Category Archives: Security

Guerrilla Greywater: Living Off the Grid

Tips from KALW news on some do-it-yourself waste management.

The process is pretty simple: the poo bucket is under the house. It gets emptied once a week into a larger rain barrel. Once it’s full, Laura covers it and lets nature take over. And in one year, voila! You have humanure.

And you might be wondering – what about the smell? Well, the sawdust, coupled with an air vent, creates an anaerobic process: it doesn’t smell. Laura’s bathroom actually smells clean, with a hint of cedar wood, thanks to the sawdust. And the urine? Laura collects that too, in a separate container which she uses as a fertilizer for her garden. Human urine is rich with nitrogen, which plants need to grow. She almost gets more excited about urine diversion than composting.

[…]

In Laura’s bathroom, there’s a large photo of a few ears of corn. Some were fertilized with urine harvested from her toilet; some were not.

ALLEN: You can see in the picture that the zero-urine corn is tiny – like two inches tall. And the cobs that received the most urine are big, yellow, and, like, eight to 10 inches long. So it’s very visual, how well it works.

Note: the group no longer calls itself a Guerrilla group to avoid association with other meanings of the word. I guess they decided it would be too hard to reclaim the word and strengthen the non-violent associations.

In 1999 we named ourselves the “Guerrilla Greywater Girls” as a tongue-in-cheek response to a draconian California plumbing code that discouraged the simple, low-tech greywater systems we promote. A few years later we changed our name to the “Greywater Guerrillas”, to reflect the multi-gendered composition of our collaborators. As we worked more closely with government agencies and regulators, and began collaborating with A Single Drop in countries where “guerrillas” has violent implications, we searched for a name that would represent our goals and strategies to a diverse and international audience. In 2009, we chose a new name— Greywater Action- For a Sustainable Water Culture—for our appropriate technology education projects. We’re also developing an umbrella group that connects the art, appropriate technologies, theater and cultural transformation around water.

Pwning the 2004 Presidential Vote in Ohio

A detailed review of serious security weaknesses in the 2004 Ohio presidential election system has been posted in the Free Press by co-counsel on the case.

The system appears to have been under-built and then, as the final tally was run, it switched processing over to an unmonitored and insecure location in a different state operated by a company with a close association to the winning candidate.

The King Lincoln Bronzeville v. Blackwell briefs are cited:

The filing also includes the revealing deposition of the late Michael Connell. Connell served as the IT guru for the Bush family and Karl Rove. Connell ran the private IT firm GovTech that created the controversial system that transferred Ohio’s vote count late on election night 2004 to a partisan Republican server site in Chattanooga, Tennessee owned by SmarTech. That is when the vote shift happened, not predicted by the exit polls, that led to Bush’s unexpected victory.

SmarTech, the location of the servers in Tennessee, is perhaps most infamous for hosting Republican Internet domains — not the sort of environment one would expect to be used for a voting system. It was also later the site used by the Bush White House staff “to evade freedom of information laws by sending emails outside of official White House channels”.

The location and partisanship aside, I find it extremely hard to believe there is not a single firewall, let alone a DMZ architecture, in the network diagrams. It must be a mistake. Were the vote databases really set up on a flat network?

[Image: Ohio Election IT]

These details of the network have been revealed only after a fight with Connell, who argued that they should be kept secret while also being public — yes, it’s a contradiction.

Connell is refusing to testify or to produce documents relating to the system used in the 2004 and 2006 elections, lawyers say. His motion to quash the subpoena asserts that the request for documents is burdensome because the information sought should be “readily ascertainable through public records request”; but also, paradoxically, because “it seeks confidential, trade secrets, and/or proprietary information” that “have independent economic value” and “are not known to the public, or even to non-designated personnel within or working for Mr. Connell’s business.”

It’s not the first time I have heard this odd and duplicitous argument from a network engineer. A District Attorney (DA) recently said he sent a man to jail for a similar argument in a fight with management. The engineer argued that the government network he was working on was copyrighted (public record) but secret.

The parallels continue. This other man, now in jail, had built a Man in the Middle (MitM) architecture. Connell is accused of creating the exact same security flaw. The Free Press cites “IT security expert Stephen Spoonamore”, who gave a sworn affidavit to the court, that the Ohio presidential election network was intentionally designed to allow a MitM attack.

Until now, the architectural maps and contracts from the Ohio 2004 election were never made public, which may indicate that the entire system was designed for fraud. In a previous sworn affidavit to the court, Spoonamore declared: “The SmarTech system was set up precisely as a King Pin computer used in criminal acts against banking or credit card processes and had the needed level of access to both county tabulators and Secretary of State computers to allow whoever was running SmarTech computers to decide the output of the county tabulators under its control.”

Spoonamore also swore that “…the architecture further confirms how this election was stolen. The computer system and SmarTech had the correct placement, connectivity, and computer experts necessary to change the election in any manner desired by the controllers of the SmarTech computers.”

Given the DA’s explanation of the other case, it is possible the outcome of this one might go the same way. It’s a great example of the reality of insider and domestic threats. While much of the news talks about foreign threats to US government infrastructure, it is always worth considering that weaknesses in networks may be intentionally created by insiders who seek an unfair advantage.
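The control that makes a relay in the path of the tally detectable is end-to-end authentication of each result by the county that produced it, so a server holding no key cannot alter counts without the receiving side noticing. The following is an added Python example, not code from the case or any election system; the county names, keys, counts and the sequence-number rule are all constructed for illustration.

```python
import hashlib, hmac, json

# Constructed example: county tabulators send tallies to the Secretary of
# State (SoS) through a relay they do not trust. Each county shares a key
# with the SoS only; the relay holds no key. Names, keys and counts are
# made up for illustration.
COUNTY_KEYS = {
    "county-A": b"example-key-county-A",
    "county-B": b"example-key-county-B",
}

def canonical(record):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_tally(county, seq, counts):
    """Tabulator side: attach an HMAC-SHA256 tag over the whole record."""
    record = {"county": county, "seq": seq, "counts": counts}
    tag = hmac.new(COUNTY_KEYS[county], canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_tally(message, last_seq):
    """SoS side: (ok, reason). Rejects unknown keys, altered bytes and replays."""
    record = message["record"]
    key = COUNTY_KEYS.get(record["county"])
    if key is None:
        return False, "unknown county"
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return False, "tag mismatch: record altered in transit"
    if record["seq"] <= last_seq.get(record["county"], 0):
        return False, "stale or replayed sequence number"
    last_seq[record["county"]] = record["seq"]
    return True, "accepted"

def relay_alters(message, candidate, delta):
    """Models an in-path relay editing one count; used only to show detection."""
    altered = json.loads(json.dumps(message))  # deep copy, tag left untouched
    altered["record"]["counts"][candidate] += delta
    return altered

def demo():
    """Genuine record accepted, relay-edited record rejected, replay rejected."""
    seen = {}
    genuine = sign_tally("county-A", 1, {"X": 1200, "Y": 1100})
    ok_genuine, _ = verify_tally(genuine, seen)
    edited = relay_alters(sign_tally("county-A", 2, {"X": 900, "Y": 950}), "Y", -300)
    ok_edited, why = verify_tally(edited, seen)
    ok_replay, _ = verify_tally(genuine, seen)
    return ok_genuine, ok_edited, why, ok_replay
```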

Court Complaint Aims at LulzSec Insider

The story should begin with the concluding paragraph of a criminal complaint filed against Lance Moore in the United States District Court, New Jersey:

…on or about June 25, 2011, the computer hacking group LulzSec publicized that they had obtained the AT&T Confidential Information and re-circulated it on the Internet

The start of the complaint takes the reader through the leak step-by-step.

  1. Convergys, a “relationship management services” company with more than 70,000 employees, hired Moore in August 2010 to be a contractor at an AT&T Mobility customer care call center.
  2. Moore’s responsibility was “answering calls from AT&T Mobility customers, and troubleshooting their problems”.
  3. Moore was granted access to Convergys and AT&T, including VPN.
  4. AT&T was alerted on April 16, 2011 to information anonymously posted to Fileape.com that “had been stored on AT&T’s secured servers, which are protected computers as defined in Title 18, United States Code, Section 1030(e)(2).” The value of the leaked information to AT&T “exceeded $5,000”.
  5. AT&T reviewed their network egress data and found a system IP that accessed Fileape.com on April 10. The system was associated with 19 Convergys contractors.
  6. AT&T compared the list of 19 Convergys contractor names to the authentication records on the AT&T Mobility Server that stored the confidential data. Moore used his account to access the data “shortly before that same information was uploaded to Fileape.com.”
  7. AT&T reviewed their network egress data again for Moore’s username. Just before the data was uploaded to Fileape.com, his user account searched Google for “uploading files, file hosting, and uploading zip files”. His username also accessed Fileape.com and pastebin.com on “multiple occasions following the April 10, 2011”.
  8. AT&T then reviewed the contractor time records from Convergys and found Moore was “present and working” at the times highlighted in the investigation.
  9. AT&T questioned Moore. He denied leaking the information and confirmed he was aware of security policy — he had not shared access.
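Steps 5 and 6 are a log correlation that can be written as a query, shown here as an added Python example (not AT&T’s or Convergys’s tooling; the logs, hosts and usernames are constructed, and the 30-minute window for “shortly before” is an assumption): every egress hit to a file-hosting site is tied back to the contractors behind that shared source IP, and only those who authenticated to a confidential resource within the window before the upload are kept.

```python
from datetime import datetime, timedelta

# Constructed sample data, not AT&T's or Convergys's real logs. The egress log is
# "timestamp source-ip destination-host"; the roster maps a shared call-centre
# IP to the contractors behind it; the auth log is "timestamp user resource".
EGRESS_LOG = """\
2011-04-10T13:02:11 10.20.30.40 www.google.example
2011-04-10T13:05:47 10.20.30.40 fileape.example
2011-04-10T13:20:09 10.20.30.41 intranet.example
"""
ROSTER = {"10.20.30.40": ["alice", "bob", "dave"], "10.20.30.41": ["erin"]}
AUTH_LOG = """\
2011-04-09T09:00:00 carol mobility-server:/confidential/lte
2011-04-10T12:20:00 alice mobility-server:/confidential/lte
2011-04-10T12:58:30 bob mobility-server:/confidential/lte
2011-04-10T13:04:10 dave mobility-server:/public/faq
"""
WATCHLIST = {"fileape.example", "pastebin.example"}  # file-hosting / paste sites

def parse(text):
    """Turn 'ISO-timestamp field field' lines into (datetime, field, field)."""
    rows = []
    for line in text.strip().splitlines():
        ts, first, second = line.split()[:3]
        rows.append((datetime.fromisoformat(ts), first, second))
    return rows

def correlate(egress, roster, auth, watchlist, window=timedelta(minutes=30)):
    """Steps 5 and 6 as a query: for each egress hit on a watch-listed host, take
    the contractors behind that source IP and keep those who touched a
    confidential resource within `window` before the upload. The 30-minute
    window is an assumed reading of 'shortly before' in the complaint."""
    uploads = [(ts, ip) for ts, ip, host in parse(egress) if host in watchlist]
    auth_rows = parse(auth)
    findings = []
    for up_ts, ip in uploads:
        behind_ip = set(roster.get(ip, []))
        for ts, user, resource in auth_rows:
            if user not in behind_ip or "/confidential/" not in resource:
                continue
            if up_ts - window <= ts <= up_ts:
                findings.append({"user": user, "ip": ip, "access": ts, "upload": up_ts})
    return findings

def suspects(findings):
    """Distinct usernames worth a follow-up review of their own proxy history."""
    return sorted({f["user"] for f in findings})
```

Step 7 is the same idea keyed on the username instead of the IP, run over the proxy log for the days after the upload.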

It seems fairly straightforward, but paragraph 17 of the complaint is really the key to the case.

Based on interviews of witnesses in this case, MOORE was authorized to access various portions of the AT&T’s network during the course of his employment, but his access of the AT&T Confidential Information, and subsequent release of the same, exceeded his authorization.

To put it simply, he was not authorized to access the information, but the systems authorized him to access the information.

It’s like he walked through an unlocked door, which of course does not excuse or exonerate Moore, but it brings to light the vulnerability of AT&T data to a call-center contractor.

“This information…included thousands of spreadsheets, Microsoft Word documents, Microsoft PowerPoint presentations, image files, PDF files, applications, and other files…related to its 4G network and LTE (“Long Term Evolution”) mobile broadband network, among other topics.”

It’s a story that boils down to role-based access control failures, but it’s also a simple log review story about an ISP tracking the activity of an internal non-technical user.

With all the log review data in mind it’s unclear why the complaint ends with a vague nod to LulzSec. Although AT&T might take the position that damages are higher when a famous personality circulates stolen information, they could also be trying to deflate the fame of LulzSec by calling out their association to Moore’s simplistic breach — a combination of “criminals are dumb” and “don’t blame the victim” arguments.

It makes sense for them to openly take this position for such a simplistic breach vector because it does not involve regulated information (e.g. PII or EHR). What does AT&T have to lose from challenging the authority of LulzSec to question their or anyone else’s security practices? In other words, had the data been regulated, AT&T might face fines or other sanctions from standards set by a regulator. Instead, they appear to take aim at the philosophy of unauthorized and anonymous access now associated with LulzSec.

CVE-2011-2696 libsndfile overflow

The changelog and notes on the libsndfile overflow reveal that the fix was rushed and that the severity is still in dispute.

> > could provide a specially-crafted PAF audio file, which once opened by
> > a local, unsuspecting user in an application, linked against libsndfile,
> > could lead to that particular application crash (denial of service),
I agree with everything up to here.

> > or, potentially arbitrary code execution with the privileges of the
> > user running the application.
but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on any sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulnerability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.