marco
projects
Menu:
Last update
Page last updated Fri Jan 4 10:21:52 PST 2008
E-Voting Security
California Top-To-Bottom Review
I was a member of the UCSB Security Group that completed an analysis of the Sequoia electronic voting system as part of a Top-to-Bottom Review of the electronic voting systems used in California. The study was commissioned by California Secretary of State Debra Bowen. As a result of the review, the Secretary of State decertified the current systems and recertified them on condition of use of stricter procedures and security measures.
We acted as a "Red Team" and performed a series of security tests of both the hardware and the software that are part of the Sequoia system to identify possible security problems that could lead to a compromise.
We were able to expose a number of serious security issues. We were able to bypass both the physical and the software security protections of the Sequoia system, and we demonstrated how these vulnerabilities could be exploited by a determined attacker to modify (or invalidate) the results of an election.
Ohio EVEREST Project
I was a member of the WebWise Security team that completed an analysis of the ES&S electronic voting system as part of the EVEREST project. The study was commissioned by Ohio Secretary of State Jennifer Brunner, who issued a series of recommendations and options to address the study's findings.
Our testing consisted of a "red teaming" assessment of the security of the hardware and software that are part of the ES&S system. We were able to identify a number of serious vulnerabilities, and showed how they could be exploited to compromise the integrity of an election by developing a number of attacks. We also demonstrated how a virus could be created to infect and control electronic voting machines.
International Capture the Flag
I'm one of the people involved in the organization of the UCSB International Capture The Flag competition (iCTF).
The iCTF is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants from both the attack and defense viewpoints.
During the iCTF, a number of teams compete independently against each other. We provide each team with an indentical copy of a virtualized network installation (for example, a Linux host). The host includes a number of programs and network services, which we developed and in which we intentionally introduced a number of vulnerabilities. The task of each team, then, is to find the vulnerabilities, fix them without disrupting the normal operations of the programs, and leverage their knowledge about the vulnerabilities to compromise the servers run by other teams.