Security expert might have gone overboard with his research

May 9, 2016 09:50 GMT

David Levin, 31, of Estero, Florida, has turned himself in after Florida police issued a warrant for his arrest last week. Police indicted Levin on three hacking-related charges, and Levin spent six hours in jail last Wednesday before being released on a $15,000 bond.

Police say Levin had illegally accessed state websites on three occasions. The first took place on December 19, 2015 when Levin illegally accessed the Lee County Elections website.

This incident was followed by two others, on January 4 and 31, 2016, when Levin also hacked into the Department of State Elections website.

Levin never asked for permission to perform his tests

While it is common for infosec professionals to search for security flaws in state-owned infrastructure, authorities say they charged Levin because he never asked for permission prior to starting his endeavor.

Levin, who owns a company called Vanguard Cybersecurity, also recorded a video together with Dan Sinclair detailing how he hacked into the vulnerable website using a simple SQL injection bug.

Dan Sinclair is a candidate running for the position of Supervisor of Elections for Florida's Lee County. To the current Supervisor of Elections, Sharon Harrington, this all looked like a media stunt, and she later filed a complaint against Levin.

The video was posted on YouTube on January 25, and Florida police raided Levin's house on February 8 and seized his computers.

Levin was not satisfied with finding the SQL flaw

Now authorities are claiming that Levin never asked permission to perform penetration testing on any of the state-owned servers and that he had gone overboard with his demonstration.

They say that Levin "obtained several usernames and passwords of employees in the elections office" and that he "went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas."

While judges may show leniency to security researchers who discover security issues and then properly report them (as Levin also did), they may be far less forgiving when the researcher uses data found on the hacked server to escalate his access.

This incident is an exact copy of the Wesley Wineberg and Facebook incident. Back in December, Wineberg managed to hack Facebook's servers and gain access to the Instagram admin panel.

Facebook declined to pay him a bug bounty because they discovered that Wineberg had downloaded data from their servers in order to escalate his access for a bigger reward.

UPDATE: Mr. Sinclair has reached out to Softpedia with additional details on this incident, not provided in the Florida Department of Law Enforcement (FDLE) press release, which reveal that Mr. Levin had contact with authorities while performing his research.

  Dave did not dig around in the county's systems with the userid and password. He only showed that the login worked and then immediately backed out. Also, the state REQUESTED a written report on the issues. So, claiming he went in there without their permission is also factually incorrect. Some of the statements made by FDLE Agent/Spokesperson were factually incorrect. None of these claims were verified or investigated. However, the agent certainly had no problem repeating them as fact. He was called out at the press conference for spreading misinformation. There were some other lies told there, as well. This will all come out prior to trial. The charges are bogus.