Q&A: E-voting systems hacker sees ¿particularly bad' security issues
Herbert Thompson took part in a hacking of Diebold voting equipment last year
Computerworld - When Herbert Thompson, director of research at Wilmington, Mass.-based Security Innovation, talks about e-voting security, he speaks from firsthand experience. Security Innovation conducts security testing and Thompson is the co-author of several books, including How to Break Software Security. He volunteered to use his expertise in tests to determine whether it's possible to hack electronic voting gear last May and again last month in Leon County, Fla. With fellow security expert Harri Hursti, Thompson took part in the hacking of an optical scan system made by Diebold Elections Systems Inc., allegedly proving that election results could be changed.
Thompson spoke recently with Computerworld about e-voting reliability. Diebold declined to make anyone available for an interview on the topic, but a spokesman dismissed the concerns raised by Thompson. Diebold's response follows Thompson's comments below.
Can you tell us about some of your e-voting machine hacking activities? On Tuesday, Dec. 13, we conducted a hack of the Diebold AccuVote optical scan device. I wrote a five-line script in Visual Basic that would allow you to go into the central tabulator and change any vote total you wanted, leaving no logs. It requires physical access to a machine, which in many counties isn't very difficult to get -- you have elections offices full of volunteers. In Leon County, they have good policies and procedures in place. But in many counties, where such awareness doesn't exist, that brings up some serious concerns about someone being able to tamper with the results.
Harri Hursti changed the contents of a memory card used in the optical scan device and preloaded it. During the [pre-election testing] procedure, it will tell you there are no votes on the card, but there is executable content on it. If you can get access to the memory card, you can change its logic and have it do whatever you want -- even print a smiley face. That hack was like prestuffing a ballot box to handicap one candidate by giving them negative votes and giving another positive ones.
Is e-voting security a political issue? I'm strictly an independent person donating my time. It's not political. Bad software is the issue. I'm a software security guy. I see a lot of bad software. All software has security vulnerability -- this is just particularly bad. As an election official, you have to be wary when touching a tabulator or a memory card, it has to be treated like a box of live ballots.
Diebold has claimed that the hacks have been unfair. Your response?



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- Protecting Point of Sale Systems from Targeted Attack
- If you are responsible for protecting retail systems, download this case study to learn how this retailer eliminated the threat of malware on...
- From the Frontline - Preventing APT
- Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
- Stop Hackers Before They Attack
- Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
- The four rules of complete web protection
- As an IT manager you've always known the web is a dangerous place. But with infections growing and the demands on your time... All Cybercrime and Hacking White Papers
- WikiLeaks: How am I Affected?
- The latest WikiLeaks episode has raised questions about how organizations and governments protect their sensitive information. While this incident was isolated, it has...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Cybercrime and Hacking Webcasts