IT Security News and Opinion
Saturday May 25th 2013
Auto Discovery Webinar

Washington DC E-Voting Hack Could Have Been Prevented

While Super Tuesday was underway in the presidential elections last week, reports surfaced about an electronic voting platform whose security was compromised after the election board invited external researchers to test its systems.

It took coding experts with the University of Michigan only a few hours to compromise the system’s security and “elect” a cartoon character from Futurama to the Washington D.C. election board.

This multistage crack could have been prevented had the developers of the electronic voting system built privileged identity management into the system.

The methodology used by the researchers seems straightforward enough. First they identified that the platform was susceptible to a shell injection attack, and then started writing output to the images directory. Next, the researchers encrypted their IP traffic to stop the Intrusion Detection System (IDS) from triggering.

The final piece in this cracking jigsaw was guessing the login details of the server – thereby getting privileged access to the e-voting platform. The right privileged identity management controls would have eliminated the easily-guessed admin credentials, making it all but impossible for outsiders to access these powerful accounts.

The encryption of the cracking IP traffic is an interesting twist, as it prevented the IDS from spotting the rogue traffic. But, this loophole could also have been closed through the use of deep level packet inspection and heuristic packet analysis. These security processes are increasingly being adopted by large corporations to protect their critical IT systems.

The real safety net on any Internet-facing system – especially public platforms such as electronic voting servers – is the use of privileged identity management . This technology prevents unauthorized users and malicious programs from gaining unrestricted, anonymous access to sensitive data on the network.

A key takeaway from this incident is that the voting board opened up its platform to a public security test and the security was found wanting. There are almost certainly many other public-facing government systems that have similar weaknesses – or worse.

At the end of the day, the Washington D.C. election board should be applauded for its openness which – though unconventional – helped highlight the fact that necessary IT security controls were missing.

What are your thoughts on the security of e-voting? Share your comments below. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

FacebookTwitterLinkedInDeliciousTechnorati FavoritesDiggBlogger PostGoogle ReaderShare
Post Published: 16 March 2012
Author: Philip Lieberman
Found in section: Latest IT News, Security Best Practices

Tags: , ,

Previous Topic:
Next Topic:

Leave a Reply


eight + = 10

Follow Us

    Follow us on Twitter            Follow us on LinkedIn

  Visit our YouTube Page              Identity Week RSS Feed
Visit the Lieberman Software Website

Archives

Recent Comments

Tags

Administrator Password Application-to-Application Credentials Application Security Cloud Computing Cloud Security CSO cyber-attacks cyber attack Cyber Security data breach Data Breaches Datacenter Security Data Security default password disaster recovery enterprise security Governance Risk and Compliance hacktivism Identity Management insider threat Insider Threats Internet security IT Audit IT Auditing Compliance Reports IT Marketplace IT Outsourcing IT security IT Security Threats online privacy Password Security PCI-DSS Compliance privileged account credentials privileged account management privileged accounts Privileged Identities privileged identity management regulatory compliance RSA Securing Legacy Applications Security Management SIEM smart card smartphone security stolen credit card Stuxnet