Information Security News: Officials Probing Possible Theft of Voting Software in Md.

[InfoSec News <alerts () infosecnews org>]

http://www.washingtonpost.com/wp-dyn/content/article/2006/10/19/AR2006101901818.html

By Cameron W. Barr
Washington Post Staff Writer
October 20, 2006

The FBI is investigating the possible theft of software developed by the 
nation's leading maker of electronic voting equipment, said a former 
Maryland legislator who this week received three computer disks that 
apparently contain key portions of programs created by Diebold Election 
Systems.

Cheryl C. Kagan, a former Democratic delegate who has long questioned 
the security of electronic voting systems, said the disks were delivered 
anonymously to her office in Olney on Tuesday and that the FBI contacted 
her yesterday. The package contained an unsigned letter critical of 
Maryland State Board of Elections Administrator Linda H. Lamone that 
said the disks were "right from SBE" and had been "accidentally picked 
up."

Lamone's deputy, Ross Goldstein, said "they were not our disks," but he 
acknowledged that the software was used in Maryland in the 2004 
elections. Diebold said in a statement last night that it had never 
created or received the disks.

The disks bear the logos of two testing companies that send such disks 
to the Maryland board after using the software to conduct tests on 
Diebold equipment. A Ciber Inc. spokeswoman said the disks had not come 
from Ciber, and Wyle Laboratories Inc. said it was not missing any 
disks.

Diebold spokesman Mark Radke and Goldstein said that the labels on the 
disks referred to versions of the software that are no longer in use in 
Maryland, although the Diebold statement said the version of one program 
apparently stored on the disks is still in use in "a limited number of 
jurisdictions" and is protected by encryption. The statement also said 
the FBI is investigating the disks' chain of custody.

Michelle Crnkovich, an FBI spokeswoman in Baltimore, said she had no 
knowledge of an investigation.

In an unrelated development, Maryland state auditors said in a report 
yesterday that the State Board of Elections is not properly controlling 
access to a new statewide database of registered voters or verifying 
what changes are made to it. The report comes at a time of heightened 
concern over the security and effectiveness of electronic voting 
systems.

Legislative auditor Bruce Myers said it was unusual to allow 
"across-the-board access" by local election officials to a sensitive 
database, but Lamone defended the board's practices. In a letter 
released with the Office of Legislative Audits report, she wrote that 
the board "is unaware of any allegations of the falsification of 
additions or deletions to the system."

The FBI investigation into the disks could focus further scrutiny on the 
security of Maryland's electronic voting system.

The disks delivered to Kagan's office bear labels indicating that they 
hold "source code" -- the instructions that constitute the core of a 
software program -- for Diebold's Ballot Station and Global Election 
Management System (GEMS) programs. The former guides the operation of 
the company's touch-screen voting machines; the latter is in part a 
tabulation program used to tally votes after an election.

Three years ago, Diebold was embarrassed when an activist obtained some 
of its confidential software by searching the Internet. The company 
vowed to improve its security procedures to prevent another lapse.

The release of such software poses a risk, computer scientists say, 
because it could allow someone to discover security vulnerabilities or 
to write a virus that could be used to manipulate election results.

In September, computer scientists at Princeton University who had 
obtained a Diebold voting machine demonstrated how a program they had 
created could secretly alter the votes cast on the machine. Diebold 
President Dave Byrd called the demonstration "unrealistic and 
inaccurate" and said it ignored the "physical security" measures used to 
safeguard voting machines.

The Washington Post obtained copies of the disks Wednesday and allowed 
Avi Rubin, a computer scientist at Johns Hopkins University, along with 
a colleague and a graduate student, to review the software on the 
condition that they make no copies of it.

"I would be stunned if it's not real," Rubin said.

Rubin, who has said that electronic voting systems that do not produce a 
paper record of each vote cannot be secured, led a team that produced an 
analysis that pointed out security vulnerabilities in the Diebold 
software found on the Internet in 2003.

Sam Small, the graduate student, said the version of Ballot Station "was 
consistent with what we've seen previously." Small could not gain access 
to the GEMS software because the material on two of the disks was 
protected by a password.

Radke, the Diebold spokesman, said the versions of Ballot Station 
released since the version identified on the disks have many new 
security features. The Diebold statement said "it would take years for a 
knowledgeable scientist" to break the encryption used on the software 
apparently contained on the disks delivered to Kagan. But Rubin said 
"the data and files were not encrypted" on the Ballot Station disk he 
reviewed.

The Office of Legislative Audits report also said the Maryland elections 
board has paid bills submitted by contractors without proper 
documentation and has not taken appropriate steps to safeguard its 
computer network and Web site.

Lamone said, "It seems inappropriate to base findings on a partially 
implemented system," referring to the new MDVOTERS database, which 
Maryland has established to comply with federal law.

She said it is appropriate for local election workers to have access to 
the database and said procedures are in place to verify changes. Lamone 
concurred with the auditors' criticism of her staff's accounting 
practices and said they had "obtained nearly all necessary 
documentation" for contractors' bills.

Providing the sort of local oversight envisioned by the auditors, she 
said, "simply cannot be conducted with existing resources."

Staff writer Eric Rich contributed to this report.

Copyright 2006 The Washington Post Company


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org