For at least the last six years, a loophole in the Chicago Board of Elections Web site has exposed the Social Security numbers and birth dates of more than 1 million registered voters to anyone with a computer, a Web connection and rudimentary programming knowledge.
Good job!!! And the Chicago Board of Elections is going to fix the problem. But this is not the only thing I want to mention.
Until Saturday, this data -- all that is necessary for an identity thief to apply for a credit card, mortgage or even acquire an arrest record in someone else's name -- has been available through a Web site intended to tell voters their registration status.
The glitch was pointed out to the Sun-Times by Peter Zelchenko, a 43rd Ward aldermanic candidate and computer expert, who also informed the board of the problem Friday.
Zelchenko, who is 44 but got his first job working in computers at age 14, demonstrated the flaw by taking about 30 seconds to bring up a Sun-Times reporter's Social Security number. Zelchenko also obtained the Social Security numbers of the three members of the Chicago Board of Elections, which the Sun-Times was able to confirm were accurate.
"Any bright high school student could figure it out," said Mandeep Khera, vice president of Cenzic, a Santa Clara, Calif., computer security firm. He said such bugs are fairly common, but the potential exposure of so many Social Security numbers is unusual.
Khera said the technique, called SQL injection scripting, can be used to retrieve hidden database information, but also can be used to alter school grades or to change the prices of items on online commerce Web sites.
Using the method, Zelchenko demonstrated, it was possible to change the Chicago Board of Elections online database. However, changes would last only for a short period, since the Web database appears to be updated every 24 hours.
But a malicious hacker could still cause a lot of trouble. Though it wouldn't change the actual polling places, it "could cause a lot of confusion" by misdirecting people who go to the elections Web site to find out where they vote, Zelchenko said.
Zelchenko said it would be short work to write a script, or small program, that could automatically download the entire database.
Leach said such a mass download would be difficult because the Web site has a timer on it that would cut off a query that takes a long time.
Zelchenko first noticed the glitch three years ago, and saw that it could be exploited to bring up name and address information for more than one voter at a time.
Last week, he discovered that Social Security numbers were at risk. Friday, Zelchenko told the Sun-Times and contacted the board.
Leach said the first the board heard of the problem was late last week.
Zelchenko is running for election, as noted in this article, for the 43rd Ward of Chicago. He is running against incumbent Ald. Vi Daley. I just by chance Googled his name and found his website.
His campaign website seems simple compared to what I've seen out there, but this is something I would like to see of all candidates. Especially if they're serious. Even if the website is not seen by those people who they seek to represent, this is surely a way to present yourself to the rest of the world. Especially if you seek a higher office at some point. Of course this is not to say this is what he seeks.
And he has a blog. This seems to be another trend. For the most part I've been seeing a lot of blogs by candidates out there. The man I would have voted for for governor, Bill Brady, had a nice blog; too bad he didn't win the primary. I want to see how he's going to do in this election.