I'm starting with what I did to start this whole thing rolling.
In November, Mohawk held a referendum vote regarding a new healthcare policy for students that would increase student activity fees. Purpose aside, I took some time out, even early on in this vote, to determine if this, like previous voting systems, was susceptible to "attack".
(Even this requires some back-story: they used a very vulnerable system during a referendum vote for a health and wellness center in 2008, which was nullified, since the system was so vulnerable, and moved to paper voting. They later tested, and used, a new voting system for student elections later that school year, based on their initial insecure system but with a few updates, which students helped render, to make the system less susceptible to "attack". It's worthy of note that this system is nearly, if not completely, identical to the initial system that was judged too insecure to use, after which the vote was moved to paper.)
Blah, long explanation, moving on.
I noticed the same security problem I had with previous systems, and was honestly curious if they had implemented a known, insecure voting system. Knowing as much as I do about networks, computers, servers, webpages, etc., I was genuinely curious, knowing that they could have made several changes, not obvious to me as an outside observer, that could have made the system very secure. Not being able to tell, from the outside, if these changes were implemented, I would have to do a little testing.
Several days later, I found some time, and my interest was again focused on the voting system. I took the opportunity to analyse some encrypted traffic, using the sniffing tool "Fiddler" for in-stream SSL decrypting. I used the information I gathered and attempted several different methods of accessing the same page, and perhaps submitting some information that wasn't expected, to see what results would be achieved. The obvious focus here was to see if someone, if they were so inclined, could submit false, misleading, or inaccurate votes into the system, and have the system accept them.
After several attempts at this, I found that I could, and I even generated a small script in Linux that would utilize the command-line browser "curl" to submit votes in an organized fashion, for the purposes of voting for every possible student number. The script ran, and achieved positive results. I obviously didn't let it run till completion, far from it. After I was able to confirm it was getting positive results consistently, I shut it down. My goals were never to sway or alter the outcome of the vote, merely to prove whether or not the system was susceptible to such "attacks".
Knowing what I know about networking and computers, I know that someone with intent to alter the vote, who would be a Mohawk student and have knowledge and capabilities similar to or greater than my own, could be very clever in disguising their submission of misleading votes, in such a way that it would be nearly impossible to detect. One would accomplish this using a combination of attacks against students to obtain logins and valid security credentials from other students, combined with redirection of connections through the use of proxy servers, and random number generators to make the pattern of IDs being used to send misleading votes more difficult to track. The theory goes that if a random number can be generated that is a valid user's ID number (which may take several attempts at least), then you would have arrived at that number by no logical means and without using something that would generate a pattern (e.g. 000000, 000001, 000002, etc.), which would be detectable. These precautions would make the misleading voting information difficult to detect, if you would be able to detect it at all.
It's easy to see that if something like this were to exist (and it did), it posed a clear and present danger to the security of the voting system and the confidence of the results, since someone running an elaborate program to harvest the correct information and submit false or misleading votes, and running this program all day, could potentially submit hundreds, if not thousands, of illegitimate votes daily. If they're very difficult to detect, then the votes may, and probably would, be considered legitimate, and the outcome of the referendum would be swayed dramatically to the will of whoever would create such a program.
I felt it was my duty to uncover this flaw, if it existed, which it did, and when I uncovered it, I slept, then told the administration (specifically the CIO of the college) about the problem.
I still have a copy of that email, which I pulled from the email servers at Mohawk before they locked me out of them... I won't post it here directly, but I have it for reference.
I felt, and still feel, like I was doing what was right and good, and doing Mohawk a great service... both the administration and the students. I do not regret my actions, but I'm very disappointed by what happened next.