Search This Blog

Monday, May 20, 2013

A Thought on the Proposed Built-In Wiretap Capability

The paper CALEA II: Risks of Wiretap Modifications to Endpoints raises very good points about the dangers of requiring vendors to build a wiretap capability into communications technology. I wanted to add a thought.

Let’s say that this capability is built in. As the above paper noted, an attacker can exploit the wiretap capability (which is, of course, simply a known, built-in vulnerability) to monitor the conversation. This may, or may not, alarm law enforcement authorities who are pushing for adding this capability. What should alarm them is that their conversations can also be monitored — that is, the attackers can keep tabs on the law enforcement authorities who are trying to catch the attackers! In other words, the tool intended for catching criminals can also be used to monitor the attempts to catch them.

Saying that vendors can build the vulnerability in such a way that only authorized eavesdroppers (read: law enforcement authorities) can use it underestimates the resourcefulness of attackers, and overestimates the capacity of humans both to design procedures that are flawless, and to carry out those procedures. Quoting from another report [1]:

Finally, no security should ever rely solely on secrecy of defensive mechanisms and countermeasures. While not publishing details of security mechanisms is perfectly acceptable as one security mechanism, it is perhaps the one most easily breached, especially in this age of widespread information dissemination. Worse, it provides a false sense of security. Dumpster diving, corporate espionage, outright bribery, and other techniques can discover secrets that companies and organizations wish to keep hidden; indeed, in many cases, organizations are unaware of their own leaking of information. A perhaps classic example occurred when lawyers for the DVD Copyright Control Association sued to prevent the release of code that would decipher any DVD movie file. They filed a declaration containing the source code of the algorithm. One day later, they asked the court to seal the declaration from public view — but the declaration had been posted to several Internet web sites, including one that had over 21,000 downloads of the declaration! [2] More recently, Fox News reported that information posing “a direct threat to U.S. troops … was posted carelessly to file servers by government agencies and contractors, accessible to anyone online” [3], and thefts of credit card numbers and identities are reported weekly and growing in number.

So, the alternative is to give law enforcement communications tools without these eavesdropping capabilities. Now, there are two sets of communications technology out there: those with built-in wiretaps, and those without built-in wiretaps. How long the market for the latter can be restricted to law enforcement is anyone’s guess, but there is no doubt that those wiretap-free tools will become available to people not engaged in active law enforcement. Restrictions on that type of technology fail quickly.

This point, I think, strengthens what the above paper is saying. Not only does it pose “serious consequences for the economic well-being and national security of the United States” as the paper says, it also hampers the effectiveness of law enforcement.

References

  1. M. Bishop, “Overview of Red Team Reports”, Office of the Secretary of State of California, 1500 11th St, Sacramento, CA 95814 (July 2007); available at http://www.sos.ca.gov/voting-systems/oversight/ttbr/red-overview.pdf
  2. Declan McCullagh, “DVD Lawyers Make Secret Public”, Wired News (Jan. 26, 2000); available at http://www.wired.com/politics/law/news/2000/01/33922
  3. Associated Press, “Government Agencies Posting Sensitive ‘Need to Know’ Material Online”, Fox News (July 12, 2007); available at http://www.foxnews.com/story/0,2933,289011,00.html

Friday, May 10, 2013

Internet Voting? Not Yet -- From an Election Point of View

[[This blog post discusses Internet elections from the point of view of how the election process might work. It’s similar to my blog entry of Monday, April 22, 2013, but presented from a different point of view (and has additional information.]]

The time for Internet voting has not yet arrived. Someday it may be a good idea, but we have many security problems to solve, and we will have to decide whether to change how elections are run.

To see why, let’s look at how Internet voting will work. When you go to vote, you will use your home computer, a work computer, or some other device to connect to an election server. That server will transmit a ballot back to you. You mark the ballot appropriately to cast your votes, and then the computer transmits the completed ballot back to the election server. The election server then processes the ballot, counting the votes.

Now let’s look at each step in this process.

First, you need to get the ballot from the election server. You have to connect to the election server and provide information to ensure you get the right ballot. In order to do this, you will need to supply your voting address and, possibly, prove your identity.

Let’s see what this means. During Election Day, when you open your browser and type in the Election Office’s web site, you get a message saying the web site is unavailable. You’re thrilled so many people are voting, so you go to work. While there, you try to vote again, with the same result. This happens whenever you try to cast your vote throughout the day. That evening, at 7:55pm (just before the polls close), you try to vote from home one last time. Again, the web site is “unavailable”. Oh, well.

What you just read is a description of a “denial of service”" attack. They are actually fairly common, and extremely easy to launch. In fact, recently many banks (such as U.S. Bank, Bank of America, Wells Fargo Bank, CitiBank, and American Express) [1-3] were victims of such attacks. But the banks have an advantage that election offices don't: lots of servers and lots of money. They can hire teams of cybersecurity experts to respond to these attacks, and can reroute traffic to geographically widely distributed servers to mitigate some of the effects of the attack. Even so, the banks all experienced slow-downs that affected customer use of their web sites.

Given that most Election Offices have 1 or 2 people whose job involves cybersecurity (among other functions) and would have a single server to handle Internet voting, not being able to connect to the election server over the Internet is very realistic. And as the above news articles note, these attacks are easy to launch — from anywhere in the world.

In fact, this has happened. During Hurricane Sandy, New Jersey allowed voters to request email ballots by sending an email to county email addresses set up for this purpose. But the email addresses which received the emails were quickly overwhelmed, and email requests for ballots were bouncing [4,5]. And this was not an attack; it was simply voters requesting email ballots — requests that were never received.

Next, let’s look at how you would retrieve a ballot. You give your voting address, and the election server transmits the appropriate ballot. But how do you know you are talking to the correct election server, and not a fake one?

Someone could send you a fake ballot from a bogus election server. Such a ballot could cause the votes you cast through that ballot to be changed before the ballot is transmitted to the election server. This sounds surprising, but remember that PDF files contain programming instructions that tell the computer how to draw the image on the screen. And that same language can tell the program reading the image to count votes differently than displayed; or they can add markings and cover them up when displayed.

So how do you know the votes you enter on your computer are what is sent to the server? Aside from rigging the ballot files, it is very easy to write programs that alter information; indeed, the infamous computer virus does exactly this. And while antivirus programs are very effective in countering viruses that they know about, they do not protect you against new viruses or other nasty programs on your system. There are many ways to introduce these programs, including having you go to a web site that looks like your bank’s (for example). When you get there, the site has you download something to improve service — and presto!, the malefactors have just put a virus on your system.

With smartphones this is even easier, because we all download apps and run them. The protection most smartphones offer is minimal, so writing an app to cast your vote (suitably doctored, of course) is easy. To get you to download it, the perpetrator sends you an email saying that your election official has set up a web site that you can go to for the app — and when you download it, you really download the doctored app. The election official, of course, did not send this letter.

So you need to be sure that, once you have marked the ballot, the marks you make are the ones that the vote counting system and software will count.

Now let’s say you supply your authentication information to validate who you are, so the election server will send you the right ballot. If you are communicating with a bogus election server, it now has all the information it needs to vote for you — it simply discards your ballot, logs in to the real election server as you, and casts its votes.

How can you be sure you are talking to the right election server? Presumably the county will supply that web address. But if the address comes in an email, it would be easy for some group to send you specially crafted email that displayed the right address as a link — but when you click on the link, it takes you to a completely different web site. This technique is called phishing (or, in this context, spearphishing) and is remarkably effective. This is widely believed to be the way attackers recently took over the Associated Press twitter news feed — and they then posted a fake news story about President Obama being injured by explosions at the White House, causing Wall Street to panic [6].

Instead, if the address doesn’t come in an email, the attackers may send an email on the night before the election that looks like it comes from the elections office, but is an attack as described above. This would probably trick a large number of people, who would be grateful that the elections office was providing a more convenient way of getting to the web page rather than forcing the user to type the full web address into the browser.

Okay, let's assume you are now talking to the real election server. Once you have cast your votes, they have to be transmitted to the election server. (If you haven't given the authentication information yet, you will have to do so now.) This means the ballot must be sent through the Internet. How does it get there? This is called “routing”, and the route the ballot takes depends on a lot of factors that change constantly. Unless specific methods are used to transmit the ballot, the ballot could get lost, or altered, or someone along the way could read it.

The method that has to be used is the same one that you use to talk to your bank — basically, it is an encrypted connection. These connections require the server to send something called a “certificate” that is signed by a trusted agency. But what agency, and how will you know that the certificate is valid? If the certificate is too old, your browser will tell you, and may refuse to allow you to proceed. But many institutions don’t keep their certificates up to date (it costs money for that), so when you see a notice saying “certificate expired”, you may be talking to the right election server. You don't know. Worse is the situation where the certificate is valid but from an unknown agency. How much can you trust that the agency really checked that the elections office asked for the certificate? Someone once had a highly reputable agency issue a new certificate for Microsoft — but he had no connection to Microsoft [7]. (The problem was discovered quickly, and no harm appeared to have been done. We may not be so fortunate in a Presidential election.)

Okay, now your vote has arrived at the election server. The election server has a lot to do, and must do it correctly. That you have voted now needs to be recorded, and in a way that does not indicate which ballot you case. Somehow the two must be decoupled. So, when your ballot arrives at the server, your name is marked as having voted, and the ballot must be digitally signed by the election server to ensure it is not changed after it is received. Then the ballot must be counted or moved to a system that will do the counting. Any error in all this will compromise your vote, your privacy, and/or the accuracy of the results.

The election server is connected to the Internet, of course — and the Internet that you use to connect to the election server is the same one that people around the world can use to connect to it. This includes attackers who want to break into the server, see the data that is there, and change it or the programs on the server to corrupt the results of the election. And attackers succeed at breaking into very well-maintained computers at high-security government agencies, and covering their tracks well. U.S. defense contractors, the Pentagon, other government agencies, financial institutions, and many major corporations have had their systems and web servers compromised [8-11]. These organizations have lots of security expertise and lots of money. They can hire teams of cybersecurity experts to detect attacks, analyze them, repair or reinstall corrupted systems, (attempt to) recover corrupted data, and figure out how to prevent the attacks from recurring. Of course, these responses take time to carry out. Election offices simply do not have these financial, human, or technical resources. Nor do they have the time, because during an election people vote for a fixed period of time (usually 14 hours or so). Thus, ensuring that an election server connected to the Internet is secure simply is infeasible.

Finally, the procedures to be followed to maintain the server's security must be well thought out and followed meticulously. This is a critical, and often overlooked, point: security experts know that a “system” is not secure; a “system” is secure when used in a specific way. A good way to think of this is to consider how safe a car is. When the driver obeys the traffic laws, she is (usually) quite safe. But if she runs red lights, she is not. Similarly, if the Internet voting system procedures are poorly done, or do not take into account the bad things that can prevent voting or corrupting the ballots, poor "system" security is the least of the problems.

It's tempting to assume that you can simply have someone get a ballot, fill it in, scan it into a PDF (or somehow get it into electronic form), and email it back to the county Elections Office. But the same problems arise. Change “election server” to “email server” above, and the description of how someone returns the ballot is the same whether a web browser on a home computer sends it to the (election) server, or a mail program sends it to the (email) server. And if the ballot is to be downloaded or emailed to the voter by an election official, you again have all the problems of getting the ballot as before.

The quest for Internet voting is a good one; but before the body politic decides that it should be implemented, the dangers and problems of it must be known, discussed openly, and a conscious decision made that the consequences of those problems are acceptable. A pilot study using a real election does not provide this information for several reasons. First, no reputable computer security expert will ever attack a voting system during an election (it’s a crime), so we cannot test the security of the system and its procedures as actually used. Second, enabling detection of some attacks requires a complete record of what happens — including how you voted. Before this type of recording is done, the body politic must decide that how you voted can become known, and accept the attendant risks of vote selling and voter intimidation. Third, a very sophisticated attack could well be undetectable — so how would we know the votes were compromised? And so forth. (See my blog entry for Wednesday, April 24, 2013 for a more detailed explanation of this.)

Whether these difficulties can ever be overcome is a very deep, complex question requiring research in technology, human behavior, social organization, political considerations, and legal matters. What is absolutely certain is that, until they are overcome, we should not conduct civic elections over the Internet.

As for my credentials: I am a professor of computer science at the University of California at Davis, where I am a co-director of the Computer Security Laboratory. I have been in the field since 1978. I have been studying electronic and Internet voting since 2004, when I participated in the RABA study of electronic voting systems for the State of Maryland [12]. I was also one of the co-leaders of the technical part of the California Secretary of State's Top-to-Bottom Review of voting systems certified for use in the State of California [13]. Currently, the National Science Foundation is funding our research on election processes [14,15]. Our group works with election officials in Yolo and Marin Counties.

Any opinions expressed in this note are those of the author, and not necessarily those of anyone else.


[ 1] "3 More Major US Banks Report Possible Cyber Attacks," NBC News (Sep. 27, 2012); available at http://www.nbcnews.com/technology/technolog/3-more-major-us-banks-report-possible-cyber-attacks-6126050

[ 2] M. Lennon, "Wells Fargo Says DDoS Attack Disrupting Online Banking Website," Security Week (Mar. 26, 2013); available at http://www.securityweek.com/wells-fargo-says-ddos-attack-disrupting-online-banking-website

[ 3] B. Acohido, "Amex Latest U.S. Major Bank to Get Knocked Offline," USA Today (April 2, 2013); available at http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service-hack/2030197/

[ 4] "Christie Administration Announces E-Mail and Fax Voting Available to New Jerseyans Displaced by Hurricane Sandy," State of New Jersey (Nov. 3, 2012); available at http://www.state.nj.us/governor/news/news/552012/approved/20121103d.html

[ 5] B. Sullivan, "New Jersey's Email Voting Suffers Major Glitches, Deadline Extended to Friday," NBC News (Nov. 6, 2012); available at http://usnews.nbcnews.com/_news/2012/11/06/14974588-new-jerseys-email-voting-suffers-major-glitches-deadline-extended-to-friday

[ 6] J. Steinberg, "Twitter, The Associated Press, and Phishing: Why Breaches Still Occur," Forbes (Apr. 26, 2013); available at http://www.forbes.com/sites/josephsteinberg/2013/04/26/twitter-the-associated-press-and-phishing-why-breaches-still-occur/

[ 7] "Unauthentic 'Microsoft Corporation' Certificates," CERT Advisory CA-2001-04, Pittsburgh, PA (Mar. 30, 2001); available at http://www.cert.org/advisories/CA-2001-04.html

[ 8] M. Riley & B. Elgin, "China Cyberspies Outwit U.S. Stealing Military Secrets," Bloomberg (May 1, 2013); available at http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html

[ 9] G. Wyler, "Pentagon Admits 24,000 Files Were Hacked, Declares Cyberspace A Theater Of War," Business Insider (July 14, 2011); available at http://www.businessinsider.com/pentagon-admits-24000-files-were-hacked-declares-cyberspace-a-theater-of-war-2011-7#ixzz2SAYL2pqp

[10] M. Schwartz, "U.S. Labor Dept. Website Hacked, Serves Malware," Information Week (May 1, 2013); available at http://www.informationweek.com/security/attacks/us-labor-dept-website-hacked-serves-malw/240153984

[11] D. Smith, "Bank of America Hacked By Anonymous: Hackers Leak 'Secrets' About Executives, Salaries, And Spy Activities," International Business Times (Feb. 28, 2013); available at http://www.ibtimes.com/bank-america-hacked-anonymous-hackers-leak-secrets-about-executives-salaries-spy-activities-1107947

[12] "Trusted Agent Report Diebold AccuVote-TS Voting System," RABA Innovative Solution Cell, Columbia, MD (Jan. 20, 2004); available at http://nob.cs.ucdavis.edu/~bishop/notes/2004-RABA/2004-RABA.pdf

[13] M. Bishop, "Overview of Red Team Reports," Office of the California Secretary of State (July 2007); available at http://www.sos.ca.gov/voting-systems/oversight/ttbr/red-overview.pdf

[14] "TC:Medium:Collaborative Research: Technological Support for Improving Election Processes," award from the National Science Foundation tot he University opt California at Davis (Sep. 15, 2009); abstract available at http://www.nsf.gov/awardsearch/showAward?AWD_ID=0905503

[15] "EAGER: Collaborative: Process-Based Technology to Support Comparison and Evaluation of the Security of Elections," award from the National Science Foundation tot he University opt California at Davis (Oct. 1, 2012); abstract available at http://www.nsf.gov/awardsearch/showAward?AWD_ID=1258577