Election hacked, drunken robot elected to school board

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2012/03/01/electronic_voting_hacked_bender/

By Iain Thomson in San Francisco
The Register
1st March 2012

RSA 2012 Security experts have warned that electronic voting systems are 
decades away from being secure, and to prove it a team from the 
University of Michigan successfully got the foul-mouthed, drunken 
Futurama robot Bender elected to head of a school board.

In 2010 the Washington DC election board announced it had set up an 
e-voting system for absentee ballots and was planning to use it in an 
election. However, to test the system, it invited the security community 
and members of the public to try and hack it three weeks before the 
election.

"It was too good an opportunity to pass up," explained Professor Alex 
Halderman from the University of Michigan. "How often do you get the 
chance to hack a government network without the possibility of going to 
jail?"

With the help of two graduate students, Halderman started to examine the 
software. Despite it being a relatively clean Ruby on Rails build, they 
spotted a shell injection vulnerability within a few hours. They figured 
out a way of writing output to the images directory on the compromised 
server, and of encrypting traffic so that the front-end intrusion 
detection system couldn't spot them. The team also managed to guess the 
login details for the terminal server used by the voting system. This 
wasn't exactly difficult, since the user name and password were both 
"admin".

[...]


______________________________________________________________________________
CISSP and CEH training with Expanding Security is the fastest, easiest way
to grock the relevant data you need now.   A free class invite is in every
PainPill.  Sign up for the free weekly PainPill.  It's that easy.
http://www.expandingsecurity.com/PainPill