Kristiana
3 min read · Sep 14, 2020

This week, cases of Covid-19 took an upward trend. This comes the same week Tr*mp acknowledged, “that he intentionally played down the deadly nature of the rapidly spreading coronavirus last winter as an attempt to avoid a ‘frenzy’…” according to The Washington Post in an article released last Wednesday. The following day, Microsoft released a report that hackers in Russia, Iran, and China recently targeted both the Democratic and Republican camps. If Tr*mp was attempting to garner votes by admitting his failures at a time his campaign enjoys a downward trend, it is overshadowed by the Microsoft report reminding us that in 2016 the American people were hacked both technologically and psychologically by Russia in order to get him elected — and they may just do it again.

A group Microsoft calls Strontium (aka APT28 aka Fancy Bear), best known for targeting the Democratic campaign during the 2016 presidential election, was identified by Microsoft’s Threat Intelligence Center (MTIC) as being behind attacks spanning from September 2019 to the present day. Their current targets are organizations affiliated with the 2020 presidential Democratic and Republican campaigns, as well as some political organizations in Europe. They are attempting to collect individuals’ login credentials through brute force and password spray.

Source: https://www.dnsstuff.com/sql-injection

In 2016, Strontium targeted state and local election offices and employed malicious SQL injections to gain access to voter information in their databases. So how does it work? Pretty simple — one adds malicious code into an input section on the client-side of a web application, and if the back-end does not have protections in place, the code runs commands to deliver information. In this case, voter information.

Let’s say there was a website for people to discuss politics and a malicious group wanted to obtain information on users who identify with the Green Party. Inside of an input form, they might enter code that looks like this:

The hacker would put this code into a user input field, and the command is executed in the shell, returning the id, name, and password information of a user. Hackers use ‘OR 111’ and/or ‘OR 1=1’ in order to always execute code (as they evaluate to true).
Hackers may also use * to obtain all columns in a users table to view other details, such as a home address. This information could be helpful to view the parish or county in which they vote.

Here is an example of another approach to obtain username and password information on a website’s input fields.

Here is a similar approach where OR “”=” is always true as well.

If there are no measures taken to prevent these codes from running, then the website or application will not differentiate between a text input and malicious code. One way to prevent this?

Specify parameters. When creating your schemas, include the “@” symbol.

Assign each parameter to the desired value. @1 = 1234 Sesame St.
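The attack and the fix described above, side by side, as an added example (not code from the original post). It uses Python's built-in sqlite3 module with a constructed users table; the table, column names, sample rows and function names are assumptions. SQLite's `?` placeholder plays the same role as an `@` parameter in SQL Server.

```python
import sqlite3

def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,"
               " password TEXT, party TEXT)")
    db.executemany(
        "INSERT INTO users (name, password, party) VALUES (?, ?, ?)",
        [("alice", "pw-a", "Green"),   # placeholder strings, not real credentials
         ("bob", "pw-b", "Green"),
         ("carol", "pw-c", "Other")])
    return db

def lookup_vulnerable(db, name):
    # The input is pasted into the SQL text, so a quote character in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name, password FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # The SQL text is fixed; the input is bound to the placeholder and is
    # only ever compared as a value, never parsed as SQL.
    sql = "SELECT id, name, password FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    always_true = "x' OR '1'='1"   # the always-true condition from the text
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        print(label, "normal input ->", fn(db, "alice"))
        print(label, "hostile input ->", fn(db, always_true))
```

With normal input both functions return the single matching row; with the always-true input the concatenated query returns every row in the table, while the parameterized one returns nothing because no user has that literal name.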

With the 2020 presidential election only months away, it is vital our government offices have taken precautions against one of the most widespread forms of attack. You see here how easy it is to obtain user data, as well as protect against it. For more details on how to set parameters visit: https://docs.microsoft.com/en-us/sql/relational-databases/stored-procedures/specify-parameters?view=sql-server-ver15#passing-values-into-parameters

xoxo,
Gossip Girl (basically a whistleblower at this point)
