Election Assistance Commission Hacked Using SQL Injection (reuters.com)
whoever57 writes: The commission that is responsible for ensuring the integrity of voting machines was itself hacked. The hacker gained access to non-public reports on weaknesses in voting machines. The hack occurred after the election, so it is unlikely that this hack resulted in changing the result. However, if one hacker can break in, how does anyone know that there was not a prior hack? The hack used an SQL injection flaw to gain access to usernames and passwords which were then cracked.
wiredmikey adds: Researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems, and has been trying to sell stolen access credentials -- including admin-level -- on the underground. On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called "Rasputin" by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a Middle Eastern government broker. The hacker claimed to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. EAC said Thursday that it was aware of the "potential intrusion" and was investigating the incident.
Re: (Score:2)
Bobby Tables strikes again!!!
Re: (Score:3)
Re: (Score:2)
Why is SQL injection still a thing?
Apparently it has something to do with outsourcing coding to the cheapest bidder. Can't comment on the rest.
Re: (Score:2)
I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen.
Agreed. Lost track of the number of times I've forgotten to type 'where' and all my conditions get tagged to the last join without something warning me about how much of a dumbass I am.
Re: (Score:2)
That's Bobby Drop Tables to you...
Re:Well (Score:5, Insightful)
Agreed.
I get that developers are lazy and can be expected to shy away from security features that get in the way, but come on, Prepared Statements [wikipedia.org] have been around for a very long time, and in a lot of ways, they make your life easier (prettier code, streamed-blob-handling, no escaping, datatype checks).
They should be your /default/ coding practice, not what you reluctantly pick up after a breach or an audit!
Re: (Score:2)
Wow this place has slid a lot in recent years
Re: (Score:2)
For you that are slower than tar...
Hey! tar is pretty fast by itself. Just use a faster compression algorithm if it doesn't seem fast enough for you.
Re: (Score:2)
I think that the phrase "this attack" is being used in multiple senses. I don't even think you're disagreeing with each other, just not understanding each other.
"this attack" 1) This instance of an attack. 2) This variety or technique for attacking a site.
Both meanings are valid, but if you mix them up misunderstanding results.
Oooh more rational discussion (Score:2)
Re:"Russian speaking" and "underground" (Score:4, Insightful)
It's strange how many ACs there are out there telling us how Russia is our friend.
Re: (Score:2)
IIUC, when you trace this back to the original article (for this kind of article, not necessarily this particular article), it means it was routed through a Russian ISP. Even then I'm not sure they take into account the possibility of forged headers.
That said, for the kind of attack this is reported to be there's no particular reason to doubt that the attack came from Russia. But even so why claim government involvement when it's the kind of attack a high school kid could put together? Of course, this d
SQL injection, really?? (Score:1)
Fuck you guys for not hiring me.
Re: (Score:3)
I know. I mean for chrissake already, it's been fourteen years since SQL injection was identified as a serious security hole.
Re: (Score:1)
Not a problem if it happened in Australia (Score:3)
All votes are on paper. All counts are scrutineered at the polling booth, a quick and painless process. (Real scrutineering where the votes are seen, not some bullshit where scrutineers look through a window.) And then the subtotals are independently tallied by the parties.
Would be annoying if the main Electoral Computers computers were compromised, but no big deal. It would be obvious when the subtotals did not tally, and a recount would quickly rectify it.
So, what is so different in the USA!
Re: (Score:2)
In Detroit, 37% of the precincts had more votes than ballots. One precinct had 351 votes with 50 ballots. Hillary got 95% of the vote in Detroit. Detroit is now lying about voting machines being broken; it stated in 2003 "cannot over vote with optical scan" (pg 24). The majority of Detroit uses newer optical machines. https://www.michigan.gov/docum... [michigan.gov]
Detroit News press article. http://www.detroitnews.com/sto... [detroitnews.com]
Here is a breakdown of the irregularities in Detroit’s 662 precincts:
236 precincts in balance
Oh for christ's sake (Score:2)
"The hack used an SQL injection flaw. . ."
Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?
Re: (Score:3)
Give them a break - no one realized that Senator ;); -- Drop Table Votes; was running for reelection.
Re: (Score:2)
The whole SQL injection thing is like stubbing your toe on the doorway every time you walk through it and still never learning to be careful around that door.
I have no more pity or sympathy for people that get fucked over from SQL injection, I'm just all out of tears for them.
When I would hear about SQL injection compromising a site I used to be like "Oh wow, that sucks, sorry to hear that" but now I'm like "TOUGH SHIT YOU STUPID FUCKER".
Re: (Score:3)
"The hack used an SQL injection flaw. . ."
Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
Re: (Score:2)
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/ [xkcd.com]
Re: (Score:2)
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/ [xkcd.com]
There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.
Re: (Score:2)
There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.
Whatever you say, Mr Expert.
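The prepared-statement comment above and the sanitizing-vs-parameterizing exchange here are making the same point, so here is one added example illustrating both (this is editor-written demo code, not code from the page, from the EAC, or from Recorded Future). It uses Python's standard sqlite3 module against an in-memory database with a constructed users table; the usernames, hashes and the two payloads are made up for the demo. It shows a string-concatenated login that an attacker bypasses with a comment tail, the same lookup with bound parameters, and then a numeric lookup where a quote-stripping "sanitizer" is useless because the payload contains no quotes, while parameter binding still holds.

```python
# Added example (not from the page or the EAC): a login lookup done with string
# concatenation vs. bound parameters, plus a numeric lookup that shows why
# quote-stripping "sanitizers" do not fix SQL injection. All data is constructed.
import sqlite3


def make_db():
    """Build a throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash_of_alice_pw", 1), ("bob", "hash_of_bob_pw", 0)],
    )
    return conn


def login_concat(conn, username, password_hash):
    """VULNERABLE: attacker-controlled text becomes part of the SQL grammar."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password_hash):
    """FIXED: the query text is constant; the driver binds the values as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def strip_quotes(value):
    """A typical home-grown 'sanitizer': drop quote characters and semicolons."""
    return value.replace("'", "").replace('"', "").replace(";", "")


def find_user_concat(conn, user_id):
    """STILL VULNERABLE after strip_quotes(): a numeric slot has no quotes to escape."""
    sql = f"SELECT username FROM users WHERE id = {strip_quotes(user_id)}"
    return sorted(r[0] for r in conn.execute(sql))


def find_user_param(conn, user_id):
    """FIXED: the bound value is compared as a value; no SQL is parsed out of it."""
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    # The "--" tail turns the password check into a comment.
    print(login_concat(db, "alice' --", "not-the-hash"))   # alice
    print(login_param(db, "alice' --", "not-the-hash"))    # None
    # Quote stripping changes nothing here: the payload has no quotes at all.
    print(find_user_concat(db, "2 OR is_admin = 1"))       # ['alice', 'bob']
    print(find_user_param(db, "2 OR is_admin = 1"))        # []
```

The numeric case is the one the "just sanitize your input" crowd tends to miss: `strip_quotes` leaves `2 OR is_admin = 1` untouched, so the concatenated query returns the admin row along with the one the caller asked for, while the bound version compares the whole string against the integer column and matches nothing. Input validation is still worth doing for its own reasons, but the query structure has to be fixed before any user data reaches the database, which is exactly what a prepared statement does.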
Really? (Score:1)
Re: (Score:2)
Bingo! We have a winner!
And notice that this has been known for over a decade, and neither party did anything to fix it. (Except in the sense of "fixing a horse race".)
Parameterized Query? (Score:1)
Only somebody that should be stuck in jail writes SQL by tacking strings together.
Theater (Score:2)
Seriously. Rasputin ?
This is just part of the show people, don't you see that ?
You have bigger enemies within your own country than Russia will ever be.
The ones that are "manufacturing" these retarded articles/news for a start.
Re: (Score:2)
The name is clearly drama, and not evidence, but it could be the guy's handle...or one of them. If I saw myself as a sinister mastermind behind the throne I might use that pseudonym. It wouldn't reveal much about me except that I know a bit of history, and give a bit of insight into how I saw myself which would be pretty obvious anyway.
I doubt that ANYONE takes that as evidence. (FWIW the only connection I have with Russia is a bit of reading material and the name of a hamburger ["A Taste of Russia"] th
Re: (Score:2)
Re: (Score:3)
They didn't. It was brought up in private discussions in October (September? I forget), but the white house decided not to go public with the findings out of fear of unduly influencing the election.
Re: (Score:2)
They should have come out with it before the vote. Now the winner has no credibility.
Re: (Score:1)
he had credibility before?
Re: Quoting Trump (Score:1)
But it would still have been too late, people already found out that the loser also had no credibility.
I don't believe it would have changed much, half the country already hated Hillary and voted Trump out of spite.
Re: (Score:2)
Less than 20 percent voted for Obama too. The fact that most of the US land mass is rural and Republican is irrelevant. Most US citizens live in the small patches that vote Democratic. One person, one vote - except for the extra 2 votes that give rural states an extra 60 or so EC votes. Yep, that's the system - but don't claim it means that most Americans want Trump as President. Only the barest majority wanted him in some of the biggest states he won. FL, PA, WI, MI.
Re: The voters rejected Trump, Clinton won (Score:1)
Maybe that was the plan all along (Score:5, Interesting)
Re: (Score:2, Insightful)
Seems unlikely because Russian hacking has consistently helped Trump. If they had been able to produce evidence of that, even just reports from the CIA or FBI, it would have badly damaged his campaign.
I'm sure de-legitimizing Trump's administration was Russia's plan all along. Weaken the US with someone they think will make a poor leader, who is easily goaded and who will be too busy fighting his fellow citizens over everything on multiple fronts to oppose Russia. Plus they already lent him a lot of money,
Re: (Score:2, Troll)
has consistently helped Trump
What exactly did "Russia's" hacking do to help Trump? No one has ever fought the authenticity of the leaked e-mails. Leading up to the election we had plenty of coverage on Trump's mouth (From pussy grabbing and beyond). The only thing the leaks did was validate what most people already thought about Clinton's team.
Look at the numbers for the swing states Trump flipped and secured his win (Wisconsin and Michigan). Republican turnout was near flat. 3rd Parties got a big bump and the DNC took a big hit. Thes
Re:Maybe that was the plan all along (Score:4, Insightful)
Every day, more clinton email scandal and no chance for policy discussion.
Because the media didn't spend a large chunk of its time talking about Trump's pussy grabbing or his tweets. I honestly heard more about Trump's tweets than I did Clinton's e-mails.
So let's not pretend that if the e-mails weren't released they would have talked about 'policy' at all.
The leaked emails are NOT legit (Score:1)
"The leaked emails are certainly legit - that's not the question"
No, they're not; they're a mass of legit emails with a bit of propaganda added (or critical information removed) to sex them up a bit. That's how Russian propaganda works.
" Every day, more clinton email scandal and no chance for policy discussion. That's how propaganda works."
Exactly, every day you would make some innuendo against emails provided for the purpose by Manafort (Trump's propagandist who's a lobbyist known for doing similar pro-Rus
Re: (Score:2)
s with a bit of propaganda added
So Russia managed to crack DKIM?
critical information removed
Even better, make up what ever information you think they had removed. Did all of the e-mails talking about screwing Bernie really end with "Lol J/k"?
He'll literally have offshore bank accounts and a company to launder that money
And the Clintons have their foundation.
Re: The leaked emails are NOT legit (Score:1)
FBI and CIA confirm Russian takeover (Score:2, Insightful)
Bullshit, how would you involve the Russian hackers? How would you fake the evidence for the CIA and FBI both to confirm it?
http://www.aol.com/article/2016/12/16/fbi-backs-cia-assessment-of-russia-2016-election-hack/21629706/
The hacked election registration websites have been confirmed.
The hacked DNC emails were released DURING the election, you claim "sat on information" yet no such sitting occurred.
CIA says they hacked the RNC emails too. They just haven't released them, and haven't sexed them up.
That me
Re: (Score:2)
Re: (Score:2)
They were in a lose-lose situation. The information was out there - and it was real information. Most of it was simply embarrassing stuff, but it played into the public's dislike of Clinton. Of course the Republican national committee's emails probably contained stuff that was at least as 'bad', but the public never saw that.
If Obama complained too loudly, he'd have been seen as using his office to influence the election - and that would've cast doubt on its legitimacy. They thought Clinton was going to
Re: (Score:3)
Perhaps, incredulously, the reason Señor Trump seemingly wildly accused the election of being rigged [theguardian.com] is that he knew more than we did, but mistakenly assumed he was not the beneficiary.
Hell, perhaps he's a savant with the ability to grasp immunity by merely convincing us all he's a clown.
Re:Quoting Trump (Score:4, Informative)
Senate Majority leader objected, if I recall, to the information being made public so close to election day.
Re: (Score:1)
Re: (Score:2)
I am:
"That played well before the election. Now? We don't care."
or maybe this one is better:
"You people were vicious, violent, screaming, 'Where's the wall? We want the wall!' Screaming, 'Prison! Prison! Lock her up!' I mean you are going crazy. I mean, you were nasty and mean and vicious and you wanted to win, right? But now, you're mellow and you're cool and you're not nearly as vicious or violent, right? Because we won, right?"