Windows OS on Voting Machines not Pen Tested
If you had the job of security testing a voting machine that ran Windows, would you certify it without a penetration test?
November 11, 2004
Server hardening is not a simple task, and a voting machine in some cases is just another Windows box. While I'm not a conspiracy nut or anything, some details posted on BlackBoxvoting.org have to get your attention. For example, according to documents they obtained via the Freedom of Information Act, the voting machines used in Florida were not tested with any form of penetration test at all. The consultant they hired to do the job checked the box "Not Applicable". Now I don't know about you, but I would think that these boxes, some of which can be accessed via RRAS, should be intensely tested in this area.
As stated at Blackboxvoting.org:
"The most important test on the ITA report is called the “penetration analysis.” This test is supposed to tell us whether anyone can break into the system to tamper with the votes.
“Not applicable,” wrote Shawn Southworth, of Ciber Labs, the ITA that tested the Diebold GEMS central tabulator software. “Did not test.”"
I can't imagine putting a static web server behind a firewall without at least a rudimentary test of well-known vulnerabilities, strong passwords, etc. - so how much more would you do for a voting machine and its related server systems?
This story is trying to sprout legs, and this is squarely in the zone of Windows security experts.
-brett hill