Why internet voting is insecure a case study
1 / 49

Why Internet Voting is Insecure: a case study - PowerPoint PPT Presentation

  • Uploaded on

Why Internet Voting is Insecure: a case study . Barbara Simons. “Those who cast the votes decide nothing. Those who count the votes decide everything.” Joseph Stalin. Accenture chief named head of e-government.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Why Internet Voting is Insecure: a case study' - adamdaniel

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Those who cast the votes decide nothing those who count the votes decide everything joseph stalin
“Those who cast the votes decide nothing. Those who count the votes decide everything.”Joseph Stalin

Accenture chief named head of e government
Accenture chief named head of e-government the votes decide everything.”

  • The Cabinet Office has announced that Ian Watmore, the UK managing director of IT services firm Accenture, is to become the head of e-government. In his new role, Watmore faces the task of delivering efficiency savings while improving the delivery of public services by joining up electronic government services around the needs of customers.

    • Network IT Week, May 25, 2004

A fairy tale
A Fairy Tale the votes decide everything.”

  • 2008 US election: H. Clinton vs J. Bush

  • 527 Americans hostage in Iran

    • Bush wants to invade

    • Clinton calls for negotiations

  • Country evenly divided

  • Internet voting throughout country

The day before the election
The Day before the Election the votes decide everything.”

  • Email from White House warning of computer viruses and providing website for downloading anti-virus software

    • Millions download

    • Email not from WH and contains virus

      • Randomly selects small percentage of votes and changes them to Clinton if had been for Bush

      • Erases itself

Clinton wins
Clinton wins the votes decide everything.”

  • Millions vote before news of virus

  • Bush supporters demand new election

    • No legal provisions

    • Can’t determine which votes modified because of randomness

  • Iranian Govt? Democrats? Femi-Nazis?

  • Teenage hackers and computer scientists suspect

  • Military put on alert

How does the story end

How does the story end? the votes decide everything.”

Is there a backup plan
Is there a backup plan? the votes decide everything.”

  • What happens if after election it is discovered that system may have been compromised?

    • Rerun election? On the same system???

    • Ask those whose votes may have been compromised (if you can figure out who they are) to vote again?

    • What does this do to voter confidence?

E voting is harder than e commerce
E-voting is harder than e-commerce the votes decide everything.”

  • Requires higher level of security

    • Democracy depends on voter confidence

    • Stakes exceedingly high

      • Hundreds of millions of dollars spent on US Presidency election

      • Small fraction would be exceedingly large bribe

    • More challenging

      • May be ok for my spouse to use my credit card, but no ok for my spouse to vote for me

E voting hard
E-voting hard the votes decide everything.”

  • Unlike e-voting, denial of service attack on e-commerce may prevent some sales, but does not invalidate those that succeed

  • May be difficult to detect

    • Anonymity (US) makes impossible to determine if votes correctly counted

    • E-commerce failure can be corrected

      • Amazon sends another book

E voting hard1
E-voting hard the votes decide everything.”

  • How to detect failure?

    • Airplanes crash

    • Books not delivered

    • Outcome doesn’t match exit polls???

Secure electronic registration and voting experiment serve
Secure Electronic Registration and Voting Experiment (SERVE) the votes decide everything.”

  • $22M DoD project for ‘04 elections and primaries

    • 7 states - 50 counties in those states

    • Military and civilians living out of the country

  • http://www.serveusa.gov/public/aca.aspx

Www servesecurityreport org david jefferson avi rubin barbara simons david wagner

www.servesecurityreport.org the votes decide everything.”David JeffersonAvi RubinBarbara SimonsDavid Wagner

Conclusions the votes decide everything.”

  • SERVE contains all security vulnerabilities of paperless touch screen voting machines

  • Internet- and PC-based systems make it vulnerable to many potentially catastrophic well known cyber attacks

  • Attacks could be large scale, launched by anyone from anywhere, including hostile countries

Conclusions the votes decide everything.”

  • Impossible to estimate probability of successful cyber-attack on one election

    • Easy to perpetrate

    • In some cases software available on Internet

    • Major elections tempting targets

  • Vulnerabilities fundamental to architecture of Internet and of PC hardware and software in use today

    • Cannot be eliminated in the foreseeable future

Conclusions the votes decide everything.”

  • Unable to recommend alternative involving Internet voting - all insecure

  • Could appear to work flawlessly

    • Lack of detected successful attacks does NOT prove that there were none

    • “Successful” trial could lead to slippery slope of larger scale, more vulnerable systems

  • Reluctantly recommend immediate shut down of SERVE - was done by DoD

Serve system requirements for voters
SERVE System requirements for Voters the votes decide everything.”

  • Windows 95(?), 98, 2000, ….

  • MS Explorer 5.5 & above or Netscape Navigator 6.x through 7.

  • Internet connection: dial-up modem, cable, DSL, LAN, WAN, etc.

  • Downloads an ActiveX component

Serve con t
SERVE (con’t) the votes decide everything.”

  • Users responsible for maintaining the security of their computers, and

    • voting allowed from public computers with internet access (cybercafes)

  • Voting planned for a national election using proprietary software, secret testing, insecure clients, and an insecure network

Serve con t1
SERVE (con’t) the votes decide everything.”

  • What would have happened if election appeared to go smoothly in ‘04?

Major security problems
Major security problems the votes decide everything.”

  • Software bugs (may or may not be security)

  • Insider attacks

  • Security vulnerabilities of client side of voting equipment

  • Denial of service attack

  • Automated vote buying/selling

  • Man in the middle

Software bugs

Software bugs the votes decide everything.”

Software bugs1
Software bugs the votes decide everything.”

  • Could influence outcome of election

  • All software buggy

    • Security holes could be exploited by hackers

  • Election software is supposed to be certified whenever modifications made

    • Disincentive to fix bugs

    • Hard deadline of election

    • Testing and results are secret

Security example
Security Example the votes decide everything.”

  • Vulnerability in Microsoft Windows Server 2003 software announced July 16, 2003

    • Allow hacker to size control of machine and steal information, delete files, read email

    • Was supposed to be highly reliable and secure

    • Also impacts Windows 2000, NT, and XP

      • Could have been used to compromise some currently used election software

Insider attacks

Insider attacks the votes decide everything.”

Insider attacks1
Insider attacks the votes decide everything.”

  • Anyone with access to vendor’s software, including programmers, executives, and custodians, could insert malicious software

  • Hacker may be able to insert malicious software

  • Malicious software, cleverly hidden, could be very hard to detect or locate

Client side computer vulnerabilities

Client side computer vulnerabilities the votes decide everything.”

Security risks of computers not owned by voter
Security risks of computers not owned by voter the votes decide everything.”

  • Attacker may install malicious software on computers in public locations, e.g. libraries, malls, cybercafes, etc.

  • Increased vulnerability for minorities and economically disadvantaged

Employer owned computer
Employer owned computer the votes decide everything.”

  • 2001 study found 62% of major US corporations monitor employees’ Internet connections

  • > 1/3 store and review files on employee’s computer

  • Additional risk for those without home computers, i.e. economically disadvantaged and minorities

Voter s computer may be insecure
Voter’s Computer may be insecure the votes decide everything.”

  • Computer software

    • Operating systems, games, multimedia applications, etc

    • Any could have malicious code

    • MS Excel 97 contained hidden flight simulator

      • Not found until after release of product

Remote attack on voter s computer
Remote attack on voter’s computer the votes decide everything.”

  • Exploit security vulnerability on computer

  • Take control of voter’s computer via many different programs, e.g. PC Anywhere or BackOrifice

    • Home computers tend to have poorer security than corporate machines, and even corporate computers have been successfully attacked

    • Hackers can automate attacks to scans thousands or even millions for vulnerabilities

Viruses and worms
Viruses and Worms the votes decide everything.”

  • Can install malicious code

  • 2001 Code Red worm infected 360,000 computers in 14 hrs

  • Sapphire/Slammer infected 90% of vulnerable hosts on Internet within 10 minutes

    • Brought down ATMs and caused flight delays

    • Verisign chart

Viruses and worms con t
Viruses and worms (con’t) the votes decide everything.”

  • Virus checking software works only against previously known viruses

  • New worms and viruses spread quickly

  • Easy for programmer to write crude worm - modify code for known worm

  • Small scale worm selectively target smaller population could be hard to detect

How bad can worms be
How bad can worms be? the votes decide everything.”

  • One set of experts estimated that small team of experienced programmers could in a few months’ time develop worm that could compromise majority of Internet connected computers within a few hours

    • Don’t know if would succeed on first attempt or how long would go undetected

  • Once computer infected, all bets are off

Denial of service attacks

Denial of Service Attacks the votes decide everything.”

Denial of service dos attacks
Denial of Service (DoS) Attacks the votes decide everything.”

  • Hacker overloads system so that voter can’t gain access

  • Distributed Denial of Service (DDoS): many machines collaborate to mount joint attack

    • “Zombies”: compromised machines

  • Automated tools widely available

  • Selective disenfranchisement

Examples of ddos
Examples of DDoS the votes decide everything.”

  • CNN, Yahoo, eBay: Feb 2000

    • Lone teenager not on US soil

  • Code Red worm contained code to mount DDoS attack on White House; deflected at last minute (2001)

  • Canadian Internet election disrupted by DoS Jan., 2003

    • Mydoom?

Types of dos attacks
Types of DoS Attacks the votes decide everything.”

  • Flood the network so that it can’t be used

  • Overload web server’s computational resources so it can’t respond to voters

    • Repeated requests to initiate new SSL connections

    • Slow cryptographic protocol can be overwhelmed by enough zombie requests

  • Can’t defend against all possible DoS attacks

May not recognize dos
May not recognize DoS the votes decide everything.”

  • ICANN election

    • People had problems registering

    • Many unable to vote near end

    • Machine capacity issue or DoS?

    • Can’t infer that there were no security problems

    • Some individuals voted multiple times

Automated buying and selling

Automated Buying and Selling the votes decide everything.”

Buying and selling
Buying and selling the votes decide everything.”

  • Provide credentials (passwords, etc) to purchaser who could then vote

    • Defense would be to limit number of votes from single web address

    • Not good defense, since proxy servers could make legitimate voters appear to come from same web address; AOL uses same IP addresses for all users

  • Buyer provide seller with modified version of ActiveX component that guarantees voter’s behavior

Man in the middle or spoofing

Man in the Middle the votes decide everything.”orSpoofing

Man in the middle
Man in the Middle the votes decide everything.”

  • Adversary interposes itself between legitimate communicating parties and simulates each party to the other

  • Achieved by:

    • Controlling client machine

    • Controlling local network

    • Controlling upstream network (eg ISP or foreign gov’t)

    • Spoofing voting server (voter thinks is communicating with correct server, but is not)

    • Attacking Domain Name Server to reroute traffic

Man in the middle can compromise privacy
Man in the Middle can compromise Privacy the votes decide everything.”

  • Use of SSL (an encryption technology) cannot prevent, since man in the middle could act as SSL gateway, forwarding between voter and vote server unaltered

    • Decrypt and re-encrypt to observe results

  • Useful for

    • vote buying/selling

    • Selective disenfranchisement

Michigan democratic party s primary

Michigan Democratic Party’s Primary the votes decide everything.”

Internet Voting an Option

Problems with brief of mich dem party in support of hearing officer s report
Problems with Brief of Mich Dem Party in support of Hearing Officer’s report

  • “Internet voting is secure”

    • Internet not secure - voting not secure

    • Several claims cannot be supported

  • No detection of successful attack doesn’t mean it never happened. It may have happened and been successful.

    • Detecting and foiling 100 attacks doesn’t mean that 10 or 100 haven’t been successful.

The intrusion detection system
The Intrusion Detection System Officer’s report

  • “The IDS filters out and blocks unusual activity on the network, systems or applications.”

  • “While there have been attempted penetrations, the system has worked as designed, and has never been compromised.” (underlining in document)

Problems with ids
Problems with IDS Officer’s report

  • IDS could potentially identify existence of known attack with particular signature, but could do absolutely nothing against new attack that did not look or smell like previous attack

  • IDS makes decent network monitoring devices for observing network behavior, and useful for after the fact forensics, but not that useful as security devices

Problems with ids con t
Problems with IDS (con’t) Officer’s report

  • May detect attack, but not necessarily prevent or recover

  • DDoS might be detectable, but not stoppable by commercial product, especially if massive attack

    • FBI annual survey of Federal agencies 56% networks had been successfully intruded during previous years

  • If no obvious problems, will claim precautions worked, but doesn’t prove anything