by Edwin T
The peer-reviewed article I chose for this week was about security testing of voting systems. The authors discussed several vulnerabilities in the DRE (direct-recording electronic) voting machine and how they could affect election day. The authors found buffer overflows in the DRE system, and by exploiting them it was very easy to take the machine over completely. The DRE systems also lack the means to detect malicious software or a change in firmware. If malicious firmware is installed on a DRE system, it can activate on election day and modify a subset of ballots so they appear to be votes for the preferred candidate. In the “careful voter” scenario, the voter submits a ballot and a review screen appears showing the name of the preferred candidate rather than the one the voter actually selected. If the voter catches the discrepancy, the firmware lets the voter edit the submission; at that point the firmware considers itself detected and stops altering ballots for a period of time or a number of voters before starting again. Another of the many scenarios in the article was the “After the Fact Vote”: the voter casts a ballot normally, then the firmware prints a voided ballot and re-prints the ballot with a vote for the preferred candidate.
I chose this article because we’ve been talking about SQL injection in class. Although it does not relate to databases, it does relate to systems in general.
This article really interests me because security testing seems to be underestimated when it should be a high priority. Stealing an election is very possible based on the findings of this article. Groups such as Anonymous go around exploiting vulnerabilities as they please; I believe more people need to be aware of security measures in order to reduce the vulnerabilities.
Balzarotti, D., Banks, G., Cova, M., Felmetsger, V., Kemmerer, R., Robertson, W., Valeur, F., & Vigna, G. (2010). An Experience in Testing the Security of Real-World Electronic Voting Systems. IEEE Transactions on Software Engineering, 36, 453-473.