Skip to content

"The DCCC Hacked: SQL Injection? Come on."

By Jeff Williams, Co-Founder, Chief Technology Officer

July 29, 2016

Hacked

    

Jeff's comments here are a follow-up to his blog post "International hacks, politics and knee-jerk cybersecurity... never a good mix - Russia & the DNC Hack." You may want to read that post too!


Some software is more important than other software. The software in medical devices that keeps people alive? That’s important. The software that controls the economy?  Important. The software that controls airplanes. Again… important. And the software that undergirds our democracy … the software that ensures our elections are fair? That’s pretty important stuff.

We need to hold the purveyors of this important software to a higher standard. We must have assurance that these critical applications are resilient against those who would undermine our democracy. This assurance isn’t necessarily easy to generate. Building rugged software that has strong defenses against both expected and unexpected attacks takes a level of rigor not found in most software organizations.

But we are not even close. Maybe not even really *trying*. When a voter records system is susceptible to SQL injection, we should all be concerned. SQL injection has been well known and well understood for over 20 years. It has headlined the OWASP Top Ten for 14 years. Protecting against SQL injection isn’t even tremendously difficult.

Could these attackers have modified voter records? Maybe even affect whether voters who thought they were registered could actually vote when they show up on Election Day? Or maybe the bad guys sell these records to one of the candidates, so they can target those critical “undecided” voters better. 

I’ve reviewed the code of an electronic voting/election management system for one of the major vendors. I can only say that I expected better. What we found was that these systems have the same types of security mistakes as everything else. Which is to say they had a lot of easily identifiable vulnerabilities.

Let’s raise the bar for software that’s part of “critical infrastructure.” We shouldn’t have to blindly trust that software has basic security protections. Many years ago I proposed a “software facts” label that would let software buyers and users know about the security in an application. I find this highly preferable to a liability regime, and something that wouldn’t put undue burden on software producers. Let’s go Congress, FEC, FTC, NIST, DHS, NSA, and POTUS….

You know that quote from Marc Andreessen, “software is eating the world”?  Well it just might.

~Jeff Williams
CTO & Founder, Contrast Security

Here are a couple of links to articles that pertain to this topic:
Cyberattack Compromises Unknown Number of Voter Records in Illinois
Exclusive: FBI probes hacking of Democratic congressional group - sources
Hacked
Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Previous

With Only a Hammer, Everything Looks Like a Security Vulnerability!
Next

Peiter Zatko's (Mudge) Cyber Independent Testing Lab methods.... just another flash in the pan?