Political consultant and cybersecurity company owner David Levin has been jailed on accusations of hacking into the state elections website on Jan. 4 and Jan. 31.
The Florida Department of Law Enforcement accused Levin, who turned himself in just hours after an arrest warrant was issued in his name, of three counts of third-degree-felony property crimes. After six hours in Lee County Jail, Levin paid a $15,000 bond and was released, pending his appearance in court.
“An SQL (Structured Query Language) is a code injection technique used to attack data-driven applications,” the Florida Department of Law Enforcement said in describing the attack. “An SQL injection enables an individual to obtain secure information, such as usernames and passwords, from vulnerable sources.”
Levin explained the attack in a YouTube video, stating that it involved an SQL vulnerability that he exploited to gain access to the website’s databases. “This is about as sophisticated as a system was 10 years ago and this is 2016,” says Levin in the video.
One of the tools he used is common in the security industry for vulnerability testing. The issue at hand is that he did not seek permission from the elections office before conducting the research.
“… Levin used a specialist software program to obtain illegal access to the Lee County state elections website and while he had access he obtained several usernames and passwords of employees in the elections office,” according to the Florida Department of Law Enforcement statement. “Levin then went a step further and used the Lee County supervisor’s username and password to gain access to other password protected areas. All this was done with Levin not seeking permission from the elections office.”
The 31-year-old researcher also provided instructions and recommendations on how the vulnerability could be patched and fixed to prevent others from exploiting it.