"The injection is done by observing HTTP requests by means of eavesdropping on network traffic. When an interesting target is observed, another device, the shooter, is tipped to send a spoofed TCP packet... For the attack to succeed the packet injected by the shooter has to arrive at the target before the ‘real’ response of the webserver. By exploiting this speed difference or race condition, one can impersonate the webserver."
For the packet-capture savvy, Fox-IT also published some pcaps, which they have shared with CloudShark (the link goes to the CloudShark summary entry on the attack, which in turn links to the annotated pcaps), and made a quick video explaining how it works.
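A passive check for the race described in the quote above, as an added example that is not code from Fox-IT or from this post: since the real response still arrives after the injected one, a sensor sees two segments in the same flow covering the same sequence numbers with different bytes. The `Segment` record, the addresses and the payloads are constructed sample data, and the function name is hypothetical.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "ts src sport dst dport seq payload")
Alert = namedtuple("Alert", "flow seq first_ts second_ts first second")

def find_conflicting_segments(segments):
    """Return an Alert for each segment whose bytes disagree with bytes
    already seen at the same sequence positions in the same flow direction.
    An identical retransmission is normal TCP behaviour and is not reported."""
    seen = {}      # flow -> {sequence position: (byte value, segment index)}
    alerts = []
    ordered = sorted(segments, key=lambda s: s.ts)
    for idx, seg in enumerate(ordered):
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        positions = seen.setdefault(flow, {})
        clash = None
        for offset, value in enumerate(seg.payload):
            pos = (seg.seq + offset) % 2**32   # sequence numbers wrap at 2^32
            prev = positions.get(pos)
            if prev is None:
                positions[pos] = (value, idx)
            elif prev[0] != value and clash is None:
                clash = ordered[prev[1]]       # earlier arrival with other bytes
        if clash is not None:
            alerts.append(Alert(flow, seg.seq, clash.ts, seg.ts,
                                clash.payload, seg.payload))
    return alerts

# Constructed sample traffic (documentation addresses, made-up payloads).
SRV, CLI = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    Segment(1.000, CLI, 49152, SRV, 80, 500, b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"),
    Segment(1.010, SRV, 80, CLI, 49152, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment(1.045, SRV, 80, CLI, 49152, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(2.000, SRV, 80, CLI, 49153, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(2.300, SRV, 80, CLI, 49153, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),  # plain retransmission
]

if __name__ == "__main__":
    for a in find_conflicting_segments(SAMPLE):
        print(a.flow, a.seq, a.first_ts, a.second_ts)
```

The check only reports that two versions of the same bytes were seen; following the description quoted above, the earlier arrival is the one that won the race.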
And somebody finally said it out loud.
Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts.
The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of "admin," "abcde," and "shoup" to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections.
There would be no way to know if there were any additional functions embedded in those devices.
It took 20 years for Snowden to reveal the NSA's illegal surveillance, and the previously almost-unimaginable bounds to which they were willing to go to monitor US civilians.
Just saying,
If you have a procedure with 10 parameters, you probably missed some.