Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Khali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.
The setup, using Cyberbit’s training and simulation platform for cyber ranges, was designed to mimic a typical county election system — with a web application server on a DMZ behind a firewall and a secure file server sitting behind its own firewall — but was created more for a red-team training scenario, says Bash Kazi, a Cyberbit partner who built it. “We used a more sophisticated network and attack scenario that somebody would have to much more training to hack,” he says.
While the election-office simulation challenge proved to be too much of one for most takers at the voting system hacking event, security experts say that these and other Web-based systems, such as states’ election-reporting websites and candidate websites, are the most likely (and easy) targets of attackers for the fall midterms.
Full Article: Election Websites, Back-End Systems Most at Risk of ….