11 Year Old At DefCon "Hacking Conv." Changed Florida Election Results In A Replica Web. 10 Mins

That kid's dad knows his son has seen his entire computer history...
 
Those crazy hackers cannot leave them alone. :)



Hacking the elevator.

 
Barron Trump needs to be the guy in charge of defending voting machines from hackers. I'm guessing a proper firewall would've stopped all of this. Anyway it is probably possible to hack into paper ballots as well so I don't see the problem.
There are web application firewalls and network firewalls, but a firewall isn't really the issue here. If it's SQL injections that are the problem, the thing needed is input sanitization to ensure that SQL statements and queries can't be entered into normal input fields. Take, for example, the fields where you enter your username and password. If not properly coded, you can run SQL commands into these fields, allowing you to see or alter databases that you shouldn't have access to. The problem is with the code itself from the manufacturer, so their developers need to go back through and change the code. Proper security configurations during the Software Development Life Cycle and periodic penetration tests of the system to look for vulnerabilities would have reduced the chances of these vulnerabilities making it to software currently in production.
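The login-field problem described in the post above, as an added example that is not part of the original thread and not code from any voting system: the same check written with string concatenation and with a parameterized query. The table, account and `CRAFTED` input are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data. Real systems store password hashes, not
    # plaintext; plaintext keeps the query logic easy to follow here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('clerk', 'constructed-password')")
    return db

def login_concatenated(db, name, password):
    # Weak form: the input is pasted into the SQL text, so quote characters
    # in a field change the structure of the statement itself.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return db.execute(query).fetchone() is not None

def login_parameterized(db, name, password):
    # Corrected form: placeholders pass the values separately from the SQL
    # text, so they are only ever compared as data, never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

# Constructed field value that contains SQL syntax instead of a password.
CRAFTED = "' OR '1'='1"

def compare():
    db = make_db()
    return {
        "concatenated, correct password":
            login_concatenated(db, "clerk", "constructed-password"),
        "concatenated, crafted field":
            login_concatenated(db, "clerk", CRAFTED),
        "parameterized, correct password":
            login_parameterized(db, "clerk", "constructed-password"),
        "parameterized, crafted field":
            login_parameterized(db, "clerk", CRAFTED),
    }

if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the concatenated version accepts the crafted field; the parameterized version rejects it while still accepting the real password.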
 
I think the counter position presented (either by the machine manufacturers or the Florida election board, I don't remember which) is that this didn't mirror the actual scenario in real life. There was something about the kids having unfettered physical access to the machines which is not how it works in reality. I don't know how much of a difference that makes but they assert that it does matter.

That said, I think this is still a significant issue and I'd like to know that more is being done to protect this element of our democracy.

The infrastructure would play a large role in preventing access to the physical machine, for sure. Even putting these people on the same network as the target machine is removing a lot of barriers.

It would be easy enough to set up a system where you can verify the results and know if they had been tampered with after the fact (assuming the person doing the tampering doesn't have access to a computer with the power equivalent to a theoretical quantum computer). Recovering the original results would be another issue, but probably the best way would be to use some kind of redundancy. I.e. storing the results on separate physical machines on separate physical networks, and storing the signature for the results on a machine that isn't actually connected to any network, except to transfer the signature information. Also, not storing the entirety of the results in one place, but spreading it out to ensure that even if one bucket is compromised the others remain untouched.

Part of me wants to believe they probably already have systems like this in place - redundancy is standard disaster recovery infrastructure and keeping secret things "secret" should kind of go without saying. But it's also the government - and not just one government but 50 of them. Someone is going to drop the ball and make all of the passwords their birthday. If they had a military budget and were putting people on the moon, I'd have more faith. But they don't and they're making voting systems. I have a feeling the same level of scrutiny just isn't there.



Honestly I'm leaning more towards that we should keep on with paper ballots. Sure, there's room for human error. But faking 1,000,000 million votes on paper is going to be a hell of a lot more conspicuous than changing 1,000,000 votes in a database.
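A sketch of the verify-and-recover idea from the post above, as an added example that is not part of the original thread: results are copied to several sites, and an integrity tag computed with a key that stays on an offline machine shows which copies were altered and which can be used for recovery. It uses HMAC-SHA256 from the Python standard library as a stand-in for the signature the post mentions; the key, site names and tallies are constructed.

```python
import copy
import hashlib
import hmac
import json

def tag(key, results):
    # Canonical JSON (sorted keys, fixed separators) so that equal results
    # always serialize to the same bytes before tagging.
    canonical = json.dumps(results, sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def audit(key, stored_tag, replicas):
    """Return (names of altered replicas, a verified copy or None)."""
    altered, verified = [], None
    for site, results in replicas.items():
        # Constant-time comparison of the recomputed tag and the stored one.
        if hmac.compare_digest(tag(key, results), stored_tag):
            verified = results
        else:
            altered.append(site)
    return sorted(altered), verified

def demo():
    key = b"constructed-key-kept-on-offline-machine"
    original = {"precinct-1": {"A": 412, "B": 388},
                "precinct-2": {"A": 150, "B": 203}}
    stored_tag = tag(key, original)          # computed once, stored offline
    # Three independent copies on separate (hypothetical) sites.
    replicas = {site: copy.deepcopy(original)
                for site in ("site-a", "site-b", "site-c")}
    replicas["site-b"]["precinct-1"]["A"] = 999   # simulated alteration
    return audit(key, stored_tag, replicas), original

if __name__ == "__main__":
    (altered, verified), original = demo()
    print("altered replicas:", altered)
    print("recovered results match original:", verified == original)
```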
 
There are web application firewalls and network firewalls, but a firewall isn't really the issue here. If it's SQL injections that are the problem, the thing needed is input sanitization to ensure that SQL statements and queries can't be entered into normal input fields. Take, for example, the fields where you enter your username and password. If not properly coded, you can run SQL commands into these fields, allowing you to see or alter databases that you shouldn't have access to. The problem is with the code itself from the manufacturer, so their developers need to go back through and change the code. Proper security configurations during the Software Development Life Cycle and periodic penetration tests of the system to look for vulnerabilities would have reduced the chances of these vulnerabilities making it to software currently in production.
<{dayum}>
 
There are web application firewalls and network firewalls, but a firewall isn't really the issue here. If it's SQL injections that are the problem, the thing needed is input sanitization to ensure that SQL statements and queries can't be entered into normal input fields. Take, for example, the fields where you enter your username and password. If not properly coded, you can run SQL commands into these fields, allowing you to see or alter databases that you shouldn't have access to. The problem is with the code itself from the manufacturer, so their developers need to go back through and change the code. Proper security configurations during the Software Development Life Cycle and periodic penetration tests of the system to look for vulnerabilities would have reduced the chances of these vulnerabilities making it to software currently in production.

I wish the article stated, at all, how he did it.
 
I wish the article stated, at all, how he did it.
Post 2 by @PEB has a Twitter post where you can see SQL mentioned a few times, although the text is cut in some places. Based on that, I'm thinking that the majority of the vulnerabilities were SQLi, although if those were there, I can all but guarantee that some other vulnerabilities were present as well.
 
I don't know how many people would know what DefCon is so the parentheses is to point out that it was a hacking convention. Just putting DefCon some may not know what it was supposed to be.

Fair, sorry, I forget sometimes that normal people don't necessarily care about this kind of stuff :) My dream is to get my bosses to send me there at some point, but the lectures (esp for Black Hat) are insanely expensive. We're talking workshops that run in the $4-5k range...
 
Ugh, if this kid was really using SQL injection then whoever coded that website needs to be fired into space from a rail gun. SQL injection was old hat 15 years ago and pretty much every framework and language around has some kind of support for validating forms. This is more of a case of ultra shitty coding than the kid being a genius.

Most likely they gave the contract to some Indian chop shop instead of qualified, experienced professionals then wonder why the shit is full of holes. It amazes me in the modern world how people take the standards of things like buildings and ships so seriously but treat the quality of software as an afterthought.
 
It's a mock website that doesn't utilize any of the actual systems or system types of voting machines etc... it's a pretty much a "kid beats kid security test".
 
Post 2 by @PEB has a Twitter post where you can see SQL mentioned a few times, although the text is cut in some places. Based on that, I'm thinking that the majority of the vulnerabilities were SQLi, although if those were there, I can all but guarantee that some other vulnerabilities were present as well.

Thanks for calling that out, I missed it. God that's disheartening.
 
Is breaking into an imitation website exactly like breaking into the real thing???
 
Is breaking into an imitation website exactly like breaking into the real thing???
They likely reproduce the website down to the SQL tables. They likely don't want to freak out people.

A lot of these hackers are good people and likely got work from Florida to improve their security. They cannot claim they are hacking Florida election system because that would be breaking the law.
 
@sub_thug what's your craft?
It’s going to sound super weird, but I’m Army SF. I moonlight as a cybersecurity engineer (mostly as a pen tester but a few A&A engagements) for a few reasons: army pay sucks, it’s a great field that loved the fact that I have active security clearances and pen tests normally happen off normal business hours, it’s a good field to get some experience in so I can easily transition when I retire, and because it’s just plain cool :) You?
 
Time to go back to paper ballots.

Dems...it's time to go back to stuffing ballots.

I'm sure most 13 year old computer hackers are Republicans.
 
This story is setting up some bs.
 
You all really believe that voting is necessary, sacred, or not fixed? Pffftt...

Jump back into reality. It doesn't matter who is in there, the Federal Reserve still controls the pursestrings while you rubes get locked into never ending debates about "transsexual rights" and all that other bullshit.

They've pulled the wool over your eyes.

Trump would have lost. We still have mostly legit votes.
 