November 25, 2015

Jeremy Epstein


Berkeley releases report on barriers to cybersecurity research

I’m pleased to share this report, as I helped organize this event.

Researchers associated with the UC Berkeley School of Information and School of Law, the Berkeley Center for Law and Technology, and the International Computer Science Institute (ICSI) released a workshop report detailing legal barriers and other disincentives to cybersecurity research, along with recommendations to address them. The workshop, held at Berkeley in April and supported by the National Science Foundation, brought together leading computer scientists and lawyers from academia, civil society, and industry to map out legal barriers to cybersecurity research and propose a set of concrete solutions.

The workshop report provides important background for the NTIA-convened multistakeholder process exploring security vulnerability disclosure, which launched today at Berkeley.  The report documents the importance of cybersecurity research, the chilling effect caused by current regulations, and the diversity of the vulnerability landscape, which counsels against any single, fixed set of practices for vulnerability disclosure.

Read the report here.


VW = Voting Wulnerability

On Friday, the US Environmental Protection Agency (EPA) “accused the German automaker of using software to detect when the car is undergoing its periodic state emissions testing. Only during such tests are the cars’ full emissions control systems turned on. During normal driving situations, the controls are turned off, allowing the cars to spew as much as 40 times as much pollution as allowed under the Clean Air Act, the E.P.A. said.”  (NY Times coverage) The motivation for the “defeat device” was improved performance, although I haven’t seen whether “performance” in this case means faster acceleration or better fuel mileage.

So what does this have to do with voting?

For as long as I’ve been involved in voting (about a decade), technologists have expressed concerns about “logic and accuracy” (L&A) testing, the technique election officials use to ensure that voting machines are working properly prior to election day.  In some states, such tests are written into law; in others, they are common practice.  But as is well understood by computer scientists (and doubtless scientists in other fields), testing can prove the presence of flaws, but not their absence.

In particular, computer scientists have noted that clever (that is, malicious) software in a voting machine could behave “correctly” when it detects that L&A testing is occurring, and revert to its improper behavior when L&A testing is complete.  Such software could be introduced anywhere along the supply chain – by the vendor of the voting system, by someone in an elections office, or by an intruder who installs malware in voting systems without the knowledge of the vendor or elections office.  It really doesn’t matter who installs it – just that the capability exists.

It’s not all that hard to write software that detects whether a given use is L&A testing or a real election.  L&A testing frequently follows recognizable patterns: it is typically run on dates other than the first Tuesday in November, and it often uses scripted sequences such as three Democratic votes, followed by two Republican votes, followed by one write-in vote, followed by closing the election.  And the malicious software doesn’t need to decide a priori whether a given series of votes is L&A or a real election – it can make the decision when the election is closed down, and erase any evidence of the real votes.
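
To make concrete how easily an L&A session can be fingerprinted, here’s a minimal sketch in Python; the field names, thresholds, and example date are all invented, and it deliberately goes no further than detection:

```python
from datetime import date

# Illustrative only: a crude heuristic of the kind described above, with
# invented field names and thresholds. It stops at detection.
def looks_like_la_test(election_date: date, cast_votes: list) -> bool:
    # General elections fall on the first Tuesday in November (as the post
    # puts it); an L&A run on any other date is an immediate giveaway.
    on_election_day = (
        election_date.month == 11
        and election_date.weekday() == 1     # Tuesday
        and election_date.day <= 7
    )
    # L&A scripts tend to be short, fixed sequences (e.g., 3 D, 2 R, 1 write-in).
    suspiciously_short = len(cast_votes) < 20
    return (not on_election_day) or suspiciously_short

# As the post notes, the check can even be deferred until the election is
# closed, when the full vote sequence and the date are known with certainty.
print(looks_like_la_test(date(2015, 10, 13), ["D", "D", "D", "R", "R", "W"]))  # True
```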

Such concerns have generally been dismissed in the debate about voting system security.  But with all-electronic voting systems, especially Direct Recording Electronic (DRE) machines (such as the touch-screen machines common in many states), this threat has always been present.

And now, we have evidence “in the wild” that the threat can occur.  In this case, the vendor (Volkswagen) deliberately introduced software that detected whether it was in test mode or operational mode, and adjusted its behavior accordingly.  The VW software had to make that decision prospectively, while the engine was running – a far harder problem than in a voting system, where the decision can be made retrospectively, once the election is closed.

In the case of voting, the best solution today is optically scanned paper ballots.  That way, we have “ground truth” (the paper ballots) to compare to the reported totals.

The bottom line: it’s far too easy for software to detect its own usage, and change behavior accordingly.  When the result is increased pollution or a tampered election, we can’t take the risk.

Postscript: A colleague pointed out that malware has for years behaved differently when it “senses” that it’s being monitored, which is much the same behavior. In the VW and voting cases, though, the software isn’t trying to evade detection of itself; it’s changing the system’s behavior when it detects that it’s being monitored.


How not to measure security

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention.

The first issue is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not; it’s a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, nor any other indication that it doesn’t meet Springer’s historical standards.

The second, and more important, issue is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring the security of systems (other than cryptographic algorithms, within limits). So the only way this claim is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s article claiming that they can make an attack require 10 to 1,000 times more people, 10 to 1,000 times more money, 10 to 1,000 times more expertise (however that would be measured!), or something else entirely?

But the most outrageous statement in the article is this:

The important thing is that, when all of these methods [for providing voting system security] are combined, it becomes possible to calculate with mathematical precision the probability of the system being hacked in the available time, because an election usually happens in a few hours or at the most over a few days. (For example, for one of our average customers, the probability was 1×10⁻¹⁹. That is a point followed by 19 [sic] zeros and then 1). The probability is lower than that of a meteor hitting the earth and wiping us all out in the next few years—approximately 1×10⁻⁷ (Chemical Industry Education Centre, Risk-Ed n.d.)—hence it seems reasonable to use the term ‘unhackable’, to the chagrin of the purists and to my pleasure.

As noted previously, we don’t know how to measure much of anything in security, and we’re even less capable of measuring the result of combining technologies (which sometimes makes things more secure, and other times less so). The claim that putting multiple security measures together yields risk probabilities with “mathematical precision” is ludicrous. And calling any system “unhackable” is just ridiculous, as Oracle discovered some years ago when its marketing department claimed its products were “unhackable”. (For the record, my colleagues in engineering at Oracle said they were aghast at the slogan.)
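
To see why “combine the methods and multiply” can’t honestly yield 19 decimal places of anything, here’s a toy calculation; every number in it is invented for illustration, and none comes from the Smartmatic paper:

```python
# Toy arithmetic only – every number here is invented for illustration, and
# none comes from the Smartmatic paper.
controls = [1e-4, 1e-5, 1e-5, 1e-5]   # assumed failure probability of each control

# Naive "mathematical precision": assume every control fails independently
# and multiply.
naive = 1.0
for p in controls:
    naive *= p
print(f"naive combined probability: {naive:.0e}")     # 1e-19

# In reality the controls share code, operators, and supply chains, so one
# common-mode failure (a shared flaw, a single insider) can defeat several at
# once. If such a failure has probability 1e-6, it dominates everything else:
common_mode = 1e-6
print(f"with a common-mode failure:  {common_mode + naive:.0e}")   # 1e-06
```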

As Ron Rivest said at a CITP symposium, if voting vendors have “solved the Internet security and cybersecurity problem, what are they doing implementing voting systems? They should be working with the Department of Defense or financial industry. These are not solved problems there.” If Smartmatic has a method for obtaining and measuring security with “mathematical precision” at the level of 10⁻¹⁹, they should be selling trillions of dollars in technology or expertise to every company on the planet, and putting everyone else out of business.

I debated posting this blog entry, because it may bring more attention to a marketing piece that should be buried. But I hope that writing this will dissuade anyone who might be persuaded by Smartmatic’s unsupported claims that masquerade as science. And I hope that it may embarrass Springer into rethinking their policy of posting articles like this as if they were scientific.


Too many SSNs floating around

In terms of impact, the OPM data breach involving security clearance information is almost certainly the most severe data breach in American history. The media has focused too much on social security numbers in its reporting, but is slowly starting to understand the bigger issues for anyone who has a clearance, or is a relative or neighbor or friend of someone with a clearance.

But the news got me thinking about the issue of SSNs, and how widespread they are. The risks of using SSNs as both authenticator and identifier are well known, and over the past decade, many organizations have tried to reduce their use of and reliance on SSNs, to minimize the damage done if (or maybe I should say “when”) a breach occurs.

In this blog post, I’m going to describe three recent cases involving SSNs that happened to me, and draw some lessons.

Like many suburbanites, I belong to Costco (a warehouse shopping club ideal for buying industrial quantities of toilet paper and guacamole, for those not familiar with the chain). A few months ago I lost my Costco membership card, so I went to get a new one, as a card is required for shopping in the store. The clerk looked up my driver’s license number (DL#) and couldn’t find me in the system; searching by address found me – but with my SSN as my DL#. When Costco first opened in my area, SSNs were still in use as DL#s, and so even though my DL# changed 20 years ago, Costco had no reason to know that, and still had my SSN. Hence, if there were a Costco breach, it’s quite possible that in addition to my name & address, an attacker would also get my SSN, along with some unknown number of other SSNs from long-term members. Does Costco even know that they have SSNs in their systems? Perhaps not, unless their IT staff includes old-timers!

A recent doctor’s visit had a similar result. The forms I was asked to fill out asked for my insurance ID (but not my SSN); however, the receipt helpfully provided at the end of my visit included my SSN, which I had provided the first time I saw that doctor 25 years ago. Does the doctor know that his systems still have SSNs for countless patients?

Last fall I did a TV interview; because of my schedule, the interview was taped in my home, and the cameraman’s equipment accidentally did some minor damage to my house (*). In order to collect payment for the damage, the TV station insisted on having my SSN for a tax form 1099 (**), which they helpfully suggested I email in. I had to make a decision – should I email it, send it via US mail, or forgo the $200 payment? (Ultimately I sent it via US mail; whether they then copied it down and emailed it, I have no idea.) I got the check – but I suspect my SSN is permanently in the TV station’s records, and most likely accessible to far too many people.

These cases got me thinking about where else my SSN is floating around, perhaps in organizations that don’t even realize they have SSNs that need to be protected. The grocery store probably got my DL# decades ago, when it was still my SSN, so I could get a check cashing card, and that number is probably still on file somewhere even though I haven’t written a check in a grocery store for 10 or 20 years. The car dealer that sold me my car five years ago has my SSN as part of the paperwork to file for a title with the Department of Motor Vehicles, even if they don’t have it from my DL#. Did they destroy their copy once they sent the paperwork to the DMV? I’m not betting on it. Close to 10 years ago, I cosigned an apartment lease for my daughter before she had her own credit history, and that required my SSN, which is probably still in the landlord’s files. I met a salesperson 20 years ago who had his SSN on his business card, to make it easier for his customers in the classified world to look him up and verify his clearance. (I probably have his business card somewhere, but luckily for him I’m not very organized, so I can’t find it.) Many potential employers require an SSN as part of a job application; who knows how many of those records are floating around. Luckily, many of these files are paper records in a file cabinet, and so mass breaches are unlikely, but it’s hard to know.  Did any of them scan all of their old files and post them on a file server before destroying the paper copies?

As many people have suggested, it’s time to permanently retire SSNs as an authenticator, and make them just an identifier. Unfortunately, that’s much easier said than done. Todd Davis, CEO of LifeLock, famously put his SSN in his company’s advertising – treating it as nothing more than an identifier – and was then the victim of identity theft, precisely because so many organizations still treat the SSN as an authenticator. We all know that the “last four” of your SSN has become a less intrusive (and even less secure!) substitute authenticator.

So what should we do? If you’re a CIO or in a corporate IT department, think about all the places where SSNs may be hiding. They’re not always in the obvious places, like personnel records; they may be in legacy systems that have never been cleaned up, as is probably the case for Costco and my doctor. And once you’ve finished with your electronic records, think about where SSNs are hiding in paper records. Those are certainly lower risk for a bulk theft, but they’re at some risk of insider theft. Can the old (paper) records simply be shredded? Does it really matter if you have records of who applied for a job or a check cashing card 15 years ago?
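
As a starting point for that inventory, here’s a minimal sketch of the kind of sweep an IT department might run over legacy text exports; the directory path is hypothetical and the pattern is deliberately naive:

```python
import re
from pathlib import Path

# A minimal sketch, not a product: sweep legacy text exports for strings that
# look like SSNs. The directory below is hypothetical, the pattern is naive,
# and there will be false positives – treat hits as leads, not proof.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-\d{2}-\d{4}\b")

def find_possible_ssns(root: str):
    hits = []
    for path in Path(root).rglob("*.txt"):            # extend to CSVs, DB dumps, etc.
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for match in SSN_PATTERN.finditer(text):
            hits.append((str(path), match.group()))
    return hits

if __name__ == "__main__":
    for path, ssn in find_possible_ssns("/data/legacy-exports"):   # hypothetical path
        print(path, "XXX-XX-" + ssn[-4:])             # don't re-expose what you find
```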

I’m not optimistic, but I’ll keep my eyes open for other places where SSNs are still hiding, but shouldn’t be.

(*) Since you insist: one of the high intensity lights blew up, and the glass went flying, narrowly missing the producer. Two pieces melted into the carpet, ruining small sections. The staff were very apologetic, and there was no argument about their obligation to reimburse me for the damage. The bigger damage was that I spent an hour being interviewed on camera, and they used about 10 seconds in the TV piece.

(**) Yes, I know they shouldn’t need an SSN for reimbursement, but I unsuccessfully tilted at that windmill.


Decertifying the worst voting machine in the US

On April 14, 2015, the Virginia State Board of Elections decertified, with immediate effect, the use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine. This may seem pretty minor, but it received a tremendous amount of pushback from some local election officials. In this post, I’ll explain how we got to that point, and what the problems were.

As one of my colleagues taught me, BLUF – Bottom Line Up Front. If an election was held using the AVS WinVote and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. The attacker wouldn’t have needed to be in the polling place – a few hundred feet away (e.g., in the parking lot) would have been easy, and a half mile away would have been possible with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate whether such a thing ever happened, so if an election was hacked any time in the past, we will never know.
[Read more…]


Heartsick about Heartbleed

Ed Felten provides good advice on this blog about what to do in the wake of Heartbleed, and I’ve read some good technical discussions of the underlying problem (see this for a particularly understandable explanation).

Update Apr 11: To understand what Heartbleed is all about, see XKCD. Best. Explanation. Ever.

In this brief posting, I want to look at a different angle – what’s the scope of the vulnerability? [Read more…]


Wall Street software failure and a relationship to voting

An article in The Register explains what happened in the August 1, 2012 Wall Street glitch that cost Knight Capital $440M, resulted in a $12M fine, and nearly bankrupted the firm (forcing it to merge with another company). In short, there were 8 servers that handled trades; 7 of them were correctly upgraded with new software, but the 8th was not. A particular type of transaction triggered the updated code, which worked properly on the upgraded servers. On the non-upgraded server, the same transaction triggered an obsolete piece of software, which behaved altogether differently. The result was a large number of incorrect “buy” transactions.

The bottom line is that the failure was caused by a lack of careful deployment procedures, coupled with a poor design choice: a new feature reused an obsolete option flag, so on the server running old code the trigger (instead of being ignored or causing an error) produced an unanticipated result.
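
To illustrate the failure pattern (this is emphatically not Knight Capital’s actual code, just a sketch of reusing an obsolete flag while one server runs stale software):

```python
# Not Knight Capital's actual code – just a sketch of the failure pattern the
# article describes: a new feature reuses an old flag value, and the one server
# still running stale code interprets that flag the old way.

ORDER_FLAG = "P"   # hypothetical repurposed flag value

def route_normally(order):       return f"{order['id']}: routed normally"
def route_with_new_logic(order): return f"{order['id']}: routed by the new feature"
def legacy_test_routine(order):  return f"{order['id']}: RUNAWAY legacy test loop"

def handle_order_upgraded(order):        # deployed to 7 of the 8 servers
    if order["flag"] == ORDER_FLAG:
        return route_with_new_logic(order)
    return route_normally(order)

def handle_order_stale(order):           # the 8th server, never upgraded
    if order["flag"] == ORDER_FLAG:
        # Same flag, old meaning: a long-retired test routine that keeps
        # sending child orders without tracking fills.
        return legacy_test_routine(order)
    return route_normally(order)

order = {"id": "A123", "flag": ORDER_FLAG}
print(handle_order_upgraded(order))   # correct behavior
print(handle_order_stale(order))      # the unanticipated result

# Two defenses, either of which would have helped: never repurpose a flag value
# until it has been retired everywhere, and verify the deployed version on every
# server before enabling a feature that depends on it.
```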

So what does this have to do with voting? [Read more…]


Google Glass vuln in QR codes and ballot marking applications

Reading recently about a vulnerability in Google Glass that can be exploited if a victim takes a picture of a malicious QR code made me think about one of the current trends in absentee balloting. A number of localities in the US are trying out absentee ballot schemes where a voter goes to a website, makes his/her choices through a web form, and then prints out a marked ballot showing those choices along with a barcode (typically a 2D QR code) encoding them. The ballot is then mailed back to the locality with whatever signature forms are required. When the ballot arrives, election officials scan the QR code to duplicate the ballot showing the voter’s choices, (hopefully) verify that the encoded selections actually match the human-readable marks, and then the ballot goes forward. (Commercial products with this feature include Everyone Counts and Scytl.)
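
A minimal sketch of that flow (with an invented payload format and field names; the real products each use their own) shows where the comparison step fits:

```python
import json
import qrcode   # pip install qrcode[pil]

# A minimal sketch of the flow described above. The payload format and field
# names are invented; real products use their own formats. The security of
# the scheme hinges on the comparison step below.

def make_ballot(selections, path="ballot_qr.png"):
    payload = json.dumps(selections, sort_keys=True)
    qrcode.make(payload).save(path)        # printed alongside the marked choices
    return payload

def officials_check(decoded_payload, human_readable_marks):
    # If officials skip this comparison, the QR code – not the marks the voter
    # actually read – silently becomes the ballot of record.
    return json.loads(decoded_payload) == human_readable_marks

selections = {"governor": "Candidate A", "question_1": "No"}
payload = make_ballot(selections)
print(officials_check(payload, selections))   # True only when QR and marks agree
```
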
[Read more…]


Internet Voting Security: Wishful Thinking Doesn’t Make It True

[The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed among the past and present polls on the Courier-Journal site, but it is still available if you kept the link.]

On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time.

One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.

To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.
[Read more…]


How much does a botnet cost, and the impact on internet voting

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for “world” vs. specific countries – and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them were, the cost per vote would still be very “reasonable” under this scenario.
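
Here’s the back-of-the-envelope arithmetic, using the figures quoted above (the 10% usability assumption is from this paragraph; everything is rough):

```python
# Back-of-the-envelope arithmetic using the figures quoted in this post; the
# prices and the 10% usability assumption come from the text, and all of it
# is rough.
botnet_price_us = 1_000           # dollars for 10,000 infected US machines
machines = 10_000
cost_per_machine = botnet_price_us / machines               # $0.10

usable_fraction = 0.10                                      # only 10% cast a vote
cost_per_stolen_vote = cost_per_machine / usable_fraction   # $1.00

fliers_per_voter = 12             # "a dozen fliers" per candidate
cost_per_flier = 1.00             # roughly $1 each with printing and postage
persuasion_cost_per_voter = fliers_per_voter * cost_per_flier   # ~$12, no guarantee

print(f"${cost_per_stolen_vote:.2f} per stolen vote vs ~${persuasion_cost_per_voter:.0f} just to persuade one voter")
```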

And as John Sebes responded to an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course, but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good, because $10 is cheaper than $35 and it saves the trouble of paying the gatherers, who are at risk for a felony.”