"It was a real eye opener ..."
It's really, really, sad the people looking after these seems regard it that way.
They should already be well aware of this, and themselves as targets.
IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards. The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved Acunetix, SQLMap, and DirBuster tools. It …
They're probably the only people in the world that it IS a surprise to seeing as everyone in the IT world had been shouting that this is a bad idea since its inception.
Put the voting results in a database and rigging an election immediately becomes staggeringly more viable by its very nature. Whether by outside independent hackers as this sheriff seems concerned with, or by corrupt officials which all the rest of us are actually more scared of. If there's a paper trail then theoretically you can at least verify. But you have to establish a pretty high level of suspicion to get the state to undertake that level of effort - especially given the partisan nature of US politics where one winning party will be fighting tooth and nail to block it (there were actually Republican supporters physically breaking into places to stop the recount in the W. Bush election) and the possibility the incumbent may be complicit.
For crying out loud - how hard is it to count the number of "%" in the URL, and if there are more than, say, 10 percent signs, it's definitely an SQL injection and so you ban the IP address. Don't give them a second chance, just ban the IP address. It's not a mistake, it's an attack, ban 'em.
Oh, make sure your normal operation doesn't use % in the URLs.
If they can't prevent the most common SQL injections by counting % then send the programmers back to high school.
"The July attack used a SQL injection technique to get into the website server for the Illinois Board of Elections, and stole the personal data of 200,000"
What was a database containing 200,000 voter records even doing on the Internet and vulnerable to an SQL injection hack from 1998.
"Homeland Security Secretary .. Johnson .. pledged help for state officials in securing their systems, including having the DHS send specially trained staff to help."
Is it wise to give the DHS root access to the voting machines?
With tards like this making stuff you can kinda see why. The PHP people thought "we must help them!" and of course they themselves are tards who invented games like:
1) underscore roulette
2) guess the order of the arguments
3) warning kerplunk
4) find the variable typo that was silently initialised into an array and happened
5) 2 or two?
and of course:
6) is it a map-like not-map-or-list or a list-like not-map-or-list
They didn't get it right.
(Forgive where this post went, I really hate PHP)
Just about anyone can get for a few hundred dollars voter lists from their county clerks. Including name, address, may be phone number, when they voted etc. All the candidates do. I doubt there is any more in the files they got.
The problem is potentially getting into and possibly changing vote totals especially from electronic voting machines.
Seriously, this is a solved problem. It's been a solved problem for years. The only way this can happen is if the codebase is written by a completely ignorant prat who has never hears of input validation, parameterised SQL or prepared statements....
"The June SQLi attack targeted the Illinois Board of Elections, and was used to swipe the personal data of 200,000 citizens, ..." So the perps got what personal data that wasn't already published by the Illinois Board of Elections? FYI: voter registration rolls in the US are generally a matter of public record and usually include information like name, physical address, date of birth, race, gender, phone number, registration ID number, voters status (if you voted in previous elections), party affiliation.
As an example anyone can purchase a complete copy of Florida's voter registrations roll for a measly $5.00 US.
Why is some of this information even collected? The gringos get upset if one mentions that they have race problems (and other countries are much more relaxed about it), but they do stupid things like this to institutionalise it.
The fact that one can buy this information, and then use it to steal identities has clearly not crossed their minds. Also, I know understand how every dead person is able to vote...
Biting the hand that feeds IT © 1998–2019