Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Was Halifax’s e-vote hacked?

From: InfoSec News <alerts () infosecnews org>
Date: Mon, 1 Jul 2013 06:12:34 +0000 (UTC)
http://www.thecoast.ca/RealityBites/archives/2013/06/27/was-halifaxs-e-vote-hacked

By Rob Wipond
The Coast
June 27, 2013
It's been several weeks since I revealed evidence that the online voting in last fall's municipal elections in Halifax was not secure. Now I'm starting to wonder, does anyone care? How many people care about defending our most basic pillar of democracy---our elections?
I obtained the damning documents through an Access to Information request to the Canadian Cyber Incident Response Centre (CCIRC) of Public Safety Canada—the federal government agency charged with helping ensure internet safety. Although the documents were heavily censored, they made clear that right up until the day before online voting began on October 6, 2012, an outside security researcher, the CCIRC, the election software vendor (Scytl) and the Halifax Regional Municipality Elections Office were grappling with a myriad of security vulnerabilities.
The documents also made clear that, at the time online voting began, only “some” of those security holes had been in part “mitigated.” Some of the problems, evidently, were never addressed.
HRM didn’t inform the public about any of this. I asked the CCIRC, Scytl and the city to provide evidence that the security problems were solved and the online votes were securely, correctly recorded. The CCIRC and Scytl declined to answer questions, and the city merely provided a report by Ernst & Young.
Unfortunately, from a technical standpoint, that Ernst & Young report was not a security audit, it was a user test. Basically, the city had asked Ernst & Young to confirm that the election software was functioning, but not to investigate how easily the system could be hacked or circumvented. It was like testing to make sure your computer could surf the internet, but not to see if your computer was protected against hackers or viruses. So, any reassurances derived from that report are deeply misplaced. 

[...]


--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/
Previous By Date Next
Previous By Thread Next

Current thread: