D.C. Web voting flaw could have led to compromised ballots
Flaw in Digital Vote by Mail system let ballots be accessed, modified, replaced
Computerworld - A major security flaw in D.C.'s new Digital Vote by Mail system allowed researchers to access, modify and completely replace marked ballots in the system.
The flaw was discovered by security researchers at the University of Michigan during public tests of the system last week, a discovery that prompted election officials in the District of Columbia to scale back their use of a Web application for overseas voters in next month's elections.
The ability to change ballots was one among several issues discovered during the tests, which are scheduled to go on until the end of this week.
According to Alex Halderman, an assistant professor of computer science at the University of Michigan, the flaw allowed the researchers to access the database username and password and the public key used to encrypt ballots. In addition, researchers found they could install a backdoor on the server for viewing and recording votes and the names of those who cast them, Halderman said in a blog post yesterday.
To show they had complete control of the system, the researchers even tweaked the application so that voters would be greeted with the University of Michigan fight song when they landed on the vote confirmation page.
Halderman described the vulnerability as a shell injection flaw in the ballot upload function. "If this particular problem had not existed, I'm confident that we would have found another way to attack the system," he wrote.
D.C.'s new Digital Vote by Mail system is designed to let military personnel and U.S. civilians who are overseas to receive and cast ballots over the Web using a previously provided PIN to authenticate themselves.
The system is designed to let voters print out a ballot from the Web, fill it out and send it back to their precincts via postal mail. It also allows overseas voters to send a copy of their marked ballot back via e-mail or fax.
A third option would have allowed them to use the Web application to digitally mark the ballot before sending it back in encrypted fashion to election officials in their precincts via the Web.
Following the discovery of the security flaws, officials at D.C.'s Board of Elections and Ethics announced this week that they will not allow voters to use Digital Vote by Mail to send back ballots. While voters can still download ballots via the application, they will need to choose one of the other options to send it back.
Paul Stenbjorn, director of information service for the board, today said that the decision means the most controversial portion of the system will not be used in upcoming elections. Given that election day -- Nov. 2 -- is now less than four weeks away, the board has decided not to allow digital ballot return.
"We have redeployed the public testing, but it is only for the non-controversial half, where voters can download blank ballots," he said. Stenbjorn went on to say that the public testing is being done precisely to uncover the kinds of issues discovered by the researchers.
The system will be available for more testing after this year's elections to weed out all issues and correct them, he said. "Hopefully they can tell us not only what is wrong but help" fix the problems, he said.
D.C.'s Digital Vote by Mail system is one of many that are being implemented around the country in response to the Military and Overseas Voter Empowerment (MOVE) Act of 2009. It is the first, though, to be based entirely on open-source technology.
Digital Vote by Mail is based on software from the Open Source Digital Voting Foundation, a group developing voting systems based on open-source technology. It's written using the Ruby on Rails framework and runs on an Apache Web server and MYSQL database, according to Halderman.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Government IT in Computerworld's Government IT Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
If you use ‘password,’ one the worst passwords, as your password, fail to keep antivirus protection updated and don’t bother to deploy security patches to close critical vulnerabilities, then maybe you should consider working for the cybersecurity-clueless federal government; you’d fit right in, according to Senator Tom Coburn's cybersecurity and critical infrastructure report.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
- This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses
- IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center
- IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results
- Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data
- HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data... All Government IT White Papers
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- All Government IT Webcasts