[quoteHack cracked
Board of Elections Web site leaves Social Security numbers vulnerable

October 24, 2006
BY ART GOLAB Staff Reporter
For at least the last six years, a loophole in the Chicago Board of Elections Web site has exposed the Social Security numbers and birth dates of more than 1 million registered voters to anyone with a computer, a Web connection and rudimentary programming knowledge.

Until Saturday, this data -- all that is necessary for an identity thief to apply for a credit card, mortgage or even acquire an arrest record in someone else's name -- has been available through a Web site intended to tell voters their registration status.

The glitch was pointed out to the Sun-Times by Peter Zelchenko, a 43rd Ward aldermanic candidate and computer expert, who also informed the board of the problem Friday.

The board immediately closed the loophole, and board chairman Langdon Neal ordered his staff Monday to hire an outside forensic computer consultant to "look at the security of the system and also look at computer logs to determine if there has been any hacking or wholesale downloading," according to board spokesman Tom Leach.

» Click to enlarge image

Peter Zelchenko hacked into the Chicago Board of Elections Web site.
(Ernie Torres/Sun-Times)
Considering changes
"Chairman Neal is very, very concerned about this and wants immediate action taken. Obviously, the board regrets that this possibility even existed."
Leach said the board could not determine immediately whether the system had been compromised but added that the board will notify the Cook County state's attorney of the problem. It is also looking into removing all Social Security numbers from its voter registration database.

In fact, for the last three years, a complete Social Security number is no longer necessary to register. So only about 1 million of the 2.3 million active and inactive voter records in the system have Social Security numbers, according to Leach.

On the Web, until about six years ago, voters could search for their registration status using their name, Social Security number or birthday. "The new program blocked out the social numbers and the date of birth, which are still in our central files, but they apparently didn't completely close the door on the Internet," Leach said.

Database updated daily
Hacking the Board of Elections site was as simple as typing a single quote character in the "Last Name" box on chic agoelections.com.
Well-known to hackers as an "escape character," the single quote symbol brought up a line of computer code that could guide a knowledgeable person to all the information in the city voter registration database, including Social Security numbers, birthdays and home addresses.

Zelchenko, who is 44 but got his first job working in computers at age 14, demonstrated the flaw by taking about 30 seconds to bring up a Sun-Times reporter's Social Security number. Zelchenko also obtained the Social Security numbers of the three members of the Chicago Board of Elections, which the Sun-Times was able to confirm were accurate.

"Any bright high school student could figure it out," said Mandeep Khera, vice president of Cenzic, a Santa Clara, Calif., computer security firm. He said such bugs are fairly common, but the potential exposure of so many Social Security numbers is unusual.

Khera said the technique, called SQL injection scripting, can be used to retrieve hidden database information, but also can be used to alter school grades or to change the prices of items on online commerce Web sites.

Using the method, Zelchenko demonstrated, it was possible to change the Chicago Board of Elections online database. However, changes would last only for a short period, since the Web database appears to be updated every 24 hours.

But a malicious hacker could still cause a lot of trouble. Though it wouldn't change the actual polling places, it "could cause a lot of confusion" by misdirecting people who go to the elections Web site to find out where they vote, Zelchenko said.

First noticed 3 years ago
Zelchenko said it would be short work to write a script, or small program, that could automatically download the entire database.
Leach said such a mass download would be difficult because the Web site has a timer on it that would cut off a query that takes a long time.

Zelchenko first noticed the glitch three years ago, and saw that it could be exploited to bring up name and address information for more than one voter at a time.

Last week, he discovered that Social Security numbers were at risk. Friday, Zelchenko told the Sun-Times and contacted the board.

Leach said the first the board heard of the problem was late last week.

agolab@suntimes.com


http://www.suntimes.com/news/metro/1083 ... 24.article