was never at risk. The server that was vulnerable to Levin’s SQL injection attack, they said, had been retired in October. At the time of Levin’s attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn’t vulnerable to the attack, they said. Similarly, the CMS Levin logged in to had been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging in to it didn’t have the ability to post new pages to the site or to access voter data or tabulation systems, they said.
Ultimately, the picture that emerges from the hack and the resulting arrest provides cautionary tales for the entire cast of characters. An elected official charged with ensuring the security of her department’s computer systems allowed servers operated by her office to remain vulnerable to hacks that are so common that even unskilled script kiddies can carry them out with aplomb. As anyone with even a passing familiarity with network security knows, hackers are often able to pivot from low-level systems to more sensitive ones. And even if the unauthorized access in this case couldn’t be escalated, the hacks can give rise to the appearance of insecurity, which is never good for democracy, especially in a state like Florida, where confidence in voting systems is already lacking.
But it’s equally problematic for Levin to have posted a video showing him using pilfered credentials to log in to a system he had no authorization to access. Levin’s commendable deed in blowing the whistle on lax security practices in Lee County’s Elections Office has been overshadowed by actions of his own doing and very well may result in him having a criminal record for the rest of his life.