How a security pro’s ill-advised hack of a Florida elections site backfired

Status: Not open for further replies.

biffbobfred

Ars Scholae Palatinae
1,175
Not condoning the break-in, but I do wonder what he could have done. The state whose ballot, illegal by state law, helped get the governor's brother elected doesn't seem very likely to listen to "hey, this could be a problem". There seems a gap between software vulnerability notifications - I'll post example exploit code in 90 days - and server vulnerabilities - post an exploit and you're arrested.
 
Upvote
10 (28 / -18)

iamaelephant

Ars Scholae Palatinae
722
SuperDave said:
Similarly, the CMS Levin logged had also been retired and replaced with one that ran WordPress.

Snerk. That's an upgrade.

I'm no fan of Wordpress but it's a definite upgrade from some crappy hand-rolled SQL-injection-vulnerable plain-text-password-storing monstrosity.
 
Upvote
87 (89 / -2)

DRJlaw

Ars Praefectus
5,823
Subscriptor
biffbobfred said:
There seems a gap between software vulnerability notifications - I'll post example exploit code in 90 days - and server vulnerabilities - post an exploit and you're arrested.

Well, of course there is. In the first case, you are manipulating your own copy of software code on your own computer system (or a client's copy on a client's computer system, presumably with their permission), so that any damage you may cause, data you may exfiltrate, etc. -- whether you choose to disclose that fact or not -- is essentially your own (or at least a risk that the client has assumed).

In the second case, you are manipulating someone else's copy of software code on someone else's computer system and doing god knows what to software, live data, and stored records that you have no business accessing. Then we get to investigate whether you are a grey hat hacker or a black hat hacker, because the person who is doing unsanctioned penetration testing can totally be trusted to report his or her activities with complete detail and honesty.

So yes, there's a "gap," or what others would call "a significant difference" between invited testing and trespassing.

Edit: remove typos and redundancy.
 
Upvote
38 (44 / -6)

Ralf The Dog

Ars Praefectus
4,449
Subscriptor++
biffbobfred said:
Not condoning the break-in, but I do wonder what he could have done. The state whose ballot, illegal by state law, helped get the governor's brother elected doesn't seem very likely to listen to "hey, this could be a problem". There seems a gap between software vulnerability notifications - I'll post example exploit code in 90 days - and server vulnerabilities - post an exploit and you're arrested.

Demonstrate an exploit on a system you are not authorized to access and get arrested. It has nothing to do with the time elapsed. It is about using the exploit without permission.
 
Upvote
26 (30 / -4)
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
I always understood White-hat to mean somebody who did no damage, stole no information etc, and reported the vulnerabilities to the relevant party. Grey-hat being more "hmmm", oftentimes people trying to "make a point" about security in less than smart ways, though not necessarily meaning any harm. Like this one if you recall:

"On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit. He then sent an anonymous e-mail to the members of the university’s newly formed security task force, telling them in no uncertain terms just how horrible their security was."

http://meincmagazine.com/information-tech ... tells-all/
 
Upvote
17 (23 / -6)

Rockchurch

Ars Scholae Palatinae
1,017
I am confused that anybody would think this anything other than a crime.

It's no different than posting a video showing how easy it is to break into the county surveyor's office, or the local water treatment plant, or election boxes on voting day.

There are numerous ways of discovering and alerting the public to lax security among the public services sector without actually committing trespass or other crime. Investigative journalists have been doing this for a long time.

If you can't get permission to try to break in, then you document the vulnerability, replicate the vulnerability on your own system, and demonstrate the breach.

Is it as influential as an unauthorized breach? No. Will it send you to prison? Also no.
 
Upvote
41 (48 / -7)

CatOne41

Ars Centurion
331
Subscriptor
Rockchurch said:
I am confused that anybody would think this anything other than a crime.

It's no different than posting a video showing how easy it is to break into the county surveyor's office, or the local water treatment plant, or election boxes on voting day.

There are numerous ways of discovering and alerting the public to lax security among the public services sector without actually committing trespass or other crime. Investigative journalists have been doing this for a long time.

If you can't get permission to try to break in, then you document the vulnerability, replicate the vulnerability on your own service, and demonstrate the vulnerability.

Is it as influential as an unauthorized breach? No. Will it send you to prison? Also no.

Right. Stealing a car is a crime, regardless of whether it's an easy car to steal, or the doors are unlocked, or even if the keys are left in the ignition.
 
Upvote
28 (36 / -8)

graylshaped

Ars Legatus Legionis
68,516
Subscriptor++
The only thing I'm surprised by is that people are surprised to discover Floridian electoral systems are deeply, deeply flawed.

We've known that for at LEAST sixteen years. Any number of documentaries have been made spelling out the why and the how.

This doesn't excuse what he did in publicizing this the way he did. There are channels to take this stuff through that don't involve teaching the bad guys.
 
Upvote
-2 (16 / -18)

geo_2

Ars Scholae Palatinae
1,344
This guy is screwed in more ways than one. First, it seems a foregone conclusion that he will be convicted. He provided the evidence himself. Second, though he was probably looking for publicity for his company, he got the wrong kind of publicity, so his company just took a big hit too.

Just about the first thing you learn as a security professional is to get permission from someone with authority to give it...IN WRITING. It doesn't sound like this hack required much skill, but even if he and his company have terrific technical skills, they've proven to be, at least, extremely unprofessional. Good luck finding business now.
 
Upvote
15 (19 / -4)
Static and Noise said:
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
I always understood White-hat to mean somebody who did no damage, stole no information etc, and reported the vulnerabilities to the relevant party. Grey-hat being more "hmmm", oftentimes people trying to "make a point" about security in less than smart ways, though not necessarily meaning any harm. Like this one if you recall:

"On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit. He then sent an anonymous e-mail to the members of the university’s newly formed security task force, telling them in no uncertain terms just how horrible their security was."

http://meincmagazine.com/information-tech ... tells-all/
Greyhat wouldn't be grey if there were some widely agreed-upon, easily applied definition of the term. That is what the widely agreed, easily applicable term "grey area" means.

In this case I'd lean towards grey because, although he apparently didn't do anything to the system, he did use their problems as a way to get notoriety on YouTube without doing anything to help them fix those problems.
 
Upvote
11 (15 / -4)

MatthewSleeman

Ars Scholae Palatinae
791
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
White Hat would be a moral term and not a legal one.

I'm unsure of the law in the US, but here in OZ if you don't have permission from the system admin to use log in details that's hacking and I'd imagine it's similar in the US.

For instance if I was to give my user name and password to one of the authors here so they could post a comment for me, that would STILL be hacking
 
Upvote
-2 (7 / -9)
cdshine said:
How on earth can any decent developer store passwords in plain text??

Also I thought the latest web frameworks automatically had some sort of prevention against SQL injection attacks?
There are 3,000+ Counties in the US. This gives an average population of 100k.

Almost all of them have some sort of role in elections, generally through a County Clerk or similar elected position; although in some states (like Ohio) there's an independent Board of Elections for each County. So it's really not a surprise one of them had shitty web security. In fact I suspect quite a few of them will have systems implemented by somebody's brother back in '05 for cheap.

In this case they claim that website had been taken out of active service, and was only being kept active for a few more months so they could refer to its data (read: "We weren't sure this newfangled WordPress shit would work, so we kept the old site just in case, but we'll be damned if we put it that way in the media").
 
Upvote
12 (12 / 0)
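Added example, not code from the page or from the county's system: a minimal login routine of the kind iamaelephant describes above (SQL built by string formatting over a plaintext-password table) beside a hardened version (bound parameters, salted PBKDF2, constant-time compare), which also answers cdshine's two questions. Everything here is constructed for illustration: the sample account, the table layout, the in-memory SQLite backend and the 100,000-round PBKDF2 setting are assumptions, not details from the article.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; nothing here comes from the county's site.
SAMPLE_USERS = [("clerk", "Tallahassee1")]
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a dumped table yields hashes, not reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _build_db(store_hashes: bool) -> sqlite3.Connection:
    """In-memory users table; plaintext secrets for the 'before', salted hashes for the 'after'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, secret TEXT, salt BLOB)")
    for user, pw in SAMPLE_USERS:
        if store_hashes:
            salt = os.urandom(16)
            conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                         (user, _hash_password(pw, salt).hex(), salt))
        else:
            conn.execute("INSERT INTO users VALUES (?, ?, NULL)", (user, pw))
    conn.commit()
    return conn


PLAINTEXT_DB = _build_db(store_hashes=False)
HASHED_DB = _build_db(store_hashes=True)


def vulnerable_login(username: str, password: str) -> bool:
    """The 'before': user input pasted straight into the query, password compared in the clear."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND secret = '{password}'")
    # "' OR '1'='1" as the password, or "clerk' --" as the username, logs in without a password.
    return PLAINTEXT_DB.execute(query).fetchone() is not None


def hardened_login(username: str, password: str) -> bool:
    """The 'after': bound parameter, stored hash verified in constant time."""
    row = HASHED_DB.execute(
        "SELECT secret, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users (no timing oracle)
        return False
    stored_hex, salt = row
    return hmac.compare_digest(_hash_password(password, salt), bytes.fromhex(stored_hex))


def dump_secrets(conn: sqlite3.Connection) -> list:
    """What an attacker who dumps the table walks away with."""
    return [secret for (secret,) in conn.execute("SELECT secret FROM users")]
```

Note that the parameterised query alone stops the injection; the hashing is a separate fix for what a dump of the table is worth afterwards. Both were missing in the site the thread describes, and each one needs its own remediation.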
Neither the article nor any of the comments seemed to realize that people likely reused their compromised passwords on the new system. Even if they were told to change the passwords, it was probably a trivial transformation ('password' -> 'password1').

I think the elections people are in serious denial about the severity of their fuckup...
 
Upvote
11 (15 / -4)
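Added example, not from the page or from either of the county's systems: a check the new site's reset flow could run so that a compromised password cannot come back as a trivial transformation of itself, the 'password' to 'password1' case the comment above describes. The normalisation rules (strip a numeric or punctuation prefix/suffix, undo common leet substitutions, allow at most two edits) and the leaked/reset sample data are assumptions constructed for illustration.

```python
import re

# Common leet substitutions undone before comparing cores (assumed list).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _core(password: str) -> str:
    """Lowercase, drop a non-letter prefix/suffix ('1', '!', '2013'), undo leet."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is the old password, shares its core, or is within a couple of edits."""
    if old == new:
        return True
    core_old, core_new = _core(old), _core(new)
    if core_old and core_old == core_new:
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_edits


def audit_resets(leaked: dict, chosen: dict) -> list:
    """Usernames whose replacement password is a trivial variant of the leaked one."""
    return sorted(u for u, pw in chosen.items()
                  if u in leaked and is_trivial_variant(leaked[u], pw))


# Constructed sample data: credentials dumped from the old site, and what each
# user typed into the new site's reset form.
LEAKED_CREDENTIALS = {"clerk": "password", "deputy": "Summer2012", "admin": "letmein"}
RESET_CHOICES = {"clerk": "password1", "deputy": "summer2013!", "admin": "Xq7#vL2pR9mT"}
```

Running `audit_resets(LEAKED_CREDENTIALS, RESET_CHOICES)` flags clerk and deputy and lets admin through. The check only works if the reset flow still has the old password (or the dump) to compare against; once the old table is gone, the practical alternative is to treat every account from the compromised system as needing a fresh, administrator-forced reset.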

toast0

Wise, Aged Ars Veteran
170
iamaelephant said:
SuperDave said:
Similarly, the CMS Levin logged had also been retired and replaced with one that ran WordPress.

Snerk. That's an upgrade.

I'm no fan of Wordpress but it's a definite upgrade from some crappy hand-rolled SQL-injection-vulnerable plain-text-password-storing monstrosity.

I think that's a distinction without a difference? The crappy hand-rolled site probably didn't act as a DDoS reflector, but that's a handy dandy feature of wordpress, plus whatever exciting security things are found every couple of months, and then there's plugins.
 
Upvote
2 (5 / -3)
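Added example, not from the page or from any WordPress code: the reflector behaviour toast0 refers to shows up on the victim's side as many different WordPress installs fetching the same URL with the User-Agent their pingback handler sends ("WordPress/<version>; <blog URL>; verifying pingback from <ip>"). The detection below parses combined-format access log lines and reports paths hit by several distinct blogs on a pingback. The log lines are constructed for illustration and the threshold of three reflectors is an assumption.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent a WordPress install sends when its XML-RPC pingback handler fetches
# the claimed source URL to verify the link. The "claimed" IP is whoever called
# pingback.ping, i.e. the party steering the reflection, not the blog itself.
PINGBACK_UA = re.compile(
    r'^WordPress/[\d.]+; (?P<blog>https?://[^;\s]+); verifying pingback from (?P<claimed_ip>\S+)$'
)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_pingback_reflectors(lines, min_reflectors: int = 3) -> dict:
    """Map each path fetched by at least `min_reflectors` distinct WordPress blogs
    on a pingback verification to the sorted list of those blogs."""
    by_path = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA.match(rec["ua"])
        if ua:
            by_path[rec["path"]].add(ua.group("blog"))
    return {p: sorted(b) for p, b in by_path.items() if len(b) >= min_reflectors}


# Constructed sample log (not real traffic): four blogs pulled into fetching one
# large file, one genuine pingback verification, one ordinary browser request.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2016:14:02:11 -0500] "GET /uploads/archive.zip HTTP/1.1" 200 10485760 "-" '
    '"WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [10/Mar/2016:14:02:11 -0500] "GET /uploads/archive.zip HTTP/1.1" 200 10485760 "-" '
    '"WordPress/4.3.3; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [10/Mar/2016:14:02:12 -0500] "GET /uploads/archive.zip HTTP/1.1" 200 10485760 "-" '
    '"WordPress/4.4.2; http://blog-c.example; verifying pingback from 198.51.100.7"',
    '203.0.113.13 - - [10/Mar/2016:14:02:12 -0500] "GET /uploads/archive.zip HTTP/1.1" 200 10485760 "-" '
    '"WordPress/4.2.7; http://blog-d.example; verifying pingback from 198.51.100.7"',
    '203.0.113.20 - - [10/Mar/2016:14:05:40 -0500] "GET /about/ HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.4.2; http://blog-e.example; verifying pingback from 192.0.2.44"',
    '198.51.100.9 - - [10/Mar/2016:14:06:01 -0500] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
]
```

The source addresses in such a flood belong to third-party blogs, so blocking them one by one is futile; rate-limiting or rejecting requests whose User-Agent matches `PINGBACK_UA` at the edge is the usual mitigation on the receiving end, and disabling XML-RPC pingbacks is the fix on the blogs doing the reflecting.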

runbigfoot

Seniorius Lurkius
8
bvz_1 said:
Somewhat ironically, the end result of this little debacle for the hacker is that, if convicted, he may well never be allowed to vote in Florida again.

Of course, given the shitty state of their elections systems, it is entirely possible his vote was never actually counted in the first place...

The Chicago Electorate Motto, Vote Early and Often.
 
Upvote
11 (14 / -3)
Security researchers by definition research vulnerabilities in applications. The clear majority of this is uninvited.

It is a known fact many organisations do not believe they are vulnerable or prefer a head-in-the-sand attitude, and therefore do not invite someone in. Clearly this county does not understand security, otherwise they would not run critical infrastructure on WordPress. It has its role as a blogging platform and for that it's great, but when you extend it to something else you are asking for trouble.

What this guy did was stupid and as a security researcher he should have been aware of the risks, posting to youtube was plain dumb.

Please though, tell me how many exploits are discovered by "invited" researchers.
 
Upvote
-11 (3 / -14)

Eurynom0s

Ars Tribunus Angusticlavius
7,941
Subscriptor
CuriousChris said:
Security researchers by definition research vulnerabilities in applications. The clear majority of this is uninvited.

It is a known fact many organisations do not believe they are vulnerable or prefer a head-in-the-sand attitude, and therefore do not invite someone in. Clearly this county does not understand security, otherwise they would not run critical infrastructure on WordPress. It has its role as a blogging platform and for that it's great, but when you extend it to something else you are asking for trouble.

What this guy did was stupid and as a security researcher he should have been aware of the risks, posting to youtube was plain dumb.

Please though, tell me how many exploits are discovered by "invited" researchers.

There's a pretty gigantic and obvious difference between privately letting the organization you just hacked into know what you found, and posting a Youtube video of you doing it.
 
Upvote
9 (9 / 0)

soulsabr

Ars Tribunus Angusticlavius
9,342
Ralf The Dog said:
M-S-G said:
Pro tip for the 'security' consultant:
Don't post video evidence of illegal sh*** on the Internet.

Or at a minimum, use a fake name and a mask.
[image: v-for-vendetta-guy_3487371b.jpg]
 
Upvote
-7 (6 / -13)
Ralf The Dog said:
M-S-G said:
Pro tip for the 'security' consultant:
Don't post video evidence of illegal sh*** on the Internet.

Or at a minimum, use a fake name and a mask.

and a Tor browser, and one-use credentials made from that browser, and a throw-away one-use email made from that browser, and edit the video to remove all audio prior to posting, and do your hacking through Tor as well and be sure to remove all access traces from the system.
Oh, and do all this from a virtual machine wiped and reset after each use, whose external address is an internal IP and which is configured to only connect through the Tor proxy.


If you have to use a phone, use a burner phone (a prepaid phone loaded with minutes paid for with cash).
 
Upvote
3 (4 / -1)
adminfoo said:
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
Wow. The above has received 43 upvotes and 1 downvote as I write this. (None of the votes are mine, btw.)

Does that mean that 43 Ars readers truly believe that simply having white-hat intentions is the same as having authorization to hack at any security mechanism, pick any lock, sneak into any bank vault?

If so ... wow.

I feel like you might not understand the different hackers.

White hat hackers obey the law, do legitimate pen testing (with a note in writing, legal agreement, etc.), give a company time after reporting a vulnerability before publishing it, etc. White hackers are kinda like Captain America for computers: morally upright.

Grey hackers are ambiguous: not generally malicious or criminally intended, but willing to break the rules and hack into systems they're not authorized for. They won't generally gather personal data, or if they do they won't use it for other criminal purposes. Grey hackers are kinda like Batman, or the Winter Soldier: not exactly good, not exactly evil.

Black hat are the hackers generally referred to when the media reports a breach of data. They break into systems with full criminal intent: they'll break into a server for corporate espionage, deploy ransomware to extort a profit, steal information to sell to others on the black market, turn other PCs into bots to add to a botnet for things like DDoS or spam, propagate viruses, etc. etc. They're like the Joker: no good intentions whatsoever.

So yes, the 43 people do believe in the comment's truth, but no, not that white hat means just good intentions.
 
Upvote
14 (15 / -1)
iamaelephant said:
SuperDave said:
Similarly, the CMS Levin logged had also been retired and replaced with one that ran WordPress.

Snerk. That's an upgrade.

I'm no fan of Wordpress but it's a definite upgrade from some crappy hand-rolled SQL-injection-vulnerable plain-text-password-storing monstrosity.
True, but barely.
 
Upvote
-1 (2 / -3)
fishbait said:
adminfoo said:
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
Wow. The above has received 43 upvotes and 1 downvote as I write this. (None of the votes are mine, btw.)

Does that mean that 43 Ars readers truly believe that simply having white-hat intentions is the same as having authorization to hack at any security mechanism, pick any lock, sneak into any bank vault?

If so ... wow.

i feel like you might not understand the different hackers
I'm clear on the terms; the post I quoted seemed (to me) to put the cart before the horse. So let me state it more clearly:

The white hat does not grant the authorization; the authorization grants the white hat.
 
Upvote
-15 (4 / -19)
adminfoo said:
fishbait said:
adminfoo said:
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
Wow. The above has received 43 upvotes and 1 downvote as I write this. (None of the votes are mine, btw.)

Does that mean that 43 Ars readers truly believe that simply having white-hat intentions is the same as having authorization to hack at any security mechanism, pick any lock, sneak into any bank vault?

If so ... wow.

i feel like you might not understand the different hackers
I'm clear on the terms; the post I quoted seemed (to me) to put the cart before the horse. So let me state it more clearly:

The white hat does not grant the authorization; the authorization grants the white hat.

No one ever said, or implied otherwise.
 
Upvote
18 (18 / 0)

MatthewSleeman

Ars Scholae Palatinae
791
XolotlLoki said:
adminfoo said:
I'm clear on the terms; the post I quoted seemed (to me) to put the cart before the horse. So let me state it more clearly:

The white hat does not grant the authorization; the authorization grants the white hat.

No one ever said, or implied otherwise.
Well apart from the fact that the article says that he didn't have permission and many readers seem to think that he's still a white hat
 
Upvote
-9 (3 / -12)
adminfoo said:
fishbait said:
adminfoo said:
Eurynom0s said:
Doesn't white-hat, by definition, mean that you were authorized to try to break into the system? I thought it's grey-hat when you're not malicious but you also didn't get permission first.
Wow. The above has received 43 upvotes and 1 downvote as I write this. (None of the votes are mine, btw.)

Does that mean that 43 Ars readers truly believe that simply having white-hat intentions is the same as having authorization to hack at any security mechanism, pick any lock, sneak into any bank vault?

If so ... wow.

i feel like you might not understand the different hackers
I'm clear on the terms; the post I quoted seemed (to me) to put the cart before the horse. So let me state it more clearly:

The white hat does not grant the authorization; the authorization grants the white hat.
That doesn't disagree with the original post. In that post, if you go after a system from somebody who refuses to grant permission you're not white hat, because "it's grey-hat when you're not malicious but you also didn't get permission first."
 
Upvote
7 (7 / 0)
MatthewSleeman said:
XolotlLoki said:
adminfoo said:
I'm clear on the terms; the post I quoted seemed (to me) to put the cart before the horse. So let me state it more clearly:

The white hat does not grant the authorization; the authorization grants the white hat.

No one ever said, or implied otherwise.
Well apart from the fact that the article says that he didn't have permission and many readers seem to think that he's still a white hat
Please name one of this "many."

Of the one I can count (hi!) giving an unambiguous, simple declarative statement on whether this was white or gray I said grey. Everyone else just seems to be assuming of course it's grey, so they didn't bother with a simple declarative either way.
 
Upvote
12 (12 / 0)