Dark Reading is part of the Informa Tech Division of Informa PLC



Florida Election Servers Hacked Again

After state officials boasted about security improvements following a breach, a hacker once again breached the same voter record systems.

For the second time in a week, a hacker has broken into systems connected with voting in Florida, stolen data, and released it to the public.

The most recent breach occurred after Florida election officials had touted the security of their systems. "Glad you cleaned things up, pretty secure now guys," said the hacker responsible for the attack--who goes by the name "Abhaxas"--in a post to Pastebin uploaded on Thursday. That post also contained data obtained during the second hack.

Via Twitter, Abhaxas said that hacking into the servers--using holes that are well known and would be easy to close--took him about 10 minutes. Furthermore, he said he had access to all 310 databases on the server, though he only publicly released information from two of them.

Florida officials said that the data stolen during the first breach was from an election office system in Liberty County. After that breach, Tim Durham, the chief department supervisor of elections for Collier County, downplayed the potential impact on election results, saying that every vote generates a paper trail. "Paper ballots are reviewed and compared with totals that are given per the voting machine and that's done at an open public meeting," he said, according to Storify. Likewise, another election official said that all vote tabulation was handled by a separate system, not breached during the attacks, that wasn't connected to any other systems.

Altering or tampering with election records is a third-degree felony in Florida. But the breach poses a pertinent question: Are electronic voting records so secure that an interested third party--perhaps even a foreign government--couldn't tamper with the results? The 2004 presidential election, of course, ultimately hinged on less than 400,000 votes cast in Florida.

Abhaxas made that point in the document that included information from the breached servers. "Who still believes voting isn't rigged? If the United States Government can't even keep their ballot systems secure, why trust them at all? Fail!" Furthermore, it sounds as if attackers wouldn't have to breach too many systems to create an impact. According to a Twitter post from Abhaxas, "after some research, I've found out 1 company manages all but 6 [counties'] voting sites--hosted on the same server."

The public dump of Florida voting system information is the latest in a recent string of so-called "hacktivist" efforts, which wield hacking as a means to a political end. Recently, for example, hacktivist group Anonymous has been launching distributed denial of service attacks against Turkish government agencies' websites, in protest against the country's plans to begin filtering the country's Internet access on August 22. (People in Turkey have also taken to the streets in protest.)

Likewise, as part of its 50-day hacking spree, LulzSec released a trove of sensitive information from the Arizona Department of Public Safety, in protest against the country's immigration policies. Less than one month later, that department was again hacked by the LulzSec and Anonymous spin-off known as AntiSec.
