[SecurityRatty] tag: diebold

Diebold Finally Admits its Voting Machines Drop Votes

Thu, 28 Aug 2008 02:38:35 +0000

Premier Election Solutions, formerly called Diebold Election Systems, has finally admitted that a ten-year-old error has caused votes to be dropped.

It's unclear if this error is random or systemic. If it's random -- a small percentage of all votes are dropped -- then it is highly unlikely that this affected the outcome of any election. If it's systemic -- a small percentage of votes for a particular candidate are dropped -- then it is much more problematic.

Ohio is trying to sue:

Ohio Secretary of State Jennifer Brunner is seeking to recover millions of dollars her state spent on the touch-screen machines and is urging the state legislature to require optical scanners statewide instead.
In a lawsuit, Brunner charged on Aug. 6 that touch-screen machines made by the former Diebold Election Systems and bought by 11 Ohio counties "produce computer stoppages" or delays and are vulnerable to "hacking, tampering and other attacks." In all, 44 Ohio counties spent $83 million in 2006 on Diebold's touch screens.

In other news, election officials sometimes take voting machines home for the night.

My 2004 essay: "Why Election Technology is Hard."

Ohio official sues e-voting vendor for lost votes

Fri, 08 Aug 2008 09:00:00 +0000

The Ohio Secretary of State Jennifer Brunner filed a lawsuit against e-voting vendor Premier Election Solutions for dropped votes in the state's March primary election. Premier Election Solutions was formerly called Diebold Election Systems.

The Onion on Airport Security and Voting

Fri, 06 Jun 2008 10:13:11 +0000

"Reporters Expose Airport Security Lapses By Blowing Up Plane" and "Diebold Accidentally Leaks Results Of 2008 Election Early".

What if Diebold was bought out by Steve Wynn or Donald Trump?

Wed, 26 Mar 2008 23:41:03 +0000

Sadly, some electronic voting machine manufacturers in the USA have been getting some bad press regarding their machines’ alleged accuracy issues. Martin McKeay put up this post with a mock news video about electronic voting machine risks the other day (click HERE). This could be just the tip of the iceberg. Maybe we could all [...]

UTC makes $3B hostile bid for Diebold

Mon, 03 Mar 2008 11:00:00 +0000

United Technologies Corp. made a $3 billion unsolicited offer to acquire Diebold, the parent company of e-voting systems maker Premier Election Solutions.

Central Bank of the UAE reports ATM fraud to lenders

Mon, 03 Mar 2008 08:41:37 +0000

Technorati Tag: Security Breach

Date Reported:
2/27/08

Organization:
Central Bank of the UAE

Contractor/Consultant/Branch:
Unknown lender

Victims:
ATM customers

Number Affected:
Unknown

Types of Data:
Bank card and account details, PIN numbers, and possible other related information.

Breach Description:
The Central Bank of the UAE has issued a statement claiming that criminals installed a card skimming device and video camera on at least one ATM in the UAE. Bank card details and PIN numbers were exposed in the attack that lasted from February 19th - 25th, 2008. Every customer that used the compromised ATM(s) during the time in question has been affected.

Reference URL:
ArabianBusiness.com news story
The Central Bank of the UAE press release
ITP News online story

Report Credit:
The Central Bank of the UAE

Response:
From the online sources cited above:

The card details of potentially thousands of UAE residents have been stolen by a gang of fraudsters who hacked into a bank's ATM machine

We have been informed by one of the banks operating in the UAE that a gang of computer professionals has managed to insert an electronic reader into the card reader of one of its ATMs, which enabled them to copy the data of all the cards used in the said ATM during the period 19-25 February 2008.
[Evan] Obviously I don't use ATM machines in UAE much, but aren't there controls in place to prevent most tampering? The ATMs around here in Minnesota (US) would be very difficult (not impossible) to mess with.

They have also managed to compromise the PIN through a small video camera placed above the ATM.

We attach herewith the list of ATM cards belonging to your customers who have used the ATM Machines belonging to the bank which has advised us of the ATM fraud.
[Evan] Judging from this statement, this appears to be a copy of the letter sent to the banks affected. I think it would be wise for the Central Bank to disclose the banks to the public so that affected customers can be better prepared.

We, therefore, advise you to:
1- Block the usage of the attached ATM cards;
and
2- Either to replace the cards or change the Pin numbers as deemed appropriate.
3- Fully checking all you ATMs to make sure there are no traces on ATM skimming devices or tampering on the ATM.

It is not known whether the gang has been caught, how much money had been stolen or the exact number of people affected.

Please report to the Central Bank - UAESWITCH any losses on the attached card numbers and the transactions originating country immediately.

For any clarifications, banks should contact the UAESWITCH immediately on Tel. No.: (02)6915395, Fax No.: (02)6674521 or email xxxxx@ebuae.go.ae attention Mr. Aden Omar, for action.

Interesting Comments on the ArabianBusiness.com Story:
Posted by KANDARP BAXI, DUBAI, UAE on 3 March 2008 at 16:50 UAE time
" Also it is high time one gets to know which bank / where etc rather than wait to go to the ATM and find out your account has been 'swiped' out.

All the more reasons for this information to be given ASAP, considering the pathetic customer service in most banks."

Posted by Avikul Hemmad, Dubai, UAE on 3 March 2008 at 16:38 UAE time
" The idea of publishing such news should be to inform the public about the modus operandi and ways to detect and avoid problems.

How would the layman identify "skimming machines" or whatever they are called, if they don't know what to look for? Why don't you give more details so bank customers and the general public can be wary???

Incomplete reporting only adds to the confusion."

[Evan] I agree with these two commenters. I don't understand why the Central Bank of the UAE even decided to make anything public if there is nothing actionable for the people affected. There is not enough information to help anyone.

It is often very (and I mean VERY) difficult to notice good card skimmers and cameras. Here is an example borrowed from the University of Texas.

Card skimmer being installed

Card skimmer after installation

Camera to capture PIN numbers hidden in an innocent looking brochure box

Camera is now installed.

This is only an example. There are more sophisticated skimmers and cameras out there. Diebold has a pretty good whitepaper ATM Fraud and Security.

Commentary:
Good commentary from ArabianBusiness.com:
"Skimming attacks normally involve the placement of a fake card reader over the regular card reader in an ATM, which reads and records the data from the card's magnetic strip, while either a hidden camera or a nearby observer, known as a ‘shoulder surfer', steals the PIN."

"The stolen details can then be used to create fake cards or make purchases online, or the data may be sold on to other gangs of fraudsters.

Skimming fraud has been seen in most regions of the world, and banks usually take measures to protect machines, such as installing plastic guards to prevent the installation of illicit card readers, camera monitoring of ATMs and regular inspections of machines."

"Most skimming attempts now either target high usage ATMs for a very short period of time to steal the maximum number of card details in a short amount of time, or machines in out-of-the-way locations where the reader will not be detected as quickly."

[Evan] It is unusual that a skimming device and video camera were installed for such a long period of time. It is important as bank customers to be cognizant of anything that seems a little out of place when using ATMs. If something is noticed, report it to the bank as soon as possible. Personally, I prefer to use ATMs at bank branches and ones located in buildings or rooms that require card access.

Past Breaches:
Unknown

More trustworthy election systems via SDL?

Mon, 04 Feb 2008 20:34:00 +0000

Hi folks, Eric Bidstrup here.

We interrupt our regular schedule of blog postings to offer this special post for “Super Tuesday” given the subject matter. Hope you enjoy…

This year is a presidential election year in the United States. Selecting a new president is perhaps the ultimate example of the importance of having a trustworthy election process. There have been some well chronicled examples of elections with extremely close results, where the winner’s margin of victory was perhaps smaller than the election system’s margin of error. The term “Hanging Chads,” from the 2000 U.S Presidential election, is now part of the American vocabulary, and locally here in Washington State our last gubernatorial election in 2004 required 3 recounts with the final winner being determined by a margin of only 129 votes, or 0.0045% of the popular vote.

The populace demands confidence that, even in close elections, the election result accurately reflects the voters’ intent. In theory, such precision can be improved by using computers and technology.

However, it seems that every recent election season brings stories in the media about security concerns regarding voting machine (and their software) security. A recent New York Times article provides a good overview of voting machine security concerns; and academic studies on voting systems last year in California, Connecticut, Florida, and Ohio provide some interesting insights about security concerns and vulnerabilities in voting systems from several vendors.

These analyses are fascinating to us, because they offer an opportunity to see how a set of experts look at products other than ours. Applied security researchers often analyze our products, and often share their processes and tools with us, but it’s rare to see a top-to-bottom product review released. In California, there was both white and black box testing done by different teams, and we’ve studied these reports to see the perceptions of development practices from other vendors and results of a different type of review process.

Something my colleagues and I find very interesting is that many of the vulnerabilities noted in these reports could have been prevented by following the requirements in Microsoft’s Security Development Lifecycle. The studies performed in California (prepared at UC Berkeley but created by teams of academics from across the United States) included detailed source code analysis. I’ll select out a few examples from those studies and describe them here. (Note: I’m deliberately picking a few examples from each vendor assessed in the study. I am not attempting to criticize any specific vendor, but rather am trying to illustrate examples of areas where application of the SDL could help contribute towards society’s need for trustworthy computing in a very visible and important application.)

Let’s start with the Source Code Review of the Sequoia Voting System. Two examples from the executive summary are interesting:

“Cryptography. …Many cryptographic functions are implemented incorrectly, based on weak algorithms with known flaws, or used in an ineffective or insecure manner. Of particular concern is the fact that virtually all cryptographic key material is permanently hardcoded in the system (and is apparently identical in all Sequoia hardware shipped to different jurisdictions)…

Software Engineering. …The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors….”

A deeper reading of the cryptographic concerns (page 29 in report) notes concerns (amongst others) over the use of a flawed implementation of the SHA hash algorithm and use of the Data Encryption Standard (DES) algorithm. The SDL has specific policies outlining appropriate selection of cryptographic algorithms. For example, DES is prohibited except for backwards compatibility. SDL also requires that applications use operating system cryptographic functions and libraries. The cryptography team in the operating systems group is supported by world-class cryptographers who carefully scrutinize the implementation of crypto algorithms, and additionally these operating system functions are formally reviewed and certified by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) who validates cryptographic modules meet Federal Information Processing Standards (FIPS). Most application developers are not cryptographers and hence are unlikely to encode crypto algorithms correctly. The SDL requires the use of standard crypto functions and outlines requirements on algorithm selection, key length and key management.

Moving to the software engineering concerns; while several common coding and design concerns are noted (e.g. input validation) I want to select one with a bit more subtlety: running code from USB sticks (page 37 in report). From the report, it appears the code present on the USB sticks is used to program a component (HAAT) of their client (WinEDS) to prepare for a specific election. The valid concern noted by the study is that USB sticks used by WinEDS to configure the HAAT are implicitly trusted to have appropriate authorization to program the voting devices for an election, and that a formal authorization framework didn’t appear to be present. The implication being (as stated in the report): “If such a stick is used in a HAAT that has been compromised by an attacker, or an attacker can provide a maliciously modified USB stick in place of a legitimate one, the attacker could surreptitiously take complete control over the WinEDS client”. Basically, this is a potential “rootkit” for election systems. A threat model, a fundamental design requirement of the SDL, could help uncover such design issues and illustrate the need for mitigations.

Now, let’s turn to the Source Code Review of the Hart InterCivic Voting System. I’ll try to keep my commentary balanced by selecting two examples here as well:

From the executive summary:

“Unsecured network interfaces … Voters can connect to unsecured network links in a polling place to subvert eSlates, as well as to eavesdrop on cast votes and to inject new votes. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more eSlates in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. …

Failure to protect ballot secrecy Hart’s system fails to adequately protect ballot secrecy...”

The concerns about unsecured network interfaces are discussed in the context of authentication and least privilege (pages 24-25). While that is certainly a reasonable perspective, with the SDL we take a broader view and require all teams to threat model the attack surface of the software being developed. Attack surface is the enumeration of all possible entry points that an attacker could use to compromise software (code listening to network interfaces, code that accepts data from external sources, etc). The SDL requires development teams to both minimize attack surface in the software they are building and to consider attacks from each entry point on the attack surface to ensure that mitigations are present. It would appear that these examples show that the development teams didn’t adopt such a systematic approach, or failed to think about mitigations of each possible attack if they did.

Ballot secrecy is an example where security and privacy concerns intersect. Many people confuse security and privacy, and both are fundamental to trust. Privacy addresses a wide variety of concerns about many types of data (such as Personally Identifiable Data (PII), ballot data, etc.), how it’s handled (gathered, transmitted, stored, and disposed of) and what rights and expectations different stakeholders may have regarding that data. (Tina Knutson gave a great overview on these issues in a previous blog posting “Privacy is not just about data security“). Security provides the mechanisms, policies, and practices to enforce privacy requirements. Given the intertwined nature of these issues, both are addressed in the SDL.

The concerns about vote storage (section 6.8, page 58 of report) review some classic challenges in software security and privacy with weak random number generation. Randomization is important here since it controls how votes are stored in memory, and weak randomization enables someone to reverse engineer how individual voters voted by examining the aggregate tally of votes (which can be found on the Mobile Ballot Boxes “MBB”) in conjunction with the audit log. The MBB has mitigations in place to protect integrity (tampering) of votes, but doesn’t appear to protect against information disclosure. The SDL cryptographic policies also cover correct random number generation. The challenge of fully considering all ways in which data can be reverse engineered, contextualized (order of log entries providing information that can be linked to individuals’ choices), and correlated with other data sources is a growing challenge. In the SDL privacy policies, we call attention to these issues, but it’s still a challenge.

Next, let’s look at the Source Code Review of the Diebold Voting System. Again, I’ll pick two subjects.

“Vulnerability to malicious software: The Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines or on the election management system…

Vulnerability to malicious insiders: The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority….”

Let’s look at the “Malicious Software” first: While there’s a lot of discussion of general concerns with viruses and malicious payloads, I’d like to drill down on a specific case noted in section 4.2.3 (page 29). The typical concerns around string handling in C/C++ and buffer overflows are mentioned. What is interesting is that in many places this system uses the Microsoft Foundation Classes (MFC) CString class to help mitigate such concerns. The problem noted is that this practice is not consistently followed, and in fact there is a case of one specific function making calls to both CString *and* a standard C string library, in the same function. So here it appears the engineering team had the right idea by trying to remove calls to potentially risky C string library functions (just as required in SDL), but they just weren’t able to consistently and completely apply it.

Regarding the executive summary concern about malicious insiders, I’m inclined to attribute it to what’s described in section 4.3 on page 30: “No formal threat model or security plan” and “No formal security training”. Both of these are pivotal elements in the SDL. Several comments are offered to the effect that “security measures that are in place appeared to be ad hoc”, and “When new developers arrive at the company, they do not receive any kind of security training”. We’ve blogged here in the past about the importance of both areas, so I won’t repeat that again. (See Adam’s Threat Modeling series and Dave’s “Security Education v. Security Training” posts respectively for more info).

Is the SDL enough to ensure trustworthy voting systems?

When I offered this blog post for the review of my colleagues, it generated some very interesting discussion. Some of my colleagues were worried that I would misrepresent the SDL as a panacea for creating perfectly trustworthy voting systems. Let me be clear: this is absolutely NOT the case. While the SDL could help mitigate repeating many of the problems identified in these studies, it’s worth noting that election systems have a number of unusual and unique requirements. For example, voters cannot review their voting records as they would their banking records to ensure that no fraud has been committed – since the ability to do so would typically enable vote-selling and coercion. Alternate techniques are therefore required to allow voters to verify that their votes have been properly counted. Such requirements force the adoption of “extraordinary” techniques that go beyond those of secure software engineering. Furthermore, the expectations of society on the trustworthiness of voting systems are much greater as compared to other types of software (for example: the latest XBOX game title). I’ll further explore differences in how different people think about “degrees of trustworthiness” (aka “assurance” or “robustness”) in a future posting.

Summary

Let me wrap by saying this, building secure software is difficult. Prior to the advent of Trustworthy Computing and the Security Development Lifecycle here at Microsoft, I’d bet that many of the issues noted in these reports would have applied to earlier Microsoft products too. Some might think I’m throwing stones while living in a glass house, but that is not my intent. While Microsoft products are not vulnerability free, we continue to systematically analyze the sources of vulnerabilities in our software. We continue to modify our engineering practices and tools to better identify potential vulnerabilities and mitigate them before software is released. With increasing awareness and concerns over the trustworthiness of computers in general, the entire industry needs to improve. Given the importance of how we choose to organize ourselves as a society and elect representatives to govern us, voting systems are a great place to step up both in the context of the computing industry, and to better serve society.

I believe many of the issues found in these voting systems would not have entered the system if the SDL was used to design and build the voting systems.

Show 001 - An Interview with Avi Rubin

Wed, 19 Apr 2006 13:47:13 +0000

In the debut episode of the Silver Bullet Security Podcast, Gary talks with Avi Rubin, professor of computer science and technical director of the information security institute at Johns Hopkins University. Avi made headlines in 2003 when he revealed glitches in Diebold electronic voting machines.

Links:

A partial transcript of the interview in IEEE Security & Privacy
Avi’s site
Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi’s forthcoming book
ACCURATE - A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections
Froot Loops and Corn Flakes
Subscribe to IEEE Security & Privacy