Thursday, July 18, 2013

Student Election Hack – Is it a Bad Omen for Internet Voting?



Does the Cal State San Marcos class president election hack mean that Americans should fear Internet voting? Not if you think critically about it.

Facts:
Matthew Weaver, 22, pleaded guilty* to wire fraud, access device fraud, and unauthorized access to a computer. He was sentenced to a year in prison. His crime was to plug keylogging devises into 19 school computers. The devises record computer user's keystrokes without the user's knowledge. Thus he stole the email passwords of more than 740 students. He used this information to vote for himself 630 times during the online student elections in March 2012.

Votes had to be cast from campus computers. Network administrators noticed all the voting activity from one computer. They quickly notified school police, who nabbed Weaver in the act.

Implications:
This news report has fired up David Jefferson’s flare for spinning scary stories. He warns ominously, on the Election Law Blog, that “In a high stakes public election we will not be so lucky [as to catch the crook in the act].”

“Had this been a public election conducted via Internet voting, it would have been much more difficult to identify any problem or to capture the perpetrator, [because] people would vote from their own private PCs.”

Well, that is scary! But how would the crime be carried out? Consider how many votes a crook would have to control to win a presidential election.  In 2012, Obama beat Romney by roughly 4,000,000 votes.  As a comment below reminds us, to win a majority of Electoral votes, a hacker using Weaver’s technique would have to control tens of thousands of votes. Obviously, a guy like Weaver couldn’t run around plugging keylogging devices into that many computers to steal log on info. So, how would it be done?

Leaving his readers hanging, Jefferson skips any detailed discussion of how a crook could steal an online presidential, or other public, election.

Instead, he creatively imagines that if Weaver had “used one of his keylogging devices to capture the password of a system administrator” Weaver could have “then used that password to install keylogger software on other campus computers to capture the students’ passwords.”

Jefferson omits mentioning how Weaver would gain access to the administrator’s computer so he could plug in the devise. Maybe Weaver could don a custodian disguise, and plug it in while pretending to clean the office.

Anyway, Weaver would have had to return to the office to retrieve his device so that he could take it home to download the password. 

Details aside, after Weaver installs his keylogging software into the school network, he has to hope that nobody checks the network event logs before the election. The logs would show the activity, and an alert administrator would remove the software.

Imagination on fire, Jefferson then declares that Weaver didn’t have to cast votes one at a time; instead, he “could have run a program to automate the casting of all of those phony votes.” Of course!

But wait, what if the voting website had a challenge/response authentication mechanism. Weaver’s voting program couldn’t copy words or add numbers automatically. All his efforts would have been for naught. But let us imagine that he could get past this little security challenge. The network administrator would still see the spike in activity coming from one IP address. That signal could be blocked, and could also be traced back to Weaver.

Lesson: 
Jefferson spins a chilling tale, but it requires his readers to suspend their critical faculties to be affective. Is that what you want to do?

PS
Good news! Obama’s Commission on Election Reform has posted my recent scholarly paper on Internet Voting!

The paper recounts the history of Internet voting in the USA, and shows how NIST has misled Congress and the American people about online voting insecurity. I take the same practical approach there that I did here in this blog post.

Also, my book, Internet Voting Now, is listed in the “Research Bibliography” provided to the Commission by CalTec/MIT.

William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Twitter: wjkno1

Author of Internet Voting Now! 
Kindle edition: http://tinyurl.com/IntV-Now

* ABC News -




7 comments:

Anonymous said...

Obama vs Romney was in 2012*

Anonymous said...

Mr. Kelleher makes an elementary blunder in material that he, as a political scientist, really should understand. He says that “To win a presidential election, the crook would have to control millions of votes. In 2010 [sic] Obama beat Romney by 4,000,000 votes.” Mr. Kelleher should remember that in 2000 if a crook flipped a few hundred votes in Florida it would have flipped the entire national presidential election. And again in 2004, it would have sufficed to flip about 60,000 votes in Ohio (not millions). A political scientist really should understand that under the Electoral College winner-take-all system the national popular vote margin is a huge overestimate of the number of votes that have to be flipped to change the election outcome.

But before we get to the technical material Mr. Kelleher writes let me refer you to the blog posting I wrote about the Cal State San Marcos election hack that Mr. Kelleher is responding to.

http://electionlawblog.org/?p=53082

Mr. Kelleher ignorantly ridicules the idea that Weaver might use a key logger to capture a sysadmin’s password, thinking he would have to get access to the sysadmin’s computer. But he would not. All he would have to do is induce the sysadmin to log in from any other computer on which Mr. Weaver had installed the key logger. That could be done by the well-known technique of reporting or faking a network problem with that machine and asking for help.

Mr. Kelleher notes that a challenge response/authentication mechanism would have sufficed to stymie Mr. Weaver and by implication attackers of online public elections. Indeed it would make authentication attacks more difficult. But the fact is that there was no challenge/response authentication in this system (except for a password), so his attack in fact could have been easily automated, contrary to Mr. Kelleher’s hypothetical. Nor is challenge/response used in any of the commercial online voting systems intended for public elections. The reason is simple: Any secure challenge/response systems has to be set up in advance at voter registration time with the voter’s active help in constructing nonobvious challenges and responses. Then the voter has to remember how to answer the challenges weeks, months, or years later when it is time to vote. Challenge/response systems are thus not practical authentication systems for voting, and are generally used in other online systems only as a backup method for password recovery, not as a primary authentication mechanism. Challenge/response systems are fraught with many difficulties that Mr. Kelleher is apparently not aware of, but which would take too much space here to explain.

Strong, practical, remote authentication of the users of online systems, especially online voting systems, is a very difficult and unsolved security problem. And it just one of many on the list of profound security that have to be solved before online voting can be made secure. That list also includes; client side malware, fake voting clients, server penetration attacks, distributed denial of service, insider attacks, automated vote buying, and numerous others.

Mr Weaver’s attack was not like those that will occur if Internet voting is used in public elections. He was thwarted because (1) he was voting from a machine controlled by university IT personnel so that they were both able to notice unusual activity in real time; (2) they were actually able to spy on him remotely in real time as he was casting phony votes; and (3) he was physically local, so a police officer could immediately be dispatched to arrest him red handed while he was still casting phony votes, in the commission of a felony, with therefore no need for a warrant to find additional evidence in his pocket that was full of key loggers! None of these fortunate facts will apply in a real attack on an online public election.

David Jefferson

William J. Kelleher, Ph.D. said...

OK, Mr. Jefferson scores one point for noting that ‘millions’ of votes aren’t needed to win a close presidential election, only tens of thousands. Actually, my paper, the one posted by Obama’s Commission on Election Reform, gives the kind of sophisticated political science analysis of the issue, which can’t be done in the space of a blog post. I discuss the practicalities of cheating in a presidential election based on Internet voting. (Check it out, Dave, and comment on that!)

Maybe I can score a point here: Mr. Jefferson writes, “Any secure challenge/response systems [sic] has to be set up in advance at voter registration time with the voter’s active help in constructing nonobvious challenges and responses. Then the voter has to remember how to answer the challenges weeks, months, or years later when it is time to vote.”

Well, not exactly. Wikipedia says, “Challenge-response protocols are also used to assert things other than knowledge of a secret value. CAPTCHAs, for example, are a sort of variant on the Turing test, meant to determine whether a viewer of a Web application is a real person. The challenge sent to the viewer is a distorted image of some text, and the viewer responds by typing in that text. The distortion is designed to make automated optical character recognition (OCR) difficult and preventing a computer program from passing as a human.”

http://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication

Ed Dickau said...

This is so simplistic as to be unworthy of any serious read. A massive assault on internet voting can and would be conducted by hacking means that do not reach public discussion or revelation!

Online voting said...

I think you focused very good topic. It is just one of numerous on the register of deep security that have to be solved before online voting can be made secure.

Anonymous said...

You made some good points there. I checked on the web for additional information about the issue and found most
individuals will go along with your views on this web site.



my web page; instant background checks

Antonio Duval said...

The fraudster in the instant case, Mr. Weaver, would never have been able to succeed in compromising even one vote using his method had he been facing but a few of the security elements found in truly secure online voting systems.

Secure systems use Public Key Cryptography (AKA Asymetric Cryptography), which would have thwarted Mr. Weaver. Secure systems also employ unique codes for each candidate, provided to each voter in advance. These codes are used as the voter casts his ballot, and the system texts the codes back to the voter's cell phone upon receipt of his vote, confirming for the voter that his vote was not only received, but cast for the candidate of his choice.

There are several other layers of security that are employed in truly secure voting systems which would have defeated a fraudster who was vastly more sophisticated than the rather primitive Mr. Weaver. These are too many and too technical to discuss here.

My name is Antonio Duval, Jr., and as the founder of iVoteUS.com, I am a fervent advocate of online voting.

iVoteUS.com is developing a phone app that is a politics/elections/voting wizard, and the first step to realization of online voting in the near future.

You can watch a video demonstration of our app on Vimeo or Youtube at:

http://vimeo.com/user13051560/voteonline

http://www.youtube.com/watch?feature=player_detailpage&v=1pxSUo9qjSc


Antonio Duval, Jr.