YIKES: Lee County Hacking Controversy


An absolutely extraordinary story has been unfolding in Lee County, Florida where two men – one of whom is running for Supervisor of Elections – are under investigation by the Florida Department of Law Enforcement for hacking the county elections website, ostensibly to identify security flaws. The News-Press has the story:

State law enforcement officials served a search warrant Monday morning in the investigation of two men accused of hacking the Lee County supervisor of elections website.

“There was an attempted hacking of the website, but this is an ongoing investigation,” said Vicki Collins, spokeswoman for the Lee County Supervisor of Elections. “The info they accessed was an old server with no (useful) information on it … Nobody is compromised.”

Dan Sinclair is running for supervisor position against the incumbent Supervisor of Elections Sharon Harrington.

He appeared in a video of the hacking posted to YouTube with David Levin, CEO of Vanguard Cybersecurity, walking through how Levin hacked into the Lee elections website a couple of weeks ago.

When asked if his actions were part of a political stunt, Sinclair said his weren’t but that Harrington going to the FDLE to report the situation was.

“This office did not invite them into the website,” Collins said.

Sinclair said he was the one who told the office they had the security issues in the first place and had Levin walk them through how he got in.

“They wouldn’t have the information if we didn’t give it to them,” Sinclair said.

He said Levin called him in December after taking an online federal course, including some Department of Defense officials, about penetration testing of online systems and told him that he could easily get into the Lee elections website.

“He went in there and did the right thing,” Sinclair said of Levin.

Sinclair said Levin got as far as a link to a table of Social Security numbers for a state voter database and stopped.

“I didn’t do anything illegal and Dave didn’t do anything intentionally illegal,” Sinclair said.

He said Levin backed out “as soon as” they realized how far in they were.

After Sinclair told her about the issues, Harrington contacted Lee Sheriff Mike Scott, who told her to go to the FDLE.

Sinclair said that Levin was on his way to work about 7 a.m. when he got a call from his wife that state agents were outside their home and wanted him to come back.

He said that FDLE officers took the laptops of Levin and his wife and his cellphone.

Molly Best, an FDLE spokeswoman, confirmed that a search warrant was served, but because it is an active investigation, “we’re not able to release anything at this time.”

Levin accessed intra-office passwords, Collins said.

She said the hacking “had nothing whatsoever with the tabulation center” which is in a separate system “that is not even able to be accessed by the Internet.”

Sinclair maintains that he and Levin have fully cooperated [with] state authorities and that Harrington has not handled the situation well or thanked him for coming forward and trying to help.

“This whole thing is pretty disgusting,” he said.

My reaction to this whole affair can be summarized in one word: YIKES.

Obviously, it isn’t good that the elections website is vulnerable; the supervisor should immediately move to protect the office and its data if it hasn’t happened already. And while the office claims that no election-critical systems were compromised, it looks like there were lots of opportunities to have personally-identifiable and sensitive individual information disclosed. Even worse, the fact that the hacker (however well-intentioned, if that’s indeed the case) was uninvited and affiliated with a candidate for the very office that was hacked is absolutely not a model for this kind of penetration testing going forward. Indeed, there are federal and state laws that criminalize such behavior, and both men involved should probably expect to face some kind of legal scrutiny (if not prosecution) before this is all over.

This kind of activity – using unsolicited penetration testing as a campaign tactic – is a bad, BAD example for the field going forward.

Stay tuned for more news on the investigation … but again, YIKES.

