From the Sun-Times:

Hack cracked
Board of Elections Web site leaves Social Security numbers vulnerable


October 24, 2006
BY ART GOLAB Staff Reporter
For at least the last six years, a loophole in the Chicago Board of
Elections Web site has exposed the Social Security numbers and birth
dates of more than 1 million registered voters to anyone with a
computer, a Web connection and rudimentary programming knowledge.

Until Saturday, this data -- all that is necessary for an identity
thief to apply for a credit card, mortgage or even acquire an arrest
record in someone else's name -- has been available through a Web site
intended to tell voters their registration status.

The glitch was pointed out to the Sun-Times by Peter Zelchenko, a
43rd Ward aldermanic candidate and computer expert, who also informed
the board of the problem Friday.

The board immediately closed the loophole, and board chairman Langdon
Neal ordered his staff Monday to hire an outside forensic computer
consultant to "look at the security of the system and also look at
computer logs to determine if there has been any hacking or wholesale
downloading," according to board spokesman Tom Leach.

Considering changes
"Chairman Neal is very, very concerned about this and wants immediate
action taken. Obviously, the board regrets that this possibility even
existed."

Leach said the board could not determine immediately whether the
system had been compromised but added that the board will notify the
Cook County state's attorney of the problem. It is also looking into
removing all Social Security numbers from its voter registration
database.

In fact, for the last three years, a complete Social Security number
is no longer necessary to register. So only about 1 million of the 2.3
million active and inactive voter records in the system have Social
Security numbers, according to Leach.

On the Web, until about six years ago, voters could search for their
registration status using their name, Social Security number or
birthday. "The new program blocked out the social numbers and the date
of birth, which are still in our central files, but they apparently
didn't completely close the door on the Internet," Leach said.

Database updated daily
Hacking the Board of Elections site was as simple as typing a single
quote character in the "Last Name" box on chicagoelections.com.

Well-known to hackers as an "escape character," the single quote
symbol brought up a line of computer code that could guide a
knowledgeable person to all the information in the city voter
registration database, including Social Security numbers, birthdays
and home addresses.

Zelchenko, who is 44 but got his first job working in computers at age
14, demonstrated the flaw by taking about 30 seconds to bring up a
Sun-Times reporter's Social Security number. Zelchenko also obtained
the Social Security numbers of the three members of the Chicago Board
of Elections, which the Sun-Times was able to confirm were accurate.

"Any bright high school student could figure it out," said Mandeep
Khera, vice president of Cenzic, a Santa Clara, Calif., computer
security firm. He said such bugs are fairly common, but the potential
exposure of so many Social Security numbers is unusual.

Khera said the technique, called SQL injection scripting, can be used
to retrieve hidden database information, but also can be used to alter
school grades or to change the prices of items on online commerce Web
sites.

Using the method, Zelchenko demonstrated, it was possible to change
the Chicago Board of Elections online database. However, changes would
last only for a short period, since the Web database appears to be
updated every 24 hours.
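The quote-in-the-"Last Name"-box failure described above, and the parameterized lookup that prevents both the data disclosure and the record alteration the article goes on to describe, as an added example that is not from the article or from the Board's site. It uses a constructed in-memory SQLite table; the column names, precinct values and sample rows are assumptions standing in for the real registration schema.

```python
import sqlite3

# Constructed stand-in for the registration lookup's table: the column names,
# the precinct values and the rows are assumptions, not the Board's schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (last_name TEXT, first_name TEXT, "
               "precinct TEXT, ssn TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", [
        ("O'Brien", "Pat", "43-12", "000-00-0001"),      # constructed sample rows
        ("Zelchenko", "Peter", "43-07", "000-00-0002"),  # placeholder SSNs
    ])
    return db

def lookup_vulnerable(db, last_name):
    """The article's failure mode: the form value is pasted into the SQL text,
    so a single quote ends the string literal and whatever follows is parsed
    as SQL. A legitimate name like O'Brien breaks it just as a probe does."""
    sql = ("SELECT first_name, last_name, precinct FROM voters "
           "WHERE last_name = '" + last_name + "'")
    return db.execute(sql).fetchall()

def lookup_safe(db, last_name):
    """The fix: the value is bound as a parameter, so it can only ever be data,
    and the query names only the columns a status lookup needs (never ssn)."""
    sql = "SELECT first_name, last_name, precinct FROM voters WHERE last_name = ?"
    return db.execute(sql, (last_name,)).fetchall()

def classify(lookup, db, last_name):
    """Run one lookup and report ('rows', n) or ('error', message). The message
    is the 'line of computer code' an unhandled exception shows the visitor;
    a hardened site logs it server-side and returns a generic error page."""
    try:
        return ("rows", len(lookup(db, last_name)))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = build_db()
    for name in ("Zelchenko", "O'Brien", "'"):
        print(repr(name), "concatenated:", classify(lookup_vulnerable, db, name))
        print(repr(name), "parameterized:", classify(lookup_safe, db, name))
```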

But a malicious hacker could still cause a lot of trouble. Though it
wouldn't change the actual polling places, it "could cause a lot of
confusion" by misdirecting people who go to the elections Web site to
find out where they vote, Zelchenko said.

First noticed 3 years ago
Zelchenko said it would be short work to write a script, or small
program, that could automatically download the entire database.

Leach said such a mass download would be difficult because the Web
site has a timer on it that would cut off a query that takes a long
time.

Zelchenko first noticed the glitch three years ago, and saw that it
could be exploited to bring up name and address information for more
than one voter at a time.

Last week, he discovered that Social Security numbers were at risk.
Friday, Zelchenko told the Sun-Times and contacted the board.

Leach said the first the board heard of the problem was late last week.