InfoSec Philippines

Information Security, Technology News and Opinions

Comelec challenges hackers

Posted by Daniel Tumalad on March 17, 2009

Taken from The Philippine Star (www.philstar.com), 17 March 2009:

Try to hack into automation machines, Comelec challenges hackers
By Sheila Crisostomo

MANILA, Philippines – The Commission on Elections (Comelec) yesterday challenged hackers to try to hack into the voting and counting machines that will be used in next year’s elections, but expressed confidence that they would fail.

Comelec executive director Jose Tolentino said they are very confident the security features of the precinct count optical scan (PCOS) machines would be able to thwart hackers.

“Even in the first level, we can already detect any tampering,” noted Tolentino, who is also the project manager of poll automation.

Read full article:

http://www.philstar.com/Article.aspx?articleId=449326&publicationSubCategoryId=63

[ In any area of security, issuing this sort of public challenge is usually unwise and inappropriate, since it may well prove dangerous; nevertheless, it is entertaining. ]


6 Responses to “Comelec challenges hackers”

  1. dts said

    Comments made by
    Patrick Dailey CISSP, GCFA, IT Audit and Security Consultant – Managing Director at DigiThreat Solutions
    [http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=29343049&gid=1851931]

    From an IT project management point of view, 80,000 machines with source code, voter information data, vote data, and other information will be installed throughout the country. Additionally, the provision of transmission of data to a centralized location (presumably via Internet) will have to be procured from each location where the machines are installed. Supplies of ballot paper, training, technical support, and warehousing are all part of this project, and all aspects of this project need to be completed by May 10th, 2010 (417 days from now). The winning bidder is announced on April 27th, 2009, giving the bidder 378 days to complete all tasks.

    To say that this project is ambitious would be an understatement – let’s do the math. It will require that the winning bidder install the machines, the software, and (hopefully) test an average of over 200 machines a day, travel not included. This does not account for machines that are dead on arrival. Internet access will need to be procured at locations throughout the country. Ever tried to get an Internet connection procured in a remote province? It can take months to get a reliable connection even in Metro Manila. What about remote islands that offer no Internet service whatsoever?

    Logistics will also play a major role – while slightly less than 2000 mothballed counting machines from the 2004 election are sitting in four floors of storage (costing taxpayers P30 million a year), how much storage will 80,000 counting machines require? If the same size of machines and stacking capability is utilized as is the current storage, it will require 160 floors, or roughly 40 hectares, of storage space. Phasing the storage of equipment in warehouses will add to the complexity of the project, and delivery of machines and other materials to the end location to install (and coordinating with the installers) would almost require a Ph.D. in logistics, if there were such a degree. Add training and technical support to the equation, and you have an extremely difficult project. I have no reason to doubt Mr. Tolentino when he has confidence in the bidder's capabilities, but this type of project would stretch many large multi-national companies. Simply put, whoever wins this project has their hands very full, and I do wish them the best of luck.

    Assuming the bidder can survive the project demands and logistics, they will then have to contend with the security risks that are involved with this undertaking. While “hackers” are the “in” thing to talk about, they are a very small subset of the overall security risks. Here are some very basic IT security questions the winning bidder should be asking before even bidding on the project:

    -Are there defined information security policies and procedures for this project?
    -What is the overall network architecture of this project, including systems, ports, data transmission, data locations, and other pertinent information? Where are its weak points?
    -Will firewalls be a part of the architecture? What is blocked? What is allowed? What is needed?
    -Are wireless technologies utilized? If so, is it secured, or can someone sit outside the precinct offices and modify the votes?
    -Is SMS an option being considered, and if so, what is being done to secure SMS?
    -How does the transmission of data occur? Is it encrypted? If so, how?
    -Is data transmission from one location to another vulnerable to man-in-the-middle or other attacks? If you do not know what a man-in-the-middle attack is, it is probably recommended that you not bid on this project.
    -What happens if there is no electricity, or there is an outage during the middle of the election? What happens if there is an Internet/telco outage? Is there a detailed continuity and/or recovery program? If so, does the introduction of people handling the data provide added risk?
    -How is the centralized data secured? Is it centralized on a SQL database? If so, how secure is your SA password and how vulnerable are you to SQL injection attacks?
    -What if there are discrepancies between the vote tallies at the precinct and the vote tallies that end up being stored at the centralized location? What happens?

    Many more IT questions could and will be asked, but the IT questions go well beyond the source code of the application. The source code could be absolutely fine, but if the underlying architecture has problems, then there are significant risks. It’s like building a mansion on an unstable slope – it might look good, but will crumble at the first sign of stress.

    In a case such as elections, people pose an additional risk. Some questions to ask include:

    -Will all programmers, installers, and other employees undergo background checks to help ensure that they cannot be compromised by third parties?
    -How are devices physically secured from being compromised? Are guards watching them? If so, do they know what to look for? Or are they part of the problem?
    -What if it weren’t typical “hackers”, but a foreign government trying to ensure that their preferred candidate gets elected? If you think that is far-fetched, then why were both the campaigns of John McCain and Barack Obama hacked by a foreign entity last year while leading up to the election? Why is the Chinese government repeatedly alleged to be hacking into foreign government systems?

    The project scope, risks, and huge budget make this an extremely difficult endeavor. While Mr. Tolentino makes some pretty bold statements, it’s ultimately up to the winning bidder to follow through on the assertions he has made. Our company, as I am sure many other information security companies, would love to see the finished product. However, the source code is only a small component of the overall product and project, and will not give an overall picture of the security of the 2010 elections.
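The comment above asks whether the precinct-to-central transmission is encrypted, whether it is open to a man-in-the-middle attack, and what happens when the central tally disagrees with the precinct tally. The following Python is an added example written for this page; it is not code from the comment, from Comelec, or from any PCOS vendor, and it says nothing about how the real 2010 system worked. It shows one minimal way to make those three questions concrete: the precinct machine authenticates its tally report with an HMAC under a per-precinct key (an assumption standing in for the asymmetric signature a real design would use, so that the central server cannot forge precinct reports), the central receiver rejects reports whose authenticator does not verify or whose sequence number has already been seen, and a reconciliation step compares the accepted electronic tally against the precinct's printed tally. The precinct identifier, key, candidate names and vote counts are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed data: one precinct and its shared key. Assumption: the key is
# provisioned to the machine and the central server out of band before election day.
PRECINCT_KEYS = {
    "P-0001": b"example-key-for-precinct-0001",
}


def canonical(report: dict) -> bytes:
    """Serialize deterministically so sender and receiver authenticate identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def seal_report(precinct_id: str, sequence: int, tallies: dict, key: bytes) -> dict:
    """Precinct side: bind the precinct id, a sequence number and the tallies under one MAC.

    The sequence number is inside the authenticated data so a captured report cannot
    be replayed later as a fresh one.
    """
    report = {"precinct": precinct_id, "seq": sequence, "tallies": tallies}
    tag = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": tag}


class CentralReceiver:
    """Central side: accept only authentic, fresh reports from known precincts."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}   # highest sequence number accepted per precinct
        self.accepted = {}   # tallies accepted per precinct

    def receive(self, message: dict) -> str:
        report = message["report"]
        pid = report["precinct"]
        key = self.keys.get(pid)
        if key is None:
            return "rejected: unknown precinct"
        expected = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
        # Constant-time comparison: a MAC check is the wrong place for a timing leak.
        if not hmac.compare_digest(expected, message["mac"]):
            return "rejected: bad mac"
        if report["seq"] <= self.last_seq.get(pid, -1):
            return "rejected: replay"
        self.last_seq[pid] = report["seq"]
        self.accepted[pid] = report["tallies"]
        return "accepted"


def reconcile(central_tally: dict, precinct_paper_tally: dict) -> set:
    """Return the candidates whose central figure differs from the precinct's printed tally."""
    candidates = set(central_tally) | set(precinct_paper_tally)
    return {c for c in candidates if central_tally.get(c) != precinct_paper_tally.get(c)}


def run_scenario() -> dict:
    """Walk through an honest report, an in-transit modification, and a replay."""
    key = PRECINCT_KEYS["P-0001"]
    tallies = {"Candidate A": 312, "Candidate B": 287}   # constructed precinct result
    message = seal_report("P-0001", 1, tallies, key)
    central = CentralReceiver(PRECINCT_KEYS)
    results = {}

    results["honest"] = central.receive(message)

    # Constructed man-in-the-middle: copy the message on the wire and move 25 votes.
    # The attacker can rewrite the JSON but, lacking the key, cannot recompute the MAC.
    tampered = json.loads(json.dumps(message))
    tampered["report"]["tallies"]["Candidate A"] -= 25
    tampered["report"]["tallies"]["Candidate B"] += 25
    tampered["report"]["seq"] = 2
    results["tampered"] = central.receive(tampered)

    # Replaying the genuine message verifies, but its sequence number is stale.
    results["replay"] = central.receive(message)

    # Reconciliation against the printed precinct tally: nothing to flag when only
    # authentic data was accepted, two candidates to flag had the tampered copy got in.
    results["discrepancy"] = reconcile(central.accepted["P-0001"], tallies)
    results["discrepancy_if_unverified"] = reconcile(tampered["report"]["tallies"], tallies)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the example makes is the one the comment makes: encryption alone does not answer the man-in-the-middle question, because a report that is merely confidential can still be altered or replayed; integrity, origin and freshness have to be checked at the receiver, and the paper tally still has to be compared against what the central site accepted.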

  2. Thank you for sharing this dts. It’s a well-thought-out response that has many agreeable key points. Perhaps it would be in everyone’s interest (for the sake of transparency) for Mr. Tolentino to shed light on Comelec’s plans on how they would implement the entire system with regard to the measures they will undergo to assure security. I’m not talking about detailed plans, just a high-level roadmap would do. It may not be enough for many people, but for me it would be a good initiative. I’m still trying to be optimistic and as Mr. Daily bids, I hope everything goes well.

  3. Mr. Dailey will not be bidding – he has no desire to attempt career suicide : – )

  4. Oh sorry about that, correction: Mr. “Dailey”. It’s nice to know that there are still people taking time to notice and taking time to write such a response to this ballot computerization issue. And I hope the right people get to read it and take the points into consideration.

    btw, I meant “bid” as “to wish”; probably a poor choice of term. 🙂

    Regards,

  5. trinity said

    Hello

    I’ve been doing computer stuff since 1989, programming and development on any type of operating system; hacking wired and wireless systems; I’m also the one (codename: trinity) who hacked all Smart-WiFi base stations, access points and AP-clients back in 2004-2005. For Smart-WiFi subscribers, if you experienced a 2 Mbps bandwidth connection then I was the one who touched it, and after a time I destroyed almost every base station and AP-client that I could reach remotely.

    This year I’m jobless, and I have heard 1 million pesos will be rewarded to the one who hacks the system.

    Watch out!

    Trinity!

  6. trinity said

    This is a challenge for all Filipino hackers; whether there are a hundred or tens, it’s fine. The important thing is that they know Filipinos are very good in terms of computer technology.

    Oh!
    One more thing, I was also involved in hacking some websites that shut down for a couple of days. hmp!

    Z.u.zun online hackers!
    Trinity!
