Dec 15 The U.S. agency charged with ensuring
that voting machines meet security standards was itself
penetrated by a hacker after the elections in November,
according to a security firm working with law enforcement on the
The security firm, Recorded Future, was monitoring
underground electronic markets where hackers buy and sell wares
and discovered someone offering logon credentials for access to
computers at the U.S. Election Assistance Commission, company
Posing as a potential buyer, the researchers engaged in a
conversation with the hacker, said Levi Gundert, vice president
of intelligence at the company, and Andrei Barysevich, director
of advanced collection.
Eventually they discovered that the hacker had obtained the
credentials of more than 100 people at the Commission after
exploiting a common database vulnerability, the researchers
The hacker was trying to sell information about the
vulnerability to a Middle Eastern government for several
thousand dollars, but the researchers alerted law enforcement
and said Thursday that the hole had been patched.
Created by the Help America Vote Act of 2002 and led by
presidential appointees, the Election Assistance Commission
certifies voting systems and develops standards for technical
guidelines and best practices for election officials across the
A spokesman for the Commission did not immediately respond
to requests for comment. An FBI spokeswoman said her agency was
unlikely to comment without confirmation from the Commission.
The researchers said that the Russian-speaking hacker had an
unusual business model, in that he scanned for ways to break
into all manner of businesses and other entities and then moved
rapidly to sell that access, rather than stealing the data
"We don't think he actually works for any government or is
super-sophisticated," Barysevich said.
In the case of the election commission, the hacker used
methods including an SQL injection, a well-known and preventable
flaw, obtaining a list of usernames and obfuscated passwords,
which he was then able to crack.
Though much of the Commission's work is public, the hacker
gained access to non-public reports on flaws in voting machines.
In theory, someone could have used knowledge of such flaws
to attack specific machines, said Matt Blaze, an electronic
voting expert and professor at the University of Pennsylvania.
The researchers were confident that the hacker moved to sell
his access soon after getting it, meaning that he was not inside
the system before election day. Further, the U.S. voting process
is decentralized and there were no reports of widespread fraud
(Editing by Jonathan Weber)