Slashdot Mirror


Election Assistance Commission Hacked Using SQL Injection (reuters.com)

whoever57 writes: The commission that is responsible for ensuring the integrity of voting machines was itself hacked. The hacker gained access to non-public reports on weaknesses in voting machines. The hack occurred after the election, so it is unlikely that this hack resulted in changing the result. However, if one hacker can break in, how does anyone know that there was not a prior hack? The hack used an SQL injection flaw to gain access to usernames and passwords which were then cracked. wiredmikey adds: Researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems, and has been trying to sell stolen access credentials -- including admin-level -- on the underground. On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called "Rasputin" by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a Middle Eastern government broker. The hacker claimed to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. EAC said Thursday that it was aware of the "potential intrusion" and was investigating the incident.


  1. Re:Quoting Trump by Phydeaux314 · · Score: 2

    They didn't. It was brought up in private discussions in October (September? I forget), but the white house decided not to go public with the findings out of fear of unduly influencing the election.

    --
    Never underestimate the stupidity inherent in all human beings.
  2. Re:Quoting Trump by AmiMoJo · · Score: 1

    They should have come out with it before the vote. Now the winner has no credibility.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Re:Quoting Trump by Anonymous Coward · · Score: 1

    he had credibility before?

  4. Re: Quoting Trump by Anonymous Coward · · Score: 1

    But it would still have been too late, people already found out that the loser also had no credibility.
    I don't believe it would have changed much, half the country already hated Hillary and voted Trump out of spite.

  5. Oooh more rational discussion by locater16 · · Score: 2

    I look forward to the reasonable, rational, well cited discussion to follow herein. I'm sure everyone will remain professionally calm and quite intelligible and on point in this. I look forward to it all, and god save the Lizard Queen.

  6. Re:Well by Archangel+Michael · · Score: 1

    Bobby Tables Strikes again !!!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  7. Maybe that was the plan all along by scatbomb · · Score: 4, Interesting

    Maybe that was the plan all along. They sat on this information so they could bury it if their candidate won and bring it to light if their candidate lost so as to throw the legitimacy of the vote into question.

    1. Re:Maybe that was the plan all along by AmiMoJo · · Score: 1, Insightful

      Seems unlikely because Russian hacking has consistently helped Trump. If they had been able to produce evidence of that, even just reports from the CIA or FBI, it would have badly damaged his campaign.

      I'm sure de-legitimizing Trump's administration was Russia's plan all along. Weaken the US with someone they think will make a poor leader, who is easily goaded and who will be too busy fighting his fellow citizens over everything on multiple fronts to oppose Russia. Plus they already lent him a lot of money, so have plenty of leverage if plan A fails.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Maybe that was the plan all along by 0100010001010011 · · Score: 1, Troll

      has consistently helped Trump

      What exactly did "Russia's" hacking do to help Trump? No one has ever fought the authenticity of the leaked e-mails. Leading up to the election we had plenty of coverage on Trump's mouth (From pussy grabbing and beyond). The only thing the leaks did was validate what most people already thought about Clinton's team.

      Look at the numbers for the swing states Trump flipped and secured his win (Wisconsin and Michigan). Republican turnout was near flat. 3rd Parties got a big bump and the DNC took a big hit. These are states that Sanders won in the Primary. The Russians didn't do the DNC primary. The Russians didn't push superdelegate counts before they were elected. The Russians didn't collude to keep Sanders out. The Russians weren't complete assholes to Sanders supporters during the Primary.

      Clinton lost because she was Clinton. No amount of word twisting on how it was some IRC user name Vlad is going to change that.

    3. Re:Maybe that was the plan all along by 0100010001010011 · · Score: 3, Insightful

      Every day, more clinton email scandal and no chance for policy discussion.

      Because we the media didn't spend a large chunk of its time talking about Trump's pussy grabbing or his tweets. I honestly heard more about Trump's tweets than I did Clinton's e-mails.

      So let's not pretend if the e-mails weren't released they would have talked about 'policy' at all.

    4. Re:Maybe that was the plan all along by Rob+Y. · · Score: 1

      They were in a lose-lose situation. The information was out there - and it was real information. Most of it was simply embarrassing stuff, but it played into the public's dislike of Clinton. Of course the Republican national committee's emails probably contained stuff that was at least as 'bad', but the public never saw that.

      If Obama complained too loudly, he'd have been seen as using his office to influence the election - and that would've cast doubt on its legitimacy. They thought Clinton was going to win, so why cast that into doubt. And she would've won without Comey's interference. Her resulting drop in the polls was more than the margin she lost by in the states that swung.

      But to suggest that complaining now is inappropriate is to suggest doing nothing about a foreign government breaking into the US political machine and using that material to influence the election. I.e., Watergate on steroids. They can't ignore that. And if that casts doubt on Trump's legitimacy, well, they're real doubts. He should be preparing to govern accordingly. But he won't - just like G.W.B, who governed as if he had a mandate, despite losing the popular vote - as well as the EC, had there not been the Pat Buchanan stupid ballot problem in Broward County,

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
  8. Re:Quoting Trump by rmdingler · · Score: 2

    Perhaps, incredulously, the reason Señor Trump seemingly wildly accused the election of being rigged is that he knew more than we did, but mistakenly assumed he was not the beneficiary.

    Hell, perhaps he's a savant with the ability to grasp immunity by merely convincing us all he's a clown.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  9. Re:Well by Unordained · · Score: 4, Insightful

    Agreed.
    I get that developers are lazy and can be expected to shy away from security features that get in the way, but come on, Prepared Statements have been around for a very long time, and in a lot of ways, they make your life easier (prettier code, streamed-blob-handling, no escaping, datatype checks):
    They should be your /default/ coding practice, not what you reluctantly pick up after a breach or an audit!

  10. Re:Well by Chelloveck · · Score: 2

    Why is SQL injection still a thing? Hell, why is SQL still a thing? I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen. Why the hell aren't people using proper language bindings instead of trying to pass control and data interleaved into a single text stream?

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  11. Re:The hack occurred after the election by coolmoe2 · · Score: 1

    You obviously don't understand the idea of impossible. So what they had the site secured against injection attacks then did not and now they are vulnerable again magically? You could use a brush up with a dictionary dude. For you that are slower than tar you can attack multiple times and just because this one was DETECTED does not mean ones in the past were impossible.
    Wow this place has slid a lot in recent years

  12. Re:Well by The-Ixian · · Score: 1

    That's Bobby Drop Tables to you...

    --
    My eyes reflect the stars and a smile lights up my face.
  13. SQL injection, really?? by Narcocide · · Score: 1

    Fuck you guys for not hiring me.

    1. Re:SQL injection, really?? by hey! · · Score: 2

      I know. I mean for chrissake already, it's been fourteen years since SQL injection was identified as a serious security hole.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  14. Re:Well by Narcocide · · Score: 2

    Why is SQL injection still a thing?

    Apparently it has something to do with outsourcing coding to the cheapest bidder. Can't comment on the rest.

  15. Re:Quoting Trump by hey! · · Score: 3, Informative

    Senate Majority leader objected, if I recall, to the information being made public so close to election day.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  16. Re:The hack occurred after the election by ls671 · · Score: 1

    For you that are slower than tar...

    Hey! tar is pretty fast by itself. Just use a faster compression algorithm if it doesn't seem fast enough for you.

    --
    Everything I write is lies, read between the lines.
  17. Not a problem if it happened in Australia by aberglas · · Score: 2

    All votes are on paper. All counts are scrutineered at the polling booth, a quick and painless process. (Real scrutineering where the votes are seen, not some bullshit where scrutineers look through a window.) And then the subtotals are independently tallied by the parties.

    Would be annoying if the main Electoral Computers computers were compromised, but no big deal. It would be obvious when the subtotals did not tally, and a recount would quickly rectify it.

    So, what is so different in the USA!

    1. Re:Not a problem if it happened in Australia by bongey · · Score: 1

      Detroit had 37% of the precincts had more votes than ballots. One precinct had 351 votes with 50 ballots. Hillary got 95% of the vote in Detroit. Detroit is now lying about voting machines being broken, stated in 2003 "cannot over vote with optical scan". pg 24 . Majority of Detroit is newer optical machines. https://www.michigan.gov/docum...
      Detroit News press article. http://www.detroitnews.com/sto...
      Here is a breakdown of the irregularities in Detroit’s 662 precincts:

      236 precincts in balance — equal numbers of voters counted by workers and machines
      248 precincts with too many votes and no explanation (77 were 1 over; 62 were 2 over, 37 were 3 over, 20 were 4 over, 52 were 5 or more over).
      144 precincts with too few votes and no explanation (81 were 1 under, 29 were 2 under; 19 were 3 under; 7 were 4 under; 8 were 5 or more under)
      34 precincts out of balance but with an explanation
      Let us call it what really happened in Detroit, massive voter fraud by ballot stuffing. No national liberal press outlets are really reporting it at all.

      The real kicker, Michigan law prevents a recount if the vote total doesn't match ballot count. The law basically allows sweeping voter fraud under the rug.

  18. Oh for christ's sake by JustAnotherOldGuy · · Score: 1

    "The hack used an SQL injection flaw. . ."

    Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Oh for christ's sake by i.r.id10t · · Score: 2

      Give them a break - no one realized that Senator ;); -- Drop Table Votes; was running for reelection.

      --
      Don't blame me, I voted for Kodos
    2. Re:Oh for christ's sake by WaffleMonster · · Score: 2

      "The hack used an SQL injection flaw. . ."

      Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?

      What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

    3. Re:Oh for christ's sake by JustAnotherOldGuy · · Score: 1

      The whole SQL injection thing is like stubbing your toe on the doorway every time you walk through it and still never learning to be careful around that door.

      I have no more pity or sympathy for people that get fucked over from SQL injection, I'm just all out of tears for them.

      When I would hear about SQL injection compromising a site I used to be like "Oh wow, that sucks, sorry to hear that" but now I'm like "TOUGH SHIT YOU STUPID FUCKER".

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Oh for christ's sake by JustAnotherOldGuy · · Score: 1

      What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

      Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Oh for christ's sake by WaffleMonster · · Score: 1

      What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?

      Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/

      There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.

    6. Re:Oh for christ's sake by JustAnotherOldGuy · · Score: 1

      There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.

      Whatever you say, Mr Expert.

      --
      Just cruising through this digital world at 33 1/3 rpm...
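
Added example, not part of the original thread: the exchange above over whether "sanitizing" prevents SQL injection, and the earlier comment recommending prepared statements as the default, shown on a constructed SQLite table. The table contents, the `strip_quotes` filter and all function names are assumptions made for the illustration, not code from any system discussed here.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small report index with one non-public row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    db.executemany(
        "INSERT INTO reports VALUES (?, ?, ?)",
        [
            (1, "Public meeting minutes", 1),
            (2, "Public test summary", 1),
            (3, "Non-public weakness report", 0),
        ],
    )
    return db


def strip_quotes(value):
    """Hypothetical 'sanitizer': delete quote, semicolon and comment markers."""
    for bad in ("'", '"', ";", "--"):
        value = value.replace(bad, "")
    return value


def lookup_concat(db, report_id):
    # Vulnerable form: the request value is pasted into the SQL text, so the
    # database parses it as part of the statement rather than as data.
    sql = ("SELECT title FROM reports WHERE public = 1 AND id = "
           + report_id + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def lookup_sanitized(db, report_id):
    # Same concatenation behind the character filter. In a numeric context no
    # quote is needed to change the query, so the filter has nothing to remove.
    sql = ("SELECT title FROM reports WHERE public = 1 AND id = "
           + strip_quotes(report_id) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, report_id):
    # Parameterized form: the statement text is fixed and the value is bound
    # separately, so it can only ever be compared against the id column.
    sql = "SELECT title FROM reports WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (report_id,))]


def compare(report_id):
    """Run the same request value through all three lookups."""
    db = make_db()
    return {
        "concat": lookup_concat(db, report_id),
        "sanitized": lookup_sanitized(db, report_id),
        "param": lookup_param(db, report_id),
    }


if __name__ == "__main__":
    # A normal request, then a constructed value that rewrites the WHERE clause.
    for value in ("1", "0 OR 1=1"):
        print(repr(value), compare(value))
```

The filter fails here because the flaw is the mixing of code and data in one string, not the presence of particular characters; the bound parameter never reaches the SQL parser as text.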
  19. Really? by thunderclees · · Score: 1

    Billions of tax dollars went to purchase electronic voting machines that were designed to be hacked. If they were hacked perhaps the real issue was that they were hacked by the wrong people?

    1. Re:Really? by HiThere · · Score: 1

      Bingo! We have a winner!

      And notice that this has been known for over a decade, and neither party did anything to fix it. (Except in the sense of "fixing a horse race".)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  20. Parameterized Query? by Anonymous Coward · · Score: 1

    Only somebody that should be stuck in jail writes SQL by tacking strings together.

  21. FBI and CIA confirm Russian takeover by Anonymous Coward · · Score: 2, Insightful

    Bullshit, how would you involve the Russian hackers? How would you fake the evidence for the CIA and FBI both to confirm it?

    http://www.aol.com/article/2016/12/16/fbi-backs-cia-assessment-of-russia-2016-election-hack/21629706/

    The hacked election registration websites have been confirmed.
    The hacked DNC emails were released DURING the election, you claim "sat on information" yet no such sitting occurred.
    CIA says they hacked the RNC emails too. They just haven't released them, and haven't sexed them up.

    That means that Putin has both chosen the USA President, AND has the secrets of the elected lot for future leverage.

    Can I remind you that Hillary got millions more votes than Trump. And Trump has not sold off his foreign businesses, despite promising to do so by Thursday, a deadline passed already. He still has offshore accounts, he still received foreign income.

    You want to put him, with fewer votes, into the Whitehouse, using the rules, yet he is in violation of those rules. You are helping turn USA into a Russian puppet state.

    1. Re:FBI and CIA confirm Russian takeover by scatbomb · · Score: 1

      First of all, whoever hacked into the DNC and leaked the emails did much to improve the transparency of the DNC and brought into light some serious questions about how they are conducting themselves. It's a shame that the truth is disgusting they had to hide it. Second, It's electoral college vote not popular vote which determines the presidency. Hillary's lead comes from California, a state which is highly liberal and so Republicans votes matter very little. If it had been a popular vote, perhaps more Republicans in liberal areas would have turned out. We'll never know. Third, I am not a Republican and never claimed to be. I supported Dr. Marc Allen Feldman until his unfortunate death during the primary. Fourth, the public turned on Hillary because they dislike her at a personal level, they don't believe in the Liberal agenda, and are rightly fearful of political dynasties. Agree or not, we all must abide by the people's decision. Finally, I'm definitely not a Trump supporter or a Hillary supporter, I don't identify as R or D, I'm one of the growing number of people who disliked both parties and both candidates. I wrote in the name of my deceased Libertarian candidate as a protest. Still, there is little evidence to support the idea that the US will be a puppet state, you are spreading FUD plain and simple. You're trying to generate FUD about the legitimacy of this election because you are unhappy with the result. I know you've been brainwashed by the Democrats (or Green or whatever you are) but believe me, the hype is overblown every year. That's how they brainwash you, is by spreading FUD about the other candidates. Don't listen to it. Was Obama as bad as the Republicans said he'd be? NO! Was Bush as bad as the Democrats said he'd be? NO! It's never as bad as the opposition says it will be, that's just how they get support, by spreading FUD. Stop being a tool and spreading their FUD. 
      Get your own opinions and quit parroting the bullshit you read in online political echo chambers.

  22. The leaked emails are NOT legit by Anonymous Coward · · Score: 1

    "The leaked emails are certainly legit - that's not the question"

    No they're not, they're a mass of legit emails with a bit of propaganda added (or critical information removed) to sex them up a bit. That's how Russian propaganda works.

    " Every day, more clinton email scandal and no chance for policy discussion. That's how propaganda works."
    Exactly, every day you would make some innuendo against emails provided for the purpose by Manafort (Trump's propagandist who's a lobbyist known for doing similar pro-Russia elections around the world), and many of you were doing Putin's work for him.

    Trump isn't the choice of the American people, they voted for Hillary. He isn't the GOP's choice, he just hijacked their primaries. He's Putin's choice of President.

    They want to put him in power using the Electoral College, yet he won't even abide by the Emolument clause. He'll literally have offshore bank accounts and a company to launder that money (name brand licenses) AND be running the country at the same time.

    1. Re:The leaked emails are NOT legit by 0100010001010011 · · Score: 1

      s with a bit of propaganda added

      So Russia managed to crack DKIM?

      critical information removed

      Even better, make up what ever information you think they had removed. Did all of the e-mails talking about screwing Bernie really end with "Lol J/k"?

      He'll literally have offshore bank accounts and a company to launder that money

      And the Clintons have their foundation.

    2. Re: The leaked emails are NOT legit by coteriescavenger · · Score: 1

      You can claim the emails were faked all you want, despite that there is no evidence to support tampering, or even that Russia was involved. The truth is, your news sources are so corrupt that you didn't even know there was a revolution happening leading up to the election. You're still lost in that same cloud of propaganda, squirming to hide its disgusting back room deals. Close your eyes and repeat after me, "I am a good slave!"

  23. Re:"Russian speaking" and "underground" by MightyMartian · · Score: 3, Insightful

    It's strange how many ACs there are out there telling us how Russia is our friend.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  24. Re:Quoting Trump by skids · · Score: 1

    I am:

    "That played well before the election. Now? We don't care."

    or maybe this one is better:

    "You people were vicious, violent, screaming, 'Where's the wall? We want the wall!' Screaming, 'Prison! Prison! Lock her up!' I mean you are going crazy. I mean, you were nasty and mean and vicious and you wanted to win, right? But now, you're mellow and you're cool and you're not nearly as vicious or violent, right? Because we won, right?"

  25. Re:Why reveal method? by Lordpidey · · Score: 1

    I can think of two reasons. One, they wanted to embarrass the commission, SQL injection flaws are seriously novice. Two, they are lying, and want to throw out a red herring.

    --
    Some people encrypt by using rot-13 twice. I prefer the more secure method of using rot-1 a total of twenty six times.
  26. Re:Well by WaffleMonster · · Score: 1

    I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen.

    Agreed. Lost track of the number of times I've forgotten to type 'where' and all my conditions get tagged to the last join without something warning me about how much of a dumbass I am.

  27. Theater by geekymachoman · · Score: 1

    Seriously. Rasputin ?

    This is just part of the show people, don't you see that ?
    You have bigger enemies within your own country than Russia will ever be.

    The ones that are "manufacturing" these retarded articles/news for a start.

    1. Re:Theater by HiThere · · Score: 1

      The name is clearly drama, and not evidence, but it could be the guy's handle...or one of them. If I saw myself as a sinister mastermind behind the throne I might use that pseudonym. It wouldn't reveal much about me except that I know a bit of history, and give a bit of insight into how I saw myself which would be pretty obvious anyway.

      I doubt that ANYONE takes that as evidence. (FWIW the only connection I have with Russia is a bit of reading material and the name of a hamburger ["A Taste of Russia"] that I ate a couple of days ago.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  28. Re:The voters rejected Trump, Clinton won by Rob+Y. · · Score: 1

    Less than 20 percent voted for Obama too. The fact that most of the US land mass is rural and Republican is irrelevant. Most US citizens live in the small patches that vote Democratic. One person, one vote - except for the extra 2 votes that give rural states an extra 60 or so EC votes. Yep, that's the system - but don't claim it means that most Americans want Trump as President. Only the barest majority wanted him in some of the biggest states he won. FL, PA, WI, MI.

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...
  29. Re:The hack occurred after the election by HiThere · · Score: 1

    I think that the phrase "this attack" is being used in multiple senses. I don't even think you're disagreeing with each other, just not understanding each other.

    "this attack" 1) This instance of an attack. 2) This variety or technique for attacking a site.

    Both meanings are valid, but if you mix them up misunderstanding results.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  30. Re:Russian-speaking? by HiThere · · Score: 1

    IIUC, when you trace this back to the original article (for this kind of article, not necessarily this particular article), it means it was routed through a Russian ISP. Even then I'm not sure they take into account the possibility of forged headers.

    That said, for the kind of attack this is reported to be there's no particular reason to doubt that the attack came from Russia. But even so why claim government involvement when it's the kind of attack a high school kid could put together? Of course, this doesn't prove the Russian government wasn't involved. Or the Nigerian government. Possibly there is evidence in "Who's selling the goods?", but that's inferential, as information can be sold repeatedly...and sold on by the buyer.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  31. Re: The voters rejected Trump, Clinton won by coteriescavenger · · Score: 1

    You think a foreign business is a conflict of interest!? Sure, a little, but nothing like accepting bribes from Qatar, you dummy! Your so called "sane" politicians have been doing this for YEARS! Maybe a little bit of what you think is crazy is what we've needed all along. Good becomes evil in an empire of lies.

  32. Re: The voters rejected Trump, Clinton won by coteriescavenger · · Score: 1

    Hillary didn't win. It's not about who appeals to the most people, it's about who appeals to the most different kinds of people. Otherwise, you have 5% of indoctrinated counties monopolizing elections against 95% of diverse-minded Americans.
