RE: [ISN] Ehrlich Orders Voting System Security Study

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 22:58:10 PDT

    Forwarded from: Pete Simpson <pete.simpsonat_private>
    
    Note from the Johns Hopkins report that "we only inspected unencrypted
    source code that we believe was used in Diebold's AccuVote-TS voting
    terminal... We did not have the source code to Diebold's GEMS back-end
    election management system."
    
    Who are Science Applications International Corp?  Can they be trusted
    as competent and impartial in this exercise?
    
    If you found the Johns Hopkins report on the security of the touch
    screen ballot box a joke, then check out the insecurity of the
    back-end GEMS system. It will have you in hysterics.
    
    Excerpts from the full report "Inside A U.S. Election Vote Counting
    Program": http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm
    
    After the polls close, poll workers transmit the votes that have been
    accumulated to the county office. They do this by modem.
    
    At the county office, there is a "host computer" with a program on it
    called GEMS. GEMS receives the incoming votes and stores them in a
    vote ledger. But in the files we examined, which were created by
    Diebold employees and/or county officials, we learned that the Diebold
    program used another set of books with a copy of what is in vote
    ledger 1. And at the same time, it made yet a third vote ledger with
    another copy.
    
    Apparently, the Elections Supervisor never sees these three sets of
    books. All she sees is the reports she can run: Election summary
    (totals, county wide) or a detail report (totals for each precinct).
    She has no way of knowing that her GEMS program is using multiple sets
    of books, because the GEMS interface draws its data from an Access
    database, which is hidden. And here is what is quite odd: On the
    programs we tested, the Election summary (totals, county wide) come
    from the vote ledger 2 instead of vote ledger 1, and ledger 2 can be
    altered so it may or may not match ledger 1.
    
    Now, think of it like this: You want the report to add up only the
    actual votes. But, unbeknownst to the election supervisor, votes can
    be added and subtracted from vote ledger 2. Official reports come from
    vote ledger 2, which has been disengaged from vote ledger 1. If one
    asks for a detailed report for some precincts, though, the report
    comes from vote ledger 1. Therefore, if you keep the correct votes in
    vote ledger 1, a spot check of detailed precincts (even if you compare
    voter-verified paper ballots) will always be correct.
    
    And what is vote ledger 3 for? For now, we are calling it the "Lord
    Only Knows" vote ledger.
    
    CAN THE VOTES BE CHANGED?
    
    Here's what we're going to do: We'll go in and run a totals report, so
    you can see what the Election Supervisor sees. Then we'll tamper with
    the votes. I'll show you that our tampering appears in Table 2, but
    not Table 1. Then we'll go back and run another totals report, and
    you'll see that it contains the tampered votes from Table 2. Remember
    that there are two programs: The GEMS program, which the Election
    Supervisor sees, and the Microsoft Access database that stores the
    votes, which she cannot see.
    
    The GEMS election file contains more than one "set of books." They are
    hidden from the person running the GEMS program, but you can see them
    if you go into Microsoft Access. You might look at it like this:
    Suppose you have votes on paper ballots, and you pile all the paper
    ballots in room one. Then, you make a copy of all the ballots and put
    the stack of copies in room 2.
    
    You then leave the door open to room 2, so that people can come in and
    out, replacing some of the votes in the stack with their own.
    
    You could have some sort of security device that would tell you if any
    of the copies of votes in room 2 have been changed, but you opt not
    to.
    
    Now, suppose you want to count the votes. Should you count them from
    room 1 (original votes)? Or should you count them from room 2, where
    they may or may not be the same as room 1? What Diebold chose to do in
    the files we examined was to count the votes from "room2."
    Illustration:
    
    If an intruder opens the GEMS program in Microsoft Access, they will
    find that each candidate has an assigned number:
    
    One can then go see how many votes a candidate has by visiting "room
    1" which is called the CandidateCounter:
    
    Now let's put our own votes in Room2. We'll put CandidateX ahead by a
    nose, by subtracting 100 from CandidateY and adding 100 to CandidateX.
    Always add and delete the same number of votes, so the number of
    voters won't change.
    
    Notice that we have only tampered with the votes in "Room 2." In Room
    1, they remain the same. Room 1, after tampering with Room 2:
    
    Now let's run a report again. Go into GEMS and run the totals report.
    If you run a detail report, you'll see that the precinct report pulls
    the untampered data, while the totals report pulls the tampered data.
    This would allow a precinct to pass a spot check.
    
    
    CAN THE PASSWORD BE BYPASSED?
    
    At least a dozen full installation versions of the GEMS program were
    available on the Diebold ftp site. The manual, also available on the
    ftp site, tells that the default password in a new installation is
    "GEMSUSER." Anyone who downloaded and installed GEMS can bypass the
    passwords in elections. In this examination, we installed GEMS,
    clicked "new" and made a test election, then closed it and opened the
    same file in Microsoft Access.
    
    One finds where they store the passwords by clicking the "Operator"
    table.
    
    One can overwrite the "admin" password with another, copied from
    another GEMS installation. It will appear encrypted; no worries, just
    cut and paste. In this example, we saved the old "admin" password so
    we could replace it later and delete the evidence that we'd been
    there. An intruder can grant himself administrative privileges by
    putting zeros in the other boxes, following the example in "admin."
    
    How many people can gain access? A sociable election hacker can give
    all his friends access to the database too! In this case, they were
    added in a test GEMS installation and copied into the Cobb County
    Microsoft Access file. It encrypted each password as a different
    character string, however, all the passwords are the same word:
    "password." Password replacement can also be done directly in Access.
    To assess how tightly controlled the election files really are, we
    added 50 of our friends; so far, we haven't found a limit to how many
    people can be granted access to the election database.
    
    Using this simple way to bypass password security, an intruder, or an
    insider, can enter GEMS programs and play with election databases to
    their heart's content.
    
    CAN THE AUDIT TRAIL BE ALTERED?
    
    Britain J. Williams, Ph.D., is the official voting machine certifier
    for the state of Georgia, and he sits on the committee that decides
    how voting machines will be tested and evaluated. Here's what he had
    to say about the security of Diebold voting machines, in a letter
    dated April 23, 2003:
    
    "Computer System Security Features: The computer portion of the
    election system contains features that facilitate overall security of
    the election system. Primary among these features is a comprehensive
    set of audit data. For transactions that occur on the system, a record
    is made of the nature of the transaction, the time of the transaction,
    and the person that initiated the transaction. This record is written
    to the audit log. If an incident occurs on the system, this audit log
    allows an investigator to reconstruct the sequence of events that
    occurred surrounding the incident.
    
    In addition, passwords are used to limit access to the system to
    authorized personnel." Since Dr. Williams listed the audit data as the
    primary security feature, we decided to find out how hard it is to
    alter the audit log.
    
    Note that a user by the name of "Evildoer" was added. Evildoer
    performed various functions, including running reports to check his
    vote-rigging work, but only some of his activities showed up on the
    audit log.
    
    It was a simple matter to eliminate Evildoer. First, we opened the
    election database in Access, where we opened the audit table. Then,
    we deleted all the references to Evildoer and, because we noticed that
    the audit log never noticed when the admin closed the GEMS program
    before, we tidily added an entry for that.
    
    Access encourages those who create audit logs to use auto-numbering,
    so that every logged entry has an uneditable log number. Then, if one
    deletes audit entries, a gap in the numbering sequence will appear.
    However, we found that this feature was disabled, allowing us to write
    in our own log numbers. We were able to add and delete from the audit
    without leaving a trace. Going back into GEMS, we ran another audit
    log to see if Evildoer had been purged:
    
    
    As you can see, the audit log appears pristine.
    
    In fact, when using Access to adjust the vote tallies we found that
    tampering never made it to the audit log at all.
    
    Although we interviewed election officials and also the technicians
    who set up the Diebold system in Georgia, and they confirmed that the
    GEMS system does use Microsoft Access, ***is designed for remote
    access,*** and does receive "data corrections" from time to time from
    support personnel, we have not yet had the opportunity to test the
    above tampering methods in the County Election Supervisor's office.
    
    From a programming standpoint, there might be reasons to have a
    special vote ledger that disengages from the real one. For example,
    election officials might say they need to be able to alter the votes
    to add provisional ballots or absentee ballots. If so, this calls into
    question the training of these officials, which appears to be done by
    The Election Center, under the direction of R. Doug Lewis. If election
    officials are taught to deal with changes by overwriting votes,
    regardless of whether they do this in vote ledger 1 or vote ledger 2,
    this is improper.
    
    If changing election data is required, the corrective entry must be
    made not by overwriting vote totals, but by making a corrective entry.
    When adding provisional ballots, for example, the proper procedure is
    to add a line item "provisional ballots," and this should be added
    into the original vote table (Table 1). It is never acceptable to make
    changes by overwriting vote totals. Data corrections should not be
    prohibited, but must always be done by indicating changes through a
    clearly marked line item that preserves each transaction.
    
    Proper bookkeeping never allows an extra ledger that can be used to
    just erase the original information and add your own. And certainly,
    it is improper to have the official reports come from the second
    ledger, which may or may not have information erased or added.
    
    But there is more evidence that these extra sets of books are illicit:
    If election officials were using Table 2 to add votes, for provisional
    ballots, or absentee voters, that would be in their GEMS program. It
    makes no sense, if that's what Diebold claims the extra set of books
    is for, to make vote corrections by sneaking in through the back door
    and using Access, which according to the manual is not even installed
    on the election official's computer.
    
    Furthermore, if changing Table 2 was an acceptable way to adjust for
    provisional ballots and absentee votes, we would see the option in
    GEMS to print a report of both Table 1 totals and Table 2 so that we
    can compare them. Certainly, if that were the case, that would be in
    the manual along with instructions that say to compare Table 1 to
    Table 2, and, if there is any difference, to make sure it exactly
    matches the number of absentee ballots, or whatever, that were added.
    
    Using Microsoft Access was inappropriate for security reasons. Using
    multiple sets of books, and/or altering vote totals to include new
    data, is improper for accounting reasons. And, as a member of
    slashdot.org commented, "This is not a bug, it's a feature."
    
    
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private]
    Sent: 07 August 2003 08:35
    To: isnat_private
    Subject: [ISN] Ehrlich Orders Voting System Security Study
    
    
    Forwarded from: William Knowles <wkat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A25673-2003Aug6.html
    
    
    
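    The two-ledger layout and the editable audit table that the forwarded
    excerpts describe, rebuilt as a small SQLite model so the checks can be
    run. This is an added example, not code from the report, from the
    original poster, or from Diebold: the schema, the table name
    SumCandidateCounter, the column names, the vote counts and the audit
    rows are all constructed for illustration (only "CandidateCounter" is
    named on the page), and the "chain" column is an added hash-link
    countermeasure the report does not mention, included to show what a
    gap check alone cannot catch once log numbers are writable.

```python
"""Added example (not from the forwarded report): SQLite model of the
'room 1' / 'room 2' vote ledgers and a writable-id audit log, with the
reconciliation and audit checks that expose the tampering described."""
import hashlib
import sqlite3

CANDIDATES = {1: "CandidateX", 2: "CandidateY", 3: "CandidateZ"}  # constructed
PRECINCTS = ["P01", "P02", "P03"]                                  # constructed


def build_election_db():
    """In-memory stand-in for the Access file. CandidateCounter is 'room 1'
    (detail report); SumCandidateCounter (hypothetical name) is 'room 2',
    the copy the totals report reads. AuditLog.log_id is a plain INTEGER,
    i.e. writable, as the report says the GEMS audit numbering was."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE CandidateCounter    (precinct TEXT, cand_id INTEGER, votes INTEGER);
        CREATE TABLE SumCandidateCounter (precinct TEXT, cand_id INTEGER, votes INTEGER);
        CREATE TABLE AuditLog (log_id INTEGER, operator TEXT, action TEXT, chain TEXT);
    """)
    rows = [(p, c, 300 + 10 * i + 7 * c)              # constructed vote counts
            for i, p in enumerate(PRECINCTS) for c in CANDIDATES]
    db.executemany("INSERT INTO CandidateCounter VALUES (?,?,?)", rows)
    db.executemany("INSERT INTO SumCandidateCounter VALUES (?,?,?)", rows)
    return db


def tamper_room2(db, winner, loser, n, precinct="P01"):
    """The edit from the report: move n votes from loser to winner in the
    copy only, so the ballot count is unchanged. Nothing is logged."""
    db.execute("UPDATE SumCandidateCounter SET votes = votes - ? "
               "WHERE precinct=? AND cand_id=?", (n, precinct, loser))
    db.execute("UPDATE SumCandidateCounter SET votes = votes + ? "
               "WHERE precinct=? AND cand_id=?", (n, precinct, winner))
    db.commit()


def totals_report(db):
    """County-wide summary as the supervisor sees it: read from room 2."""
    return dict(db.execute("SELECT cand_id, SUM(votes) FROM SumCandidateCounter GROUP BY cand_id"))


def detail_report(db, precinct):
    """Per-precinct detail: read from room 1, so a spot check passes."""
    return dict(db.execute("SELECT cand_id, votes FROM CandidateCounter WHERE precinct=?", (precinct,)))


def reconcile(db):
    """The check GEMS does not offer: compare both ledgers row by row.
    Returns [(precinct, cand_id, room1_votes, room2_votes)] per mismatch."""
    return db.execute("""
        SELECT a.precinct, a.cand_id, a.votes, b.votes
        FROM CandidateCounter a JOIN SumCandidateCounter b
          ON a.precinct = b.precinct AND a.cand_id = b.cand_id
        WHERE a.votes <> b.votes
        ORDER BY a.precinct, a.cand_id""").fetchall()


def voter_count_matches(db):
    """Ballot-count sanity check; defeated by add-100/subtract-100 edits."""
    r1 = db.execute("SELECT SUM(votes) FROM CandidateCounter").fetchone()[0]
    r2 = db.execute("SELECT SUM(votes) FROM SumCandidateCounter").fetchone()[0]
    return r1 == r2


def log_action(db, operator, action):
    """Append an audit row. log_id is simply last+1 (no autonumbering);
    chain = sha256(prev_chain|id|operator|action) is the added hash link."""
    last = db.execute("SELECT log_id, chain FROM AuditLog ORDER BY log_id DESC LIMIT 1").fetchone()
    log_id, prev = (last[0] + 1, last[1]) if last else (1, "")
    chain = hashlib.sha256(f"{prev}|{log_id}|{operator}|{action}".encode()).hexdigest()
    db.execute("INSERT INTO AuditLog VALUES (?,?,?,?)", (log_id, operator, action, chain))
    db.commit()


def purge_operator(db, operator):
    """The 'eliminate Evildoer' edit: delete the rows, then renumber the
    survivors so the sequence shows no gap (possible because log_id is
    writable)."""
    db.execute("DELETE FROM AuditLog WHERE operator=?", (operator,))
    survivors = db.execute("SELECT log_id FROM AuditLog ORDER BY log_id").fetchall()
    for new_id, (old_id,) in enumerate(survivors, start=1):
        db.execute("UPDATE AuditLog SET log_id=? WHERE log_id=?", (new_id, old_id))
    db.commit()


def audit_gaps(db):
    """Gap check that relies on autonumbering; returns the missing ids."""
    ids = [r[0] for r in db.execute("SELECT log_id FROM AuditLog ORDER BY log_id")]
    return sorted(set(range(1, (ids[-1] if ids else 0) + 1)) - set(ids))


def audit_chain_ok(db):
    """Recompute the hash chain; a deleted, edited or renumbered row breaks it."""
    prev = ""
    for log_id, operator, action, chain in db.execute("SELECT * FROM AuditLog ORDER BY log_id"):
        if chain != hashlib.sha256(f"{prev}|{log_id}|{operator}|{action}".encode()).hexdigest():
            return False
        prev = chain
    return True


if __name__ == "__main__":
    db = build_election_db()
    log_action(db, "Evildoer", "run totals report")
    tamper_room2(db, winner=1, loser=2, n=100)
    print("totals (room 2):", totals_report(db))
    print("P01 detail (room 1):", detail_report(db, "P01"))
    print("mismatches:", reconcile(db), "ballot count same:", voter_count_matches(db))
    purge_operator(db, "Evildoer")
    print("gaps:", audit_gaps(db), "chain intact:", audit_chain_ok(db))
```

    Running it shows the two points the excerpts make: the totals report
    and the precinct detail disagree while the ballot count still
    balances, so only a row-by-row join of the two ledgers flags the
    change; and after the purge the renumbered audit table has no gaps, so
    a gap check passes and only an integrity link written at log time (the
    assumed hash chain here) reveals that rows were removed.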
    



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 01:14:38 PDT