Experts demonstrate how to hack email voting

Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts – by shooting down victims’ logout requests even over a supposedly encrypted connection.
And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we’re told.

Thanks to a friend for passing on this link to a ‘how to’ demonstration from last summer’s Black Hat 2013:  Gmail, Outlook.com and e-voting ‘pwned’ on stage in crypto-dodge hack – Once you enter, you can never leave logout <read>

Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) announced they found a way to exploit flaws in Google and Microsoft’s web email services using an issue in the TLS (Transport Layer Security) technology, which encrypts and secures website connections.

Full details of the attack are yet to be widely disseminated – but it was outlined for the first time in a demonstration at this year’s Black Hat hacking convention in Las Vegas on Wednesday.

In short, we’re told, it uses a TLS truncation attack on a shared computer to block victims’ account logout requests so that they unknowingly remain logged in: when the request to sign out is sent, the attacker injects an unencrypted TCP FIN message to close the connection. The server-side therefore doesn’t get the request and is unaware of the abnormal termination….

The attack does not rely on installing malware or similar shenanigans: the miscreant pulling off the trick must simply put herself between the victim and the network. That could be achieved, for example, by setting up a naughty wireless hotspot, or plugging a hacker-controlled router or other little box between the PC and the network.

The researchers warned that shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).

Maybe you use some other email system. But maybe that is a system that has yet to be hacked, publicly. If you send in a vote, what system does your recipient use?
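
A client-side check against the truncation described in the article quoted above: report a sign-out as done only when the server's reply arrived complete over an intact TLS stream. This is an added example, not code from the researchers or the article; `confirm_logout`, `Verdict`, `scripted_recv` and the sample replies are constructed for illustration, and it assumes a Python `ssl` socket wrapped with `suppress_ragged_eofs=False`, which raises `ssl.SSLEOFError` when the TCP stream ends without a TLS close_notify.

```python
import ssl
from dataclasses import dataclass


@dataclass
class Verdict:
    confirmed: bool   # safe to tell the user "you are signed out"?
    reason: str


def read_until_eof(recv):
    """Read until the peer closes. Returns (data, clean_close).

    Assumes recv comes from an ssl.SSLSocket wrapped with
    suppress_ragged_eofs=False: a close_notify yields b"", while a bare
    TCP FIN/RST surfaces as ssl.SSLEOFError or ConnectionError.
    """
    buf = bytearray()
    try:
        while True:
            chunk = recv(4096)
            if not chunk:
                return bytes(buf), True
            buf += chunk
    except (ssl.SSLEOFError, ConnectionError):
        return bytes(buf), False


def confirm_logout(recv):
    """Decide whether the server provably processed the logout request."""
    data, clean = read_until_eof(recv)
    if not data:
        return Verdict(False, "no reply: the request may never have reached the server")
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "reply cut off inside the headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return Verdict(False, "malformed status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length")
    if length is not None:
        if not length.isdigit() or len(body) < int(length):
            return Verdict(False, "reply body shorter than Content-Length")
    elif not clean:
        # Close-delimited body: only close_notify proves it is complete.
        return Verdict(False, "stream ended without close_notify")
    if not 200 <= status < 300:
        return Verdict(False, f"server answered {status}")
    return Verdict(True, "complete reply received")


def scripted_recv(chunks, ragged):
    """Constructed stand-in for SSLSocket.recv: replays chunks, then closes.

    ragged=True models an injected TCP FIN (no close_notify).
    """
    pending = list(chunks)

    def recv(_bufsize):
        if pending:
            return pending.pop(0)
        if ragged:
            raise ssl.SSLEOFError(8, "EOF occurred in violation of protocol")
        return b""

    return recv


# Constructed sample reply (not captured traffic).
OK_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nsigned out"

if __name__ == "__main__":
    cases = {
        "normal logout": scripted_recv([OK_REPLY], ragged=False),
        "FIN before any reply": scripted_recv([], ragged=True),
        "FIN mid-reply": scripted_recv([OK_REPLY[:45]], ragged=True),
    }
    for name, recv in cases.items():
        print(f"{name}: {confirm_logout(recv)}")
```

On an unconfirmed verdict the client should tell the user the sign-out did not complete rather than show a signed-out page.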

Cognitive Dissonance? Not in Connecticut when it comes to the Internet

In psychology, cognitive dissonance is the discomfort experienced when simultaneously holding two or more conflicting cognitions: ideas, beliefs, values or emotional reactions. In a state of dissonance, people may sometimes feel “disequilibrium”: frustration, hunger, dread, guilt, anger, embarrassment, anxiety, etc – Wikipedia

The state fails at protecting data, legislators are to get a lesson in Internet security, N.I.S.T. experts say the Internet is not safe for voting, and the N.S.A. and others can look at practically anything, yet local registrars, the Secretary of the State, and the State Military Department can protect Internet voting by Legislative decree.

As CTVotersCount readers know, the Legislature passed Internet voting over the objections of the Secretary of the State, choosing not to define it but to leave it up to the Secretary and Military Department to define a secure way to accomplish it, despite the concerns of virtually every computer scientist and experts from the National Institute of Standards. Who will implement the actual voting? 169 local municipalities, many with (very) part-time registrars? The Secretary of the State with the help of the State IT function? Two more interesting events this week:

The Motor Vehicle Department inadvertently released the names of job applicants on its web site, making hacking into their computers unnecessary. Courant:  DMV Snafu Posts 400 Job Applicants’ Personal Info On State Website <read>

The state Department of Motor Vehicles’ commissioner has sent individual letters of apology to about 400 job applicants whose names, home addresses, phone numbers, email addresses and exam scores were posted on the DMV’s official website by mistake…

The DMV had intended to post a job announcement on its website about 1 p.m. on Aug. 27 for the position of “Information Technology Analyst 2.” But the following morning, someone from the DMV’s human resources unit discovered that instead of the job-vacancy posting, “a file with a spreadsheet containing the names and other information of candidates who had passed the examination for this title had been posted,” [Commissioner Melody A.] Currey said in the letter.

Wednesday at 1:00pm, in the Legislative Office Building: State Capitol Police Dept.: Internet Safety for Legislators & Staff. Apparently consisting of:

An “Internet Safety” training program available to all legislators and legislative employees. This comprehensive program is designed to heighten awareness on protecting yourself and your family from internet and technology crimes.

Sounds like a good idea. But would a similar training be available or even feasible for military and their dependents eligible for Internet voting, across the country, the world, under the sea, and in combat situations? Let alone for election officials in 169 towns, if they become responsible for Internet voting?

For more, read some of our past posts on Internet Voting or Internet Security

Electronic voting as safe as electricity and nuclear power?

In a recent Hartford Courant Op-Ed, Arthur House, chair of the Connecticut Public Utilities Regulatory Authority and previous Director of Communications of the Director of National Intelligence, addressed cyber threats to public utilities: State Utilities Girding Their Cyber Defenses <read>

Cyber offense and defense are rapidly evolving forms of warfare. Our public utilities are among the targets foreign powers have penetrated. Our vital public services are vulnerable. U.S. national security leadership has seen the exercise of cyber probes and weaponry, some in overt military action and others, including foreign actions in the United States, more exploratory — “battlefield preparation,” in military terms.

For public utilities and the states that regulate them, cyber threats risk denial of electricity, water, natural gas and telecommunications. Our state emergency managers include cyber threats in their portfolio of hurricanes, ice storms, other natural disasters and physical sabotage. Cyber threats present a new dimension to emergency management with potentially devastating consequences and without the certainty of adequate defenses…

Connecticut is intensifying its work with its public utilities, which long ago started their cyber defense programs and initiated planning for dealing with disruption. Several strengthening steps are possible, such as requiring utilities annually publish a statement from a reputable security company affirming (or not) that the company takes reasonable steps to ensure cyber security.

The most difficult adjustment lies with all of us — understanding and accepting the reality of cyber vulnerability and its unpredictable consequences. In the past, Americans have been able to take action, find reasonable solutions and do what makes sense without giving up the essential. We can do it with cyber, but it’s time to kick into gear.. The threat is real, and the work will be demanding.

We cannot help but compare the concern of Mr. House for our utilities’ ability to protect the infrastructure with the sure confidence of our Governor and Legislature in the ability of the Secretary of the State and local election officials to develop systems, at no cost, to make the Internet safe for online voting. Democracy is at least as important as the infrastructure.

If elections can be protected at no cost, what about the electric grid?

An article in the Courant last week highlights the risks to our electric grid and the plans slowly moving forward to enhance its security: State Plan For Cyber Threats To Electric Grid Taking Shape – Utilities Cooperating With Regulators On Plan <read>

Dan Esty, the state’s energy commissioner, sat across a conference table from Art House, Connecticut’s head utility regulator, in the bunker of the State Armory in Hartford last July for a drill that simulated a statewide response to a major hurricane.

Esty, with other state officials and utility executives nearby, asked whether House remembered exercises like these from his days doing intelligence work for the federal government.

“There are two kinds of drills I’ve done in Washington,” House said. There’s the predictable type of emergency, like hurricanes and ice storms, that the state needs to be ready for. And then there’s the unpredictable.

“I worry more about unforeseen type, like a cyber attack,” he said.

That conversation, the two officials said, seeded a quickening and serious discussion of the state’s liability to hackers that would aim to control or damage critical facilities, like the electric grid. House, chairman of the state’s Public Utilities Regulatory Authority, is drafting a plan with utilities on how to prepare for, address and respond to cyber attacks.

“Cyber probes are a fact of life,” House said in an interview this week. “Connecticut needs to look at it in terms of defense. Are we doing everything we can?”…

Federal security officials warn that electronic attacks on these critical facilities could create “the potential for large-scale power outages or man-made environmental disasters” and cause “physical damage, loss of life and other cascading effects that could disrupt services,” the Department of Homeland Security’s deputy inspector general, Charles Edwards, said in a congressional testimony last month…

In Connecticut, House plans for a rough draft of the state’s cybersecurity plan to be finished by Labor Day, with a final version completed by January 2014. It will examine how state utilities could build up their electronic defenses against cyber attacks as well as how private and municipal emergency managers should be prepared in the event of such an attack.

A major piece of the state’s cybersecurity efforts will lean on the federal intelligence and security resources that track and investigate cyber attacks, said House, adding that his previous work for the U.S. National Geospatial-Intelligence Agency will aid in the state’s efforts. “Cyber defense is not a matter of geography. It’s a matter of national defense. It goes across state line and across industries.”

Joel Gordes, president of West Hartford energy consultancy Environmental Energy Solutions, has long called for attention to the cyber security issue. He cites testimonies attached to names like Defense Secretary Chuck Hagel, Former Defense Secretary Robert Gates and Former CIA Director Leon Panetta that raised concerns about the issue, concluding that it’s about time Connecticut takes a clear-eyed look at cyber security.

“When we see everybody from the CIA to Lockheed Martin and the Bank of America being hacked, it’s pure hubris to think that our electric grid could not be compromised,” he said…

Data sharing was one of inspector general Edwards’ concerns. He said that the Department of Homeland Security’s cyber security office needs to consolidate its information sharing efforts with other agencies and the private sector to “ensure that these stakeholders are provided with potential [industrial control systems] threats.”

A group of energy companies and public and private groups expressed concerns about the timeliness of federal assessments on cyber threats, specifically noting that they feel that “a great deal of time might elapse until stakeholders were made aware of the same of similar incident that could affect their systems.”

Tongue in cheek, we note that this may be a major redundancy in effort and expense by utility regulators, since the Legislature has mandated that the Secretary of the State and the Military Department come up with a plan to provide secure electronic voting to the military by October 1st. The Secretary is also mandated in that bill to not only come up with the plan but to implement it without any expenditure!

For the utilities, “A major piece of the state’s cybersecurity efforts will lean on the federal intelligence and security resources that track and investigate cyber attacks”; however, we doubt that support would do much good, since experts at Homeland Security and NIST claim that Internet voting cannot be made safe.

For more details on the feats to be accomplished by the Secretary of the State and Military department, see our recent post: Governor Malloy: Please Veto Internet Voting Bill

To paraphrase Mr. House,

When we see everybody from the CIA to Lockheed Martin and the Bank of America being hacked, along with concerns for our grid from our utility regulators, it’s pure hubris to think that our elections could not be compromised.

U.S. says it will not export tools to interfere in politics

Even the cicadas must know by now that the U.S. is engaged in massive collection of data on phone calls, emails, web access, and banking transactions. Those who a week ago were criticized as ‘conspiracy theorists’ for claiming the Government had such massive secret spying programs will now be criticized as ‘naive’ for not knowing this was going on all along. What more can we say? What can we add that has relevance to elections and election integrity?

Today, there are two articles, an op-ed, and an engaging cartoon in the New York Times:

U.S. Helps Allies Trying To Battle Iranian Hackers <read>
How The U.S. Delved Deeper Via Technology <read>
Your Smartphone is Watching You <read>
The Strip: Secret Agent Smartphone <read>

Restating the Obvious

Internet voting is unsafe and not guaranteed to be secret. Our voting is most vulnerable to insiders.

  • Iranian, Chinese, or Al Qaeda hackers attempting to compromise a U.S. election have a more difficult job changing votes.
  • Foreign and outsider efforts are likely to be detected if they change votes or disrupt a Federal election – detected and reversed or mitigated.
  • I really don’t care if foreign governments or terrorists know who I voted for, not sure they care, few would be intimidated by their potential to find out.
  • But insiders are another matter. They have an easier job. Their legitimate access and sanctioned unconstitutional or illegal access is less likely to be detected or prosecuted.

We can only suggest that anyone who trusts politicians and other insiders to never use every tool available, or trusts that Internet voting is somehow immune from compromise has a serious case of cognitive dissonance. Unfortunately, when it comes to Internet voting that virus has infected our entire state Legislature. While we are pleased that Connecticut’s entire Congressional Delegation have expressed concerns with the NSA spying, we doubt that they are convinced that Internet voting is unsafe.

Thanks For Small Assurances

In the 1st article, we learn:

Officials pledge that computer hardware and software eventually provided to allied nations will be evaluated to avoid providing the type of defensive systems that also can be used for domestic surveillance or to punish political opponents.

We find nothing particularly surprising in this statement. Yet, for ‘naive’ readers, let me regain the skeptical mantle of ‘conspiracy theorist’ by pointing out:

  • This assurance is presumably given by some of those same “officials” who until a few days ago claimed that the U.S. does not have these secret spying programs, that now claim that they are not a big deal, yet hid their existence and still hide the questionable legal justifications.
  • I’d love to see how systems that allow foreign surveillance can be released that cannot be used for domestic surveillance. For the technically challenged, consider that Saudi Arabia could ‘rendition’ its domestic spying or political manipulation to Japan or South Korea in return for a bit of oil.
  • Are we saving the software that allows domestic surveillance and punishing opponents for our own domestic use?
  • Since it is not mentioned, are we exporting software that could manipulate election results?
  • Would a country that would work to overthrow foreign leaders through a coup, and openly work to change election results, hesitate to punish foreign politicians, or manipulate foreign election results? (Hint e.g.: Google “Chavez Coup CIA”)
  • Would insiders from top leaders, to individuals with the keys to the kingdom, hesitate to manipulate U.S. elections?

Once again, those who would call this farfetched have little knowledge of U.S. History and the fallibility of human nature. Our Democracy was designed to defeat human nature with checks and balances, with the bill of rights, including transparency, individual privacy, and a subsidized free press.

What Can They Know And How Can They Use It?

The op-ed provides a chilling summary, including:

It is at least possible to participate in online culture while limiting this horizontal, peer-to-peer exposure. But it is practically impossible to protect your privacy vertically — from the service providers and social media networks and now security agencies that have access to your every click and text and e-mail. Even the powerful can’t cover their tracks, as David Petraeus discovered. In the surveillance state, everybody knows you’re a dog.

And every looming technological breakthrough, from Google Glass to driverless cars, promises to make our every move and download a little easier to track. Already, Silicon Valley big shots tend to talk about privacy in roughly the same paternalist language favored by government spokesmen. “If you have something that you don’t want anyone to know,” Google’s Eric Schmidt told an interviewer in 2009, “maybe you shouldn’t be doing it in the first place.”

The problem is that we have only one major point of reference when we debate what these trends might mean: the 20th-century totalitarian police state, whose every intrusion on privacy was in the service of tyrannical one-party rule. That model is useful for teasing out how authoritarian regimes will try to harness the Internet’s surveillance capabilities, but America isn’t about to turn into East Germany with Facebook pages.

For us, the age of surveillance is more likely to drift toward what Alexis de Tocqueville described as “soft despotism” or what the Forbes columnist James Poulos has dubbed “the pink police state.” Our government will enjoy extraordinary, potentially tyrannical powers, but most citizens will be monitored without feeling persecuted or coerced.

So instead of a climate of pervasive fear, there will be a chilling effect at the margins of political discourse, mostly affecting groups and opinions considered disreputable already. Instead of a top-down program of political repression, there will be a more haphazard pattern of politically motivated, Big Data-enabled abuses. (Think of the recent I.R.S. scandals, but with damaging personal information being leaked instead of donor lists.) In this atmosphere, radicalism and protest will seem riskier..

The second article provides some chilling details:

Accompanying that explosive growth has been rapid progress in the ability to sift through the information. When separate streams of data are integrated into large databases — matching, for example, time and location data from cellphones with credit card purchases or E-ZPass use — intelligence analysts are given a mosaic of a person’s life that would never be available from simply listening to their conversations. Just four data points about the location and time of a mobile phone call, a study published in Nature found, make it possible to identify the caller 95 percent of the time…

Industry experts say that intelligence and law enforcement agencies also use a new technology, known as trilaterization, that allows tracking of an individual’s location, moment to moment. The data, obtained from cellphone towers, can track the altitude of a person, down to the specific floor in a building. There is even software that exploits the cellphone data seeking to predict a person’s most likely route. “It is extreme Big Brother,” said Alex Fielding, an expert in networking and data centers…

So,

  • They can find every candidate we have contributed to. Every email we have sent. Pretty much every event, protest, or meeting we have attended.
  • Every ‘conspiracy theory’ we have believed or investigated along with ‘naive’ views we have held, every contradictory statement, and link us to others with all sorts of views we may or may not agree with.
  • Every donation, medical condition, every mistake, or misstatement we have ever made.
  • Bad enough that they will know every Facebook post and every (sort of) public statement, but also anything written or said candidly, casually, or unthinkingly.
  • Are we sure that potential employers or potential friends or allies will not find this information or be given that information to harm us or them?

Online voting bill moves while Cyber Security Command outlines risks

On Friday the Government Administration and Elections Committee voted to draft H.B. 6111, for “online voting”, putting it one step behind the Veterans Affairs committee bill for “email and fax voting”.

Meanwhile from the New York Times: Security Leader Says U.S. Would Retaliate Against Cyberattacks <read>

General Alexander’s testimony came on the same day the nation’s top intelligence official, James R. Clapper Jr., warned Congress that a major cyberattack on the United States could cripple the country’s infrastructure and economy, and suggested that such attacks now pose the most dangerous immediate threat to the United States, even more pressing than an attack by global terrorist networks…

General Alexander has been a major architect of the American strategy on this issue, but until Tuesday he almost always talked about it in defensive terms. He has usually deflected questions about America’s offensive capability, and turned them into discussions of how to defend against mounting computer espionage from China and Russia, and the possibility of crippling attacks on utilities, cellphone networks and other infrastructure…

“In some cases,” Mr. Clapper said in his testimony, “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.” He said it was unlikely that Russia and China would launch “devastating” cyberattacks against the United States in the near future, but he said foreign spy services had already hacked the computer networks of government agencies, businesses and private companies.

Two specific attacks Mr. Clapper listed, an August 2012 attack against the Saudi oil company Aramco and attacks on American banks and stock exchanges last year, are believed by American intelligence officials to have been the work of Iran.

Here in the land of steady habits, we are ready to move forward with blinders at the ready, apparently confident that our registrars, town clerks, and state IT department will never discover any attacks on our voting systems, email systems, or fax machines.

Another day, more internet heists revealed

We and others have posted several times, debunking the frequently repeated statement that “If we can use ATMs and the Internet for banking, why can’t we use the internet for voting”. The answers are 1) Voting is a different application and riskier; and 2) Internet banking is not safe: banks lose billions to electronic fraud every year, yet it is less than they make and save using the Internet.

A new story of heists by an individual: Alleged ZeuS Botmaster Arrested for Stealing $100 Million from U.S. Banks <read>

A 24-year-old Algerian man remains in a Thai jail awaiting extradition to the United States, where he is suspected of masterminding more than $100 million in global bank heists using the ZeuS and SpyEye Trojans.

Malaysian authorities believe they’ve apprehended the hacker Hamza Bendelladj, who they say has been jetsetting around the world using millions of dollars stolen online from various banks. He was arrested at a Bangkok airport en route from Malaysia to Egypt…

Bendelladj is suspected of stealing funds from 127 U.S. banks in the past six years using ZeuS- and SpyEye-infected machines to drain accounts in minutes. Victims are said to have been compromised through fake financial Web pages between December 2009 and September 2011. The FBI, which has been hunting for the hacker behind the schemes for three years, has not released details of alleged crimes listed in arrest warrants awaiting the man after he is extradited to the agency’s Georgia division…

During the event, Bendelladj reportedly beamed and joked about his ranking as an international criminal. He earned the moniker “the happy hacker” because of numerous photos that all show him smiling broadly in photos taken during his airport arrest.

Review some of our past posts on threats to Internet voting <here>

“Perfect Citizen” demonstrates risk of Internet for voting

Another government testament to the risks we face with dependency on the Internet for vital systems. We hope in this particular case that the effort is actually increasing the safety of systems we all depend upon.

CNet: Revealed: NSA targeting domestic computer systems in secret test <read>

Newly released files show a secret National Security Agency program is targeting the computerized systems that control utilities to discover security vulnerabilities, which can be used to defend the United States or disrupt the infrastructure of other nations.

The NSA’s so-called Perfect Citizen program conducts “vulnerability exploration and research” against the computerized controllers that control “large-scale” utilities including power grids and natural gas pipelines, the documents show. The program is scheduled to continue through at least September 2014.

The Perfect Citizen files obtained by the Electronic Privacy Information Center and provided to CNET shed more light on how the agency aims to defend — and attack — embedded controllers. The NSA is reported to have developed Stuxnet, which President Obama secretly ordered to be used against Iran’s nuclear program, with the help of Israel.

U.S. officials have warned for years, privately and publicly, about the vulnerability of the electrical grid to cyberattacks. Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, told a congressional committee in February: “I know what we [the U.S.] can do and therefore I am extraordinarily concerned about the cyber capabilities of other nations.” If a nation gave such software to a fringe group, Dempsey said, “the next thing you know could be into our electrical grid.”

As we have pointed out before, the Internet is vulnerable, and states, counties, and cities have nowhere near the capabilities of large utilities and the Federal government to protect their networks. Unlike online banking, which is subject to frequent successful attacks, an Internet voting attack is harder to detect and correct. Here is a story of a voting-related Internet breakdown in a state system that was detected, yet authorities remain unable to determine a cause.

For those who are legitimately skeptical of Government security, we point out that Stuxnet was likely developed by our Government and is itself subject to undetected theft, as are any reports of infrastructure vulnerability documented by this “Perfect” program.

Canadian election disrupted in broad daylight

Canadian Broadcasting story: NDP gives up: convention cyber attacker remains a mystery <read>

The source of the cyber attack that disrupted voting at the NDP’s leadership convention in March remains a mystery, and further investigation to find out who was responsible has been dropped.

The NDP was the victim of what’s known as a distributed denial of service attack when thousands of members were trying to vote online throughout the day on March 24. These kinds of attacks result in websites crashing or slowing down because the server is flooded with bogus requests for access.

Legitimate voters couldn’t access the NDP’s website to vote and organizers ended up extending the time allotted for each voting round, delaying the final result until hours after it was expected. Thomas Mulcair was finally declared the winner at about 9 p.m.

Scytl Canada, the company contracted to run the voting, quickly detected what was going on soon after voting began that day and reacted accordingly. They were able to keep the voting going by increasing the system’s capacity and by blocking some of the bogus IP addresses.

Scytl, an international company based in Spain, conducted a forensic analysis after the convention but came up dry when trying to pinpoint exactly who was behind the co-ordinated campaign.

Several points worth noting and much to be learned from this story:

  • A denial of service attack is about as simple as it gets. No insider knowledge required, no understanding of the details of the target application, no new technology to invent.
  • Denial of service has its limitations. No votes are stolen, although many can be suppressed. The attack is obvious and will be detected.
  • This was a highly professional system by a leading vendor. That was not enough to prevent the attack, yet expertise and preparation may have been a factor in limiting the disruption.
  • In this case the disruption was moderately successful, in a relatively small election. Strong denial of service attacks have shut down highly regarded systems for longer periods, hours and days.

What value is an attack that everyone sees? That depends. Courts have been reluctant to grant re-votes, for good reasons. Results of a vote can depend strongly on the other races and issues on a ballot, get-out-the-vote efforts, and even the weather. An apparently semi-successful attack like this one could be successful if it biased the results toward those who could be expected to have the time, opportunity, and inclination to keep trying, or those expected to vote at particular times of the day, or those expected to vote online if it is an alternative to in-person voting. Perhaps there is suppression in just one area with voters strongly favoring one party or ballot proposition, or there is a local contest that would be expected to have a different result if re-voted separately from a national or state-wide election. There is also the possibility of breaking news just before or after the election that would change the result on a later vote.

Where Common Sense fails: Do insider attacks require a sophisticated conspiracy?

Note: This is the fifth post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut.

We frequently hear versions of the following comments, often from election officials:

“It would take a very sophisticated operation to steal an election. Computer experts with access to the election system.”

“Our staff is trusted and they don’t have that level of expertise.”

“You are a conspiracy theorist, you just don’t trust election officials, and the security of our voting machines”

To some of these charges I plead guilty, and with others I beg to disagree:

  • I do believe in the existence and possibilities of fraud by conspiracy, yet in the case of election integrity argue that compromising an election does not require the existence of a conspiracy of the sort implied by the current definition of conspiracy theory. In fact, individuals have been convicted or exposed for small to moderate size conspiracies.
  • I do trust most election officials. The problem is that many election officials express and request blind trust of all election officials. This despite regular instances of errors by officials, and occasional successful prosecution of various election officials for criminal violations. Unless election officials are cut from a different class than other citizens and public officials, some of the time, some of them will make errors, and others will commit fraud, sometimes without prosecution, and sometimes undetected.
  • It does not require a sophisticated operation to steal an election. Fraud would not necessarily require computer experts with access to the election system.

In this post, we address where Common Sense fails: where what seems obvious to individuals and election officials is often counter to the facts or science. Here we have to be careful about trusting our own initial views and those of honest officials; we need to be open to the idea that we may not individually have all the answers, and willing to listen to, if not completely trust, scientists and the facts. (We are not just talking about elections here, but many other areas which are critical to democracy and life.)

Those who are unfamiliar with technology and a specific area of science often overestimate how difficult or easy specific things are to accomplish. Just as we often confuse conspiracy and conspiracy theory, we often confuse the common meaning of theory with that of a scientific theory. They are as different as a Pat Robertson theory of earthquakes and the germ theory of disease.

For instance, people often think technologists can do anything such as solve the nuclear waste problem, cure all cancer, make smoking safe, produce clean coal, or provide safe internet voting. These are all hard problems that have, so far, eluded teams of the best scientists. I frequently recall a friend in middle school, in the late 1950’s, who had no concerns with smoking, saying “By the time I get lung cancer in 30 or 40 years, science will have a cure”.

Once even “scientists” believed with the right recipe sea water could be turned into gold. In the dark ages of the 1950’s it was believed it would be possible to predict the weather and the economy, if only we had enough data and the right programs. Since then, with the advent of Chaos Theory, we have learned both are impossible, yet that fact has provided us the opportunity to deal with the economy and weather more rationally and realistically. Since the 30’s or 40’s we have also known that it is impossible to prove that any computer software/hardware system is accurate and safe – there is no recipe possible. (And thus it is also impossible to build a computer or communications system that is provably safe. In practice, we can see from failed attempts of government and industry that the best systems are, in fact, regularly compromised, providing practical as well as theoretical reasons to avoid trusting any computer/communications system.)

On the other side, many things are much easier than the public and many election officials believe. Smart individuals and small groups continue to create computer viruses and hack into the best systems of the most sophisticated government agencies and industries. On the easy side, the U.S. Government believes, apparently with good reason, that a single Army Private could access and steal a huge number of confidential documents from many Federal agencies. (That he was a low-level insider with lots of access just emphasizes how vulnerable systems are to a single insider, and that it would take steps in addition to a safe computer system, even if that were possible, to protect us from an insider.)

How often have we each gone to an expert with what we viewed as a tough problem, only to have it solved quickly and inexpensively? For example: Recently, my condominium unit needed a new main shut-off valve. The maintenance staff and I believed it would be a big job, requiring a shut-off of a valve in the street and a service interruption to dozens in my neighborhood. Enlisting the help of a general plumbing contractor, the contractor simply froze my pipe while installing a new valve.

When it comes to election machine hacking, online voting, and conventional stealing of votes, it is relatively easy in many jurisdictions to compromise the vote, especially when it only requires a single insider. Some attacks take extensive technical knowledge, which many hackers possess; such a hacker could help or intimidate a single insider to execute an attack, or could simply get a job in election administration. Other attacks take very little technical expertise. When officials misjudge how easy it is for attacks to be accomplished, when officials don’t understand technology, it makes it all the easier for a single trusted insider.

One company, LHS, programs all the election memory cards for Connecticut and other states. LHS’s President said that we are safe from hacked cards because he has no employees with software expertise (including himself). There are several fallacies in this:

  • How would he know if a particular employee has technical expertise?
  • It is not all that hard to misprogram memory cards.
  • A single employee could gain outside technical help or be intimidated to do what an outsider demands.

Similarly, many election officials would claim we are safe because they do not have computer experts on their staff. Once again, how would they know how much expertise it would take, or what a given person does or does not know?

As for outsider attacks, one example: To our knowledge, in only one instance has an Internet voting system been subjected to an open, public security test. It was compromised extensively and quickly. Even if it had not been compromised so easily, or had been subjected to a more extensive test, it would hardly be proven safe, and hardly be safe from attack by insiders.

In our view, the best we can do realistically is voter-created paper ballots, counted in public by machine, a printout of results in public, followed by a secure ballot chain of custody, followed by effective independent post-election audits, and where necessary complete recounts. All transparent.

Finally, we need to emphasize the requirement for a “secure ballot chain-of-custody” or at least a reasonably secure system making it difficult for single insiders to compromise ballots. For those with blind trust in security seals we provide presentations by an expert <view> and examples of quick seal compromise by that same expert and an amateur <read>.