California moves to lock down e-voting systems
Controls on three companies' offerings; ES&S decertified
IDG News Service - California's secretary of State has mandated tough new security standards for the state's e-voting systems and curtailed their use, following an independent review of the technology.
"Citizens do not have confidence that elections have been fairly decided because they don't have faith in the integrity of the tools," said Secretary of State Debra Bowen during a midnight conference call, late Friday night.
The state will still allow the use of e-voting systems manufactured by Diebold Election Systems Inc. and Sequoia Voting Systems Inc., but under strict new conditions. Polling stations will not be allowed to have more than one of the Diebold AccuVote-TSx and Sequoia Edge Model systems in place, and county registrars will have to do things like reinstall the devices' software and firmware, reset the machine's encryption keys, and take new measures to prevent physical access to the systems.
Similar security measures are now mandated for Hart InterCivic Inc.'s voting systems, but without the single-machine limitation.
Systems from a fourth e-voting system maker, Election Systems & Software Inc. (ES&S), were decertified after ES&S was late in providing access to its products. The ES&S InkaVote Plus systems, which are used in Los Angeles County, are now being evaluated and could be approved for use in the February 2008 election, the secretary of State said in a statement released after the conference call.
California's review of e-voting has been a rushed affair, since it was kicked off in early May. That's because the state subsequently moved its upcoming presidential primary vote ahead by four months, to Feb. 5, 2008. State law requires that county registrars be given six months notice on any decertification of voting systems, forcing Bowen to come up with decisions by Friday, earlier than she had first anticipated.
E-voting systems were used by between a quarter and a third of California's 8.9 million voters in last November's election, the secretary of State said.
The order comes just days after the release of a state-sponsored review of California's e-voting machines. Led by the University of California, several teams of researchers evaluated the security, accessibility and usability of voting machines. Part of the review was an unprecedented study of the source code of the software used by the state's voting machines.
The researchers' findings were not encouraging for backers of the current electronic voting systems. A "red team" of penetration testers found 15 security problems in the devices. For example, researchers were able to exploit bugs in the Windows operating system used by the Diebold GEMS election management system to circumvent the system's audit logs and directly access data on the machine. They were able to get a similar level of access to Sequoia WinEDS data as well.
Testers were also able to overwrite firmware, bypass locks on the systems, forge voter cards, and even secretly install a wireless device on the back of a GEMS server.
A source-code review, released earlier this week, found problems in all three e-voting systems it evaluated, noting that Diebold's systems were subject to a virus attack.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts