While Super Tuesday was underway in the presidential elections last week, reports surfaced about an electronic voting platform whose security was compromised after the election board invited external researchers to test its systems.
It took coding experts with the University of Michigan only a few hours to compromise the system’s security and “elect” a cartoon character from Futurama to the Washington D.C. election board.
This multistage crack could have been prevented had the developers of the electronic voting system built privileged identity management into the system.
The methodology used by the researchers seems straightforward enough. First, they identified that the platform was susceptible to a shell injection attack and started writing output to the images directory. Next, the researchers encrypted their IP traffic to stop the Intrusion Detection System (IDS) from triggering.
The final piece in this cracking jigsaw was guessing the login details of the server – thereby getting privileged access to the e-voting platform. The right privileged identity management controls would have eliminated the easily-guessed admin credentials, making it all but impossible for outsiders to access these powerful accounts.
The encryption of the cracking IP traffic is an interesting twist, as it prevented the IDS from spotting the rogue traffic. But this loophole could also have been closed through the use of deep-level packet inspection and heuristic packet analysis. These security processes are increasingly being adopted by large corporations to protect their critical IT systems.
The real safety net on any Internet-facing system – especially public platforms such as electronic voting servers – is the use of privileged identity management. This technology prevents unauthorized users and malicious programs from gaining unrestricted, anonymous access to sensitive data on the network.
A key takeaway from this incident is that the voting board opened up its platform to a public security test and the security was found wanting. There are almost certainly many other public-facing government systems that have similar weaknesses – or worse.
At the end of the day, the Washington D.C. election board should be applauded for its openness which – though unconventional – helped highlight the fact that necessary IT security controls were missing.