www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
20 August 2007  

Update

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

Unsecured Voting

A test of three electronic voting systems certified for use in California has uncovered major security flaws. The test was conducted by researchers at the University of California, at the request of Secretary of State Debra Bowen, under a $1.8 million contract. The objective was to try to compromise the integrity of the voting systems supplied by Diebold Elections Systems, Hart Intercivic and Sequoia Voting Systems. The researchers not only succeeded in breaching all of the systems, but also concluded that there were likely more security problems that they did not have time to explore because of the limited timeframe of their study.

Their findings were worth raising an alarm about. For instance, the testers analyzing the Sequoia e-voting machine were able to gain physical access to the system by removing screws to bypass locks. The testers also discovered numerous ways to overwrite the firmware of the Sequoia Edge system, for example by using malformed font files or doctored update cartridges. Testers were also able to take advantage of vulnerabilities in Diebold's Windows operating system and take security-related actions that the server did not record in its audit logs. Thus, testers were able to manipulate several components networked to the server, including loading wireless drivers onto the server that could then be used to access a wireless device plugged secretly into the back of the server. Diebold's physical security was also lacking: the testers were able to bypass the physical controls on the optical scanner.

Malware Most Recent
Trojan.Tarodrop.D
W97M.Necro.A
W32.Vispat.B@mm
W32.Romariory@mm
W32.Imaut.AS
W32.Kibtos
W32.Falsu.E
Trojan.Peacomm.B!inf
Trojan.Virantix
W32.Deletemusic

Source: Symantec

The testers also found various ways to overwrite Diebold's firmware. Attacks could change vote totals, among other things. For instance, testers were able to escalate privileges from those of a voter to those of a poll worker or central count administrator, enabling them to reset an election, issue unauthorized voter cards and close polls.

The testers did not test the Windows systems on which the Hart election management software was installed because Hart does not configure the operating system or provide a default configuration, notes the report. Instead, Hart software security settings provide a restricted, Hart-defined environment that the testers were able to bypass, which allowed them to run the Hart software in a standard Windows environment. They also found an undisclosed account on the Hart software that an attacker who penetrated the host operating system could exploit to gain unauthorized access to the Hart election management database. The testers were able to overwrite the firmware and access menus that should have been locked with passwords. Other attacks allowed the team to alter vote totals; these attacks used ordinary objects. The team was also able to develop a device that caused Hart's system to authorize access codes without poll worker intervention.

All the vendors have released statements in response to these findings. Among the points in Sequoia's detailed rebuttal is the argument that the attacks did not simulate a real-world scenario. Even after considering these arguments, the results were worse than even the e-voting skeptics had expected. The real threat to these voting systems comes from election insiders. This has been known for years, but election officials and voting machine companies ignore this point.

Indeed, this is not the first time the integrity of e-voting machines has been questioned. The nonprofit group Black Box Voting issued a report last year, for instance, that outlined severe security flaws in Diebold machines. A separate study of the Diebold touch-screen voting system, conducted by Princeton University, also found serious security flaws. Diebold has repeatedly said its systems were safe. This latest study should prompt a serious review of both e-voting in general, and the certification process specifically, in Congress and state legislatures.

Using Wi-Fi puts Web accounts at risk

According to research from Errata Security Inc, users who access Google's Gmail or the Facebook social-networking site over Wi-Fi could be putting their accounts at risk of being hijacked. The risk is not limited to those sites: any Web application that exchanges account information with users could be affected. This includes blogging sites such as Blogspot and software-as-a-service offerings like Salesforce.com.

Most Web sites make use of encryption when passwords are entered but, because of the overhead, the rest of the information exchanged between a browser and a Web site is not encrypted. It is possible to collect cookie information while a user is accessing one of these sites over Wi-Fi using a packet sniffer, which can pick up data transferred between a wireless router and a computer. By collecting the cookie information and the session identifier with the packet sniffer and importing them into another Web browser, the hacker can get access to a person's account and take over that person's online identity, creating blog postings and reading e-mail using the victim's accounts. Meanwhile, the victim is directed to a version of the Web page they intended to visit in a phenomenon called sidejacking.

The remedy to this problem is that users should never use a Wi-Fi hotspot unless they are using VPN (virtual private networking) or SSL (secure sockets layer) to access their accounts.
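As an added example (not part of the original article or of Errata Security's research), the Python code below audits the response headers of a login for the condition described above: a session cookie issued without the Secure attribute, or a post-login redirect to plain HTTP, leaves the session identifier readable on the Wi-Fi link. The sample headers, the example.test host and the cookie-name heuristic are constructed assumptions.

```python
# Added example: audit a login response for the weakness behind sidejacking.
# Assumed heuristic: cookie names containing these strings carry the session.
SESSION_HINTS = ("sess", "sid", "auth", "token")

# Constructed sample: headers a hypothetical site returns after an HTTPS login.
SAMPLE_HEADERS = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=xyz789; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Location", "http://mail.example.test/inbox"),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name, attrs


def audit_login_response(headers, hints=SESSION_HINTS):
    """List the ways this response exposes the session to a sniffer."""
    findings = []
    for header, value in headers:
        header = header.lower()
        if header == "set-cookie":
            name, attrs = parse_set_cookie(value)
            looks_like_session = any(h in name.lower() for h in hints)
            # Without Secure, the browser also sends the cookie over http://.
            if looks_like_session and "secure" not in attrs:
                findings.append(
                    f"cookie {name}: no Secure attribute, sent over plain HTTP"
                )
        elif header == "location" and value.lower().startswith("http://"):
            # Encrypted login followed by an unencrypted session.
            findings.append(f"redirect to unencrypted URL: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_login_response(SAMPLE_HEADERS):
        print(finding)
```
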

Hybrid Web worms

Security researchers recently demonstrated how a Web-based worm could spread to a victim’s system and then back to a vulnerable server by cobbling together a mishmash of malicious Web technologies.

Nicknamed hybrid Web worms, the attack brings together malicious JavaScript techniques, code obfuscation and the addition of a dormant program that only executes to infect vulnerable Web servers. Researchers outlined this technique in a paper at the recently held Black Hat Security Conference. The attack allows Web worms to break out of the virtual box that confines them to infecting users of only a single Web site.

It's like a seed: if the worm cannot spread between Web servers because of firewall rules and other restrictions, then it can wrap up a worm inside of JavaScript and infect other servers from the client.

Techniques for propagating malicious code among a Web site's visitors have worried security researchers since the Samy worm spread amongst MySpace users in October 2005. As researchers continue to discover more advanced JavaScript techniques, Web worms and other malicious browser-focused code will likely become more of a threat.

Malware count to hit 3,00,000 mark

The number of malicious pieces of software floating around the Internet has increased over the years. Security firm McAfee said in 2000 that they had detected over 50,000 items. Then in 2003 the number topped 1,00,000 and now it is estimated that this figure is poised to exceed 3,00,000.

According to McAfee, bots, adware, spyware and other attacks make up a global market for cybercrime worth over $100 billion, which surpasses drug trafficking as a global issue from a monetary perspective. They found that there is a need to change Internet-related policies in the US. It is imperative for the United States to continue to build upon existing legislation to curb the alarming trend of malware and spam. That's fine for the US, but it isn't going to put an end to Russian spamming rings.

As far as China goes, enforcement, as evinced by that country's bust of a major software counterfeiting ring, is being counterpointed by Microsoft selling Windows to the Chinese education market for $3.

According to McAfee, laws seem to be functional against cybercrime, and if legislators can tighten any potential loopholes against criminal spammers, then all will be in favor of that. Much of the problem rests outside US borders, and until that's addressed one can expect to see McAfee's malware count continue to rise.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.