How the Electronic Voting Machine of India can be compromised

As India votes in the biggest elections in the world, here is a simplified summary of a research paper published in 2010, written by a team of researchers from the University of Michigan and NetIndia Pvt Ltd, Hyderabad. Hari Prasad, one of the lead authors, was charged with possession of a stolen EVM and jailed for his role in the research, which was conducted on that machine.

The experiments conducted by the authors demonstrate several types of attacks on the EVM (Electronic Voting Machine), both before and after voting.

Before voting: The control unit displays the candidates’ vote totals. The researchers replaced one of its parts and showed how a substitute malicious part could output different election results. This component can be programmed to steal a desired percentage of the votes in favor of a chosen candidate, so that it does not become obvious that the election was compromised. It is similar to the good old capturing of booths and then casting a few votes for others while casting most for the desired candidate.

After voting: A small clip-on device was attached to manipulate the memory inside the machine. Votes stored in the EVM between the election and the public counting session can be changed using this specially made device. The EVM has so-called ‘read-only’ memory used only for the storage of votes. However, the researchers were able to read and write that memory from an external interface. They developed a small clip with a chip on top that reads the votes held in memory and manipulates the data by swapping votes from one candidate to another.

For those who have read this far, here are specific attacks successfully conducted on the EVM:

Dishonest Display Attack: The researchers designed and built a lookalike display unit and swapped it into an EVM. This display can be manipulated remotely via an Android app they developed. The display unit was cheap to manufacture and took minutes to replace.

Clip-on Memory Manipulator Attack: This attack can steal votes and violate ballot secrecy. However, it involves physical tampering with the EVM and attaching a small device. Such tampering is difficult but can be achieved with the help of a malicious insider. Once the device is clipped on, the EVM can be remotely controlled to change the vote counts and to read the actual votes stored in it.

Scalability: Like many other computer science problems, stealing an election is a problem of scale. In a national election, close to one million voters typically cast votes in a single constituency. Voting happens in very small units called booths, with a few thousand voters in each. To make any significant difference to the result, thousands of booths would need to be compromised. Such skilled attackers and sophisticated equipment cannot be mobilized without raising suspicion. The Election Commission of India has made a similar argument to dismiss the merit of the research entirely.

SecurityDen view: The attacks are serious and the paper has a lot of merit. Instead of pressing charges and arresting the researcher, the government should have encouraged design criticism and attack demonstrations to ensure the credibility of the elections. Western countries have gone back to the paper ballot because of such security vulnerabilities. However, these attacks involve physical tampering with the EVMs. Given that thousands of EVMs lie in government warehouses for years when not in use, such attacks are possible but hard to scale.

Reference: Security Analysis of India’s Electronic Voting Machines

Microsoft Internet Explorer Zero Day Bug: key events

Here is the timeline of the now-fixed Microsoft zero-day bug:


April 9, 2014: Microsoft stops supporting Windows XP.

April 26, 2014: Microsoft announces the bug, originally discovered by FireEye.

April 28, 2014: The U.S. government issues an advisory warning people not to use Microsoft’s browser.

April 30, 2014: Microsoft offers an advisory on dealing with the zero-day bug.

May 02, 2014: Microsoft fixes the bug. It is believed that the CEO of Microsoft was involved in the decision making, which makes this bug extremely high profile and raises the importance of security to another level.

What was the bug about: A zero-day bug or attack takes advantage of a security vulnerability on the same day that the vulnerability becomes publicly known; there are “zero days” between the time the vulnerability is discovered and the first attack. This is one of the biggest zero-day bugs ever. According to Microsoft, the bug “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.” Simply put, if the user is running the affected versions of Windows XP and IE (versions 6 to 11), attackers could lure the user to a malicious website and then run any code on the system, possibly taking complete control. The impact was huge, as about a fourth of Windows users use the versions involved.

What it now means to XP and IE users: Most users need to do nothing, as the fix will be downloaded automatically the next time they connect to the internet. Those who have disabled automatic updates need to apply the update manually.

Broader impact: Earlier, Mashable’s Lance Ulanoff called on Microsoft CEO Satya Nadella to reverse course with “One Last Patch” for Windows XP. Such a move would make Nadella “the temporary hero of millions of hapless Windows XP users,” and if presented in the right way, would underscore the security risks of remaining on Windows XP, Ulanoff said. By those standards Nadella has rescued 25% of the world! More importantly, this shows that a critical security issue can put a major corporation under pressure to patch products it had decided not to support.

References:
1. Time: Microsoft Fixes Internet Explorer Security Bug

2. venturebeat.com: U.S. government urges caution after Microsoft reveals dangerous Internet Explorer bug

Beginner’s guide to terms used:
Zero Day Attack

Heartbleed explained

OpenSSL is the most popular open source cryptographic library and SSL/TLS implementation, used to encrypt much of the traffic on the internet. OpenSSL has a module called heartbeat, which keeps a connection between two entities, say two servers on the internet, alive and in sync. A heartbeat is the way one computer makes sure the other is still up and running, so that if no heartbeat comes back, it stops communicating with the dead or unavailable computer.
Since the vulnerability was found in the heartbeat module, it got the name “Heartbleed”. The problem is caused by a very small piece of code:

memcpy(bp, pl, payload); // copy 'payload' bytes from pl (the received heartbeat data) to bp (the response buffer)

bp is a place in the server’s memory, pl is where the data the client sent as a heartbeat is held, and payload is a number, supplied by the client, that says how big pl is. This works unless the payload value is maliciously larger than the data actually sent. If payload is passed as 128 KB when it should really be 0 KB, memcpy earmarks a 128 KB region of memory at bp that already contains some data, which is supposed to be overwritten and hence erased. But in this case none of the old data at bp gets overwritten, because there is nothing to replace it with since pl is actually empty. The data that was sitting at bp prior to the heartbeat then gets passed back to the client. This data could contain private keys, passwords or other sensitive information.
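To make the missing check concrete, here is an added example (not code from the original post or from OpenSSL) that models a simplified heartbeat record in a constructed memory arena: the vulnerable handler trusts the client’s declared payload length, so memcpy copies bytes from beyond the record into the response, while the fixed handler adds the bounds check against the length that actually arrived. The record layout, the arena and the secret string are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ARENA_LEN 64
#define HB_HDR 3   /* 1 type byte + 2-byte big-endian payload length */

/* Constructed "heap" (example data, not real server memory): a heartbeat
 * record that DECLARES 32 payload bytes but actually carries 2, followed
 * by bytes the client must never see. */
static uint8_t arena[ARENA_LEN];
static const size_t record_len = HB_HDR + 2;
static const char secret[] = "SECRET-KEY-MATERIAL";
static void build_arena(void) {
    memset(arena, 'X', ARENA_LEN);
    arena[0] = 1;                    /* TLS1_HB_REQUEST */
    arena[1] = 0; arena[2] = 32;     /* declared payload length: 32 */
    arena[3] = 'h'; arena[4] = 'i';  /* the only payload bytes actually sent */
    memcpy(arena + record_len, secret, sizeof secret - 1);
}

/* Pre-fix behaviour: trust the declared length and memcpy that many bytes. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    (void)rec_len;                   /* the real record length is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload > out_len) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];   /* TLS1_HB_RESPONSE header */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);    /* reads past the record */
    return HB_HDR + payload;
}
/* Fixed behaviour: reject a record whose declared length exceeds what arrived. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < HB_HDR) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload > rec_len) return 0;  /* the missing bounds check */
    return heartbeat_vulnerable(rec, rec_len, out, out_len); /* safe: payload now fits */
}

/* Returns 1 if the heartbeat response echoes the bytes that followed the record. */
static int leaks(size_t (*hb)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t out[ARENA_LEN];
    build_arena();
    size_t n = hb(arena, record_len, out, sizeof out);
    for (size_t i = 0; i + sizeof secret - 1 <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}
int vulnerable_leaks(void) { return leaks(heartbeat_vulnerable); }
int fixed_leaks(void)      { return leaks(heartbeat_fixed); }
```

The over-read stays inside the constructed arena so the demonstration is well-defined C; on a real server the same copy walks into whatever happens to follow the record on the heap.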

This is not the first such problem or breach, but the potential impact is huge, perhaps bigger and more widespread than any other similar vulnerability. Heartbleed has exposed many private keys, the secrecy of which forms the very foundation of the asymmetric encryption used by SSL/TLS.

What it means to internet users: Google and Facebook have announced that their users and services were not impacted. Yet users were advised to change passwords as a precaution. Such vulnerabilities remind us that in security nothing can be taken for granted, and any assumption of foolproof security can be dangerous. What is secure today can and will be broken tomorrow.

References:
1. Heartbleed.com
2. Existentialize.com

Beginner’s guide to terms used:
OpenSSL
SSL/TLS

SecurityDen.com is launched

Computer security is one of the fastest growing fields within computer science. Within the last two years the frequency and scale of corporate data breaches has grown manifold. Security is the number one concern in the enterprise move to the cloud. There is no dearth of security magazines, journals and blogs. Yet very few focus on explaining the complex issues of security in simple language.

securityden.com is being launched with the mission of simplifying computer security for software professionals and computer users. The blog shall include, but not be limited to, everyday security topics, security news, cloud security, threat modeling, book reviews and advice for newcomers to the field of computer security. Our vision is to be among the top 10 security blogs in the world by 2015.

Unless otherwise indicated, the blogs will be written by Shreyas Kumar. Shreyas holds an MS degree in Computer Science from Texas A&M University, where he wrote an unusual and widely acclaimed thesis on “Patterns in the daily diaries of 41st President George Bush”. He has completed his PhD coursework at the University of California, Santa Cruz and is writing his thesis on “Threat modeling for the cloud”. Shreyas has over 14 years of industry experience in product development in India, Singapore and the USA. He has designed and taught a university-level course on Java security and holds a CISSP certification.

Social media presence:
Facebook 
Twitter
Pinterest
LinkedIn

We hope our prospective readers find the blog useful. For any suggestions, please email admin@securityden.com.