
SECURITY AND ID THEFT RISK TO MILITARY VOTING-SCHEME UNCOVERED

 
kpete Donating Member (1000+ posts) Wed Oct-25-06 05:48 PM
Original message
SECURITY AND ID THEFT RISK TO MILITARY VOTING-SCHEME UNCOVERED
Internet Voting Revisited:
Security and Identity Theft Risks of the DoD’s
Interim Voting Assistance System


David Jefferson, Avi Rubin, Barbara Simons, and David Wagner
info@servesecurityreport.org
October 25, 2006


We recently learned that FVAP has created a new online system, the Interim Voting Assistance
System (IVAS). IVAS has a similar mission, namely to aid military personnel and overseas
civilians to register and vote in the coming November 7 general election. In this short paper we
present our serious concerns about the security issues posed by this new system.
None of these security concerns is original; all were raised in a DoD internal review, discussed
below.


Risks.
In summary, we see three main risks:

1. Tool One exposes soldiers to risks of identity theft. Sending personally identifiable
information via unencrypted email is considered poor practice. No bank would ask
their customers to send SSNs over unencrypted email, yet Tool One does exactly
that. This problem is exacerbated by potential phishing attacks.

2. Returning voted ballots by email or fax creates an opportunity for hackers, foreign
governments, or other parties to tamper with those ballots while they are in transit.
FVAP's system does not include any meaningful protection against the risk of ballot
modification.

3. Ballots returned by email or fax may be handled by the DoD in some cases. Those
overseas voters using the system sign a waiver of their right to a secret ballot.
However, it is one thing for a voter's ballot to be sent directly to their local election
official; it is another for a soldier's ballot to be sent to and handled by the DoD – who
is, after all, the soldier's employer.


http://servesecurityreport.org/ivas.pdf
texpatriot2004 Donating Member (1000+ posts) Wed Oct-25-06 06:50 PM
Response to Original message
1. K & R for Transparent Democracy nm
 
Wilms Donating Member (1000+ posts) Wed Oct-25-06 10:48 PM
Response to Original message
2. K&R n/t
 
EFerrari Donating Member (1000+ posts) Wed Oct-25-06 10:51 PM
Response to Original message
3. K&R
 
cyberpj Donating Member (1000+ posts) Thu Oct-26-06 07:21 PM
Response to Original message
4. DON'T FORGET THIS YEAR'S THEFT OF LAPTOP/MILITARY DATABASE -
Edited on Thu Oct-26-06 07:22 PM by cyberpj
I have a strong feeling many many many of these names w/be voting Republican:

VA data files on millions of veterans stolen
By Mary Mosquera, GCN Staff

(Updated) The Veterans Affairs Department today revealed that personal, identifying data for as many as 26 million American veterans was stolen from a VA employee's home in May.

The information is a list of all veterans who served in the military and were discharged since 1975.

http://www.gcn.com/online/vol1_no1/40840-1.html


Other data security breaches
August 2005 The Air Force notifies more than 33,000 airmen that much of their personal information was stolen from the online Assignment Management System. Air Force Personnel Center officials at Randolph Air Force Base, Texas, alerted service and federal investigators to unusually high activity on a single user’s AMS account in June. While the investigation is continuing, AFPC spokeswoman Lt. Col. Michele DeWerth said a malicious user illegally acquired a legitimate user ID and password and used them to gain access to officers’ information.

June 2005 In early 2004, someone accessed current and former Federal Deposit Insurance Corporation employee personal data without authorization. That data included names, dates of birth, salaries, Social Security numbers and length of service. In the subsequent investigation, the FBI found that data of all FDIC employees and former employees has been stolen.

February 2005 The Bank of America Corp. lost data tapes containing personal information on 1.2 million federal charge card holders. The bank acknowledged that it could not locate magnetic tapes used for federal credit card accounts.—Jason Miller

Veterans Affairs warns of massive privacy breach
Robert Lemos, SecurityFocus 2006-05-22

The U.S. government warned on Monday that a database containing sensitive information about veterans and their families had been stolen, after an employee violated policy and brought the data home.

“To me, it defies credulity that one individual would have all this information and, by however he did it, wound up losing it to a burglar”
Bernard Edelman, deputy director of government affairs, Vietnam Veterans of America

The database contained the names, social security numbers and dates of birth of as many as 26.5 million veterans and their families, according to the U.S. Department of Veterans Affairs, which replaced most of its home page on Monday with a warning about the leak. The agency discovered the violation of policy after the employee's home was burglarized and has put the worker on administrative leave pending an investigation.

http://www.securityfocus.com/news/11393

 