IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards. The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved Acunetix, SQLMap, and DirBuster tools. It …

  1. Anonymous Coward

    "It was a real eye opener ..."

    It's really, really sad that the people looking after these seem to regard it that way.

    They should already be well aware of this, and themselves as targets.

    2. h4rm0ny

      Re: "It was a real eye opener ..."

      They're probably the only people in the world that it IS a surprise to, seeing as everyone in the IT world has been shouting that this is a bad idea since its inception.

      Put the voting results in a database and rigging an election immediately becomes staggeringly more viable by its very nature. Whether by outside independent hackers as this sheriff seems concerned with, or by corrupt officials which all the rest of us are actually more scared of. If there's a paper trail then theoretically you can at least verify. But you have to establish a pretty high level of suspicion to get the state to undertake that level of effort - especially given the partisan nature of US politics where one winning party will be fighting tooth and nail to block it (there were actually Republican supporters physically breaking into places to stop the recount in the W. Bush election) and the possibility the incumbent may be complicit.

    3. BillG

      Preventing SQL Injection

      For crying out loud - how hard is it to count the number of "%" in the URL, and if there are more than, say, 10 percent signs, it's definitely an SQL injection and so you ban the IP address. Don't give them a second chance, just ban the IP address. It's not a mistake, it's an attack, ban 'em.

      Oh, make sure your normal operation doesn't use % in the URLs.

      If they can't prevent the most common SQL injections by counting % then send the programmers back to high school.
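To see what the "count the % signs" rule above actually catches, here is an added example (my own code, not BillG's or anything from the article) that runs the rule over a few constructed request lines and, beside it, a check that looks at the percent-decoded parameter values instead of the raw bytes. The request lines, the threshold of 10 and the marker regex are all assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request lines (not taken from the article or any real log).
PLAIN_LOOKUP = "/voters?name=smith"
# Legitimate non-ASCII search term: every byte is URL-encoded, so it is full of '%'.
UNICODE_SEARCH = "/search?q=" + quote("日本語版")
# The textbook SQLi probe written in plain characters: not a single '%' in it.
PLAIN_PAYLOAD = "/voters?name=' OR '1'='1"
# The same probe URL-encoded, as a browser or tool would usually send it.
ENCODED_PAYLOAD = "/voters?name=" + quote("' OR '1'='1")

PERCENT_THRESHOLD = 10  # the "more than, say, 10 percent signs" rule from the comment


def percent_count(request_line):
    """Number of '%' characters in the raw request line."""
    return request_line.count("%")


def percent_rule_flags(request_line, threshold=PERCENT_THRESHOLD):
    """The comment's rule: more than `threshold` percent signs means 'attack'."""
    return percent_count(request_line) > threshold


def decoded_query_values(request_line):
    """Percent-decode the query string and return every parameter value."""
    query = urlsplit(request_line).query
    return [v for values in parse_qs(query, keep_blank_values=True).values() for v in values]


# Assumed marker set: a quote character next to an OR/UNION/-- token.
_SQL_MARKER = re.compile(r"\bor\b|\bunion\b|--", re.IGNORECASE)


def decoded_marker_flags(request_line):
    """Inspect the decoded values instead of the raw bytes.

    This is still only a signature check for detection purposes, not a fix;
    the fix is a parameterised query on the application side.
    """
    return any("'" in v and _SQL_MARKER.search(v) for v in decoded_query_values(request_line))


def compare(request_line):
    """Both verdicts for one request line, for side-by-side inspection."""
    return {
        "percent_signs": percent_count(request_line),
        "percent_rule": percent_rule_flags(request_line),
        "decoded_marker": decoded_marker_flags(request_line),
    }


if __name__ == "__main__":
    for line in (PLAIN_LOOKUP, UNICODE_SEARCH, PLAIN_PAYLOAD, ENCODED_PAYLOAD):
        print(f"{line!r}: {compare(line)}")
```

Running it shows the two failure modes of counting raw percent signs: a four-character UTF-8 search term carries 12 of them and gets banned, while the probe itself carries none when sent in plain characters and only 7 when URL-encoded, so it sails under the threshold both ways. Decoding first and then inspecting the value at least looks at what the database will see.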

  2. Paul Crawford Silver badge

    XKCD from the past

    Before any other commentard slips this one in:

    1. Adam 1 Silver badge

      Re: XKCD from the past

      So true. Norton antivirus would be so much worse.

  3. Brian Miller

    Laundry to the rescue!

    What we need to guard against is the dead rising to vote, so the job of security must go to the Laundry! (What was Charles Stross' US equivalent? I can't remember.)

    Anyways, remember to register your full name with punctuation.

    1. ma1010 Silver badge

      Re: Laundry to the rescue!

      The Black Chamber was the US organization in charge of defense against supernatural entities.

    After repeatedly hearing about multiple defects in many electronic voting systems that a school kid would be ashamed of, I see no likelihood of this ever improving.

  5. Walter Bishop Silver badge

    The matrix has you

    "The July attack used a SQL injection technique to get into the website server for the Illinois Board of Elections, and stole the personal data of 200,000"

    What was a database containing 200,000 voter records even doing on the Internet and vulnerable to an SQL injection hack from 1998?

    "Homeland Security Secretary .. Johnson .. pledged help for state officials in securing their systems, including having the DHS send specially trained staff to help."

    Is it wise to give the DHS root access to the voting machines?

    1. C0p3n

      Re: The matrix has you

      "Is it wise to give the DHS root access to the voting machines?"

      Why, do you not trust them or something? They're just harmless public servants .... :)

  6. Anonymous Coward

    I hate magic-quotes and that weird "virgin string purity" thing PHP has but...

    With tards like this making stuff you can kinda see why. The PHP people thought "we must help them!" and of course they themselves are tards who invented games like:

    1) underscore roulette

    2) guess the order of the arguments

    3) warning kerplunk

    4) find the variable typo that was silently initialised into an array and happened

    5) 2 or two?

    and of course:

    6) is it a map-like not-map-or-list or a list-like not-map-or-list

    They didn't get it right.

    (Forgive where this post went, I really hate PHP)

  7. a_yank_lurker Silver badge

    SQL Injection

    Really, SQL injection was used. How lame, but given it is Illinois I am not surprised, as they are broke and dominated by the infamous cesspit Chicago.

  8. Mike 16 Silver badge

    Hacking Elections?

    I thought the RNC was sitting this one out (like the Berners who could have otherwise been relied on to bus voters around a few precincts. Different tech for different ideology)

  9. Yet Another Anonymous coward Silver badge

    Thank god

    Somebody is trying to do something about this election - even if it does mean that "Clippy" gets to be the next president

  10. James Loughner

    How silly

    Just about anyone can get, for a few hundred dollars, voter lists from their county clerks, including name, address, maybe phone number, when they voted etc. All the candidates do. I doubt there is any more in the files they got.

    The problem is potentially getting into and possibly changing vote totals especially from electronic voting machines.

    1. Adam 1 Silver badge

      Re: How silly

      So they got the ability to run arbitrary SQL but decided to only run Select statements. Yeah, the other one plays jingle bells.

  11. Mystic Megabyte Silver badge

    Teh 'merkins invented the interwebs but can't work it :(

  12. Tom 7 Silver badge

    Only allow the web user to run stored procedures

    makes maintenance easier too - honest!

  13. MrKrotos

    Stupid comment

    "Before anyone panics, it looks likely that this was a simple attack to steal personal information, rather than an attempt to change the course of the election."

    Oh, that's okay then! Yeah, pretty sure I would feel just fine about that if it was my information.

  14. PassiveSmoking

    How are SQL injections still happening?

    Seriously, this is a solved problem. It's been a solved problem for years. The only way this can happen is if the codebase is written by a completely ignorant prat who has never heard of input validation, parameterised SQL or prepared statements....
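Since the thread keeps coming back to parameterised SQL as the solved problem, here is an added example (my own code, not PassiveSmoking's and nothing to do with the Illinois system) showing the concatenated query that makes the June/July style of attack possible next to the prepared-statement version, run against an in-memory SQLite table of constructed, fictional voter rows. The table layout and the names are assumptions for the demo.

```python
import sqlite3


def build_demo_db():
    """In-memory SQLite database with constructed, fictional voter rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO voters (name, dob) VALUES (?, ?)",
        [
            ("Alice Example", "1970-01-01"),
            ("Bob Example", "1985-06-15"),
            ("Carol Example", "1992-11-30"),
            ("Dan O'Brien", "1961-03-09"),  # a perfectly ordinary name with an apostrophe
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the caller's input becomes part of the SQL text itself."""
    sql = f"SELECT id, name FROM voters WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the input is bound as a value and cannot alter the statement."""
    return conn.execute("SELECT id, name FROM voters WHERE name = ?", (name,)).fetchall()


def vulnerable_breaks_on_apostrophe(conn, name):
    """The concatenated version is not just insecure, it is also wrong: a legitimate
    apostrophe in the data makes it throw. Returns True if the lookup raised."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "' OR '1'='1"  # the textbook tautology, here only to show the difference
    print("vulnerable, normal name :", lookup_vulnerable(conn, "Alice Example"))
    print("vulnerable, tautology   :", lookup_vulnerable(conn, probe))  # every row
    print("safe, tautology         :", lookup_safe(conn, probe))  # no row has that name
    print("safe, O'Brien           :", lookup_safe(conn, "Dan O'Brien"))
    print("vulnerable, O'Brien raises:", vulnerable_breaks_on_apostrophe(conn, "Dan O'Brien"))
```

The binding in `lookup_safe` is the whole fix: the driver sends the statement and the value separately, so there is no string in which a quote can change the meaning. Tom 7's suggestion further down (a web account that can only call stored procedures) is complementary, limiting what a query can reach even if someone does get to run one.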


  15. DMcDonnell

    Took what?

    "The June SQLi attack targeted the Illinois Board of Elections, and was used to swipe the personal data of 200,000 citizens, ..." So the perps got what personal data that wasn't already published by the Illinois Board of Elections? FYI: voter registration rolls in the US are generally a matter of public record and usually include information like name, physical address, date of birth, race, gender, phone number, registration ID number, voter status (if you voted in previous elections), party affiliation.

    As an example anyone can purchase a complete copy of Florida's voter registrations roll for a measly $5.00 US.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Took what?

      Good point. It costs $500. But I'd be more worried about miscreants altering data than taking it.


    2. Anonymous Coward

      Re: Took what?

      Why is some of this information even collected? The gringos get upset if one mentions that they have race problems (and other countries are much more relaxed about it), but they do stupid things like this to institutionalise it.

      The fact that one can buy this information, and then use it to steal identities has clearly not crossed their minds. Also, I now understand how every dead person is able to vote...

  16. Keith Langmead

    Directory traversal

    I'm surprised they allow parent paths, I thought that was known to be a risk since the turn of the century!
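On the parent-path point, the usual way a web handler refuses them is to resolve the requested name against the document root and check that the result is still underneath it, rather than pattern-matching on "..". Added example (my own code, not from the article or any of the posters); the base directory and the request strings are constructed for the demo.

```python
from pathlib import Path
from urllib.parse import unquote


def safe_path(base_dir, requested):
    """Map a client-supplied path onto the filesystem and return the resolved Path
    only if it stays inside base_dir; return None for anything that escapes."""
    base = Path(base_dir).resolve()
    # Decode once, so "%2e%2e" is seen as ".." before normalisation. A second
    # layer of encoding ("%252e") stays a literal directory name and cannot traverse.
    relative = unquote(requested).lstrip("/\\")  # an absolute path must not replace the base
    try:
        candidate = (base / relative).resolve()  # collapses ".." and symlinks
        candidate.relative_to(base)  # raises ValueError if candidate is outside base
    except ValueError:  # also covers embedded NUL bytes, which resolve() rejects
        return None
    return candidate


# Constructed request paths, labelled with the expected verdict.
SAMPLE_REQUESTS = [
    ("static/app.css", "allowed"),
    ("static/../static/logo.png", "allowed, normalises back inside the root"),
    ("/etc/passwd", "allowed, leading slash stripped so it means <root>/etc/passwd"),
    ("../etc/passwd", "rejected"),
    ("%2e%2e/%2e%2e/etc/passwd", "rejected, encoded dots decoded then caught"),
    ("%252e%252e/etc/passwd", "allowed, literal '%2e%2e' directory inside the root"),
]


def classify(base_dir, requests=SAMPLE_REQUESTS):
    """Return {requested: True/False} for whether each path stays inside base_dir."""
    return {req: safe_path(base_dir, req) is not None for req, _ in requests}


if __name__ == "__main__":
    root = "/srv/www"  # assumed document root; it need not exist for resolve()
    for req, note in SAMPLE_REQUESTS:
        print(f"{req!r:32} -> {safe_path(root, req)}  ({note})")
```

The check is done on the resolved path, not on the string, which is what makes it hold up against encoded dots, mixed separators and symlinks. Serve the returned Path, never the original request string.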

