[EL] The $45M Hiest from NYC ATMs

wjk wjkellpro at aol.com
Tue May 14 12:55:08 PDT 2013


The following is my rebuttal to David Jefferson's critique of my comments on Internet voting security vs. the Internet connections exploited in the heist. My original post is "Message 1," below, and Mr. Jefferson's critique is "Message 4," below.
 
First, I did not say, or in any way suggest, as Mr. Jefferson says I did, that "some email-related attack may have been the means of penetration" in the heist. I don't know how it was done, and neither does Mr. Jefferson or Mr. Pildes (at least at the time the latter used the heist news to smear online voting).
 
Second, Mr. Jefferson clouds the issue when he conflates the terms "Internet voting," as commonly used over the past ten years, and "email voting." I discuss this tactic further in my WPSA paper and a blog post at, http://internetvotingforall.blogspot.com/2012/08/common-cause-caught-using-junk-science.html 
 
As I show in the WPSA paper, the 30+ states using email voting for overseas military voters only do so because of the nation-wide irrational Moral Panic over the supposed insecurity of Internet voting -- the flames of which Mr. Pildes has helped to fuel. Currently, there may be no more than two or three states using any form of true Internet voting; that is, the voter using his or her PC or other device to vote on a secure website. The disadvantages of email voting should not be attributed to true Internet voting.  Mr. Jefferson's discussion of "email voting" is a Red Herring.
 
I stand by my statement that [at least competently constructed] Internet voting servers are not connected to email systems. An Internet voting system can be constructed to use a server that is separate from a state's Secretary of State's email system. As I understand, Everyone Counts used its own server to enable the Internet voting system provided for West Virginia's overseas military voters. Email activity in the office of the WV SOS had no connection with the secure voting website; hence, penetration via trick emails was not possible.  Indeed, after her actual experience with managing an online voting system (of which experience Mr. Jefferson has none), WV SOS Natalie Tennant continues to be an advocate for using Internet voting. See, http://www.govtech.com/e-government/Making-the-Case-for-Online-Voting.html
 
Mr. Jefferson seems to be making up a hypothetical and "just so" scary story when he hauls in his talk about attacks on "VPN or RSH" devices getting "the attacker one step closer to the goal of penetrating the election servers themselves." Internet voting isn't horseshoes.
 
Third, the location of the server can be an important security issue.  In the $45M heist, US banks depended upon far away data centers in India. Our banks presumably had no involvement in hiring personnel or managing those operations. That is not what happened in West Virginia.  As Ms. Tennant has testified,* she knew her personnel, and dealt face-to-face with the people who provided the Internet voting service. She used her professional judgment of character when she trusted the company to do an honest and competent job. That relationship did not exist in the heist case. (*See http://internetvotingforall.blogspot.com/2011/11/cyber-bullying-in-connecticut.html )


Jefferson's reference to the Okaloosa County case, in which the servers were in Spain, is misleading. That was not typical of Internet voting systems, because it was not true "Internet voting." Instead, well guarded dedicated laptops were used to vote, not the voter's personal equipment. Also, Florida elections personnel were deeply involved with Scytl, unlike the relationship between US banks and the data center in India.
 
Public policy debates ought to be conducted without rhetorical tricks. If elite and public opinion are to be well informed, then words should be used with their proper referents. "Email voting" is way different than what they did in West Virginia in 2010, which was "Internet voting."  Internet voting systems can be far more secure than the banking systems in the heist. Indeed, Internet voting has been used nearly 100 times around the world w/o reports of any security incidents. 
 
William J. Kelleher, Ph.D.


 
Message: 1 From: wjk wjkellpro at aol.com

Date: Sun, 12 May 2013 17:00:33 -0400 (EDT)
Subject: Re: [EL] The $45M Hiest from NYC ATMs
To: law-election at department-lists.uci.edu

Recently a comment based completely on ignorance and fear appeared along with a news report in the Law-election Digest, Vol 25, Issue 10.  The news was, "Feds in NYC say cyber gang stole $45M worldwide, hacked into
database of prepaid debit cards" http://electionlawblog.org/?p=50079
 
Posted on May 9, 2013 1:58 pm by Richard Pildes 
 
The goofy comment was, "Next time someone asks you why we can't yet have secure enough electronic voting if we can have ATM machines, send them to this story." 
http://www.washingtonpost.com/business/feds-in-nyc-say-cyber-gang-stole-45-million-by-hacking-into-database-of-prepaid-debit-cards/2013/05/09/8d20a2f2-b8c0-11e2-b568-6917f6ac6d9d_story.html?hpid=z1http://
 
Of course, the Internet's reputation for spreading misinformation like wildfire
is well-deserved, as this incident shows. Twitter and blogs quickly spread the 
fear mongering far and wide.
 
The first problem is that neither the Washington Post nor the New York Times 
specified how the thieves were able to gain control of the program that sets 
limits on the pre-paid credit cards. The Times reported that "hackers 
infiltrated the system,"
http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?hp&_r=1&
 
But readers are NOT told how the victim's system was "infiltrated." Was there an 
insider, like when the LA Times was "hacked" a few months ago? Did an official 
in the victim company click on a link in a spoofing email, as happened when the 
Chinese "hacked" Coca Cola?
 
The Washington Post used different metaphors; such as "hackers broke into 
computer networks," and the hackers "breached an Indian firm," and referred to 
"the networks that were penetrated by hackers."
 
Still, no specifics on how the infiltration/breach/breaking into/penetration was 
done.  But, who cares about such silly details?  Here is another opportunity to 
reinforce the fears about Internet voting - so let's do it!
 
Internet voting servers are not connected to email systems, such as the Coke 
Company's. Nor are Internet voting servers connected to far away or foreign 
servers, such as the "Indian firm" that set the limits on cards that could be 
used in New York ATMs. 
 
In other words, that financial crime has nothing to do with Internet voting 
security issues. To mush the two together is thoughtless fear mongering.  Anyone 
who wants to exercise their gift of Reason so as to clarify their understanding 
of Internet voting security issues would do well to read my paper on the matter, 
presented to the WPSA meeting in March, at
http://ssrn.com/abstract=2229557
 
William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund 
Email: Internetvoting at gmail.com 
Blog: http://tinyurl.com/IV4All 
Twitter: wjkno1
LinkedIn: www.linkedin.com/pub/william-j-kelleher-ph-d/9/466/687/
 
Author of Internet Voting Now!  
 
Message: 4 From: David Jefferson <d_jefferson at yahoo.com>

Date: Sun, 12 May 2013 23:51:21 -0700
Subject: Re: [EL] The $45M Hiest from NYC ATMs
To: law-election at department-lists.uci.edu


William Kelleher recently tried to undercut a posting by Richard Pildes, in 
which Mr. Pildes suggested that the recent $45 million heist of cash from ATM 
machines all over the world that was enabled by a cyber attack on the bank in 
question should give people pause when they think of the vulnerabilities of 
Internet voting. Mr. Kelleher argued that there is so little in common between 
online banking and Internet voting systems that "that financial crime has 
nothing to do with Internet voting security issues."
 
I beg to differ with Mr. Kelleher. Essentially every security vulnerability in 
an online banking system corresponds directly to a similar vulnerability in 
online voting systems. And because the privacy, security, and transparency 
requirements for online voting are so much more complex and unforgiving than 
those for financial transactions, there are many more risks with online voting 
that have no analog in the financial world. This may seem counterintuitive, but 
for a full explication see my essay "If I Can Shop and Bank Online, Why Can't I 
Vote Online?" at https://www.verifiedvoting.org/resources/internet-voting/vote-online/.
 
But Mr. Kelleher goes on to make serious errors of fact that should be corrected. Although the news media have not described in any detail exactly how  the banking network was penetrated, he nonetheless suggests that some email-related attack may have been the means of penetration, and then argues in flat, authoritative-sounding language that "Internet voting servers are not 
connected to email systems". This is wrong on several counts. 
 
First, most of the Internet voting systems used in the United States not only are connected to email systems, but they actually *are* email systems! Email voting is legal in over 30 states, far more than any other form of Internet voting. Of all of the voting systems ever used in the U.S. email is by far the most vulnerable to 
automated fraud. (See my essay "What about Email and FAX voting?" at 
https://www.verifiedvoting.org/resources/internet-voting/email-fax/.)
 
But even if we confine ourselves to commercial, web-based online voting systems, Mr. Kelleher is still overstating when he writes that "Internet voting servers are not connected to email systems". 
 
He can of course assert that, but he simply cannot know it, and it is unlikely to be true. As long as there is any desktop, laptop, or even mobile device connected to anything in the data center that contains the vote servers, including temporarily via VPN or RSH (sorry for the jargon) then a successful email phishing attack on that device would get the attacker one step closer to the goal of penetrating the election servers themselves. 
 
And there will essentially always be devices in the data center that receive email. 
 
It would be extremely difficult to conduct business otherwise. Note that it is not required that an email-capable device be actually connected to the same subnet as the vote servers for it to be a useful stepping stone in a penetration attack on the heart of the Internet voting system.
 
Finally, Mr. Kelleher makes an essentially irrelevant but also false point that 
"Internet voting servers [are not] connected to far away or foreign servers, 
such as the Indian firm that set the limits on cards that could be used in New 
York ATMs". Of course in the essentially borderless world of the Internet it 
makes little technical difference where servers are physically located, so it is 
not clear what point he is trying to make. 
 
But Scytl, one of the big three Internet voting vendors vying for business in the U.S., is a Spanish company. In the famous Internet voting experiment in Okaloosa County, FL in the general election of 2008 in which Scytl was the vendor, its voting servers were located in Barcelona. So Scytl's vote servers, which collected real U.S. votes in a Presidential election in the swing state of Florida, were not just "connected to far away or foreign servers", they actually *were* far away, foreign servers! 
 
David Jefferson
Computer Scientist
Lawrence Livermore National Laboratory
d_jefferson at yahoo.com
All opinions are my own, and are not endorsed by my employer or any other 
organization I am affiliated with.
