Information Security News mailing list archives

New Security Woes for E-Vote Firm


From: InfoSec News <isn () c4i org>
Date: Fri, 8 Aug 2003 00:59:44 -0500 (CDT)

http://www.wired.com/news/privacy/0,1848,59925,00.html

By Brian McWilliams
Aug. 07, 2003

Following an embarrassing leak of its proprietary software over a file
transfer protocol site last January, the inner workings of Diebold
Election Systems have again been laid bare.

A hacker has come forward with evidence that he broke the security of
a private Web server operated by the embattled e-vote vendor, and made
off last spring with Diebold's internal discussion-list archives, a
software bug database and more software.

The unidentified attacker provided Wired News with an archive
containing 1.8 GB of files apparently taken March 2 from a site
referred to by the Ohio-based company as its "staff website."

Representatives of Diebold Election Systems, one of the largest
electronic voting systems vendors with more than 33,000 machines in
service around the country, said the company is still investigating
the security breach and reviewing the contents of the archive.

Director of Communications John Kristoff said the stolen files
contained "sensitive" information, but he said Diebold is confident
that the company's electronic voting system software has not been
tampered with.

"Thus far we haven't seen anything that would be of use to anyone
trying to affect the outcome of an election," he said.

But experts said the appearance of the archive of purloined files from
the staff site raises new questions about Diebold's attention to the
security of its intellectual property.

"They claim they keep everything secure, but this shows the lax nature
of their procedures. This just blatantly flies in the face of good
security," said Rebecca Mercuri, a computer science professor at Bryn
Mawr College who opposes the use of electronic voting systems.

The anonymous attacker said he broke into the Diebold staff site,
which was located at https://staff.dieboldes.com, after reading in
January about how unauthorized outsiders had copied source code and
documentation from an insecure FTP site operated by the company at the
Internet address ftp://ftp.gesn.com.

"In a few short minutes I had access to their replacement for the FTP
site, their 'secure' web," wrote the hacker.

Last month, researchers at Johns Hopkins University used source code
from the FTP site to publish an analysis of what they claimed were
serious security problems in Diebold's AccuVote-TS voting terminal.  
Diebold attempted last week to rebut (PDF) the researchers' charges.

The archive of internal Diebold Election Systems mailing lists taken
from the staff site includes thousands of messages dating from January
1999 through March 2003. The lists contained internal company
discussions of product support issues, new software announcements and
general company announcements.

"We do not believe there is any real security threat, but perception
matters a great deal in this business!" wrote Pat Green, Diebold
Election Systems' director of research and development, in a Feb. 7
message to the company's "support" discussion list. Green was
announcing the temporary shutdown of the Diebold staff site.

Two days before, on Feb. 5, activist Bev Harris detailed in an article
at a New Zealand news site called Scoop how she had freely accessed
thousands of files from Diebold's FTP server.

The hacker did not reveal how he subsequently breached the security of
the Diebold staff site, which used SSL encryption. The file archive
included source code to a login page that included a March 2 welcome
message to one of the firm's election support specialists, suggesting
the attacker may have compromised the employee's account.

Judging from internal mailing list discussions, Diebold management was
either unaware of proper information security practices, or chose to
ignore them out of expediency, experts said.

"There is no sane reason to put the corporate jewels on an
Internet-facing server. They were basically asking to be hacked," said
Jeff Stutzman, CEO of ZNQ3, a provider of information security
services. "This is the kind of behavior you expect of a startup
company that's only concerned about selling their first product."

But Kristoff said the staff server housed only compiled, executable
programs, and not the raw source code to Diebold's election systems.  
He said it was "an oversight" that source code was available to the
public from the FTP server in January.

The Diebold discussion-list archives included other warnings of
potential security problems. In May 2000, Diebold Election Systems'
systems engineer manager Talbot Iredale posted a message to the
support list chiding employees for placing software files on the
special "customer" section of the FTP site without password-protecting
them. That section of the site was created for delivering program
updates and other files to election officials and other customers.

"This potentially gives the software away to whom ever (sic) wants
it," wrote Iredale.

On Dec. 2 last year, Diebold Election Systems' webmaster Joshua
Gardner announced to the list that the FTP site finally was being
eliminated and replaced by the staff site. Gardner explained that the
FTP site had been "accessible to the outside world with no
restrictions on access, and no provisions for logging user activity.  
FTP was a security risk, and I have shut it down for this reason."

Yet nearly eight weeks later, Internet users apparently still were
able to access the FTP site without a password and to download
proprietary software and manuals.

Kristoff said Diebold has shut down the FTP and staff sites, and the
company no longer provides customers or field personnel with access to
Diebold software over the Internet. Instead, software and proprietary
data have been distributed by CD-ROM since January, he said.

Even if unauthorized individuals were able to access and modify voting
system source code, some e-voting experts downplay the impact of such
theoretical threats. After the earlier problems at Diebold's FTP site,
Brit Williams of the Center for Election Systems at Kennesaw State
University published a report last April noting (PDF) that some
states, such as Georgia, carefully review source code prior to use in
electronic voting systems.

But Stutzman said Diebold's Internet security problems necessitate
that the company hire a "Big Five-caliber" firm to conduct a thorough
inspection of its software code, and to ensure that malicious
outsiders have not tampered with it.

"To gain credibility back, they - have to do a line-by-line audit to
make sure that their intellectual property is still sound," said
Stutzman.


