Saturday, July 14, 2018

Why wasn’t a recount demanded of Illinois Nov. 2016 election results? It’s been public knowledge since July 2016 that Illinois Online Voter Registration system was hacked by a common hacking method

Added: There's no special interest in Illinois voter data: "Ken Menzel, the general counsel for the Illinois Secretary of State, told this writer, “What’s new about what happened last year [2016] is not that someone tried to get into our system but that they finally succeeded in getting in.” Menzel said hackers “have been trying constantly to get into it since 2006.”

And it’s not just state voter registration databases that cybercriminals are after, according to Menzel. “Every governmental data base – driver’s licenses, health care, you name it – has people trying to get into it,” he said." July 2, 2017, “Foisting Blame for Cyber-hacking on Russia,” Consortium News, Gareth Porter

July 20, 2016, “McLean County Clerk – Kathy Michael” 

#illinoisstateboardofelections #victimofcyberattack

“This message was sent to all Election Authorities in Illinois:

Not good news....see message received today from Illinois State Board of Elections. Our voting system through SBE has been “down” for several days; now we know why. #hacked

They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected.”

IVRS referenced in this message stands for Illinois Voter Registration System.

Dear Election Authority,

We will begin the process of bringing IVRS and the Paperless Online Voter Application (POVA) system back online tomorrow (Thursday, July 21st). Below is an explanation of why the systems have been unavailable for the past week.

The State Board of Elections (SBE) fell victim to a cyberattack that was detected on July 12, 2016. Specifically, the target was the IVRS database. Once discovered, State Board of Elections closed the point of entry. On July 13th, once the severity of the attack was realized, as a precautionary measure, the entire IVRS system was shut down, including online voter registration.

SBE’s Information Technology and Voting and Registration Systems staff immediately began researching the extent of the infiltration. Thus far, we have determined the following:

· The pathway into IVRS was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application.

· The method used was SQL injection [Structured Query Language]. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.

· We have found no evidence that they added, changed, or deleted any information in the IVRS database. Their efforts to obtain voter signature images and voter history were unsuccessful.

· They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected. (Because of the complex methods used to access the data, this may take 10-15 days.)

· In an effort to prevent an attack such as this from happening in the future, we have made a number of security enhancements to the IVRS and POVA systems.

· Once the system is brought back online, all IVRS user passwords will need to be changed at the first login (or by your vendor for system specific accounts). The new password must be a minimum of eight characters in length, one of which must be a non-alphanumeric character ($, *, # etc.).

Pursuant to the Personal Information Protection Act (815 ILCS 530/), the Illinois General Assembly and the Office of the Attorney General have been notified of the incursion.

Furthermore, once we have determined the number of voter records and the individuals whose information was collected, we are prepared to take the proper steps required to notify those persons.

A separate notification will be sent indicating when you and your staff may access IVRS. Thank you for your patience regarding this matter.

Kyle Thomas

Illinois State Board of Elections Director-Voting and Registration Systems
Office (217) 782-1590


Added: “SQL injection” is an old hacker tool widely used since the late 1990s:

11/25/2013, “How Was SQL Injection Discovered?”, Sean Michael Kerner

“SQL injection has become the scourge of the Internet era. Year after year, it is cited as one of the top security vulnerabilities on the Internet, responsible for countless data breaches.

Jeff Forristal, also known by the alias Rain Forrest Puppy, was one of the first people to ever document SQL injection. Forristal, now the CTO of mobile security vendor Bluebox Security, wrote the first public discussion about it, back in 1998….

Back in December of 1998, Forristal was writing about how to hack a Windows NT server and found something out of the ordinary. At that time in the late 1990s, few websites were using full Microsoft SQL server databases, he said. Instead many used simple Microsoft Access-based databases.”…

Among comments:

“Dorkus  December 7, 2016 at 12:34 pm
All true, however as a footnote, Andrew Plato at Anitian claims to have successfully executed a SQLi attack in 1995 while working at Microsoft. He claims he went to the devs and showed them and they yelled at him to shut up. Which is completely believable considering the time and Microsoft devs.”


5/2/18, “How to Prevent SQL Injection Attacks,” Paul Rubens

“Your company’s website does not have to be the next victim of a SQL injection breach. Here’s how to prevent SQL injection attacks.”

“SQL injection is a hacking technique that was discovered more than fifteen years ago and is still proving to be devastatingly effective today, remaining a top database security priority. It was used [in July 2016] in the run-up to the 2016 U.S. presidential election to compromise the personal data [in the Online Voter Registration System of the State of Illinois] of 200,000 Illinois voters as well as in high-profile attacks against organizations such as Sony Pictures, PBS, Microsoft, Yahoo, Heartland Payment Systems, and even the CIA.

SQL, or Structured Query Language, is the command-and-control language for relational databases such as Microsoft SQL Server, Oracle, and MySQL.”…
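As an added illustration (not code from the State Board of Elections or from the articles quoted here), the class of flaw described above, a public status-lookup page that builds its query from a form field, is shown beside the parameterized form that closes it. The table, column and function names and the sample rows are assumptions constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample rows; the schema is hypothetical, not IVRS or POVA.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applications "
               "(app_id TEXT PRIMARY KEY, name TEXT, status TEXT)")
    db.executemany("INSERT INTO applications VALUES (?, ?, ?)", [
        ("A1001", "Sample Voter One", "PENDING"),
        ("A1002", "Sample Voter Two", "APPROVED"),
        ("A1003", "Sample Voter Three", "REJECTED"),
    ])
    return db

def lookup_concatenated(db, app_id):
    # Weak form: the form field is pasted into the SQL text, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT app_id, name, status FROM applications "
           "WHERE app_id = '" + app_id + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, app_id):
    # Hardened form: the value is bound to a placeholder and is only ever
    # compared with the column as data, whatever characters it contains.
    sql = "SELECT app_id, name, status FROM applications WHERE app_id = ?"
    return db.execute(sql, (app_id,)).fetchall()

def is_plausible_app_id(app_id):
    # Second layer: reject input that cannot be an ID before it reaches the
    # database at all (the assumed ID format is short ASCII alphanumerics).
    return app_id.isascii() and app_id.isalnum() and len(app_id) <= 16

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook tautology input, constructed
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        print(label, "normal:", len(fn(db, "A1002")),
              "crafted:", len(fn(db, crafted)))
    print("crafted passes ID check:", is_plausible_app_id(crafted))
```

The concatenated lookup returns every row for the crafted input, while the parameterized lookup returns none because no application has that literal ID.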

Comment: It barely made news when NASA computers were fully breached 13 times in 2011:

3/2/2012, “NASA says it was hacked 13 times last year [2011],” Reuters

“NASA said hackers broke into its computer systems 13 times last year, stealing employee credentials and gaining access to mission-critical projects in breaches that could compromise U.S. national security.”…
And: Depraved indifference of US government employees on display having been warned in 2009:

11/15/2012, “NASA to encrypt data after its latest laptop loss,” BBC

“The NASA Watch blog, which comments on affairs at the agency, had previously criticised it for a series of other data losses. 

It noted that the organisation had been warned in 2009 that it was not taking enough steps to sufficiently protect information and had reported the loss or theft of 48 of its mobile computing devices between April 2009 and April 2011.”…

Comment: Whatever happened to everyone’s “national security” concerns? There continues to be zero concern for waste/theft of billions of US taxpayer dollars. US agencies unable to secure their data should be closed down. At minimum, they should cease using computers. Business can be conducted as it was before computers existed. Knowing no computer is secure, it’s criminal for government offices/agencies to continue using computers.

