Wednesday, August 12, 2009

Diebold Quietly Patches Security Flaw in Vote Counting Software

Via Wired (Threat Level) -

Premier Election Solutions, formerly Diebold, has patched a serious security weakness in its election tabulation software used in the majority of states, according to a lab that tested the new version and a federal commission that certified it.

The flaw in the tabulation software was discovered by earlier this year, and involved the program’s auditing logs. The logs failed to record significant events occurring on a computer running the software, including the act of someone deleting votes during or after an election. The logs also failed to record who performed an action on the system, and listed some events with the wrong date and timestamps.

A new version of the software does record such events, and includes other security safeguards that would prevent the system from operating if the event log were somehow shut down, according to iBeta Quality Assurance, the Colorado testing lab that examined the software for the federal government.

It’s not known if Premier will offer the more secure version to election officials who purchased previous software. The company did not respond to a call for comment Tuesday.

Called the Global Election Management System, or GEMS, the software is used to tabulate votes cast on Premier/Diebold touchscreen and optical-scan machines, among other functions, and is used in more than 1,400 election districts in nearly three dozen states. Maryland and Georgia, which use Premier systems exclusively, count every vote statewide with the software. GEMS runs on the Windows 2003 and Windows XP operating systems.

Official federal voting system standards require audit logs to record all normal and abnormal events that occur on the system.

Premier publicly acknowledged the flaw two months after’s report, in a public hearing last March. When asked by a member of the California secretary of state’s staff if Premier had done anything to address the problem, Justin Bales, general service manager for Premier’s western region, said, “No, not yet.”

Bales went on to say that the GEMS logs had been the same since the software was first created more than a decade ago.

“We never, again, intended for any malicious intent and not to log certain activities,” Bales said. “It was just not in the initial program, but now we’re taking a serious look at that.”
