CNET's Dan Patterson interviewed Cris Thomas (aka Space Rogue), global strategy lead at IBM X-Force Red, about SQL injection attacks and how database hacks can lead to doubt in the election process. The following is an edited transcript of the interview.
2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Dan Patterson: I think about databases all the time, but databases are maybe not connected to other parts of the external infrastructure or the internet. How would I target and attack a database? How would I get access to that?
Cris Thomas: If the databases are online and are accessible over the internet, that's your first step. You'd go to the website and change what's known as the URL or enter in some other different code to force the database to spit out all the records to you. These are often called SQL injection attacks. It's a very common attack. It's a very easy thing to misconfigure your database to be susceptible to these attacks, so it's important for election officials to make sure they've tested those configurations, that they've examined the websites that are being used to retrieve this data so that if somebody's looking at the website remotely that they don't have that ability to conduct an SQL injection attack to download all their information or make changes to the database.
SEE: Cybersecurity and the 2018 Midterms (TechRepublic Flipboard magazine)
Dan Patterson: When I think about, perhaps not the hardware or the software, I think about the people and cognitive hacking, or the vulnerabilities of human beings. How are election workers, campaign workers, grassroots organizations, how are the humans involved in the electoral process vulnerable?
Cris Thomas: They're human. Humans have vulnerabilities. They're susceptible to propaganda, they're susceptible to influences, I think what we're calling it now, where news stories are reported that indicate that oh my God, our registration database has been hacked. That weighs on people's minds and it causes them to be uncertain, have doubts about the process. Like I said, this is all about trust. Trust in the system and trust in the votes being cast and counted appropriately. By attacking databases, by promoting stories about vulnerabilities in machines, some of this is necessary but some of it also feeds into the fear that people have.
- How Florida is bolstering election security after being targeted by Russian hackers (TechRepublic)
- Ohio taps college cybersecurity experts to audit election systems before 2018 midterms (TechRepublic)
- Hackers, trolls and the fight over your vote in the 2018 midterm elections (CNET)
- Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)
- Did Russia's election hacking break international law? Even the experts aren't sure (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Election security is a mess, and the cleanup won't arrive by the midterms (CNET)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.