Jump to content

Hackers Elect Futurama's Bender to the Washington DC School Board


nsane.forums

Recommended Posts

nsane.forums

University of Michigan researchers hack the Washington DC electronic voting system, and elect Bender, the drunk robot from Futurama, as school board president.

BmxBO.png

Bender as featured in 'Futurama: Bender’s Big Score.

Electronic voting has earned a pretty bad reputation for being insecure and completely unreliable. Well, get ready to add another entry to e-voting's list of woes.

One Bender Bending Rodríguez was elected to the 2010 school board in Washington DC. A team of hackers from the University of Michigan got Bender elected as a write-in candidate who stole every vote from the real candidates. Bender, of course, is a cartoon character from the TV series Futurama.

This was not some nefarious attack from a group of rouge hackers: The DC school board actually dared hackers to crack its new Web-based absentee voting system four days ahead of the real election. University of Michigan professor Alexander Halderman, along with two graduate students, did the deed within a few hours.

After looking over the e-voting system's Ruby on Rails software framework, Halderman’s team discovered that they could use a shell injection vulnerability to get into the system. This allowed them to retrieve the “public key," which is used to encrypt the ballots. With the public key in hand, the hackers were able to change every ballot already in the system and replace any subsequent real ballots with fakes.

While the hackers were mucking about the system’s server, they discovered other files that were not ballot-related in the /tmp/ directory. Among them was a 937-page PDF containing instructions to individual voters as well as authentication codes for every voter. If someone with malicious intent got their hands on these codes, they could use them to cast ballots as a real voter.

The researchers also managed to hack into the network, allowing them to gain access to other systems within the building. The team was able to get into the surveillance system, which gave them access to the security cameras. This allowed them to time their attacks so that the technicians would not notice the additional server activity.

When the team tried to get into the terminal server, they noticed there was an attack coming from Iran; they traced the IP address to the Persian Gulf University. The team realized the Iranians were getting in with one of the default admin logins (user: admin, password: admin). To stop the outside attacks the team blocked the offending IP address with iptables (a piece of software for server admins) and replaced the admin password with something more challenging. The team also blocked similar attacks launched from New Jersey, India, and China.

For the team’s pièce de résistance, the researchers replaced the “Thank you for voting" note with “Owned,” and programed the site to start playing the University Of Michigan's Fight Song “

” 15 seconds later. Despite all this, the system administrators did not notice anything strange until two days later.

Halderman’s closing statements on e-voting are that a single flaw in the configuration of the system could be fatal, and secure Internet -based voting won’t be ready until there are significant fundamental advances in computer security. Be sure to check out the full paper on Attacking the Washington, D.C. Internet Voting System.

view.gif View: Original Article

Link to comment
Share on other sites


  • Replies 5
  • Views 1.3k
  • Created
  • Last Reply

Heh.... e-vote... my @ss.

They did a good thing and they owned the admins...

BTW - who would be stupid enough not to change the default admin passwd ??

Link to comment
Share on other sites


RadioActive

It makes me wonder if they still can't make an e-voting system that's secure, then what about online banking? Are they actually secure?..

Link to comment
Share on other sites


lol ...

bite my shiny metal a@@ !

Link to comment
Share on other sites


It makes me wonder if they still can't make an e-voting system that's secure, then what about online banking? Are they actually secure?..

It's really not impossible to make a server which cannot be breached. It just takes time, effort and there's a trade-off on usability.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...