Lee County Supervisor of Elections Server Security Issues

This video was NOT released until AFTER the Lee County SoE staff CONFIRMED they had fixed the holes and the information was not compromised. The holes were fixed on 1/25/2016 prior to the uploading and airing of this video.

For more information go to www.FreeDaveLevin.com

There are holes in the Lee County Supervisor of Elections' Servers. We helped them plug the holes.

Dave meant Structured Query Language. He was a little tired the day it was filmed. He realized what he said when he reviewed the video. By then the video had been edited and completed. Sorry Dave.

You can also find more information at:
- Facebook: www.facebook.com/DanForSupervisor
- Resume site, news, videos: www.DanSinclair.com
- Campaign site: www.DanForSupervisor.com
- Dan's Twitter: @DanForSuprvisor
- Dan's Instagram: @DanForSupervisor
- Dave's Twitter: @realDavidLevin
- Dave's LinkedIn: https://www.linkedin.com/in/davidmlevin

---

Closed Caption:

I'm dancing Claire I'm running for
supervisor elections i'm here with Dave
Levin David's vanguard cybersecurity
dave was nice enough to join us today
and tell us about a problem with the
supervisor elections office that he
found with their servers a big gaping
hole in their security so thank you day
for coming today really appreciate it
glad to be here yeah you can be in
Siberia and still perform the attack
that I've performed on the local
supervisor election website so this is
very important you don't need to be in
the building
you don't need to live here in lee
county can be halfway around the world
and still perform what's called an SQL
injection attack using a search query
language and you're using that to trick
the system into giving you information
that might not otherwise be accessible
to the public and basically what they
found and you'll see the video here in a
second is that he found the tables the
databases he was able to spoof them into
getting any getting information and the
big biggest problem we have a nice the
design databases when you design a
database you always have a separate
database for your passwords and your
user IDs and those are encrypted and
they found that they were just the table
in this database not which was encrypted
its basic database design and is
extremely lot I mean it should have been
protected the first things i'm doing i'm
looking for a vulnerability page that is
using search query language something
that you might see on a day-to-day basis
i'm looking for injection . i'm i'm
asking a bunch of different questions I
fold it into into giving me the columns
and the rose and in that database we
found the usernames and passwords and
they were just sitting right there all
encrypted
ok so once you pull those up and then
the next part we have to show is you
actually testing out and showing that it
really did work and he's really were the
real passwords and everything right to
the
admin login page and the first attempt
with these supervisors login credentials
was successful and then you can see me
in the back end
browsing perusing different different
features of the admin account
yeah this is this is about a
sophisticated as system was 10 years ago
now this is 2016 and we should be we
should not protecting our information
we're a little behind the supervisors
office we spend millions of dollars a
year but we don't seem to quite be
anywhere near caught up with technology
there so i think we need some we need
some major overhaul going on with that
office
yeah definitely I think the other thing
that's important here too is a you know
we've had people talk about hiring an IT
person if they get into office this
problem that we've seen not just with
this particular issue but with the whole
process with the supervisors office is
there's there's a top-down problem right
yeah I'd say that the the key is not
hiring an IT person key is selecting an
IT person to be the head of the
supervisor of elections because we're
seeing now that elections are more and
more data-driven every year so it's it's
definitely a qualifier for the position
and we haven't noticed a problem with a
particular employee we've noticed a
problem with the whole system but it's
not like we have a particular person we
go hey this person is a problem we have
a problem with the whole system and we
need an overhaul right and someone
someone has to know what they're doing
when they get in there and overall yes
and and the person who is in charge of
the office should be setting the example
for instance you want to have a password
that stuff no one can guess it shouldn't
be something as simple as your favorite
football team where your name backwards
happy birthday door area well thank you
for bringing this to me i really
appreciate it and we're going to report
this to the Division of Elections let
them know there's a problem and from
what you said the problem isn't just
with the lee county office could be
potentially with other offices as well
that hadn't protected themselves
including the division
including the Division of Elections so
we'll get that out to them we're going
to get it up to the news and make sure
they know about it and hopefully look at
this problem you know solve pretty
quickly I think it's a good public
service you're doing
thank you and yea we'll have to let the
public know what's going on and
hopefully we get these get these issues
fixed
absolutely thanks Dave