Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Privileged Access Management Could Have Prevented Voting Crack

Lieberman Software : 13 March, 2012  (Technical Article)
Lieberman Software comments on the e-voting flaw in US elections which could have been prevented with the use of privileged access management
Privileged Access Management Could Have Prevented Voting Crack
As Super Tuesday got under way in the US elections last week, reports started coming in about an electronic voting platform whose security was massively compromised after the election board invited external researchers to test its systems.

Lieberman Software says that it took coding experts with the University of Michigan just a few hours to compromise the system’s security and ‘elect’ a cartoon character from ’Futurama’ to the Washington DC election board.

Philip Lieberman, president and Chief Executive of the security software specialist, says that the multi-stage crack could almost certainly have been prevented had the developers of the electronic voting system built privileged identity management into the system.

“The methodology used by the researchers was precise. First they identified that the platform was susceptible to a shell injection attack, and then they started writing output to the images directory. After that they encrypted their IP traffic to stop the Intrusion Detection System (IDS) from triggering,” he said.

“The final piece in the cracking jigsaw was when they guessed the login details of the server - so granting them high level access to the e-voting platform. The right privileged identity management controls would have eliminated the obviously weak admin credentials, making it all but impossible for outsiders to access sensitive accounts,” he added.

The Lieberman Software president went on to say that the encryption of the cracking IP traffic was an interesting twist, as it prevented the IDS from spotting the rogue traffic.

But, he says, this loophole could also have been closed through the use of deep level packet inspection and/or heuristic packet analysis, which are security processes increasingly being adopted by large corporations to defend their critical IT systems.

Lieberman goes on to explain that the real safety net on any Internet-facing system – and especially with public platforms such as electronic voting servers – is the use of privileged identity management, since this protects organisations against unauthorised users and malicious programs from gaining unrestricted, anonymous access to sensitive data on the network.

The problem that most large organisations face, he says, is that nearly all have powerful, unsecured privileged accounts present in their cross-platform enterprise.

Reducing the level of access to their various functions on all but the most critical of admin accounts – and then limiting these high-privilege admin accounts to specific terminals – dramatically lowers the security risk profile of the organization concerned.

“This isn’t rocket science,” said Lieberman. “It’s the application of multi-level security controls in a cost-effective manner.”

“I think the most interesting takeaway from this high profile incident is that the voting board opened up its platform to a public security test and the security was found wanting. There are almost certainly a great many other public-facing government systems that have similar weaknesses – or worse,” he said.

“At the end of the day, the Washington DC election board should be applauded for its openness which – though unconventional – helped them highlight the fact that necessary controls were missing from their environment,” he added.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo