Hack the Vote

Posted in Computer Security by Thomas Cantrell on August 28, 2009

Another voting machine hack courtesy of ArsTechnica. The researchers were able to hack a Sequoia AVC Advantage voting machine by a sneaky buffer overflow attack:

The AVC Advantage has several characteristics that make it more secure than many other voting machines. It has hardware mechanisms that prevent it from running code from RAM. This effectively protects against attacks that involve arbitrary code injection. To circumvent this security measure, the researchers used a technique called return-oriented programming that involves co-opting bits of code that are already in the system.

By chaining together small snippets of regular code from the system ROM, it becomes possible to perform more sophisticated and specialized operations—such as redirecting votes—without having to inject malicious code. …

The cost of this effort is scarily low:

The researchers were able to devise and implement this hack in roughly 16 man-months of labor without having any access to the actual source code or non-public documentation. It worked flawlessly on actual devices during tests and could be used by a sufficiently motivated individual to manipulate the outcome of a real election. The team estimates that a comparable hack could be funded in the private market for as little as $100,000.

This is amazing research with a scary result. Sequoia is obviously trying to do the right thing by restricting execution to ROM. However, it appears that this is not even close to enough for two reasons.

Reason one: attacks only get better. If these voting machines have a shelf life of ten years, then they need to be designed to be resilient for those ten years.

Reason two: security is an economic proposition. An election is probably worth at least billions of dollars if it could even be monetized. The hack costs only $100,000, which is quite cheap for this kind of exploit.

Birthday Paradox

Posted in Cryptography by Thomas Cantrell on August 14, 2009

There is an odd thing that happens when you have 23 students in a classroom. It is quite possible that at least one of them has the same birthday as another (in fact the probability is about 50%). This is called the Birthday Paradox.

This concept has parallels in cryptography, where you are counting on two people to not hold the same random numbers. I ran across a little calculator for these kinds of events:


Perhaps this is a little too “Number Theory geeky,” but I find this calculator quite cool and useful.
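The calculation behind the 23-student figure, and the same arithmetic applied to random numbers, as an added example (this is not the calculator the post refers to). The 64-bit and 128-bit value sizes and the function names are assumptions chosen for illustration.

```python
import math

EXACT_LIMIT = 1_000_000  # beyond this many draws, switch to the closed-form approximation


def collision_probability(n: int, d: int) -> float:
    """P(at least two of n uniform random draws from d possible values coincide)."""
    if n < 2:
        return 0.0
    if n > d:
        return 1.0  # pigeonhole: more draws than distinct values
    if n <= EXACT_LIMIT:
        # ln P(all distinct) = sum_{k=1}^{n-1} ln(1 - k/d).
        # log1p keeps precision when k/d is far below float epsilon (huge d).
        log_distinct = sum(math.log1p(-k / d) for k in range(1, n))
    else:
        # Standard approximation: P(all distinct) ~= exp(-n(n-1) / (2d)).
        log_distinct = -(n * (n - 1)) / (2 * d)
    return -math.expm1(log_distinct)  # 1 - exp(x) without cancellation


def draws_for_probability(p: float, d: int) -> int:
    """Approximate number of draws at which collision probability reaches p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * d * -math.log1p(-p)))


if __name__ == "__main__":
    print(f"23 students, 365 days: {collision_probability(23, 365):.4f}")
    # Constructed cases: random identifiers of 64 and 128 bits.
    print(f"2^32 random 64-bit values: {collision_probability(2**32, 2**64):.4f}")
    print(f"1000 random 128-bit values: {collision_probability(1000, 2**128):.3e}")
    print(f"64-bit draws for 50%: {draws_for_probability(0.5, 2**64):,}")
```

The practical reading for random nonces or identifiers: collisions become likely once the number of values issued approaches the square root of the number of possible values, so a 64-bit random value gives only about 32 bits of collision resistance.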

Dilbert and IPsec

Posted in Computer Security by Thomas Cantrell on July 6, 2009

I can’t help thinking about IPsec VPNs as I read this Dilbert:
Dilbert.com

For those of you who have ever tried to set up a VPN for the first time, you’ll know what I mean. I don’t mean one of those wimpy VPNs that your network administrator sets up, but a real IPsec VPN with all the settings and proposals.

It’s often hundreds of settings that have to match the other VPN’s settings identically in order for the VPN to work. If a single one of these settings is off, the negotiation fails and the VPN does not come up. True, it’s not hard after you’ve done a few. However, that’s if you survive the pure frustration of setting up the first one. You could easily end up stabbing yourself.

Is the IETF IPsec working group just a shim for a secret government military plot designed to drive its enemies insane? You decide. :)

Visa Revokes PCI for Heartland Payment Systems

Posted in Computer Security, PCI by Thomas Cantrell on March 23, 2009

From SC Magazine:

Visa announced on Friday that it has removed Heartland Payment Systems and RBS WorldPay — two payment processors that have announced massive data breaches in recent months — from its list of service providers compliant with payment industry guidelines.

“That could be a pretty significant event because retailers are obligated to use PCI compliant service providers,” Avivah Litan, a distinguished analyst at Gartner, told SCMagazineUS.com on Friday. “It’s almost like saying all their customers have to leave them.”

And then:

Rich Mogull, founder of IT security consultancy Securosis, said in an email Friday to SCMagazineUS.com that the PCI assessment process needs revamping.

“What we see is that although no PCI-compliant company seems to ever get breached, many are certified and then found non-compliant after the breach,” he said. “Thus, it’s clear the certification process is flawed. While I don’t expect certification to impart immunity from attack, decertifying all these companies seems disingenuous.”

This raises an interesting point: can a company be both compliant and non-compliant at the same time? I think it can be. It depends on how you measure.

I have no background on the PCI standard, but I suspect there may be different places where measurements can differ from one audit to another. The external auditor is likely paid by the company, and therefore has an interest in proving that the company is compliant. The VISA auditors after the security breach have the exact opposite incentive. Their goal is to prove the vendors non-compliant in order to prove the validity of the standard. For this reason, I almost guarantee that most hacked vendors will prove non-compliant with PCI after being hacked.

However, I don’t want to move the spotlight from Heartland Payment Systems, who allowed themselves to still be breached. It’s quite possible that compliance didn’t last past the PCI audit. According to SC Magazine, hackers infiltrated the network soon after Heartland’s April 2008 PCI audit. It begs the question: how immune are audits like PCI to snapshot compliance? Can a company become compliant only when audits are performed? This is what Visa’s top risk officer, Ellen Richey, says about Heartland as quoted in SC Magazine:

“I’m sure everyone in this room has read the headlines questioning how an event of this magnitude could still happen today,” she said, according to a transcript of her speech. “The fact is, it never should have…As we’ve all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack.” (Italics mine)

Finally, there is some argument that the PCI standard itself created this problem. There seems to be some noise on forums asserting that the PCI standard does not require end-to-end encryption. I’m not sure if this is true, but if it is, this means the implicit security standard at Heartland could have been “don’t worry, be crappy.” If this is the case, then they may have just followed the PCI standard enough to get certified, but not enough to actually mitigate risk.

Doghouse: Heartland Payment Systems

Posted in Computer Security by Thomas Cantrell on March 15, 2009

Last week I got a notice that my debit card was getting canceled due to a security breach at Heartland Payment Systems. I did a little googling, and came across their official site for the breach. While I am never sympathetic to those who are careless with my data, I was really surprised and a bit disgusted at the details revealed by the press releases on the site.

From a press release on January 20th, 2009:

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

And from a press release on January 27th, 2009:

“Heartland has been working on the development of end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts,” Carr continued. “To do this, we are forming a dedicated internal department and have named Steven M. Elefant, a well-known expert in point-of-sale payments, executive director.”

These press releases make me sad because they speak of security problems and solutions that were developed ten to twenty years ago. “End-to-end encryption” is implemented in a plethora of protocols, IPsec and TLS to name a few. As for the “program designed to flag network anomalies in real-time,” this is a little newer and has been encapsulated in various different IDS products this last decade. In other words, the press release sings out to me “oops. We didn’t realize we were vulnerable, now we should be doing what others have told us we should be doing for a long time.”

I pick on Heartland Payment Systems mostly because they are a credit card processing system. They are not one single store, like TJ Maxx’s data breach of 2007. This is a provider whose very sales story is: “The Highest Standards” and “The Most Trusted Transactions.” These are posted prominently on their main page. Anyone who works in the credit card or banking transaction industries must know by now that since their transactions are virtual money, security must be at the forefront of their minds. They are the exact target of overseas hackers, as they are the gatekeepers to the money.

My conclusion is that from the technologies mentioned in their press releases they should have known better. After all, they are a high-risk company for computer fraud. This is why Heartland Payment Systems is in my dog house.

CISSP: Self Study or Class

Posted in CISSP, Computer Security by Thomas Cantrell on March 8, 2009

As I mentioned, I am studying for the CISSP. It’s been an enjoyable journey thus far of security topics.

One thing I’m noticing in my study is that there are two ways to work through this certification. The first is self-study. One studies through a text. My book is approximately 1200 pages. The second way is a training class. These classes cost about $4,000-$5,000 and take a week of time. However, after the intense “boot camp” you will be ready to take the test and get your certificate.

I started off thinking that I would self-study all my way to the CISSP. After all, I’m about 250 pages through my first read of the 1200 pages. However, even if I study well, I am beginning to see the value of taking the training class as well. The idea is that I would study all the material myself and use the training class as review. If my employer will pay, then this is a great idea. If my employer doesn’t pay, then I fear training classes would be too expensive.

Certainly $4,000-$5,000 is expensive, but when you are like me thinking of 3-6 months of study, perhaps the course is worth it. Again, the goal is to at the end of the day not just get the certification, but to have a better picture of the security landscape.

CISSP: The Road To Certification – Part I

Posted in CISSP, Computer Security by Thomas Cantrell on February 28, 2009

I decided I needed to professionally further myself and I grabbed a copy of All in One CISSP by Shon Harris. After going through one of the twelve sections of the CISSP exam, I am convinced that CISSP is harder than I thought. However, I think it will be a road well worth it.

I thought it would be easy. After all, I have been going to security conferences and interacting with network security protocols and cryptography for the past three years. While I am pretty young in the security community, I figured if I could whip out an implementation of AES in a few minutes, I would be okay for this certification.

Then the book came in the mail, in a large box. The study guide for the test is approximately 1200 pages. At this moment I was struck with humility. While I may know a bit, I also have a lot to learn.

In the coming weeks, I will try to reflect on what I learn. Sometimes, I will not be able to reflect in full, as I work under NDA for my employer and our customers.
