In August 2016 I discovered serious vulnerabilities affecting elections.kennesaw.edu. The website was misconfigured so that it leaked confidential election data, and the version of its content management system, Drupal, was out of date and vulnerable to a well-known exploit called Drupageddon. An announcement from the Drupal security team on October 29, 2014 details how severe this vulnerability is, stating that if a vulnerable Drupal server was not updated within 7 hours of the announcement it should be assumed compromised.
The server running elections.kennesaw.edu was taken offline on March 2nd, 2017 after KSU was notified a second time that the server was still leaking sensitive election data. A forensic image of this server was created on March 6th, 2017 by the FBI.
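The Drupageddon flaw named above (Drupal SA-CORE-2014-005) comes down to one loop in Drupal 7's database layer: when a query placeholder such as `:name` was bound to an array, Drupal rewrote it into `:name_0, :name_1, ...` and built those new placeholder names from the array's keys, which came straight from the HTTP request and were never validated. The Python below is added here as an illustration; it is not Drupal's code and not the author's. It re-creates the shape of that loop, shows the vulnerable and the fixed behaviour side by side, and adds a small check that an expanded query contains nothing but well-formed placeholders. The function names, the sample query and the attacker-controlled array are constructed for this example.

```python
import re

# Re-creation, in Python, of the placeholder-expansion logic behind
# Drupageddon. This mirrors the SHAPE of Drupal 7's expandArguments(); it is
# not Drupal's code. Root cause: array KEYS from user input were used to
# build new placeholder names and spliced into the SQL text unvalidated.


def expand_array_placeholders(query, args, fixed=False):
    """Expand array-valued placeholders (":name" bound to a dict) into a
    comma-separated list of scalar placeholders. Returns (query, args).

    fixed=False reproduces the vulnerable behaviour: keys are used as-is.
    fixed=True applies the upstream fix (array_values): the array is
    re-indexed so only positions 0..n-1 ever appear in a placeholder name.
    """
    new_args = {}
    for key, data in args.items():
        if not isinstance(data, dict):
            new_args[key] = data
            continue
        # Fixed path discards caller-supplied keys; vulnerable path keeps them.
        items = list(enumerate(data.values())) if fixed else list(data.items())
        new_keys = {}
        for i, value in items:
            new_keys[f"{key}_{i}"] = value
        # Same substitution the original performed: replace ":name" with the
        # comma-joined list of freshly generated placeholder names.
        joined = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda m: joined, query)
        new_args.update(new_keys)
    return query, new_args


# A placeholder is ':' followed by an identifier; anything else that the
# expansion introduced into the query text is a red flag.
PLACEHOLDER = re.compile(r":[A-Za-z_][A-Za-z0-9_]*")


def query_is_clean(expanded, template):
    """True if the expanded query differs from the template only by
    well-formed placeholder names (one placeholder expanded to a list of
    placeholders), i.e. no other text was introduced."""
    stripped_expanded = PLACEHOLDER.sub("?", expanded)
    stripped_template = PLACEHOLDER.sub("?", template)
    collapsed = re.sub(r"\?(,\s*\?)*", "?", stripped_expanded)
    return collapsed == stripped_template


# Constructed sample: the query template an application might run, and an
# attacker-controlled array whose KEY carries SQL while its value is benign.
# (In the real attack the key arrived via a PHP form field like name[...].)
TEMPLATE = "SELECT * FROM users WHERE name IN (:name)"
MALICIOUS_ARGS = {":name": {"0 ; DROP TABLE users; -- ": "alice"}}


def demo(fixed):
    """Run the expansion on the constructed input and report the resulting
    query plus whether it passed the placeholder check."""
    query, _ = expand_array_placeholders(TEMPLATE, MALICIOUS_ARGS, fixed=fixed)
    return query, query_is_clean(query, TEMPLATE)


if __name__ == "__main__":
    for fixed in (False, True):
        query, clean = demo(fixed)
        print(f"fixed={fixed}: clean={clean}\n  {query}")
```

With `fixed=False` the query text becomes `SELECT * FROM users WHERE name IN (:name_0 ; DROP TABLE users; -- )`: the attacker's key is now part of the statement and the bound value never matters. With `fixed=True` only `:name_0` is generated, which is why the upstream patch was a one-line change to re-index the array before building placeholder names. The `query_is_clean` check is the kind of assertion a reviewer can put around any hand-rolled placeholder expansion to catch this class of bug before it reaches the database.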
On December 2, 2014, three months after the software vendor released the patch, the server still had not been updated. Someone created a user named "shellshock" (Shellshock is itself the name of a security vulnerability; exploiting it lets an attacker take control of the whole server), after which the following activity appeared
The BallotStation software on the voting machines (Georgia currently runs version 4.5.2!) is very likely exploitable by a hacker; an earlier version, 4.3.15, was already exposed as having a similar weakness (the installation files contain the DES key in plaintext, F2654hD4; that key has long been public knowledge, so using it to break the voting machines should be trivial).
The Diebold debacle is a fascinating chronicle of corporate irresponsibility, hubris, incompetence, political chicanery, and power politics.
Diebold's story is a shining example of the voting machine industry's heritage of stupidity and arrogance and the public's tolerance of proprietary electronics and software that have never been adequately tested by impartial, legitimate domain experts.
A group of Georgia voters and a Colorado-based watchdog organization filed a lawsuit late Monday asking a judge to overturn the results of last month’s 6th Congressional District special election and scrap the state’s voting system.
The complaint, filed in Fulton County Superior Court, alleges that state and local election officials ignored warnings for months that Georgia’s centralized election system — already known for potential security flaws and lacking a paper trail to verify results — had been compromised and left unprotected from intruders since at least last summer.
October 27, 2017 APNewsBreak: Georgia election server wiped after suit filed
The server’s data was destroyed July 7 by technicians at the Center for Elections Systems at Kennesaw State University, which runs the state’s election system. The data wipe was revealed in an email sent last week from an assistant state attorney general to plaintiffs in the case that was later obtained by the AP. More emails obtained in a public records request confirmed the wipe.
After declining comment for more than 24 hours, Kennesaw State’s media office issued a statement late Thursday attributing the server wiping to “standard operating procedure.” It did not respond to the AP’s question on who ordered the action.
The Kennesaw elections center answers to Georgia’s secretary of state, Brian Kemp, a Republican running for governor in 2018 and the suit’s main defendant. His spokeswoman issued a statement Thursday saying his office had neither involvement nor advanced warning of the decision. It blamed “the undeniable ineptitude” at the Kennesaw State elections center.
June 16, 2017 AP Georgia official discounts threat of exposed voter records
Lamb discovered the security hole as he did a search of the website of the Center for Election Systems at Kennesaw State, which manages voting statewide. There, he found a directory open to the internet that contained not just the state voter database, but PDF files with instructions and passwords used by poll workers to sign into a central server used on Election Day. Lamb said he downloaded 15 gigabytes of data, which he later destroyed.
The directory of files “was already indexed by Google,” Lamb said in an interview — meaning that anyone could have found it with the right search.
“I don’t know if the vote could have been rigged, but compromising that server would have served as a great pivot point and malware could have been planted easily,” he added.
NOV 14, 2017 https://www.wabe.org/two-georgia-election-servers-timeline/
Lamb notified Merle King, the executive director of the KSU Center for Elections Systems, where a server (elections.kennesaw.edu) was housed that contained the information Lamb accessed. King pressed Lamb not to talk to anyone about what he’d found.
Information security specialist Christopher Grayson accesses the server at the Center for Elections Systems and finds the same information discovered in August by Lamb is still available.
1st: Grayson contacts a friend, Andy Green, who teaches IT security at KSU. Green discovers the vulnerability for himself and contacts KSU’s Chief Information Security Officer, Stephen Gay. Gay alerts the Center for Elections Systems of an “alleged data breach” on the server (elections.kennesaw.edu). The KSU information security office seizes the server.
3rd: KSU turns the server (elections.kennesaw.edu) over to the FBI, which has recently opened an investigation into the breach.
A 180-page collection of Kennesaw State emails, obtained Friday by the Coalition for Good Governance via an open records search, details the destruction of the data on all three servers and a partial and ultimately ineffective effort by Kennesaw State systems engineers to fix the main server's security hole.