California Hammers on E-Voting

Comprehensive audit and penetration test designed to end voters' fears about electronic voting

Debra Bowen is tired of all the hype about vulnerabilities in e-voting systems. And next week, she and a herd of researchers are going to do something about it.

Bowen, the secretary of state for Calif., said yesterday that the state is ready to begin a "top-to-bottom review" of its e-voting systems, using three teams of experts from universities and private companies all over the state. The researchers will review all of the data they can find about hacking electronic polling systems, and they will try to break into the systems themselves.

Just how vulnerable such voting machines and their underlying software are has been a sore subject, debated by politicians, jurists, and technology experts. (See E-Voting Tested on Election Day, E-Voting Hacks Facts, and Diebold Disses Democracy.) Many states have shunned electronic systems and reverted to punch cards or good old-fashioned paper ballots marked with a pencil.

The Calif. review, which will begin May 14 and run through July, will result in one of three conclusions, Bowen says:

  • Calif.'s systems will be found to be secure, and voters can rest easy.
  • The systems will be found to be flawed but fixable with additional security measures.
  • The systems will be found to be so flawed that they will have to be decertified and eliminated from the state's voting process.

The review, which will be led by the University of California, will consist of three separate teams of about seven people each, Bowen says. Each team will evaluate documents pertaining to e-voting vulnerabilities, conduct a source-code audit of the voting systems the state currently uses, and execute a "red team" penetration test to see whether it can break into the systems and tamper with voting results.

The state will spend about $1.8 million on the review, which is said to be the first of its kind among state governments. Calif. has spent or allocated more than $450 million on computerized voting equipment in the past few years, the state says.

The tests will not focus solely on the systems used to cast ballots, but will also investigate the systems used to count them, including tabulating devices, software, and peripherals, the state says. Among the vendors to be tested are Diebold, ES&S, and Hart InterCivic.

The vendors will be required to submit all currently certified equipment used in Calif., as well as new systems they hope to sell to the state in the future, according to the state. If a vendor chooses not to submit a particular model or declines to participate in the tests, the excluded equipment may immediately be decertified.

The results of the penetration tests will not be made public, but Bowen says the teams will issue reports on their progress. Several other states -- including N.Y. -- are also considering reviews of their voting systems, particularly after Congress' decision last week to investigate anomalies that occurred in Fla.'s 13th district in 2006.

— Tim Wilson, Site Editor, Dark Reading
