[ISN] E-Vote Software Leaked Online

From: InfoSec News (isn@private)
Date: Thu Oct 30 2003 - 02:01:55 PST


    http://www.wired.com/news/privacy/0,1848,61014,00.html
    
    By Kim Zetter
    Oct. 29, 2003
    
    Software used by an electronic voting system manufactured by Sequoia
    Voting Systems has been left unprotected on a publicly available
    server, raising concerns about the possibility of vote tampering in
    future elections.
    
    The software, made available at ftp.jaguar.net, is stored on an FTP
    server owned by Jaguar Computer Systems, a firm that provides election
    support to a California county. The software is used for placing
    ballots on voting kiosks and for storing and tabulating results for
    the Sequoia AVC Edge touch-screen system.
    
    The security breach means that anyone with a minimal amount of
    technical knowledge could see how the code works and potentially
    exploit it. According to a computer programmer who discovered the
    unprotected server, the files also contain Visual Basic script and
    code for voting system databases that could allow someone to learn how
    to rig voting results. The programmer spoke on condition of anonymity.
    
    Jaguar blocked public access to the FTP site late Wednesday.  
    Representatives from Jaguar did not return calls for comment.
    
    Sequoia said it was disturbed that the proprietary code had been
    accessed in an "inappropriate manner," and went on to blast Jaguar in
    an e-mail to Wired News about the security gaffe.
    
    "While this breach of security is grossly negligent on the part of the
    county's contractor, the code that was retrieved is used to accumulate
    unofficial results on election night and does not compromise the
    integrity of the official electronic ballots themselves," wrote
    Sequoia spokesman Alfie Charles.
    
    Peter Neumann, a principal scientist at SRI International (formerly the
    Stanford Research Institute), said the exposed code could allow someone
    to plant a Trojan horse in the system's compiler -- the program that
    translates the source code into the executable the machine actually
    runs -- so that a backdoor is inserted at compile time and never
    appears in any source code a reviewer reads.
    
    The files on the server also revealed that the Sequoia system relies
    heavily on Microsoft software components, a fact the company often has
    been coy about discussing since Microsoft software is a frequent
    target of hackers.
    
    Jaguar, based in Riverside, California, left the data unencrypted and
    unprotected: the FTP server permitted anonymous login, so anyone could
    connect as user "anonymous" with no real password and download the files.
    
    Once a visitor gained access to the server, a small note stated that
    the server was meant for employees and clients of Jaguar. However, the
    company's own website directed visitors to the FTP server and noted
    that "our '/PUB' directory is stuffed with many of the files that we
    use." The website has since been changed by Jaguar.
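    The check a practitioner would run against a server described this way, as an added example that is not part of the Wired article or of any Jaguar or Sequoia software: a Python probe that attempts the conventional anonymous login and lists the /pub directory. Because ftp.jaguar.net was locked down the day the story ran, the block includes a constructed stand-in server on loopback, with made-up file names, so the probe can be exercised offline; the stand-in is the assumption here, not the probe.

```python
"""Probe an FTP server for anonymous access.

Added example. anonymous_ftp_exposure() is the check itself; FakeFtpServer is a
constructed stand-in (not a real product) so the probe can run offline.
"""
import ftplib
import socket
import threading


def anonymous_ftp_exposure(host, port=21, path="/pub", timeout=5.0):
    """Try the conventional anonymous login and, if it succeeds, list `path`.

    Returns (anonymous_allowed, names). A 5xx reply to USER/PASS means the
    server refused anonymous users. A successful login counts as exposure
    even if the listing itself is denied.
    """
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        # RFC 1635 convention: user "anonymous", an e-mail address as password.
        ftp.login("anonymous", "probe@example.invalid")
    except ftplib.error_perm:
        ftp.close()
        return False, []
    try:
        names = ftp.nlst(path)
    except ftplib.error_perm:
        names = []
    try:
        ftp.quit()
    except ftplib.all_errors:
        ftp.close()
    return True, names


class FakeFtpServer(threading.Thread):
    """Single-client FTP responder speaking just enough of RFC 959 for the probe.

    Constructed for this example. allow_anonymous=True models a server set up
    the way the article describes; False models one that answers PASS with 530.
    """

    def __init__(self, allow_anonymous, files):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.files = files
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral port on loopback
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        rfile = conn.makefile("r", encoding="latin-1")

        def reply(line):
            conn.sendall((line + "\r\n").encode("latin-1"))

        reply("220 FTP service ready")
        data_listener = None
        for line in rfile:
            cmd, _, arg = line.strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                reply("331 Password required")
            elif cmd == "PASS":
                reply("230 Logged in" if self.allow_anonymous else "530 Login incorrect")
            elif cmd == "TYPE":
                reply("200 Type set")
            elif cmd == "PASV":
                # Open a data port and advertise it in the 227 reply.
                data_listener = socket.socket()
                data_listener.bind(("127.0.0.1", 0))
                data_listener.listen(1)
                p = data_listener.getsockname()[1]
                reply(f"227 Entering Passive Mode (127,0,0,1,{p // 256},{p % 256})")
            elif cmd == "NLST":
                reply("150 Listing follows")
                dconn, _ = data_listener.accept()
                dconn.sendall("".join(f"{n}\r\n" for n in self.files).encode("latin-1"))
                dconn.close()          # EOF on the data channel ends the listing
                data_listener.close()
                reply("226 Transfer complete")
            elif cmd == "QUIT":
                reply("221 Goodbye")
                break
            else:
                reply("502 Command not implemented")
        conn.close()
        self.listener.close()


if __name__ == "__main__":
    # Constructed listing; the names only stand in for whatever a real /pub holds.
    server = FakeFtpServer(allow_anonymous=True, files=["WinEDS", "tools.zip"])
    server.start()
    allowed, names = anonymous_ftp_exposure("127.0.0.1", server.port)
    print("anonymous login allowed:", allowed, "| /pub listing:", names)
```

    To use the probe for real, point anonymous_ftp_exposure() at a host you are authorized to test; a 230 reply to the anonymous PASS is the finding, whatever the listing shows.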
    
    Sequoia's AVC Edge voting machines were used in California's Riverside
    County for the 2000 presidential election and for last month's
    California gubernatorial recall election. The system also has been
    used in counties in Florida and Washington state.
    
    It's the second time this year that voting machine code has been
    leaked on the Internet.
    
    In January, source code for the AccuVote-TS system made by Diebold
    Election Systems was found on an unprotected FTP server belonging to
    the company.
    
    Researchers at Johns Hopkins and Rice universities who read the
    Diebold code found numerous security flaws in the system and published
    a report that prompted the state of Maryland to conduct its own
    audit of the software.
    
    A key difference between the Diebold and Sequoia leaks has to do with
    the type of code used. The Diebold code was source code, a raw form of
    code that contains programmer notes and comments and allows anyone to
    quickly see how a system works.
    
    The Sequoia code is binary code: already compiled, with the comments
    and other source-level information stripped away. It is the executable
    form of the program, so it must be reverse-engineered -- disassembled
    or decompiled -- in order to understand how it works. This is not hard
    to do, but it takes more time than working with source code. The Johns
    Hopkins researchers were able to write their report on the Diebold code
    in two weeks; the Sequoia code would take at least two months, the
    researchers said.
    
    But even binary code reveals a lot of information about a program,
    said Avi Rubin, one of the Johns Hopkins researchers who wrote the
    report on the Diebold system.
    
    "With binary code you can create most of the program and analyze it,"  
    he said. "All the information about what the program does is there.  
    Maybe 60 percent of what you can get from the source code you can also
    get from the binary."
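    To make Rubin's point concrete, here is an added example (not code from the article, the researchers or Sequoia) of the first pass a reverse engineer makes on a stripped Windows binary: pull out every printable string, in both ASCII and the UTF-16LE encoding that Windows and Visual Basic programs use for text, and flag SQL statements, database connection strings, file paths and DLL dependencies. The sample "binary" and the strings in it are constructed for the demo; the one real name, msado15.dll, is the ADO library that ships as part of MDAC.

```python
"""What a stripped binary still gives away.

Added example: extract ASCII and UTF-16LE strings from a blob and flag the
ones that reveal design details. The sample binary is constructed here and is
not the leaked Sequoia code.
"""
import re

INTERESTING = {
    "sql": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|CREATE\s+TABLE)\b", re.I),
    "connection_string": re.compile(
        r"\b(Provider|Data Source|Initial Catalog|User ID|Password)\s*=", re.I),
    "dll": re.compile(r"^\w+\.dll$", re.I),
    "path": re.compile(r"^(?:[A-Za-z]:\\|\\\\)"),
}


def extract_strings(blob, min_len=6):
    """Return (offset, encoding, text) for every printable run of >= min_len chars.

    Windows programs, Visual Basic ones especially, store text as UTF-16LE:
    each printable character followed by a NUL byte. A plain ASCII scan misses
    those entirely, so both encodings are scanned.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_run.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_run.finditer(blob)]
    return sorted(hits)


def classify(text):
    """Categories from INTERESTING that the string matches (may be several)."""
    return [name for name, rx in INTERESTING.items() if rx.search(text)]


def triage(blob):
    """{category: [strings]} for the strings a reverse engineer would read first."""
    report = {}
    for _, _, text in extract_strings(blob):
        for cat in classify(text):
            report.setdefault(cat, []).append(text)
    return report


def build_sample_binary():
    """Constructed stand-in for a compiled Windows executable (not real Sequoia code)."""
    filler = b"\x00\x01\x02\x90\x90\xff\xfe\x7f" * 4   # non-printable padding
    return (
        filler
        + b"msado15.dll\x00"                           # import name: ADO, part of MDAC
        + filler
        + b"CREATE TABLE Results (Precinct INT, Candidate INT, Votes INT)\x00"
        + filler
        # Stored as UTF-16LE, as a VB program would; invisible to an ASCII-only scan.
        + "Provider=SQLOLEDB;Data Source=TALLYDB;User ID=sa;Password=changeme".encode("utf-16-le")
        + filler
        + b"C:\\Tally\\results.mdb\x00"                # constructed path, not a real install location
        + filler
    )


if __name__ == "__main__":
    for category, strings in triage(build_sample_binary()).items():
        print(f"{category}:")
        for s in strings:
            print(f"    {s}")
```

    The connection string in the sample is recovered only because the UTF-16LE pass exists; a naive ASCII `strings` run over the same blob returns the SQL and the path but not the credentials, which is the kind of gap that makes "60 percent" a plausible figure rather than a ceiling.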
    
    On its website, Sequoia makes a point of stating that its system is
    much more secure than the Diebold system, since it doesn't rely on
    Microsoft software. The website reads: "While Diebold relies on a
    Microsoft operating system that is well known and understood by
    computer hackers, Sequoia's AVC Edge runs on a proprietary operating
    system that is designed solely for the conduct of elections."
    
    In fact, the system uses WinEDS, or Election Database System for
    Windows. WinEDS runs on top of the Microsoft Windows operating system.  
    According to Sequoia, "WinEDS is used to administer all phases of the
    election cycle, create electronic ballots for the AVC Edge, and tally
    early voting, as well as official election and absentee votes."
    
    The system also appears to use MDAC 2.1, or Microsoft Data Access
    Components, which was found in the WinEDS folder on the server. MDAC is
    Microsoft's database-access middleware (ODBC, OLE DB and ADO), the layer
    through which a Windows program reads and writes a database.
    According to the computer programmer who discovered the FTP server
    containing the Sequoia code, version 2.1 was found to be insecure. He
    said Microsoft currently distributes an upgraded version 2.8, which
    has been available since August, but the version on the Jaguar site
    doesn't include a patch to fix the security problems.
    
    Also, because MDAC is off-the-shelf software, it is not subject to the
    certification process and audit that are standard for proprietary
    voting software.
    
    Neumann, the security expert, said, "This means that anyone could
    install a Trojan horse in the MDAC that won't show up in the source
    code." Jaguar employees, Sequoia employees or state election officials
    could insert code that wouldn't be detectable in a certification
    review of the code or in security testing of the system, he said.
    
    Neumann said this points to the necessity for using only voting
    machines that provide a voter-verifiable paper trail.
    
    "The idea of looking at source code to find problems is inherently
    unsatisfactory," he said. "You need to use a machine with
    accountability and an audit trail."
    
    The source who discovered the unprotected server containing the
    Sequoia system code said the files include Visual Basic script, which
    is interpreted rather than compiled and so can be changed very quickly
    and easily.
    
    "You can swap out a file and plant a Trojan horse in this," he said.  
    "There's also SQL code in there that sets up a database. The SQL gives
    you details about the database that you can use to alter the contents
    of the database."
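    Neumann's off-the-shelf-component scenario and the file swap the anonymous source describes share a defense that a certification review of source code does not provide: record a cryptographic hash of every file in the certified build and check the deployed machine against that record. The following is an added example (not Sequoia, Jaguar or WinEDS code; the WinEDS folder name is taken from the article, the file names and contents are constructed) that builds a SHA-256 manifest and reports modified, missing and unexpected files.

```python
"""Integrity manifest for a certified software build.

Added example: a SHA-256 manifest built from the certified tree, then checked
against the deployed copy, catches swapped scripts and altered components.
The directory layout and file contents are constructed for the demo.
"""
import hashlib
import json
import pathlib
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root, manifest):
    """Compare a deployed tree with the certified manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}. Empty
    lists mean every certified file is present and byte-identical and nothing
    has been added alongside it.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def run_demo():
    """Certify a constructed tree, tamper with the deployed copy, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / "WinEDS"   # folder name from the article; contents constructed
        root.mkdir()
        (root / "tally.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # stand-in for a compiled binary
        (root / "schema.sql").write_text("CREATE TABLE Results (Precinct INT, Votes INT);\n")
        (root / "export.vbs").write_text("' exports results\nWScript.Echo \"ok\"\n")

        manifest = build_manifest(root)
        # This JSON is what you would sign and keep off the voting machine.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)

        # Tamper the way the article's source describes: edit an interpreted
        # script, drop in an extra file, and remove a certified one. The
        # compiled binary is left alone.
        (root / "export.vbs").write_text("' exports results\nWScript.Echo \"ok\"\n' patched\n")
        (root / "helper.vbs").write_text("' not part of the certified build\n")
        (root / "schema.sql").unlink()

        return verify_tree(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

    Two caveats matter in practice. The manifest has to be produced from the certified build and stored or signed somewhere the deployed machine cannot write to; a manifest regenerated on the machine after a file swap proves nothing. And a hash check only shows that the deployed files match what was certified. If the certified artifact was itself compiled by a trojaned compiler, as Neumann describes, the hashes match and the backdoor ships, which is why he argues for a voter-verifiable paper trail rather than code review alone.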
    
    The companies making electronic voting systems long have said that
    their systems are proprietary and their code needs to remain secret in
    order for the systems to be secure.
    
    Cindy Cohn, an attorney at the Electronic Frontier Foundation, said
    information gained from the discovery of the Diebold and Sequoia codes
    indicates the exact opposite.
    
    "Our society and our democracy is better served by open voting
    systems," she said. "The way to create a more secure system is to open
    the source code and to have as many people as possible try to break
    into the system and figure out all the holes. The clearest way to have
    an insecure system is to lock it up and show it to only a few people."
    
    Cohn said her organization is trying to convince election officials
    and companies to make their systems more secure. "That doesn't seem to
    be happening," she added. "So I have a lot of admiration for these
    people who are taking it upon themselves to try to figure out whether
    these machines are secure. I think we are all better off because of
    researchers who are taking the time to say the emperor doesn't have
    any clothes."
    
    Rubin said the focus shouldn't be on keeping systems secret but on
    creating systems that are more secure so they can't be easily
    exploited or rigged for fraud.
    
    "This argument that everything needs to be kept secret is not viable
    because the stuff does get out whether companies intend it or not," he
    said. "Now two out of the three top companies have leaked their
    system.
    
    "Scientists are being made to feel afraid to look at these things
    which in the end will be bad for our society. Why shouldn't everyone
    want scientists to look? If there's any feeling that there may
    actually be danger to our elections, how can we not be encouraging
    researchers to look at our systems?" Rubin said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 30 2003 - 04:31:43 PST