SQL Injection Vulnerability and the U.S. Election Agency

Amidst growing doubts of Russian involvement in the recent US presidential elections, there are fresh reports about a possible election agency breach. According to an article published in Reuters, a security firm (Recorded Future) was monitoring underground markets for a potential data dump and they found information on log-on credentials for access to computers at the U.S. Election Assistance Commission. It is notable that the agency was responsible to ensure that the voting machines meet security standards.

The researchers from the security firm contacted hackers posing as buyers and learned that the Russian-speaking hacker (also referred to as Rasputin) had obtained a credential for around 100 people working at the election commission. The FBI is currently investigating the matter.

How did the hackers crack the election agency?

According to the researchers, hackers were continuously scanning the assets associated with the US presidential elections looking for any weakness that they can exploit. With a myriad of automated vulnerability-detection tools available to these hackers, it becomes easier to find and crack vulnerabilities.

In the case of the election commission, it has been reported that the hackers used SQL injection, amongst other preventable flaws, to obtain a list of usernames and passwords. Recorded Future has provided a detailed summary of the incident here.

Questions That Need to be answered

The culpability of the Putin government becomes clearer in the post-election phase. Obviously, there are a number of questions that remain unanswered now especially with the growing number of hacking incidents at the top level.

1. When did the hacks occur?

Apart from Wikileaks somehow obtaining the contents of Democratic servers, every other piece of a possible breach in the government’s data has come after the election results came out. There is, however, no information on when the hacks happened, and more importantly, did they actually skew the election results.

2. What was the motive?

Politics, money, or something else? While there are many speculations on what actually happened, there should be investigations on the motive of such data breaches around the election times. Are there any Trump organization business records that might shed light on any debt or obligation that the Trump family might have in Russia and any significant income flows from Russia?

3. Was it preventable?

If the hackers really used SQL Injection, how could have the security folks at the US Election Agency ignored one of the most common vulnerabilities? Did they not run automated security tests and penetration testing to find the flaws? Weren’t their security measures in place to identify Russian hackers? The answers to these questions will not only shed light on what really happened but also how this could be prevented in the future.

Finding and Fixing Flaws before the Breaches Happen

Although we do not know the implications of these data breaches, there is plenty to be pondered upon. If a nation cannot assure unbiased elections, are we really ready to dive into the digital age? That is the exact problem that we are trying to solve.

Indusface, through its Total Application Security solution, aims to manage security risks by finding and fixing flaws before hackers. It helps detect, protect, and monitor such application-layer threats including automated attacks. Offered as a service, it provides full management of the operation using subject matter experts at a fraction of the cost of hiring an in-house team. It includes:

• Latest security notification to protect your applications from known vulnerabilities
• Periodic penetration testing
• Business logic tests on all applications to find sql injection vulnerabilities, zero-day threats, and automated application risks
• Custom WAF rules to block attacks (via virtual patching).
• Look beyond Time To fix value from Virtual Patching.  The real benefit is tracking and dynamically increasing your defense posture based on an attempted attack attempt against an existing vulnerability
• Tracking the malicious behavior of an attacker initially versus simply blocking the attack.
• 24*7 monitoring to gather information such as IP address, User ID if authenticated, GEO location, navigation/user behavior, and machine fingerprint that can help gain intel about the attacker’s methodologies to use that information in creating more aggressive blocking rules from these attackers.