Princeton Report Rips N.J. E-Voting Machines as Easily Hackable
Computerworld (10/27/08) Weiss, Todd R.
Electronic-voting machines used in New Jersey and elsewhere are unreliable and potentially prone to hacking, concludes a new report from Princeton University and other groups. The 158-page report was ordered by a New Jersey judge as part of an ongoing dispute over the machines.
The e-voting machines can be “easily hacked” in about seven minutes by anyone with basic computer knowledge, according to the report. The vulnerability could enable fraudulent firmware to steal votes from one candidate and give them to another. The machines can be hacked by installing fraudulent software contained in a replacement chip that can be installed on the main circuit board, which would be very difficult to detect, the report says.
The major problem is that there are numerous opportunities in the storage, distribution, and deployment of the machines where an unauthorized person could access and manipulate them without being detected. Princeton University Andrew Appel, one of the authors of the report, says that such vulnerabilities cast doubts about the accuracy and reliability of the machines.
A group of public interest organizations are plaintiffs in a lawsuit against the state of New Jersey, arguing that the machines should be discarded because they cannot meet state election law requirements for security and accuracy. State officials who support the machines say they are adequate for the job.
I think it’s interesting that I immediately think that the Republicans would hack the voting machines. Leftover Watergate paranoia bias?
A Photo That Can Steal Your Online Credentials
IDG News Service (08/01/08) McMillan, Robert
Researchers at the Black Hat computer security conference in Las Vegas next week will demonstrate an attack that could steal online credentials from users of popular Web sites. The attack uses a new type of hybrid software file the researchers have dubbed a GIFAR. By placing the file on Web sites that allow users to upload images, the researchers can circumvent security precautions and take over the Web page users’ accounts.
GS Software’s John Heasman says the GIFAR is a Java applet in the form of an image. GIFAR is a contraction of the graphics interchange format (GIF) and Java Archive (JAR), the two file types that make up the applet. The researchers will demonstrate how to create the GIFAR, while omitting a few details to prevent it from being used for a widespread attack. To a Web server, the file looks exactly like a GIF file, but a browser’s Java virtual machine will open the file like a JAR file and run it as an applet, giving the attacker an opportunity to run Java code on the victim’s browser, which treats the applet as though it was written by the Web site’s developers.
The researchers say the attack could work on any site that allows users to upload files, possibly even sites that are used to upload banking card photos or sites such as Amazon.com. The GIFAR attack can be prevented by improving filtering tools so Web sites can detect the hybrid files, and Sun could also improve the Java runtime environment.
I actually had a couple of those show up as followers, but it was easy to tell they were spam so I just blocked them. But I can see if you had a lot of followers (6,000 as opposed to 16, like me) it would be easier to miss and a lot more time consuming.
Reprinted from Crypto-Gram, by Bruce Schneier [schneier@SCHNEIER.COM]
On April 27, 2007, Estonia was attacked in cyberspace. Following a
diplomatic incident with Russia about the relocation of a Soviet World
War II memorial, the networks of many Estonian organizations, including
the Estonian parliament, banks, ministries, newspapers and broadcasters,
were attacked and — in many cases — shut down. Estonia was quick to
blame Russia, which was equally quick to deny any involvement.
It was hyped as the first cyberwar: Russia attacking Estonia in
cyberspace. But nearly a year later, evidence that the Russian
government was involved in the denial-of-service attacks still hasn’t
emerged. Though Russian hackers were indisputably the major instigators
of the attack, the only individuals positively identified have been
young ethnic Russians living inside Estonia, who were pissed off over
the statue incident.
You know you’ve got a problem when you can’t tell a hostile attack by
another nation from bored kids with an axe to grind.
This article goes on for another 4 pages but if you’re interested, you can read the rest of it on Bruce’s blog, at http://www.schneier.com/crypto-gram-0805.html
Front page for Crypto-Gram: http://www.schneier.com/crypto-gram.html