[EL] The $45M Heist from NYC ATMs - Cushman
wjk
wjkellpro at aol.com
Thu May 16 14:21:34 PDT 2013
Mr. Cushman (reprinted below) has clearly stated the choices to be made when considering Internet voting security, as seen from within his interpretative framework. But, while it must be considered, that is not the only way to define the Internet voting situation. Equally important, in my opinion, to the techno-centered point of view is the social science interpretation.
In my paper, at http://ssrn.com/abstract=2229557, I argue, inter alia, that attack scenarios must be addressed by individual type and as social practices, if threat realities are to be clearly understood, and rational threat assessments formed. That is, both technically and as social practices, a DoS attack is different than a vote changing attack, and both are different than a tabulation changing attack. Among the variables to be considered are the degree of technical sophistication required to execute the attack, the complexity of the situation, the financial costs of executing the attack, the chances of being caught by law enforcement, and the rewards of succeeding at the attack.
For example, the rewards of immediate financial profit make attacks on financial targets appealing. But the rewards for attacking an election do not have the same immediacy, except for the winning candidate or party. Highly sophisticated thieves can conduct their own operation; hence, the chances of law enforcement discovering their conspiracy are relatively limited. But the typical candidate and/or party elites usually lack the sophistication to conduct an online election crime on their own. They have to shop around for experts to hire. This raises the chances of being caught; hence, assuming rationality, reducing the likelihood that they will attempt such a foolhardy crime.
As to the complexity of the situation, a vote tabulation attack on an election for the governor of California would require the penetration of numerous servers, not just one. Suppose California has 54 counties, some sharing servers, some with multiple servers, and some with one server. The conspiracy would have to involve enough computer expert villains to simultaneously break into enough servers to engender a majority vote w/o raising the suspicion of local experts.
I’m glad Jack mentioned “paranoia” as a test for the reasonableness of an attack scenario. In my judgment, the California scenario meets that criterion. See my paper for more discussion on such scenarios. My conclusion is that, yes, life itself is a risky situation, theoretically, attacks can happen, but when the practicalities of online election attacks are considered as social practices, then the Boogey Man Mr. Jefferson and his ilk scream about can be seen as a cageable tiger, and the democratizing potential of online elections becomes worth the risk.
William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Email: Internetvoting at gmail.com
Blog: http://tinyurl.com/IV4All
Twitter: wjkno1
------------------------------
Message: 23
Date: Thu, 16 May 2013 11:06:35 -0400
From: Jack Cushman <jcushman at gmail.com>
Subject: Re: [EL] The $45M Heist from NYC ATMs - Hall
To: wjk <wjkellpro at aol.com>
Cc: law-election at department-lists.uci.edu
Message-ID: <CAEv_OHXsfcDGSe6sgmfYN25jyqC6hGkk7BYpwAQ+xuAKeTnR4A at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
>
> Over the past few years nearly 100 trials of Internet voting have been
> conducted w/o any reports of security breaches. ...
>
> Here is a testable hypothesis: the ones who have actually built successful
> Internet voting systems believe it can be done; while the ones w/o such
> experience are positive it can't be done.
This line of argument -- that internet voting has been successfully
conducted in the past without reports of security breaches, and therefore
"can be done" -- is not really responsive to the security concerns around
internet voting. No one doubts that internet voting *can* be conducted in a
*particular* election without a security breach in fact occurring. The
technology for asking computer users their opinion and then recording that
opinion on a large scale is well-understood. *See, e.g.,* [inline image omitted]
The pessimists' claim, instead, is: internet voting cannot be conducted
such that it is possible to prove in advance that a security breach is
impossible, or that it is possible to prove afterward whether one has
occurred. In order to rebut this claim, you need to show that internet
voting can be conducted in a mathematically secure way even assuming your
adversary controls both the client computer and the server.
This is because of a number of well-understood and intractable problems in
computer security which make it impossible to assume you have either a
secure client computer or a secure server. For example:
1) Local infections. In the United States, approximately 30% of computers
are infected with malware
<http://www.infoworld.com/t/cyber-crime/malware-infects-30-percent-of-computers-in-us-199598>.
Numbers are similar worldwide. If malware is running on your local
computer, the *only* way you can be confident that your vote was not
intercepted and modified is if your vote is independently communicated back
to you on a different device; you cannot trust anything you see on your
screen. So at a minimum, the nearly 100 tests you are referring to above
contained only 70% reliable votes; the others could have been cast by
botnet owners, most likely Russian organized crime. You have no way of
knowing whether or not that in fact occurred; you must simply rely on the
(reasonable in this case) hope that Russian organized crime had no
incentive to interfere with the elections where internet voting was used.
2) Zero-day exploits. Any remote voting scheme will rely on a stack of
technologies, such as SSL encryption between the browser and server, a web
server like Apache, a server-side programming language like (but hopefully
not) PHP, a database like (but probably not) MySQL, etc. The ones I
mentioned are interesting because they have been used for many years on
millions of computers handling important jobs or lots of money. And
each <http://www.informationweek.com/security/vulnerabilities/serious-ssl-vulnerability-found/221600478>
of them <http://www.cvedetails.com/cve/CVE-2010-0425/> has
had <http://www.cvedetails.com/cve/CVE-2012-1823> vulnerabilities
discovered <http://www.securiteam.com/exploits/5AP3G0K8VU.html> in the last
few years that would allow for an attacker to subtly modify votes, either
by interfering with messages in transit, or by remote code execution to
modify requests and responses on the server. A well-designed system will
include some redundancy of course, but its security claims will ultimately
come down to "this works assuming SSL is secure and assuming Apache is
secure" and so on. The assumption of security regarding technologies of
that complexity has been *uniformly* proved false.
"Sure," you say, "but our system will be run by experts who ensure the
latest security updates are applied. What is the likelihood that some
hacker has access to an Apache vulnerability no one else knows about yet?"
And it turns out the likelihood is rather good, because there is a gray
market selling that kind of exploit to governments around the
world <http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html>,
with a premium on exclusivity.
3) Targeted attacks on individuals. Targeted hacking attacks can be
incredibly sophisticated -- such as the high-profile one last
August <http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/> where
hackers combined weaknesses in Amazon and Apple's security processes
to gain access to a Google email account for the pressing purpose of
posting racist messages on the owner's Twitter. Another example is Chinese
spear phishing attacks -- this first-person account by a nonprofit working
on Taiwan issues in Washington,
DC <http://www.lottaworld.com/2009/04/ghostnet-social-malware-spear-phishing-and-social-engineerin>,
which had fake emails sent out under its name that were tailored to the
sender, but that actually contained malware, is fascinating. It is simply
unrealistic for anyone, including a security expert, to assume that they
can protect their own computer from a concerted effort by people *pretending
to be their friends and colleagues* to break in. So it is also unreasonable
to assume that the computers of the programmers and system administrators
running voting systems will be uncompromised.
4) Hardware attacks. Like, I don't know, back doors added to microchips by
overseas manufacturers <http://www.schneier.com/blog/archives/2012/05/backdoor_found.html>.
This gets into the realm of paranoia, but we're only talking about a few
machines that need to be compromised at the hardware level, so there are
plausible physical attacks here.
I am not aware of a way to prove, for a particular system, either in
advance that none of these attacks are possible, or afterward that none of
them has occurred.
--
OK so: all of this is getting at the fundamental weakness that internet
voting rests the entire outcome of your election on a few hundred physical
devices running astronomically complex software and, by definition,
accessible from anywhere in the world. In order to be comfortable with that
situation, you need a protocol where: (1) you assume that users' computers
are compromised by malware; (2) you assume that communications between
those computers and the servers may be modified in transit; (3) you assume
that the server software is vulnerable to zero-day remote code execution
exploits; (4) you assume that the administrators of the system themselves
may be using compromised computers; and (5) you assume that the hardware
itself may be vulnerable to sabotage. And then you need to clearly explain
how the system will work so that *even if all of those things are true*, we
are still quite confident that the resulting election is no less inaccurate
than it is with current technology.
Of course people are working on that -- there are a bunch of interesting
cryptographic systems <http://uwspace.uwaterloo.ca/bitstream/10012/5992/1/Clark_Jeremy.pdf> that
might allow sophisticated voters to verify that their vote was not
corrupted on the server, without verifying what it was. And there are some
systems <http://www.infsec.ethz.ch/people/michschl/material/icegov2012.pdf> that
might even allow voters to confidently vote without trusting their own
computers -- although they seem to rely on users going through ridiculous
gyrations to vote, or else typing in secret numbers communicated to them by
some separate trustworthy channel, such as mail or a phone system. These
systems have downsides, but would at least allow us to know after the fact
that tampering had occurred, so we could hold a new election.
If what you're actually saying is: don't worry about online security,
because I have an online voting system that is affordable, user-friendly,
and cryptographically secure over untrusted platforms while remaining an
improvement over existing voting methods, then that's interesting. If what
you're saying is that you don't need to solve that problem, because teams
of computer experts have successfully collected votes from small groups of
people in the past without being aware of any security breaches, that
doesn't get you very far.
Best,
Jack
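The "secret numbers communicated by some separate trustworthy channel" idea that Jack's message sketches can be made concrete with a small simulation. The following is an added example and is not code from either correspondent nor from the papers Jack links; it is a simplified code-voting (return-code) model, and the candidate names, six-digit codes and the three client behaviours are constructed for illustration. It goes a little beyond the text by showing why malware that never saw the mailed sheet can neither change the vote nor silently drop it without the voter noticing the mismatch. It says nothing about tally integrity or privacy on the server side, which the model does not address.

```python
"""Toy code-voting (return-code) simulation. Added example, not from the thread or
the papers it cites: a simplified model of 'secret numbers via a separate channel',
used to show how an untrusted client is detected rather than trusted."""
import secrets
from dataclasses import dataclass
from typing import Optional

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample ballot


@dataclass
class CodeSheet:
    """Printed sheet mailed to the voter (the separate, assumed-trustworthy channel)."""
    voter_id: str
    vote_codes: dict    # candidate -> code the voter types into the untrusted client
    return_codes: dict  # candidate -> code the voter expects to see displayed back


@dataclass
class Record:
    intended: str                # whom the voter meant to vote for
    recorded: Optional[str]      # what the server actually counted (None = nothing)
    verified: bool               # did the displayed return code match the sheet?


class Server:
    """Election server. It holds the code tables; the wire carries only codes."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.sheets = {}
        self.ballots = {}          # voter_id -> candidate actually recorded
        self.tally = {c: 0 for c in CANDIDATES}

    def register(self, voter_id):
        """One sheet per voter: six distinct 6-digit codes, so no two codes on a sheet collide."""
        codes = [str(c) for c in self.rng.sample(range(100_000, 1_000_000), 2 * len(CANDIDATES))]
        n = len(CANDIDATES)
        sheet = CodeSheet(voter_id, dict(zip(CANDIDATES, codes[:n])), dict(zip(CANDIDATES, codes[n:])))
        self.sheets[voter_id] = sheet
        return sheet

    def cast(self, voter_id, submitted_code):
        """Accept at most one valid vote code per voter; reply with the return code or None."""
        sheet = self.sheets.get(voter_id)
        if sheet is None or voter_id in self.ballots:
            return None
        for cand, code in sheet.vote_codes.items():
            if code == submitted_code:
                self.ballots[voter_id] = cand
                self.tally[cand] += 1
                return sheet.return_codes[cand]
        return None  # unknown code: nothing is recorded


# Three client behaviours. Only the honest one relays what the voter typed.
def honest_client(server, voter_id, typed_code):
    return server.cast(voter_id, typed_code)


def swapping_client(server, voter_id, typed_code, rng=None):
    """Malware trying to change the vote. It never saw the paper sheet, so all it can
    do is submit a guessed code; the server rejects it unless it happens to be valid."""
    rng = rng or secrets.SystemRandom()
    return server.cast(voter_id, str(rng.randrange(100_000, 1_000_000)))


def fake_display_client(server, voter_id, typed_code):
    """Malware that drops the vote and shows a plausible-looking number (here it simply
    echoes the typed code, which can never equal a return code on the same sheet)."""
    return typed_code


def run_election(client, n_voters, rng=None):
    """Simulate n voters using the given client; return (tally, per-voter records)."""
    rng = rng or secrets.SystemRandom()
    server = Server(rng)
    records = []
    for i in range(n_voters):
        vid = f"voter{i}"
        sheet = server.register(vid)
        choice = rng.choice(CANDIDATES)
        displayed = client(server, vid, sheet.vote_codes[choice])
        verified = displayed == sheet.return_codes[choice]   # the voter checks the sheet
        records.append(Record(choice, server.ballots.get(vid), verified))
    return server.tally, records


def tamper_detected(records):
    """Number of voters whose check failed, i.e. who would report a problem."""
    return sum(1 for r in records if not r.verified)


if __name__ == "__main__":
    for name, client in [("honest", honest_client), ("swapping", swapping_client),
                         ("fake display", fake_display_client)]:
        tally, recs = run_election(client, 50)
        print(f"{name:13s} tally={tally} detected={tamper_detected(recs)}/{len(recs)}")
```

The property worth noticing is the invariant the records satisfy for every client: a voter's check passes only when the recorded vote matches the intended one. Detection, not prevention, is what the mailed sheet buys; the client is assumed compromised throughout, and a failed check is the signal that the election office must act on.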