[ISN] New Security Woes for E-Vote Firm

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 22:59:44 PDT

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary"

    http://www.wired.com/news/privacy/0,1848,59925,00.html
    
    By Brian McWilliams
    Aug. 07, 2003
    
    Following an embarrassing leak of its proprietary software over a file
    transfer protocol site last January, the inner workings of Diebold
    Election Systems have again been laid bare.
    
    A hacker has come forward with evidence that he broke the security of
    a private Web server operated by the embattled e-vote vendor, and made
    off last spring with Diebold's internal discussion-list archives, a
    software bug database and more software.
    
    The unidentified attacker provided Wired News with an archive
    containing 1.8 GB of files apparently taken March 2 from a site
    referred to by the Ohio-based company as its "staff website."
    
    Representatives of Diebold Election Systems, one of the largest
    electronic voting systems vendors with more than 33,000 machines in
    service around the country, said the company is still investigating
    the security breach and reviewing the contents of the archive.
    
    Director of Communications John Kristoff said the stolen files
    contained "sensitive" information, but he said Diebold is confident
    that the company's electronic voting system software has not been
    tampered with.
    
    "Thus far we haven't seen anything that would be of use to anyone
    trying to affect the outcome of an election," he said.
    
    But experts said the appearance of the archive of purloined files from
    the staff site raises new questions about Diebold's attention to the
    security of its intellectual property.
    
    "They claim they keep everything secure, but this shows the lax nature
    of their procedures. This just blatantly flies in the face of good
    security," said Rebecca Mercuri, a computer science professor at Bryn
    Mawr College who opposes the use of electronic voting systems.
    
    The anonymous attacker said he broke into the Diebold staff site,
    which was located at https://staff.dieboldes.com, after reading in
    January about how unauthorized outsiders had copied source code and
    documentation from an insecure FTP site operated by the company at the
    Internet address ftp://ftp.gesn.com.
    
    "In a few short minutes I had access to their replacement for the FTP
    site, their 'secure' web," wrote the hacker.
    
    Last month, researchers at Johns Hopkins University used source code
    from the FTP site to publish an analysis of what they claimed were
    serious security problems in Diebold's AccuVote-TS voting terminal.  
    Diebold attempted last week to rebut (PDF) the researchers' charges.
    
    The archive of internal Diebold Election Systems mailing lists taken
    from the staff site includes thousands of messages dating from January
    1999 through March 2003. The lists contained internal company
    discussions of product support issues, new software announcements and
    general company announcements.
    
    "We do not believe there is any real security threat, but perception
    matters a great deal in this business!" wrote Pat Green, Diebold
    Election Systems' director of research and development, in a Feb. 7
    message to the company's "support" discussion list. Green was
    announcing the temporary shutdown of the Diebold staff site.
    
    Two days before, on Feb. 5, activist Bev Harris detailed in an article
    at New Zealand news site called Scoop how she had freely accessed
    thousands of files from Diebold's FTP server.
    
    The hacker did not reveal how he subsequently breached the security of
    the Diebold staff site, which used SSL encryption. The file archive
    included source code to a login page that included a March 2 welcome
    message to one of the firm's election support specialists, suggesting
    the attacker may have compromised the employee's account.
    
    Judging from internal mailing list discussions, Diebold management was
    either unaware of proper information security practices, or chose to
    ignore them out of expediency, experts said.
    
    "There is no sane reason to put the corporate jewels on an
    Internet-facing server. They were basically asking to be hacked," said
    Jeff Stutzman, CEO of ZNQ3, a provider of information security
    services. "This is the kind of behavior you expect of a startup
    company that's only concerned about selling their first product."
    
    But Kristoff said the staff server housed only compiled, executable
    programs, and not the raw source code to Diebold's election systems.  
    He said it was "an oversight" that source code was available to the
    public from the FTP server in January.
    
    The Diebold discussion-list archives included other warnings of
    potential security problems. In May 2000, Diebold Election Systems'
    systems engineer manager Talbot Iredale posted a message to the
    support list chiding employees for placing software files on the
    special "customer" section of the FTP site without password-protecting
    them. That section of the site was created for delivering program
    updates and other files to election officials and other customers.
    
    "This potentially gives the software away to whom ever (sic) wants
    it," wrote Iredale.
    
    On Dec. 2 last year, Diebold Election Systems' webmaster Joshua
    Gardner announced to the list that the FTP site finally was being
    eliminated and replaced by the staff site. Gardner explained that the
    FTP site had been "accessible to the outside world with no
    restrictions on access, and no provisions for logging user activity.  
    FTP was a security risk, and I have shut it down for this reason."
    
    Yet nearly eight weeks later, Internet users apparently still were
    able to access the FTP site without a password and to download
    proprietary software and manuals.
    
    Kristoff said Diebold has shut down the FTP and staff sites, and the
    company no longer provides customers or field personnel with access to
    Diebold software over the Internet. Instead, software and proprietary
    data has been distributed by CD-ROM since January, he said.
    
    Even if unauthorized individuals were able to access and modify voting
    system source code, some e-voting experts downplay the impact of such
    theoretical threats. After the earlier problems at Diebold's FTP site,
    Brit Williams of the Center for Election Systems at Kennesaw State
    University published a report last April noting (PDF) that some
    states, such as Georgia, carefully review source code prior to use in
    electronic voting systems.
    
    But Stutzman said Diebold's Internet security problems necessitate
    that the company hire a "Big Five-caliber" firm to conduct a thorough
    inspection of its software code, and to insure that malicious
    outsiders have not tampered with it.
    
    "To gain credibility back, they - have to do a line-by-line audit to
    make sure that their intellectual property is still sound," said
    Stutzman.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 01:07:35 PDT