

Small coding mistake led to big Internet voting system failure - sg2342
http://www.fiercegovernmentit.com/story/small-coding-mistake-led-big-internet-voting-system-failure/2012-02-22

======
gvb
1) The coding mistake was typographically small, but _HUGE_ in impact.

2) Reading further, the test included the exposed network, which had _more_
critical flaws: default passwords, no passwords, and terminal server keylogger
feature that they used to capture the switches' admin password.

See "4 Attacking the Network Infrastructure" where they thoroughly penetrated
the internal network. The funniest (in a sad way) part was...

"The first SSH attack we observed came from an IP address located in Iran
(80.191.180.102), belonging to Persian Gulf University. We realized that one
of the default logins to the terminal server (user: admin, password: admin)
would likely be guessed by the attacker in a short period of time, and
therefore decided to protect the device from further compromise that might
interfere with the voting system test. We used iptables to block the offending
IP addresses and changed the admin password to something much more difficult
to guess. We later blocked similar attacks from IP addresses in New Jersey,
India, and China."

