
Election Assistance Commission Hacked Using SQL Injection (reuters.com) 103

whoever57 writes: The commission that is responsible for ensuring the integrity of voting machines was itself hacked. The hacker gained access to non-public reports on weaknesses in voting machines. The hack occurred after the election, so it is unlikely that this hack resulted in changing the result. However, if one hacker can break in, how does anyone know that there was not a prior hack? The hack used an SQL injection flaw to gain access to usernames and passwords which were then cracked. wiredmikey adds: Researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems, and has been trying to sell stolen access credentials -- including admin-level -- on the underground. On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called "Rasputin" by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a middle-eastern government broker. The hacker claimed to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. EAC said Thursday that it was aware of the "potential intrusion" and was investigating the incident.
This discussion has been archived. No new comments can be posted.

  • I look forward to the reasonable, rational, well cited discussion to follow herein. I'm sure everyone will remain professionally calm and quite intelligible and on point in this. I look forward to it all, and god save the Lizard Queen.
  • Fuck you guys for not hiring me.

    • by hey! ( 33014 )

      I know. I mean for chrissake already, it's been fourteen years since SQL injection was identified as a serious security hole.

  • by aberglas ( 991072 ) on Friday December 16, 2016 @09:52PM (#53501327)

    All votes are on paper. All counts are scrutineered at the polling booth, a quick and painless process. (Real scrutineering where the votes are seen, not some bullshit where scrutineers look through a window.) And then the subtotals are independently tallied by the parties.

    Would be annoying if the main Electoral Computers were compromised, but no big deal. It would be obvious when the subtotals did not tally, and a recount would quickly rectify it.

    So, what is so different in the USA!

    • by bongey ( 974911 )

      Detroit had 37% of the precincts had more votes than ballots. One precinct had 351 votes with 50 ballots. Hillary got 95% of the vote in Detroit. Detroit is now lying about voting machines being broken, stated in 2003 "cannot over vote with optical scan". pg 24. Majority of Detroit is newer optical machines. https://www.michigan.gov/docum... [michigan.gov]
      Detroit News press article. http://www.detroitnews.com/sto... [detroitnews.com]
      Here is a breakdown of the irregularities in Detroit’s 662 precincts:

      236 precincts in balance

  • "The hack used an SQL injection flaw. . ."

    Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?

    • Give them a break - no one realized that Senator ;); -- Drop Table Votes; was running for reelection.

      • The whole SQL injection thing is like stubbing your toe on the doorway every time you walk through it and still never learning to be careful around that door.

        I have no more pity or sympathy for people that get fucked over from SQL injection, I'm just all out of tears for them.

        When I would hear about SQL injection compromising a site I used to be like "Oh wow, that sucks, sorry to hear that" but now I'm like "TOUGH SHIT YOU STUPID FUCKER".

    • "The hack used an SQL injection flaw. . ."

      Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?

      What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

      • What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

        Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/ [xkcd.com]

        • What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

          Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/ [xkcd.com]

          There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.

          • There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.

            Whatever you say, Mr Expert.

  • Billions of tax dollars went to purchase electronic voting machines that were designed to be hacked. If they were hacked perhaps the real issue was that they were hacked by the wrong people?
    • by HiThere ( 15173 )

      Bingo! We have a winner!

      And notice that this has been known for over a decade, and neither party did anything to fix it. (Except in the sense of "fixing a horse race".)

  • by Anonymous Coward

    Only somebody that should be stuck in jail writes SQL by tacking strings together.
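
The two points argued in the comments above (whether "sanitizing" prevents SQL injection, and building SQL "by tacking strings together"), shown as an added example that is not any commenter's code. The table, column names, helper functions and inputs are constructed for illustration; the "sanitizer" is the common quote-doubling approach, which does nothing in a numeric context.

```python
import sqlite3

def make_db():
    # Constructed sample data: one report the caller may see, one they may not.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (id INTEGER, owner TEXT, title TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?, ?)", [
        (1, "alice", "public summary"),
        (2, "bob", "non-public findings"),
    ])
    return db

def escape_quotes(value):
    # "Sanitizing" in the usual sense: neutralise single quotes.
    return value.replace("'", "''")

def lookup_concat(db, report_id):
    # Flawed: the input is escaped but still spliced into the SQL text,
    # so the database parses it as part of the statement.
    sql = ("SELECT title FROM reports WHERE owner = 'alice' AND id = "
           + escape_quotes(report_id) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, report_id):
    # Fixed: the statement text is constant; the input travels separately
    # as a bound value and is only ever compared, never parsed as SQL.
    sql = "SELECT title FROM reports WHERE owner = 'alice' AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (report_id,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"  # constructed input; contains no quote to escape
    print("concat, benign :", lookup_concat(db, "1"))
    print("concat, hostile:", lookup_concat(db, hostile))
    print("bound,  benign :", lookup_bound(db, "1"))
    print("bound,  hostile:", lookup_bound(db, hostile))
```

The concatenated query returns bob's row for the hostile input even though the input passed through the escaping step unchanged; the bound query returns nothing because the whole string is compared against `id` as a single value.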

  • Seriously. Rasputin ?

    This is just part of the show people, don't you see that ?
    You have bigger enemies within your own country than Russia will ever be.

    The ones that are "manufacturing" these retarded articles/news for a start.

    • by HiThere ( 15173 )

      The name is clearly drama, and not evidence, but it could be the guy's handle...or one of them. If I saw myself as a sinister mastermind behind the throne I might use that pseudonym. It wouldn't reveal much about me except that I know a bit of history, and give a bit of insight into how I saw myself which would be pretty obvious anyway.

      I doubt that ANYONE takes that as evidence. (FWIW the only connection I have with Russia is a bit of reading material and the name of a hamburger ["A Taste of Russia"] th

  • Seriously, it's one of the oldest and most obvious tricks in the book. That a site would still be able to be exploited that way is just embarrassing.
