New Security Woes for E-Vote Firm
By Brian McWilliams Aug. 07, 2003 Link(active as of 10/28/06): http://www.wired.com/news/privacy/0,1848,59925,00.html Following an embarrassing leak of its proprietary software over a file transfer protocol site last January, the inner workings of Diebold Election Systems have again been laid bare. A hacker has come forward with evidence that he broke the security of a private Web server operated by the embattled e-vote vendor, and made off last spring with Diebold's internal discussion-list archives, a software bug database and more software. The unidentified attacker provided Wired News with an archive containing 1.8 GB of files apparently taken March 2 from a site referred to by the Ohio-based company as its "staff website." Representatives of Diebold Election Systems, one of the largest electronic voting systems vendors with more than 33,000 machines in service around the country, said the company is still investigating the security breach and reviewing the contents of the archive. Director of Communications John Kristoff said the stolen files contained "sensitive" information, but he said Diebold is confident that the company's electronic voting system software has not been tampered with. "Thus far we haven't seen anything that would be of use to anyone trying to affect the outcome of an election," he said. But experts said the appearance of the archive of purloined files from the staff site raises new questions about Diebold's attention to the security of its intellectual property. "They claim they keep everything secure, but this shows the lax nature of their procedures. This just blatantly flies in the face of good security," said Rebecca Mercuri, a computer science professor at Bryn Mawr College who opposes the use of electronic voting systems. The anonymous attacker said he broke into the Diebold staff site, which was located at https://staff.dieboldes.com, after reading in January about how unauthorized outsiders had copied source code and documentation from an insecure FTP site operated by the company at the Internet address ftp://ftp.gesn.com. "In a few short minutes I had access to their replacement for the FTP site, their 'secure' web," wrote the hacker. Last month, researchers at Johns Hopkins University used source code from the FTP site to publish an analysis of what they claimed were serious security problems in Diebold's AccuVote-TS voting terminal. Diebold attempted last week to rebut (PDF) the researchers' charges. The archive of internal Diebold Election Systems mailing lists taken from the staff site includes thousands of messages dating from January 1999 through March 2003. The lists contained internal company discussions of product support issues, new software announcements and general company announcements. "We do not believe there is any real security threat, but perception matters a great deal in this business!" wrote Pat Green, Diebold Election Systems' director of research and development, in a Feb. 7 message to the company's "support" discussion list. Green was announcing the temporary shutdown of the Diebold staff site. Two days before, on Feb. 5, activist Bev Harris detailed in an article at New Zealand news site called Scoop how she had freely accessed thousands of files from Diebold's FTP server. The hacker did not reveal how he subsequently breached the security of the Diebold staff site, which used SSL encryption. The file archive included source code to a login page that included a March 2 welcome message to one of the firm's election support specialists, suggesting the attacker may have compromised the employee's account. Judging from internal mailing list discussions, Diebold management was either unaware of proper information security practices, or chose to ignore them out of expediency, experts said. "There is no sane reason to put the corporate jewels on an Internet-facing server. They were basically asking to be hacked," said Jeff Stutzman, CEO of ZNQ3, a provider of information security services. "This is the kind of behavior you expect of a startup company that's only concerned about selling their first product." But Kristoff said the staff server housed only compiled, executable programs, and not the raw source code to Diebold's election systems. He said it was "an oversight" that source code was available to the public from the FTP server in January. The Diebold discussion-list archives included other warnings of potential security problems. In May 2000, Diebold Election Systems' systems engineer manager Talbot Iredale posted a message to the support list chiding employees for placing software files on the special "customer" section of the FTP site without password-protecting them. That section of the site was created for delivering program updates and other files to election officials and other customers. "This potentially gives the software away to whom ever (sic) wants it," wrote Iredale. On Dec. 2 last year, Diebold Election Systems' webmaster Joshua Gardner announced to the list that the FTP site finally was being eliminated and replaced by the staff site. Gardner explained that the FTP site had been "accessible to the outside world with no restrictions on access, and no provisions for logging user activity. FTP was a security risk, and I have shut it down for this reason." Yet nearly eight weeks later, Internet users apparently still were able to access the FTP site without a password and to download proprietary software and manuals. Kristoff said Diebold has shut down the FTP and staff sites, and the company no longer provides customers or field personnel with access to Diebold software over the Internet. Instead, software and proprietary data has been distributed by CD-ROM since January, he said. Even if unauthorized individuals were able to access and modify voting system source code, some e-voting experts downplay the impact of such theoretical threats. After the earlier problems at Diebold's FTP site, Brit Williams of the Center for Election Systems at Kennesaw State University published a report last April noting (PDF) that some states, such as Georgia, carefully review source code prior to use in electronic voting systems. But Stutzman said Diebold's Internet security problems necessitate that the company hire a "Big Five-caliber" firm to conduct a thorough inspection of its software code, and to insure that malicious outsiders have not tampered with it. "To gain credibility back, they - have to do a line-by-line audit to make sure that their intellectual property is still sound," said Stutzman.