
Hacking an Internet Voting System


search555


Hi Expert people!

Newbie here! Just want to get some tips on how to hack an internet voting system. I am an IT professional working out of my home country, and we were commissioned by our embassy to try and hack the internet voting system which our government wants to implement in a few years' time. Sad to say, the system is already built, and I believe they are just trying to impress the public that the system is well secured, because they contacted IT people who are really not into hacking. As such, I wanted to do my part and scrutinize the system. If possible, I also want to hack the system to see if it's really secure.

So what do I need to know beforehand to prepare for a commissioned hack?

Sorry to ask all these questions. But my area of expertise is only in SAP security, and I am nowhere near versed in internet security.


I was able to find something on SCYTL's website. This is what I found. I believe this is the same system which they have set up for us. Any idea?

Client-Server Security on the Internet

To protect any transaction between the client and server over the internet, several generic security measures are usually taken. The client device has anti-virus software to protect it from viruses and Trojan horses.

Data passed through the internet is encrypted using Secure Sockets Layer technology or a Virtual Private Network.

A firewall placed between the internet and the servers prevents the entrance of hackers into the servers.

Should anyone gain entrance to the servers, Intrusion Detection Systems can alert the Systems Administrators. And of course, the servers will be protected with anti-virus software.

Electronic Voting with Conventional Security

An electronic voting system is typically more complex than a standard client-server system.

On the server side, there will typically be two separate systems.

The Vote Collection Server, where the votes are collected from the internet. In the demo, this server is associated with the image of a ballot box.

The Vote Tallying Server, which receives the votes from the Vote Collection Server and tallies them. In the demo, this server is associated with the image of a calculator.

Of course, an electoral authority is present to oversee the entire process.

The voting process starts when the voter accesses the web page for the election.

The voter logs on with the appropriate credentials (user name and password or PKI or biometrics). The Vote Collection Server sends a personalized virtual ballot to the voter.

The voter makes his choices and sends the completed unsealed vote to the server through the internet in an encrypted SSL connection. The vote emerges unsealed from the SSL connection and is stored in the Vote Collection Server.

The Vote Collection Server continues collecting votes until the close of the election, at which point the votes are transferred to the Tallying Server, that publishes the totals for each candidate.

This can prove to be unsatisfactory to a voter who is concerned that his vote was not included in the final tally, as there is nothing to link his actions on his client device with the final result, except perhaps blind faith.

Other problems result from the fact that the votes are stored without adequate protection on the servers.

Anyone with privileged access to the servers can either see what the votes are and/or change them without being detected.

Any hacker who breaks through the firewall could do the same.

Electronic Voting Secured by Pnyx

The use of Pnyx technology in the previous e-voting scenario would solve these problems.

The philosophy behind Pnyx is to replicate the proven security processes that operate in conventional election systems.

To do this Pnyx adds three modules to a conventional electronic voting platform.

The first Pnyx module is a Mixing Service that ensures that all votes that enter the Vote Collection Server are randomly shuffled. This operation, along with the use of digital envelopes, will ensure the anonymity of the votes. The Mixing Service also performs the important task of creating the unique cryptographic key pair that is used to protect individual ballots. The Mixing Service allows Pnyx to replicate in an electronic voting platform the conventional election practise of distributing trust among members of an electoral board. An electoral board is formed by various parties representing different interests in the election. Only the electoral board operating collectively is authorized to open the voting urn. With Pnyx a qualified majority of the electoral board must present their keys to unlock the votes at the end of the voting period.

The second Pnyx module is the Voting Service that is added to the Vote Collection server to handle the voting protocol with the Voting Client.

Once the voter accesses the election web page the third Pnyx module, the Voting Client, is downloaded to the voter’s browser. The Voting Client asks the voter for his voting credentials, which can be a local digital certificate (generally stored in a smartcard) or a remote digital certificate downloaded from the Voting Service using the voter’s personal identification code and password. Independently of the identification mechanism, the Voting Client always uses the voter’s private key to establish a strong authentication protocol that allows the Vote Collection Server to send the personalized virtual ballot to the client device. The voter makes his choices which are passed to the Voting Client and the Voting Client generates the contents for a voting receipt. The completed vote and the contents of the voting receipt are sealed in a digital envelope. The voting client prepares the voting receipt for its validation by the Voting Service. The voting receipt validation request and the digital envelope are sent securely through the Internet. When the Voting Service confirms reception of the digital envelope, it validates the voting receipt. The Voting Client receives the voting receipt and passes it to the voter. This voting receipt will allow the voter after the election to verify the existence of his vote in the final tally but will not allow vote selling since it does not reveal who the vote was for.

While stored in the Vote Collection server, the votes are securely stored in their digital envelopes that only the Electoral Board can open. This process repeats with all of the voters until the end of the polling period.

At this point, the Electoral Board gathers together and collectively starts the opening of the ballot box. The Mixing Server randomly shuffles the digital envelopes, opens them and breaks the relation between the votes, the voting receipts and the voters, thereby solving the conundrum of strongly authenticating voters while allowing voter privacy.

The digital urn is opened, revealing the votes and the voting receipts within but leaving no possibility of correlation between them. The votes and the voting receipt contents are sent to the tallying application, so that the results can be tallied and published along with the voting receipts.

With the voting receipts Pnyx solves one of the biggest problems with electronic voting systems, that of confidence in the system. All voters can now follow their own vote through to the final count and be sure that the system worked correctly and honestly.

The voters can see for themselves the existence of their voting receipt in the list published after the election. Should the receipt appear in the list, they know that their vote was included in the final tally. Should the receipt not appear in the list, then the voter can present their validated voting receipt to publicly complain about the result. Pnyx also solves the problem of certain people, such as system administrators or electoral authorities abusing their privileges. Reviewing or changing votes in the urn is rendered impossible by locking the votes in digital envelopes and securely logging all voting actions.

Intruders such as malicious hackers that managed to break through the firewall would likewise be prevented from doing any damage.

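The description above is prose only, so here is a toy model of the mechanics it names: every ballot sealed in a "digital envelope", the election key split among an electoral board so that only a qualified majority can open the urn, and the envelopes shuffled before opening so that nothing links an opened vote to the voter who sent it. This is an added illustration, not Scytl/Pnyx code. The envelope cipher (an HMAC-SHA256 keystream plus a MAC), Shamir secret sharing over a 255-bit prime, and the use of a symmetric election key in place of the board's public key are all assumptions chosen so the example runs on the Python standard library alone.

```python
"""Toy model of the Pnyx-style flow: seal, threshold-open, shuffle, tally.

Added illustration, not Scytl/Pnyx code. Primitives are stand-ins (assumption):
a real system would use vetted asymmetric encryption under the board's public
key and a *verifiable* mix, not the toy cipher and plain shuffle used here.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19  # prime field for Shamir sharing (assumption)


def split_key(key: int, n: int, t: int) -> list:
    """Split key into n shares of which any t reconstruct it (Shamir, degree t-1)."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def reconstruct_key(shares: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than t shares this yields a
    wrong key, which the envelope MAC below then rejects."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _subkeys(election_key: bytes):
    """Derive separate encryption and MAC keys from the election key."""
    enc = hashlib.sha256(b"enc" + election_key).digest()
    mac = hashlib.sha256(b"mac" + election_key).digest()
    return enc, mac


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with an HMAC-SHA256 counter keystream (toy cipher)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(election_key: bytes, vote: str, receipt: str) -> dict:
    """Client side: seal the vote and receipt contents in a digital envelope.
    The collection server stores this and must never hold election_key."""
    enc, mac = _subkeys(election_key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, f"{vote}\n{receipt}".encode())
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_envelope(election_key: bytes, env: dict) -> tuple:
    """Board side: verify the MAC, then decrypt. Raises on a wrong key or a
    modified envelope, so a tampered or under-quorum urn cannot be tallied."""
    enc, mac = _subkeys(election_key)
    expected = hmac.new(mac, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope rejected: wrong key or tampered contents")
    vote, receipt = _xor_stream(enc, env["nonce"], env["ct"]).decode().split("\n", 1)
    return vote, receipt


def setup_election(board_size: int = 5, threshold: int = 3) -> tuple:
    """Generate the election key and hand one share to each board member."""
    key_int = secrets.randbelow(P)
    return key_int.to_bytes(32, "big"), split_key(key_int, board_size, threshold)


def open_urn(shares: list, urn: list) -> tuple:
    """Board members pool their shares; the urn is shuffled, opened and tallied.
    Returns (tally, sorted receipt list): receipts are published unlinked."""
    key = reconstruct_key(shares).to_bytes(32, "big")
    shuffled = list(urn)
    secrets.SystemRandom().shuffle(shuffled)   # breaks submission order
    opened = [open_envelope(key, env) for env in shuffled]
    tally = {}
    for vote, _ in opened:
        tally[vote] = tally.get(vote, 0) + 1
    return tally, sorted(receipt for _, receipt in opened)


if __name__ == "__main__":
    election_key, shares = setup_election()
    # constructed ballots: (choice, receipt token shown to the voter)
    urn = [seal(election_key, v, r) for v, r in
           [("A", "rcpt-1"), ("B", "rcpt-2"), ("A", "rcpt-3")]]
    print(open_urn(shares[:3], urn))       # 3 of 5 board members: urn opens
    try:
        open_urn(shares[:2], urn)          # 2 of 5: MAC fails, urn stays shut
    except ValueError as e:
        print("quorum not met:", e)
```

The part worth noticing is what the model does not give you: the shuffle is a plain `shuffle()`, so an observer has no way to verify that the board opened exactly the envelopes that were collected and nothing else. That is precisely the gap the critique later in this thread pokes at, and it is why real mix-nets publish proofs of correct shuffling rather than asking the public to trust the box.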

I did a port scan on the website and this is what I found

port.bmp

Don't know if it's the server you need or what, but it seems like a lot of ports open for just a web server.

Firstly, dude, WTF is that?

And next, anyone want to see if they have the source up on the FTP site?


Well, unless HOSTALIA allows anonymous FTP access to their shared hosting accounts, I doubt you will be able to get on that FTP. Also, this will just be their public website; all the fancy shit is going to be on in-house servers that will most likely be on a VPN. You need to read this: http://www.scytl.com/pdf/PNYXDREWhitePaper.pdf and then identify the likely risks to the system, such as programmers being bribed, crooked election officials with physical access to the machines, etc.

edit: @SomeoneE1se |  http://vil.nai.com/vil/content/v_98599.htm


The first Pnyx module is a Mixing Service that ensures that all votes that enter the Vote Collection Server are randomly shuffled. This operation, along with the use of digital envelopes, will ensure the anonymity of the votes. The Mixing Service also performs the important task of creating the unique cryptographic key pair that is used to protect individual ballots. The Mixing Service allows Pnyx to replicate in an electronic voting platform the conventional election practise of distributing trust among members of an electoral board. An electoral board is formed by various parties representing different interests in the election. Only the electoral board operating collectively is authorized to open the voting urn. With Pnyx a qualified majority of the electoral board must present their keys to unlock the votes at the end of the voting period.

I find this 'description' to be rather lacking. It's marketing speak that doesn't explain in any way, shape or form just _what_ this module is doing.

The second Pnyx module is the Voting Service that is added to the Vote Collection server to handle the voting protocol with the Voting Client.

Once the voter accesses the election web page the third Pnyx module, the Voting Client, is downloaded to the voter’s browser.

And what, exactly is this client thing? Flash? Java? ActiveX? Exe (euwww!)?

Does this client run on Linux? Mac OSX? *BSD? What happens when it doesn't?

How much of it is open source? Surely the client app can be inspected by the public at large, or are we supposed to blindly trust a binary blob from some random server?

The Voting Client asks the voter for his voting credentials, which can be a local digital certificate (generally stored in a smartcard) or a remote digital certificate downloaded from the Voting Service using the voter’s personal identification code and password.

Due to the costs involved, you can forget about the smartcard (the reader alone will still cost more than $10, even in bulk. And this is per capita...).

So basically the user up until this point has done 2 things:

- Gone to a website to install the Client.

- Gone to a website, log on with username and password, and received a 'remote digital certificate'.

I think what they mean by 'Remote Digital Certificate' (RDC) is that the user generates a key pair, stores the private key someplace safe and provides the website with the public key using a certificate signing request. The server signs the certificate and sends it back. At this point the user has 2 files in his possession: the Private Key (PK) and the signed public key (certificate).

The idea is that further down the line the user transmits his certificate to the Voting Server, which can verify that it was signed by him or an affiliated server using his public key, or that of this affiliated system. From this point on the user can encrypt his data with his PK, and the server can use the user's certificate, already in his possession, to decrypt the received data.

That stuff is all fine and dandy, buttaah.... What happens when the user misplaces one of those 2 files? Say, due to a power outage on the client's side? Can he get a new cert? How many can he get? What happens when someone then tries to vote using a previously sent out PK and certificate?

What happens when, due to DNS poisoning, the user is sent to a different server? Remember, we're talking John Q. Public here, or 'computer-illiterate drooling beasts' for a more descriptive name. It's not that hard to get someone to online-voting.com instead of onlinevoting.com and present that individual with an SSL certificate that is valid for that site.

Independently of the identification mechanism, the Voting Client always uses the voter’s private key to establish a strong authentication protocol that allows the Vote Collection Server to send the personalized virtual ballot to the client device.

Exactly. So the server sent the user a ballot using a strongly encrypted link. Now, again, the power fails (damn those airco's). Can the client restart the process? What, exactly IS this 'personalized virtual ballot'? Unless I'm mistaken a ballot should very much _not_ be personalized. When you used to put the paper ballot in the box, it didn't have your name on it, now did it?

The voter makes his choices which are passed to the Voting Client and the Voting Client generates the contents for a voting receipt. The completed vote and the contents of the voting receipt are sealed in a digital envelope. The voting client prepares the voting receipt for its validation by the Voting Service. The voting receipt validation request and the digital envelope are sent securely through the Internet. When the Voting Service confirms reception of the digital envelope, it validates the voting receipt.

What worries me here is that the user interacts with the Voting Client program (and _ONLY_ the Voting Client program). What guarantees are in place that this piece of software does what it is told to do? We may get some answers further down this text, but I doubt it.

Okay, so, Joe Blow User cast his vote, it's wrapped in a digital envelope along with a receipt (?) and sent to the server which checks if the vote cast is valid or not. What on earth do they mean with "validates the voting receipt"?

The Voting Client receives the voting receipt and passes it to the voter.

Why? According to the description the server didn't do anything with it other than verify its contents. When you compromise the VC to always send out, say, "Bush", it's trivial to make it do the same for the receipt. And then provide it to the user again but now saying "Kerry". Does the server sign the receipt? Is there a way, outside of using the VC, to check the cryptographic authenticity of the signed receipt?

This voting receipt will allow the voter after the election to verify the existence of his vote in the final tally but will not allow vote selling since it does not reveal who the vote was for.

Great. But where in the process can I verify that my vote, which is about to be cast, is in fact my vote? When we were using paper ballots, I could look at the piece of paper, see that the correct area was marked, and then dispose of that piece of paper in a transparent box. If, though some freak of nature, I realize I've voted for the wrong person, I can bring back my ballot, ask for a new one, and watch them shred or otherwise invalidate the old one. I can stick around to make sure that the box with my vote in it has all its ballots properly counted. Hell, I might even be able to recognize my ballot in this process.

With this new method I push some buttons, and am forced to trust, on blind faith alone, a binary blob to:

0) actually be the binary blob I'm supposed to be using for this.

1) be talking to the correct server (which could be beyond its control).

2) actually be using all this cryptography stuff.

3) actually be relaying my vote, rather than what some interest group with money to spend would like me to vote.

4) provide me with my own, personal and unique receipt.

5) not search my harddrive for any MP3s or kiddie porn or terror plans or $SIGN_OF_UNRELATED_WRONGDOING.

6) work cleanly around any issues that my own system might have. I mean, great you have antivirus running and updated, but I might not.

7) work cleanly around a catastrophic hardware failure. If my machine catches fire because it's OC'd to the max and the pump in my water cooler just died, can I still go out and vote manually? At what point in the process can I no-longer do this? Can I use an alternate machine available to me to retry? At what point can I no-longer do this?

While stored in the Vote Collection server, the votes are securely stored in their digital envelopes that only the Electoral Board can open. This process repeats with all of the voters until the end of the polling period.

Does 'securely stored' mean that nobody can open my digital envelopes, or does it mean that there is some form of secure storage that holds my vote in a tamper-proof environment? I trust the latter. Please describe where, when and how this is stored. What happens when, through some course of action (crazy guy putting a bullet through the box, killing all storage media), the store becomes unavailable? Is it possible to either insert or remove votes from the store (never mind that it can be detected; can it be _done_)? What happens when such a tampering attempt is detected?


(My message was too long, so I had to use a second post for the remainder)

At this point, the Electoral Board gathers together and collectively starts the opening of the ballot box. The Mixing Server randomly shuffles the digital envelopes, opens them and breaks the relation between the votes, the voting receipts and the voters, thereby solving the conundrum of strongly authenticating voters while allowing voter privacy.

How does this opening process work?

Why wait until this moment to break this link between voter, vote and receipt? Why not immediately break it when the vote was submitted? The voter can't check if his vote was counted until after the election, so surely he has no reason to want to maintain this link in the mean time.

The digital urn is opened, revealing the votes and the voting receipts within but leaving no possibility of correlation between them. The votes and the voting receipt contents are sent to the tallying application, so that the results can be tallied and published along with the voting receipts.

In what way are these contents sent? How is this data secured, and can the officials verify that their 'digital urn' was correctly sent and used?

The rest of the message looked like even more marketing speak.


I tried to access the FTP and I got in under admin.

The guy's password was the easiest ever.

And I think you are right about the 'not being the actual server' thing.

BTW, the thing I use to port scan and ping LARGE packets to people is called hactek.

And DUDE, again with the long posts.


A little more about it:

http://h71028.www7.hp.com:80/erc/library/G...ing%20solutions

It's not useful for a hack, but maybe to point someone towards the hardware/software side of it on Google.


I have three issues that are of concern.

1) That document is not targeted to developers and is poorly written for its target audience, any democratic administrative office. It fails to relay any information regarding the security of the clients, the servers, and protocols used.

2) My second concern is in regards to the phrase:

that allows the Vote Collection Server to send the personalized virtual ballot to the client device

This sounds like an innuendo for "This isn't really democracy. Don't concern yourself with the big issues. Vote on these issues instead." Creating individual ballots for each voter would allow the administrative staff to exclude anyone from any vote for any reason. "You don't get to vote on this bill because you participated in a public protest 12 years ago."

3) If I were to participate in a vote that makes use of this system, and then later use my receipt to check that my vote exists in the voting system, would the existence of that receipt in the voting system ensure that the content of the voting ballot has not been altered?

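The receipt questions in the long critique above (does the server sign it, can a compromised client fake it) and the third concern in the post just above (does a receipt in the list prove the ballot content was not altered) come down to the same thing: what the receipt actually commits to. The following is an added example, not Scytl/Pnyx code, and both receipt designs in it are assumptions rather than anything taken from the white paper. An opaque token is compared with a commitment receipt SHA-256(nonce || vote) where the voter keeps the nonce, and a `substitute` switch models the compromised Voting Client from the critique that silently sends a different choice than the one the voter picked.

```python
"""What a published receipt list can and cannot prove (added illustration).

Two receipt designs, both assumptions:
  * opaque token  - proves only that *some* vote carrying that token was counted;
  * commitment    - receipt = SHA-256(nonce || vote); the voter keeps the nonce
                    and recomputes the receipt from the vote they *intended*.
"""
import hashlib
import secrets
from collections import Counter


def commitment(vote: str, nonce: bytes) -> str:
    return hashlib.sha256(nonce + vote.encode()).hexdigest()


class CollectionServer:
    def __init__(self):
        self._records = []   # (vote, receipt); sealed envelopes in the real design

    def record(self, vote: str, receipt: str) -> None:
        self._records.append((vote, receipt))

    def publish(self) -> tuple:
        """After the mix: tally and receipt list, with the link between them broken."""
        tally = Counter(v for v, _ in self._records)
        receipts = sorted(r for _, r in self._records)
        return tally, receipts


class VotingClient:
    def __init__(self, server: CollectionServer, substitute: str = None):
        self.server = server
        self.substitute = substitute        # set => compromised client

    def cast(self, chosen: str) -> tuple:
        nonce = secrets.token_bytes(16)
        sent = self.substitute or chosen    # attack: the vote is swapped here
        receipt = commitment(sent, nonce)   # receipt matches what was *sent*
        self.server.record(sent, receipt)
        return nonce, receipt               # both shown to the voter


def check_opaque(published_receipts: list, receipt_shown: str) -> bool:
    """Naive check: is the string the client showed me in the list?"""
    return receipt_shown in published_receipts


def check_commitment(published_receipts: list, intended_vote: str, nonce: bytes) -> bool:
    """Stronger check: recompute from the vote I meant to cast. Must run on a
    device other than the one that ran the client, or the client can lie again."""
    return commitment(intended_vote, nonce) in published_receipts


def demo() -> dict:
    server = CollectionServer()
    honest = VotingClient(server)
    rogue = VotingClient(server, substitute="Bush")
    n1, r1 = honest.cast("Kerry")
    n2, r2 = rogue.cast("Kerry")        # voter picked Kerry; client sent Bush
    tally, receipts = server.publish()
    return {
        "tally": dict(tally),
        "victim_opaque_check": check_opaque(receipts, r2),                     # True: nothing seen
        "victim_commitment_check": check_commitment(receipts, "Kerry", n2),    # False: caught
        "honest_commitment_check": check_commitment(receipts, "Kerry", n1),    # True
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. First, the commitment check only helps if the voter recomputes it somewhere the rogue client cannot reach; handing the client a forged nonce does not help the attacker, because the honest recomputation simply fails to match and becomes a complaint, but a check performed inside the same compromised client proves nothing. Second, a receipt the voter can open with a nonce is exactly the kind of receipt a vote buyer can ask to see, which is the vote-selling property the description above claims to avoid, so this design trades one of the thread's concerns for another rather than settling both.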

If it is anything like the Diebold machines, I wouldn't use it. I would cast in a late paper ballot that was something like a mail in for people in the military or out of the country, etc.


Awesome!!! I am really thankful that I found this website. I really appreciate all the input. But hopefully, in 2 days' time I can get concrete details. Check out this news story.... http://www.gmanews.tv/story/51247/Hackers-...rity---official

We are so-called "hackers". The problem with that press release is that we are only IT professionals, each an expert in our own field. There may be a few who are involved in Internet security. But I doubt they have the capability to really try and hack the system.

And so, I am soliciting some help from those "white hat hackers" to test the system to see if it's really secure.

More technical info coming in a few days time. THANK YOU ALL!!!!


LMFAO, I don't even know what to say to that, man.... but I'm reading Harry Potter, so here's a quote from Ron: "You pathetic wankers" (lol jokes)

And one from Hermione: "You loathsome, despicable cretin" (also jokes)

:grin: have fun with your server access


LMFAO, I don't even know what to say to that, man.... but I'm reading Harry Potter, so here's a quote from Ron: "You pathetic wankers" (lol jokes)

And one from Hermione: "You loathsome, despicable cretin" (also jokes)

:grin: have fun with your server access

For God's sake, I was actually defending what you said.


I know, but it's more fun this way :lol:

You have been warned, don't post in this thread again unless you have something constructive to add.

Admin

vako@hak5.org

@Everyone else, ignore this, carry on with the topic.

