YIKES: Lee County Hacking Controversy
[Image via wallconvert]
An absolutely extraordinary story has been unfolding in Lee County, Florida where two men – one of whom is running for Supervisor of Elections – are under investigation by the Florida Department of Law Enforcement for hacking the county elections website, ostensibly to identify security flaws. The News-Press has the story:
State law enforcement officials served a search warrant Monday morning in the investigation of two men accused of hacking the Lee County supervisor of elections website.
“There was an attempted hacking of the website, but this is an ongoing investigation,” said Vicki Collins, spokeswoman for the Lee County Supervisor of Elections. “The info they accessed was an old server with no (useful) information on it … Nobody is compromised.”
Dan Sinclair is running for supervisor position against the incumbent Supervisor of Elections Sharon Harrington.
He appeared in a video of the hacking posted to YouTube with David Levin, CEO of Vanguard Cybersecurity, walking through how Levin hacked into the Lee elections website a couple of weeks ago.
When asked if his actions were part of a political stunt, Sinclair said his weren’t but that Harrington going to the FDLE to report the situation was.
“This office did not invite them into the website,” Collins said.
Sinclair said he was the one who told the office they had the security issues in the first place and had Levin walk them through how he got in.
“They wouldn’t have the information if we didn’t give it to them,” Sinclair said.
He said Levin called him in December after taking an online federal course, including some Department of Defense officials, about penetration testing of online systems and told him that he could easily get into the Lee elections website.
“He went in there and did the right thing,” Sinclair said of Levin.
Sinclair said Levin got as far as a link to a table of Social Security numbers for a state voter database and stopped.
“I didn’t do anything illegal and Dave didn’t do anything intentionally illegal,” Sinclair said.
He said Levin backed out “as soon as” they realized how far in they were.
After the Sinclair told her about the issues, Harrington contacted Lee Sheriff Mike Scott, who told her to go to the FDLE.
Sinclair said that Levin was on his way to work about 7 a.m. when he got a call from his wife that state agents were outside their home and wanted him to come back.
He said that FDLE officers took the laptops of Levin and his wife and his cellphone.
Molly Best, an FDLE spokeswoman, confirmed that a search warrant was served, but because it is an active investigation, “we’re not able to release anything at this time.”
Levin accessed intra-office passwords, Collins said.
She said the hacking “had nothing whatsoever with the tabulation center” which is in a separate system “that is not even able to be accessed by the Internet.”
Sinclair maintains that he and Levin have fully cooperated [with] state authorities and that Harrington has not handled the situation well or thanked him for coming forward and trying to help.
“This whole thing is pretty disgusting,” he said.
My reaction to this whole affair can be summarized in one word: YIKES.
Obviously, it isn’t good that the elections website is vulnerable; the supervisor should immediately move to protect the office and its data if it hasn’t happened already. And while the office claims that no election-critical systems were compromised, it looks like there were lots of opportunities to have personally-identifiable and sensitive individual information disclosed. Even worse, the fact that the hacker (however well-intentioned, if that’s indeed the case) was uninvited and affiliated with a candidate for the very office that was hacked is absolutely not a model for this kind of penetration testing going forward. Indeed, there are federal and state laws that criminalize such behavior, and both men involved should probably expect to face some kind of legal scrutiny (if not prosecution) before this is all over.
This kind of activity – using unsolicited penetration testing as a campaign tactic – is a bad, BAD example for the field going forward.
Stay tuned for more news on the investigation … but again, YIKES.