Please read the following announcement about thanks posts and their replacement; the like / thanks button.
Welcome to nsane.forums
- Access special members only forums
- Start new topics and reply to others
- Subscribe to topics and forums to get automatic updates
Hackers Elect Futurama's Bender to the Washington DC School Board
Posted 02 March 2012 - 02:39 PM
Bender as featured in 'Futurama: Bender’s Big Score.
Electronic voting has earned a pretty bad reputation for being insecure and completely unreliable. Well, get ready to add another entry to e-voting's list of woes.
One Bender Bending Rodríguez was elected to the 2010 school board in Washington DC. A team of hackers from the University of Michigan got Bender elected as a write-in candidate who stole every vote from the real candidates. Bender, of course, is a cartoon character from the TV series Futurama.
This was not some nefarious attack from a group of rouge hackers: The DC school board actually dared hackers to crack its new Web-based absentee voting system four days ahead of the real election. University of Michigan professor Alexander Halderman, along with two graduate students, did the deed within a few hours.
After looking over the e-voting system's Ruby on Rails software framework, Halderman’s team discovered that they could use a shell injection vulnerability to get into the system. This allowed them to retrieve the “public key," which is used to encrypt the ballots. With the public key in hand, the hackers were able to change every ballot already in the system and replace any subsequent real ballots with fakes.
While the hackers were mucking about the system’s server, they discovered other files that were not ballot-related in the /tmp/ directory. Among them was a 937-page PDF containing instructions to individual voters as well as authentication codes for every voter. If someone with malicious intent got their hands on these codes, they could use them to cast ballots as a real voter.
The researchers also managed to hack into the network, allowing them to gain access to other systems within the building. The team was able to get into the surveillance system, which gave them access to the security cameras. This allowed them to time their attacks so that the technicians would not notice the additional server activity.
When the team tried to get into the terminal server, they noticed there was an attack coming from Iran; they traced the IP address to the Persian Gulf University. The team realized the Iranians were getting in with one of the default admin logins (user: admin, password: admin). To stop the outside attacks the team blocked the offending IP address with iptables (a piece of software for server admins) and replaced the admin password with something more challenging. The team also blocked similar attacks launched from New Jersey, India, and China.
For the team’s pièce de résistance, the researchers replaced the “Thank you for voting" note with “Owned,” and programed the site to start playing the University Of Michigan's Fight Song “Hail To The Victors!” 15 seconds later. Despite all this, the system administrators did not notice anything strange until two days later.
Halderman’s closing statements on e-voting are that a single flaw in the configuration of the system could be fatal, and secure Internet -based voting won’t be ready until there are significant fundamental advances in computer security. Be sure to check out the full paper on Attacking the Washington, D.C. Internet Voting System.
View: Original Article
Posted 03 March 2012 - 04:06 AM
They did a good thing and they owned the admins...
BTW - who would be stupid enough not to change the default admin passwd ??
Posted 03 March 2012 - 04:54 AM
Posted 03 March 2012 - 07:41 AM
Posted 03 March 2012 - 01:59 PM
It's really not impossible to make a server which cannot be breached. It just takes time, effort and there's a trade-off on usability.
It makes me wonder if they still can't make an e-voting system that's secure, then what about online banking? Are they actually secure?..