RISKS Digest 28.23

Thursday 28 August 2014

Why Internet voting is a very dangerous idea

Marc Ambinder via PGN <>

Date: Thu, 28 Aug 2014 15:11:47 PDT

Marc Ambinder: *The Week*, 28 Aug 2014

Unless you're one of those ornery folks who believe that only politically engaged Americans should vote, there aren't many good reasons to oppose efforts to expand access to the ballot. Voter fraud is quite rare, and voting fraud—an organized effort to illegally disrupt elections—is hard to organize. So you might think that any restriction on the way someone can vote will unfairly marginalize potentially legitimate voters.

That's true, with one big exception: Internet voting.

No doubt—nationwide Internet voting has an intuitive appeal. It would decrease the costs of elections. It would dramatically increase turn-out. It would allow marginalized communities to avoid harassment at polling sites. It would speed the vote count. A majority of voters regularly endorse the idea.

There are two main reasons, though, why Internet voting is, at best, a dream best realized 20 years in the future—if ever.

The Internet is not secure. It does not matter whether results are sent to an air-gapped system, because there's plenty of technologies that jump air-gaps, and we know that big governments (like ours) use them to spy.

It does not matter whether complicated identification schemes involving fingerprints and complex PINs are used to verify identities. Every end of the system is vulnerable to cyber-attack; the browsers, the software, the processing, and even the commands you type into the computer to register to vote. Man-on-the-side attacks, spoof ballots, denial-of-service attacks -- there is absolutely no way to create a closed system that would filter out bad code.

It does not matter whether previous (small-scale) experiments have been successful. An American Internet election would be a ripe target for hackers belonging to nation-states, criminal gangs, and all sorts of people who spend their days looking for the latest vulnerability to exploit.(How many times has Microsoft had to update Internet Explorer to fix a major bug in the past two years? What confidence could you possibly have?)

It's hard to steal elections conducted in person or with ballots printed on something that isn't made up of invisible electronic bits. It would be much easier to steal, alter, or influence elections that are conducted online. Technology may never advance to the point where our online transactions are safe enough. For some activities, like online shopping, we're willing to allow a margin for error. If someone steals our credit card number and uses it to make online purchases, we'll probably discover it quickly. We gossip about friends because we're pretty sure that they're not going to hack into our caches. We conduct politics online because if someone hijacks our identity, we can get the word out quickly.

Voting, however, is more intrinsically sacred than e-commerce, and really, any of these other activities. There would not be any way to know whether a virus or a hacker changed your vote after you voted, even if you were able to print out a receipt for your vote at home and turn that in for later auditing.

Bubble-in optical scan-voting systems are vulnerable to hacking, but the paper ballot remains intact. You can screw with the computers that read the ballots and screw with the software that counts them, but you can't change the laws of physics, unless you somehow steal paper ballots in advance and treat them with magic disappearing ink that would...actually, I can't come up with even a fanciful way for an election using optically scanned ballots to be stolen or fudged on a massive scale. That's why election supervisors who know their stuff tend to want to use them.

Security is the major concern, but access is another. Until almost every eligible voter has equal access to a computer, Internet voting would raise the political power of the connected majority over the non-networked minority; the richer over the poorer, the people who would still have to send in a mail-in ballot or travel to a polling location. Unless the advent of Internet voting were accompanied somehow by a mass online enfranchisement, the vote would be unforgivably skewed, and skewed against those who are traditionally screwed by obstacles to voting anyway.

For some small groups, Internet voting makes sense. Military computer networks tend to be harder to hack than the regular old Internet, and without some type of Internet-based balloting, a large number of registered voters overseas might be disenfranchised. Even here, though, the Internet is best used to facilitate the distribution of ballots, but not necessarily to receive them or send them back to be counted.

With Internet voting, elections could be stolen even before they were held.

Denmark's most devastating hacker attack

zapkatakonk1943 <>

Date: Thu, 28 Aug 2014 12:27:16 +0200

Denmark's most devastating hacker attack could have been prevented from escalating if the national police Rigspolitiet and the IT company CSC had reacted to a critical report by Deloitte in June 2012, Politiken reports.

By the time Deloitte had warned authorities that their systems were sensitive to cybercrime, hackers had already gained access to personal data from the driving licence database and a register of wanted persons in the Schengen Region.

Over a period lasting at least four and half months in 2012, the hackers stole four million Danish driving licence ID numbers from the police database. However, it took a tip-off from the Swedish authorities nine months later, in March 2013, before the Danish police and CSC realised the seriousness of the case.

dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund Denmark Tel. +45-3331 2581

JPMorgan and Other Banks Struck by Cyberattack

Monty Solomon <>

Date: Wed, 27 Aug 2014 23:49:33 -0400

The hackers stole gigabytes of data, including account information. It is not yet clear if the attacks were financially motivated or part of a cyberespionage campaign.

[PGN mutters once again, why is it that almost every computer-based system is innately vulnerable to attack/misuse/compromise/..., whereas governmental coercion would like to have additional backdoors in everything? When is "good" security really good enough? The answer seems to be NEVER, and this suggests we are in real trouble for the indefinite future. Stay tuned to RISKS for more of the same in reporting such items, REPEATEDLY. Your frustrated moderator regrets that so much of the Risks Forum has devolved into sad tales of security woe.]

Feds warn first responders of dangerous hacking tool: Google Search

Sean Gallagher <>

Date: Aug 27, 2014 7:47 PM

Sean Gallagher, Ars Technica, 27 Aug 2014

In a restricted intelligence document distributed to police, public safety, and security organizations in July, the Department of Homeland Security warned of a malicious activity that could expose secrets and security vulnerabilities in organizations' information systems. The name of that activity: *Google dorking*.

“Malicious cyber actors are using advanced search techniques, referred to as Google Dorking, to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,'' the for-official-use-only Roll Call Release warned. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.''

That's right, if you're using advanced operators for search on Google, such as or filetype:xls, you're behaving like a `malicious cyber actor'. Some organizations will react to you accessing information they thought was hidden as if you were a cybercriminal, as reporters at Scripps found out last year. Those individuals were accused of `hacking' the website of free cellphone provider TerraCom after discovering sensitive customer data openly accessible from the Internet via a Google search and an “automated “ hacking tool: GNU's Wget.

But this warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites' security. Local police departments have increasingly become the target of `hacktivists'. Recent examples include attacks on the Albuquerque Police Department's network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.

Bad queries

It's true that Google hacking, or `dorking', has been used by hackers and penetration testers for years. Just as the National Security Agency can use its XKeyscore surveillance data as a targeting system for more intrusive attacks on intelligence targets, hackers can use Google to find and target vulnerable sites—including ones where the work of hacking has already been done for them. A single query based on the signature of a common PHP-based `shell' malware can be used as a backdoor to access the operating system of affected websites. This search turns up a list of two dozen sites that have been hacked with the backdoor left open-most of them in Russia and Romania.

David Helkowski, the consultant who hacked the University of Maryland's website and gained access to personal data in a university database, told Ars that he used Google advanced search to discover pages within UMD sites that allowed arbitrary Web executable files to be uploaded to them. Google searches allowed him to discover exploits that pre-existed on the site. ...

"Microsoft ships replacement patch KB 2993651 with two known bugs"

Woody Leonhard via Gene Wirchenko <>

Date: Thu, 28 Aug 2014 11:36:01 -0700

[I am still running windows XP. The doom that we XP users were going to face does not seem to have materialised. However, on the Windows 8 front, it appears to be rather more exciting.]

Woody Leonhard | InfoWorld, 28 Aug 2014 Microsoft re-releases botched MS14-045/KB 2982791 'Blue Screen 0x50' patch, buries tip to manually uninstall first patch, and introduces more problems.

Stealing Encryption Keys Through the Power of Touch

Peter Bright <>

Date: Wed, 27 Aug 2014 12:13:30 -0400 (EDT)

Peter Bright, Ars Technica, 21 Aug 2014 via ACM TechNews; Wednesday, August 27, 2014

Tel Aviv University researchers have demonstrated a side-channel attack against the GnuPG encryption software that enables them to access decryption keys by touching exposed metal parts of laptop computers. The metal parts of a laptop, such as the shielding around a USB port, are notionally all at a common ground level, but this level undergoes tiny fluctuations due to the electric fields within the laptop. These variations can be measured, and this can be used to leak information about encryption keys. Although this measurement has been demonstrated by directly attaching a digitizer to a metal part of the laptop, the researchers showed they could retrieve information with connections at the far end of shielded USB, VGA, and Ethernet connections. They also demonstrated that a person in contact with metal parts of the laptop can in turn be connected to a digitizer, and the voltage fluctuations can be measured, a technique that works better in hot weather because of the lower resistance of sweaty fingers. The researchers reported their findings to the GnuPG developers, and the software has been modified to reduce some of the information leaked this way. However, even with the alteration, the software is not immune to this side-channel attack, and different encryption keys can be distinguished from one another.

The Future Could Work, if We Let It

Matthew Kruk <>

Date: Thu, 28 Aug 2014 03:09:22 -0600

Leaving Money and Privacy on the Table

Adam Tanner via Monty Solomon <>

Date: Wed, 27 Aug 2014 23:59:39 -0400

Adam Tanner's “What Stays in Vegas'' looks at online data mining, how companies collect personal information to remain competitive and where invasion of privacy begins.

Why zero-day bounties won't secure the Internet

Henry Baker <>

Date: Thu, 28 Aug 2014 08:22:19 -0700

FYI—"nothing backfires quite like a bounty"

"Bounties" for zero days and bugs not only won't work, *they will make the problem much, much worse,* and bounty proposals only serve to demonstrate the folly of ignoring history. Bounties have been well-studied by economists under the terms "Cobra Effect", "Perverse Incentive" and "Moral Hazard", and the results aren't pretty.

The "Freakonomics" radio show & podcast did the best presentation of these issues, and I highly recommend listening to it, rather than reading the transcript (omitted here by PGN—much too long for RISKS).

The Cobra Effect: A New Freakonomics Radio Podcast Stephen J. Dubner, 11 Oct 2012

[... rest truncated ... PGN]

Regarding Tesla's cash cow

danny burstein <>

Date: Wed, 27 Aug 2014 18:59:22 -0400 (EDT)

All of us watching the encroachment of solar power into the electrical grid are well aware of the very serious problem they have. Aside from the general economic issue, the big concern is that solar power is intermittent and can cut out at any second.

Utilities *must* be able to supply the electrical demand at the exact moment customers call for it. Hence the huge incentives they provide to customers (for example, hospitals) with "emergency generators" to turn on their own power plants at 3 pm on a hot summer day, and, so to speak, "drop off" the grid.

The next step in the process is when utilities pay the hospitals (again, just one simple example) additional money if they have extra generation capacity and can actually backfeed into the grid at those peak demand periods. Or the similar hefty payouts to companies with quick-action (and highly polluting) "peaking" generators.

This fluctuation and need for quick power adjustments becomes even more critical when the base generating supply is intermittent, like, well, with solar and wind.

The utilities would love it if every home had a 25 kw-hr battery pack in the garage which they could charge up (with an associated bill, of course) with lots of power during low demand periods (say, 2 am), give them a slow charge at modest demand periods (say, 10 am), and cut back to zero at high demand (that aforementioned 3 pm on a hot summer day). They'd drool over the added option to not only stop pumping in the electrons at 3 pm, but to also draw them back.

However, just the "shut off" choice, without the withdrawal, would make them smile with glee.

So Mr. Musk, where's my payoff for supplying the utilities with that big storage battery? Where's their handout to my community for the 1,000 batteries, or 25 megawatt-hours, of storage? Why should your company and the utilities get all the payouts?

Baker's doesn't?

via PGN <>

Date: Wed, 27 Aug 2014 16:51:56 PDT

One of our regular readers offered these comments on Henry's item Henry Baker quotes:

> "the 40,000 Tesla vehicles already on the US roads contain about > 3.3 gigawatts of storage capacity..."

Wrong unit. If they were gasoline-fueled vehicles, he'd be describing the size of the fuel tank in gallons per hour.

[Henry's curious gigawatt analogy was also noted by danny. PGN]

Henry then writes: > I encourage Professor Norman to get involved in taking back the Internet > where we all live and work, and to help make it an expression of a free and > democratic society which respects the First, Fourth, Fifth and Fourteenth > Amendments.

The Internet where *I* live has no business respecting *any* part of the US Constitution. Especially the Second Amendment.