SQL INJECTION ATTACK IS TIED TO ELECTION COMMISSION BREACH
December 18, 2016
Seid Yassin (367 articles)
Share

SQL INJECTION ATTACK IS TIED TO ELECTION COMMISSION BREACH

Just as cybersecurity concerns over the U.S. presidential election reach a fevered pitch, the U.S. agency responsible for certifying that voting machines work properly says it may have been hacked.

That’s after independent researchers say they uncovered evidence that hackers have infiltrated the agency in question – the U.S. Election Assistance Commission. On Thursday security firm Recorded Future reported that a hacker offered to sell knowledge of an unpatched SQL injection vulnerability on the Dark Web.

The vulnerability would have given an attacker access to the Election Assistance Commission (EAC) website and backend systems. In addition to knowledge of the vulnerability, the seller also included 100 potentially compromised access credentials for the system, including some with administrative privileges.

Related Posts WordPress Plugins Leave Black Friday Shoppers Vulnerable November 22, 2016 , 9:55 am Cisco Warns of Critical Flaw in Email Security Appliances September 29, 2016 , 12:21 pm Critical MySQL Vulnerability Disclosed September 12, 2016 , 11:00 am “This vulnerability would of given an adversary access to the EAC database, allowed them to plant malware on the site or effectively stage a watering hole attack,” said Levi Gundert, VP of intelligence and strategy at Recorded Future.

EAC is an independent bipartisan commission that develops voting guidelines and provides information on administering elections.

The commission is also responsible for testing and certifying voting equipment and systems to ensure they meet security standards, according to the agency’s website. Gundert said access to EAC’s systems by an attacker would be invaluable for future attacks, helping them glean sensitive information about existing electronic voting systems as well as those coming online.

Source | threatpost