Information Security News
mailing list archives
Was Halifax’s e-vote hacked?
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 1 Jul 2013 06:12:34 +0000 (UTC)
By Rob Wipond
June 27, 2013
It's been several weeks since I revealed evidence that the online voting
in last fall's municipal elections in Halifax was not secure. Now I'm
starting to wonder, does anyone care? How many people care about defending
our most basic pillar of democracy---our elections?
I obtained the damning documents through an Access to Information request
to the Canadian Cyber Incident Response Centre (CCIRC) of Public Safety
Canada—the federal government agency charged with helping ensure internet
safety. Although the documents were heavily censored, they made clear that
right up until the day before online voting began on October 6, 2012, an
outside security researcher, the CCIRC, the election software vendor
(Scytl) and the Halifax Regional Municipality Elections Office were
grappling with a myriad of security vulnerabilities.
The documents also made clear that, at the time online voting began, only
“some” of those security holes had been in part “mitigated.” Some of the
problems, evidently, were never addressed.
HRM didn’t inform the public about any of this. I asked the CCIRC, Scytl
and the city to provide evidence that the security problems were solved
and the online votes were securely, correctly recorded. The CCIRC and
Scytl declined to answer questions, and the city merely provided a report
by Ernst & Young.
Unfortunately, from a technical standpoint, that Ernst & Young report was
not a security audit, it was a user test. Basically, the city had asked
Ernst & Young to confirm that the election software was functioning, but
not to investigate how easily the system could be hacked or circumvented.
It was like testing to make sure your computer could surf the internet,
but not to see if your computer was protected against hackers or viruses.
So, any reassurances derived from that report are deeply misplaced.
Visit the new and improved InfoSec News website
- Was Halifax’s e-vote hacked? InfoSec News (Jul 01)