Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


October 14, 2010

Pen-and-Paper SQL Injection Attack Against Swedish Election

Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time.

Three news links, in Swedish.

Posted on October 14, 2010 at 6:35 AM | 27 Comments


Comments

OMG that is a total Election WIN! Someone needs to get this out to FailBlog pronto.

Posted by: Mike B at October 14, 2010 6:51 AM


It's hilarious, but I'm not seeing the 'fail' here - nothing bad happened, and if you're going to allow write-in votes you can't really have poll workers dropping them on the grounds that they think they're silly.

Posted by: ewan at October 14, 2010 7:16 AM


At least the Data Entry person was smart enough to filter their input, haha.

Posted by: Dennis Suitters at October 14, 2010 7:26 AM


Babel Fish doesn't cover Swedish :(

Posted by: Phillip at October 14, 2010 7:41 AM


@Phillip:
Babel Fish doesn't cover Swedish :(
---

translate.google.com does quite a good job.

Posted by: Hum Ho at October 14, 2010 7:47 AM


@Ewan

It is not up to a single poll worker to decide which votes are valid, even if they are silly!

Posted by: M.V. at October 14, 2010 7:50 AM


How long before we see elections where there's a list of reserved words for the candidate- and party-namespaces?

Posted by: Tanuki at October 14, 2010 9:16 AM


Were it a successful attack, the most interesting thing to watch would be whether news sites would become secondary victims if they published the attack without properly escaping the article text.

Posted by: brianary at October 14, 2010 9:33 AM


@MikeB: FailBlog or ItMadeMyDay.com?

Posted by: Harry at October 14, 2010 9:57 AM


I think the hackers and/or the vote-typist made an essential fault here by which the attack did not work. That does not mean it would never work at all:
Supposing that the program these data-files are fed into is just a simple csv-file-upload directly converted into some kind of sql-statement, your injection needs to start with the usually trailing " (or whatever sign the database uses to mark the end of a field-value) followed by a ; (or whatever the database uses to mark the end of a command) before you could start injecting your code. At least the " must have got lost somewhere in the process, thereby transforming the sql-statement into a regular field-value.

How the java and links should have worked, I can't see, but then I don't know how the election system over there works ...

Posted by: André at October 14, 2010 10:05 AM


Hack Denna Kalle Anka (Hack This Donald Duck)

Posted by: Kalle Anka at October 14, 2010 10:08 AM


http://www.translation-guide.com/...

Swedish translator online.

Posted by: Do Not Duck at October 14, 2010 10:13 AM


@André: I believe the javascript and links were there on the (I believe correct) assumption that vote tallies would be available online. If improperly escaped, they could potentially compromise systems that browsed election results.

What would you even call that? Cross-media scripting?

Posted by: lazlo at October 14, 2010 10:32 AM
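
The two failure modes raised in the comments above (a write-in spliced into an SQL statement, and a stored name rendered unescaped on a results page), as an added example that is not part of the original thread or of any election system's code. The `valj` table, the in-memory sqlite3 database and the sample ballots are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample write-ins: the party name quoted in this thread, a name
# containing an apostrophe, and the markup string from a later comment.
BALLOTS = ["pwn DROP TABLE VALJ", "Kalle Anka's Party", "<script src=foo>"]

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE valj (party TEXT NOT NULL)")  # hypothetical schema
    return db

def record_unsafe(db, party):
    # Anti-pattern: the write-in text becomes part of the SQL statement itself.
    db.execute("INSERT INTO valj (party) VALUES ('" + party + "')")

def record_safe(db, party):
    # Bound parameter: the driver passes the text as a value, never as SQL.
    db.execute("INSERT INTO valj (party) VALUES (?)", (party,))

def tally(db):
    return db.execute(
        "SELECT party, COUNT(*) FROM valj GROUP BY party ORDER BY party"
    ).fetchall()

def render_tally(rows):
    # Escape on output so a stored name cannot become markup in a results page.
    return "\n".join(
        f"<tr><td>{html.escape(party)}</td><td>{count}</td></tr>"
        for party, count in rows
    )

def demo():
    unsafe_db, safe_db = new_db(), new_db()
    parsed_as_sql = []  # ballots whose text altered how the statement parsed
    for ballot in BALLOTS:
        try:
            record_unsafe(unsafe_db, ballot)
        except sqlite3.Error:
            parsed_as_sql.append(ballot)
        record_safe(safe_db, ballot)
    rows = tally(safe_db)
    return parsed_as_sql, rows, render_tally(rows)

if __name__ == "__main__":
    broken, rows, page = demo()
    print("changed statement parsing when concatenated:", broken)
    print(page)
```

The ballot text from the thread contains no quote character, so even the concatenating version stores it as an ordinary value; the apostrophe in the constructed name is what shows data being parsed as SQL.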


We've crossed the paper/computer boundary, all we need is the computer/brain boundary and we can have Snowcrash!

Posted by: RH at October 14, 2010 10:57 AM


Knowing Swedish people I think next election this will happen even more frequently:-P

Dagens Nyheter, 2014:
"Vinnaren i valet:

(Dagens Nyheter is a Swedish daily paper)

Posted by: Hum Ho at October 14, 2010 11:21 AM


@lazlo: They are just available in excel and tsv formats.

Posted by: olof at October 14, 2010 11:32 AM


...I think THIS xkcd represents what happens on this forum and others quite often...

http://xkcd.com/386/

Posted by: ab at October 14, 2010 11:36 AM


Now *THAT*'s voting Pirate Party!

Posted by: Neil in Chicago at October 14, 2010 12:12 PM


Perhaps it's paranoid of me, but just because we can see the attacks that failed doesn't mean we can conclude that all the attacks failed!

(cf why you can't prove security through pen testing...)

Posted by: GregW at October 14, 2010 2:25 PM


So, can you try to prosecute somebody for this? Can you try to track them down? Votes are anonymous...but trying to commit election fraud is illegal...I can imagine some lawyers arguing for a long time on that.

Posted by: gopi at October 14, 2010 3:01 PM


Looks like they typed in a "(" instead of a "

Electronic voting systems will solve this problem. You will never have to worry about your vote for "" being mis-recorded as a vote for "(script src=foo)".

Posted by: gopi at October 14, 2010 4:49 PM


Whoops, forgot to escape my HTML!

Also, the "preview" button here is broken in its handling of HTML escaping:

After a preview, the "comments" input field contains the *parsed*, *sanitized* output, not my original text.

Thus:
1. Anything between a < and > is dumped.
2. I originally typed &lt; &gt; into the field. After a preview, those have been replaced with < >, so if I post, it posts broken text.

Now, my original comment, hopefully escaped right:

Looks like they typed in a "(" instead of a "<".

Electronic voting systems will solve this problem. You will never have to worry about your vote for "<script src=foo>" being mis-recorded as a vote for "(script src=foo)".

Posted by: gopi at October 14, 2010 4:55 PM


@gopi: not necessarily typed. The text was OCRed -- and may thus have been tuned to find 'normal' text, rather than code.

Posted by: ath at October 15, 2010 1:11 AM


I worked as an election official (at the lowest level) in the 1998 election in Sweden (I'm a Swedish citizen) and I've stood for election at the municipal level in all elections since then. All votes in Swedish elections are made by putting a piece of paper, roughly 4x6 inches in size, into a sealed envelope; these envelopes are then opened and counted by hand at each voting location.
Sometimes counting machines (standardized bill counters) are used to verify the manual count.

Most votes are pre-printed with a party name and a number of candidates. These votes are sorted and placed into different stacks according to party name.
Votes that do not have a pre-printed party name on them are inspected by at least two different election officials; if the hand-written party name on the vote is identical to or sufficiently close to the name of a registered party, the vote is transferred to the stack with the corresponding pre-printed votes. Otherwise these "odd" votes are recorded, manually, onto a special piece of paper.

The resulting vote totals are recorded on paper; the count is then signed and counter-signed by election officials on-site. This official count and all votes are then transported to central counting stations for a second round of counts.

This initial round of counting is usually completed some 6-8 hours after closure of the voting station. (In 2010, there were 5668 voting stations; some 6 028 000 votes were recorded at the national level).

In the second round of counting OCR scanners are used, but only for the pre-printed votes - they are used to capture votes for individuals within the registered parties. To my knowledge, hand-written votes are always dealt with manually, and usually they go through several stages of manual interpretation and recording (both pen-and-paper and keyboard-and-screen recording) before they are committed to a database. So an SQL injection attack using this signalling path is a looong shot.

So I strongly doubt that the hand-written party name
pwn DROP TABLE VALJ
(VALJ means "elect" in Swedish) was meant as a serious attempt at disrupting the Swedish elections.
Despite the fact that The Economist reported it as "an attempt to sabotage the Swedish election" or some such nonsense.

The list of all hand-written votes is at
http://www.val.se/val/val2010/handskrivna/...

Posted by: Jonas Ö at October 15, 2010 6:40 AM


@Jonas Ö:

Interesting. Of course, due to the paper trail, if they realize they've been pwned they can add some more input sanitization and re-scan the ballots...

Posted by: gopi at October 15, 2010 3:07 PM


Amateurs use SQL injection attacks on ballots.

Professionals change their name to SQL injection attacks and run for office.

Posted by: Davi Ottenheimer at October 19, 2010 4:06 PM

