Savage Havij

Vanguard Cybersecurity man David Levin was arrested after disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections web site.
The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into Lee County state elections website 19 December.

Levin (@realdavidlevin) faced three third-degree felony counts of property crime.
Levin was released under a US$15,000 bond.
A Florida Department of Law Enforcement official says in a statement that Levin turned himself in after an arrest warrant was issued.
“… Levin used a specialist software program to obtain illegal access to the Lee County state elections website and while he had access he obtained several usernames and passwords of employees in the elections office
Levin then went a step further and used the Lee County supervisor’s username and password to gain access to other password protected areas.
All this was done Levin not seeking permission from the elections office.”
Police seized computers from Levin’s house in a February raid.

.@troyhunt is right, and I let hubris get the best of me.

From now on I’m asking myself, “What Would Troy Do?” #WWTD
— David Levin (@realDavidLevin) May 9, 2016
Levin detailed the SQL injection in a YouTube video shot with elections supervisor Dan Sinclair explaining how he used the popular basic Havij security tool to find the holes.
He says he then used credentials stored in cleartext to login to supervisor accounts.
“This is about as sophisticated as a system was 10 years ago and this is 2016,” Levin says in the video.
Dan Sinclair said Levin “did nothing wrong” and was “a whistleblower” describing his arrest as horrible.
“Dave didn’t cause these problems, he only reported them,” Sinclair says, adding that the elections office could not previously detect intrusions.
Levin also provided defensive measures to the state about how it could fix the hole and detect further intrusions.

Bootnote It is worth noting that security guy Dan Kaminsky’s 2012 Whitehat hacker guide is still solid advice for bug hunters who hope to reverse the sorry state of internet security without getting arrested.

Image: Dan Kaminsky.


Rise of the machines