Election Assistance Commission Hacked Using SQL Injection (reuters.com)
whoever57 writes: The commission that is responsible for ensuring the integrity of voting machines was itself hacked. The hacker gained access to non-public reports on weaknesses in voting machines. The hack occurred after the election, so it is unlikely that this hack resulted in changing the result. However, if one hacker can break in, how does anyone know that there was not a prior hack? The hack used an SQL injection flaw to gain access to usernames and passwords which were then cracked.
wiredmikey adds: Researchers have discovered that a Russian-speaking hacker broke into the U.S. Election Assistance Commission (EAC) systems, and has been trying to sell stolen access credentials -- including admin-level -- on the underground. On December 1, researchers with Recorded Future discovered internet chatter that appeared to relate to an EAC breach. A hacker, called "Rasputin" by Recorded Future, was discussing the sale of more than 100 EAC access credentials to a Middle Eastern government broker. The hacker claimed to have accessed the systems via an SQLi vulnerability, which Recorded Future was able to locate and report. EAC said Thursday that it was aware of the "potential intrusion" and was investigating the incident.
They didn't. It was brought up in private discussions in October (September? I forget), but the White House decided not to go public with the findings out of fear of unduly influencing the election.
Never underestimate the stupidity inherent in all human beings.
I look forward to the reasonable, rational, well cited discussion to follow herein. I'm sure everyone will remain professionally calm and quite intelligible and on point in this. I look forward to it all, and god save the Lizard Queen.
Maybe that was the plan all along. They sat on this information so they could bury it if their candidate won and bring it to light if their candidate lost so as to throw the legitimacy of the vote into question.
Perhaps, incredulously, the reason Señor Trump seemingly wildly accused the election of being rigged is that he knew more than we did, but mistakenly assumed he was not the beneficiary.
Hell, perhaps he's a savant with the ability to grasp immunity by merely convincing us all he's a clown.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Agreed.
I get that developers are lazy and can be expected to shy away from security features that get in the way, but come on, Prepared Statements have been around for a very long time, and in a lot of ways, they make your life easier (prettier code, streamed-blob-handling, no escaping, datatype checks):
They should be your /default/ coding practice, not what you reluctantly pick up after a breach or an audit!
Why is SQL injection still a thing? Hell, why is SQL still a thing? I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen. Why the hell aren't people using proper language bindings instead of trying to pass control and data interleaved into a single text stream?
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Why is SQL injection still a thing?
Apparently it has something to do with outsourcing coding to the cheapest bidder. Can't comment on the rest.
Senate Majority leader objected, if I recall, to the information being made public so close to election day.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I know. I mean for chrissake already, it's been fourteen years since SQL injection was identified as a serious security hole.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
All votes are on paper. All counts are scrutineered at the polling booth, a quick and painless process. (Real scrutineering where the votes are seen, not some bullshit where scrutineers look through a window.) And then the subtotals are independently tallied by the parties.
Would be annoying if the main Electoral Computers were compromised, but no big deal. It would be obvious when the subtotals did not tally, and a recount would quickly rectify it.
So, what is so different in the USA?
Bullshit, how would you involve the Russian hackers? How would you fake the evidence for the CIA and FBI both to confirm it?
http://www.aol.com/article/2016/12/16/fbi-backs-cia-assessment-of-russia-2016-election-hack/21629706/
The hacked election registration websites have been confirmed.
The hacked DNC emails were released DURING the election, you claim "sat on information" yet no such sitting occurred.
CIA says they hacked the RNC emails too. They just haven't released them, and haven't sexed them up.
That means that Putin has both chosen the USA President, AND has the secrets of the elected lot for future leverage.
Can I remind you that Hillary got millions more votes than Trump. And Trump has not sold off his foreign businesses, despite promising to do so by Thursday, a deadline passed already. He still has offshore accounts, he still received foreign income.
You want to put him, with fewer votes, into the White House, using the rules, yet he is in violation of those rules. You are helping turn the USA into a Russian puppet state.
It's strange how many ACs there are out there telling us how Russia is our friend.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Give them a break - no one realized that Senator ;); -- Drop Table Votes; was running for reelection.
Don't blame me, I voted for Kodos
"The hack used an SQL injection flaw. . ."
Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
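The contrast argued over in the comments above (prepared statements versus "sanitizing"), as an added example that is not from the thread or from the EAC system. It uses Python's sqlite3 with a constructed accounts table; the table, function names and sample inputs are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, not taken from the incident.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO accounts (id, username, role) VALUES (?, ?, ?)",
                   [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")])
    return db

def lookup_concat(db, username):
    # Vulnerable: the input is spliced into the SQL text, so the parser
    # cannot tell which characters are data and which are syntax.
    sql = "SELECT username FROM accounts WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, username):
    # Prepared statement: the SQL text is fixed and the value is bound
    # separately, so it is only ever compared as a string.
    sql = "SELECT username FROM accounts WHERE username = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (username,))]

def strip_quotes(value):
    # Naive "sanitizing": a blacklist that removes quote characters.
    return value.replace("'", "").replace('"', "")

def by_id_sanitized(db, raw_id):
    # Still vulnerable: in a numeric context no quote is needed to
    # change the meaning of the query, so the blacklist never fires.
    sql = "SELECT username FROM accounts WHERE id = " + strip_quotes(raw_id) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def by_id_bound(db, raw_id):
    # Bound value: the whole input is one operand of the comparison.
    sql = "SELECT username FROM accounts WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (raw_id,))]

if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"   # constructed input containing SQL syntax
    numeric = "0 OR 1=1"      # constructed input with no quotes at all
    print("concat    :", lookup_concat(db, quoted))
    print("bound     :", lookup_bound(db, quoted))
    print("sanitized :", by_id_sanitized(db, numeric))
    print("bound id  :", by_id_bound(db, numeric))
```

The quote blacklist stops nothing in the numeric lookup, while the bound versions return no rows for either input because the value never reaches the SQL parser as text.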