RE: Lieberman Campaign Says Web Site Hacked

["Richard M. Smith" <rms () bsf-llc com>]

SQL Injection to a MySQL database?  Hmm, was any donor information stolen?

I wrote about security issues at political Web sites back in 2004:

http://www.computerbytesman.com/security/bush-v-kerry.htm

Richard 

-----Original Message-----
From: Dude VanWinkle [mailto:dudevanwinkle () gmail com] 
Sent: Tuesday, August 08, 2006 5:10 PM
To: Drsolly
Cc: Richard M. Smith; funsec () linuxbox org
Subject: Re: [funsec] Lieberman Campaign Says Web Site Hacked

On 8/8/06, Drsolly <drsollyp () drsolly com> wrote:
> > "Voters cannot go to our Web site. They cannot access information,"
Smith
> > said. "It is a deliberate attempt to disenfranchise voters.
>
> I feel *so* disenfranchised.


this link was over on FD:

http://www.dailykos.com/story/2006/8/8/144119/5628


Quick Update/Summary: The site is setup on a single vulnerable server,
with, apparently, no backup plan. At best, completely incompetent. At
worst, downright Rovian. But since another site is running fine, on
the same server, it's downright bizarre that they couldn't fix Joe's
site in the last 18+ hours - it's obviously not a bandwidth (DoS or
limitation) issue. It appears the party line is that the site was
affected by a "SQL Injection" attack. Whether this was done via the
open and non-firewalled MySQL port on the single linux server, or via
poor form validation, we'll never know (if it was done at all).
Regardless, there is no reason the database can't be cleaned up,
restored or otherwise fixed, in 18 hours, as Matt Stoller points out.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.