Realchange.us

As opposed to fake change, it begins at the root level

   Feb 25

Lehigh County elections could well be pwned, let me count the ways.

On Wednesday, November 30th, I accompanied a group of registered voters to perform a recount of precinct votes at the Lehigh County Board of Elections, and was quite surprised by what I found in the back room: a Dell server, vintage 2006, running Windows 2000 Server, Service Pack 0. A company called ElectionIQ manages the database on this server. As of 12-12-2016 8:39 pm, http://electioniq.net/about-us/ has Lorem Ipsum placeholder text at the bottom of the page. What a nice touch. I was informed this machine has never been updated and is not connected to the internet. Imagine that. Later on it was revealed that this machine does connect, using a Microsoft SSH key, to the Department of State in Harrisburg. Having become familiar with our state IT infrastructure does not give me a lot of confidence.

In February 2004, Microsoft confirmed that portions of the Windows 2000 source code had been stolen and released by parties who remain unknown. That source code can be found on TPB and other such sites, so anyone hunting for bugs in this operating system has more than the binaries to work from. Windows 2000 SP0 also lets any process running as an administrator open raw sockets (SOCK_RAW), that is, hand-build every field of the IP header, source address included, and put the packet straight on the wire; basic information on raw sockets can be found at https://en.wikipedia.org/wiki/Raw_socket. Windows XP Service Pack 2 later restricted what could be sent over raw sockets, but Windows 2000 never received those restrictions. Packet-crafting tools built on raw sockets make for an interesting pentesting experience. Windows 2000 reached its end of life in July 2010, and with no patches since, the vulnerabilities still continue to pile up.
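To make the raw-socket point concrete, here is an added example (my code, not anything from the post or from the county's systems): a short Python script that hand-builds an IPv4 packet carrying an ICMP echo request with a source address of the sender's choosing, fills in both checksums, and then decodes and verifies the packet the way a receiver would. The send_raw() function shows the SOCK_RAW / IP_HDRINCL calls a privileged process would use and is never invoked; the addresses are made up (documentation range).

```python
"""Hand-build an IPv4 packet carrying an ICMP echo request, with a source
address of our choosing, and verify it the way a receiver would.
Added example, not code from the original post.  send_raw() shows the raw
socket calls a privileged process would use and is never called here; all
addresses are made up."""
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
ICMP_HDR = "!BBHHH"          # type, code, csum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with its checksum filled in."""
    head = struct.pack(ICMP_HDR, 8, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack(ICMP_HDR, 8, 0, csum, ident, seq) + payload


def ipv4_packet(src: str, dst: str, payload: bytes,
                proto: int = socket.IPPROTO_ICMP, ttl: int = 64,
                ident: int = 0x1234) -> bytes:
    """IPv4 header (no options) + payload.  Nothing stops src being a lie:
    with IP_HDRINCL the kernel sends whatever header it is handed."""
    total_len = 20 + len(payload)
    fields = [0x45, 0, total_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_HDR, *fields))   # header checksum
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header and verify both checksums, as a receiver would.
    A valid ones'-complement checksum sums to zero when re-checked over the
    same bytes, checksum field included."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {
        "version": f[0] >> 4,
        "src": socket.inet_ntoa(f[8]),
        "dst": socket.inet_ntoa(f[9]),
        "proto": f[6],
        "total_length": f[2],
        "header_ok": inet_checksum(pkt[:ihl]) == 0,
        "payload_ok": inet_checksum(pkt[ihl:f[2]]) == 0,
    }


def send_raw(pkt: bytes, dst: str) -> None:
    """The raw-socket send path.  Needs administrator/root; NOT called here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # we supply the IP header
    s.sendto(pkt, (dst, 0))
    s.close()


if __name__ == "__main__":
    # Constructed addresses from the documentation range; nothing is sent.
    pkt = ipv4_packet("192.0.2.10", "192.0.2.20", icmp_echo(0x4242, 1, b"hello"))
    print(pkt.hex())
    print(parse_ipv4(pkt))
```

The receiver cannot tell from the bytes that the source address was chosen by the sender rather than assigned by the network; that is the whole problem with an unrestricted raw-socket interface on a box that sits on a network segment with other election equipment.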

[image: lower-right-corner-screenshot]

Looking carefully at the lower right-hand corner of this first picture, it appears there are 3 network connection icons, one of which is disconnected. Also, for a computer not connected to the internet, why is there a program called “AVServer” running? This computer is ripe for intrusion. It’s a good thing I wear a white hat.

[image: screenshot-2]

Looking at the above picture, you can see other programs installed on the desktop such as “Nero”, “Adobe Audition”, and “Adobe Acrobat”. Each program or service running on a server is attack surface: a bug in any one of them, or a privilege it carries, can be the way in, whether or not it has anything to do with the server's job. It is common consensus among IT professionals that a server should run only the programs that are ESSENTIAL to its function, with everything else removed, or at the very least prevented from running.

[image: dongle]

This picture shows, in the lower left-hand corner, an Ethernet dongle connected to the Diebold machine.

[image: network-dongle]

Here is a better view of the network dongle.

[image: 3com-and-digi-portserver-2]

This last picture shows the two boxes found on top of the Dell server. The top, white box appears to be a 3Com Ethernet switch or hub. The black box below it appears to be a “Digi PortServer 2b”. When I asked about these boxes, I was told the top one was just for machines and the bottom was for absentees. Full disclosure here: in my examination last Wednesday, the only thing I touched was my smartphone.

These videos were taken at the recount at Lehigh County, PA on Wednesday.

The server explanation: https://youtu.be/xbkWg5LbsyM

The server explanation, part 2: https://youtu.be/zh2Ch24A-is

Get up screenshot: https://youtu.be/lwMEjSsJHRI

Robert's contribution: https://youtu.be/sjiXDz8Ix4w

Around the 36 minute mark, it is revealed that USB flash drives are used to transfer databases. Now, imagine for a moment you are walking past the water cooler. You look down and, “Oh joy”, a USB stick is lying on the ground. What is the first thought that comes to mind? Porn? You want to plug it into a computer? It’s perfectly natural to do that. But think about this. A USB drive can carry a file in its root directory called “autorun.inf”, and Windows 2000 and XP, by default, acted on it: on a CD-ROM the program named in its open= line ran on insertion, and on a USB stick the file still decided what double-clicking the drive icon in My Computer ran and what the AutoPlay dialog offered, which is how the USB worms of the 2000s dressed “run my program” up as “Open folder to view files”. Microsoft only turned AutoRun off for non-optical media by default in 2011 (KB971029, pushed over Windows Update), and only for XP and later; Windows 2000 was already out of support and never received that change. USB drives are a classic point of intrusion. First, establish a position on a host with a dropper. Then call out to the internet for further stages. Most computer virus infections out there are “blended” threats composed of droppers, payloads, and finally rootkits. Once a rootkit is installed, total pwnage has occurred, and the only reliable way to regain control of the infected PC is to wipe it and reinstall from known-good media. Note that an air gap is no defense against this: if data moves on and off the machine by USB stick, the same stick can carry a payload in and a copy of the database out.
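To show what that file actually controls, here is an added example (my code, not from the post or from any vendor): a small Python analyser that reads an autorun.inf the tolerant way AutoRun does, reports what the file would make Windows run on insertion, on double-click, and through the AutoPlay lure, and checks the NoDriveTypeAutoRun policy bits for a given drive type using the Windows 2000 default (0x95) and a hardened value (0xFF). The sample autorun.inf and the program names in it are constructed for illustration, and the double-click rule is a simplified model of Explorer's behaviour.

```python
"""Analyse an autorun.inf the way Windows 2000/XP era AutoRun read it, and
check whether AutoRun would fire for a given drive type.

Added example; not code from the original post.  The sample autorun.inf
below is constructed for illustration, not taken from any real drive."""

# Drive types as returned by the Win32 GetDriveType() API.  Each one maps to
# a bit in the NoDriveTypeAutoRun registry value: a set bit disables AutoRun
# for that drive type.
(DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED,
 DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK) = range(7)

# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
# \NoDriveTypeAutoRun.  0x95 is the Windows 2000 default: it leaves AutoRun
# on for CD-ROMs and for "fixed" disks, and a USB stick that enumerates as a
# fixed disk is treated as one.  0xFF disables it for every drive type.
WIN2000_DEFAULT = 0x95
HARDENED = 0xFF


def autorun_enabled_for(drive_type: int, no_drive_type_autorun: int) -> bool:
    """True if AutoRun is enabled for this drive type under the given policy."""
    return not (no_drive_type_autorun >> drive_type) & 1


def parse_autorun(text: str) -> dict:
    """Tolerant INI parser: AutoRun ignores lines it cannot read, so we do too."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def analyse(text: str) -> dict:
    """Report what the file would make Windows run, and how."""
    auto = parse_autorun(text).get("autorun", {})
    findings = {}
    # open= / shellexecute= run when AutoRun fires for the drive (if enabled
    # for its type); shellexecute= goes through ShellExecute, so a document
    # with a hijacked file association works as well as an .exe.
    if "open" in auto:
        findings["on_insert"] = auto["open"]
    if "shellexecute" in auto:
        findings["on_insert_shellexecute"] = auto["shellexecute"]
    # Explorer's default verb for the drive icon: shell=<verb> selects
    # shell\<verb>\command; otherwise the open= program is the default action,
    # so double-clicking the drive in My Computer runs it even when AutoRun on
    # insertion did not fire (simplified model of the Explorer behaviour).
    verb = auto.get("shell", "open").strip().lower()
    cmd = auto.get(f"shell\\{verb}\\command") or auto.get("open")
    if cmd:
        findings["on_double_click"] = cmd
    # action= / icon= only change what the AutoPlay dialog shows; malware used
    # them to make "run my program" look like "Open folder to view files".
    if "action" in auto:
        findings["autoplay_lure"] = auto["action"]
    return findings


def hardening_reg() -> str:
    """A .reg fragment that disables AutoRun for every drive type."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]"
        "\r\n"
        f'"NoDriveTypeAutoRun"=dword:{HARDENED:08x}\r\n'
    )


# Constructed sample in the style of the USB worms of the 2000s (not a real file;
# "setup.exe" is a placeholder name).
SAMPLE = """\
[autorun]
; comment line, skipped
this line has no equals sign and is skipped too
open=setup.exe /s
shellexecute=setup.exe /s
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=setup.exe /s
shell=open
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:24} {value}")
    for name, policy in (("Win2000 default", WIN2000_DEFAULT), ("hardened", HARDENED)):
        for dtype, label in ((DRIVE_REMOVABLE, "removable"), (DRIVE_FIXED, "fixed"),
                             (DRIVE_CDROM, "cdrom")):
            print(f"{name}: AutoRun on {label} drive -> {autorun_enabled_for(dtype, policy)}")
    print(hardening_reg())
```

The policy check is the part worth keeping: the default value that ships with the OS is not "off", and the only value that closes every path is 0xFF. On a machine that is still being fed databases by USB stick, that registry value, and a ban on plugging in anything found on the floor, are the minimum.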

But wait, there’s more.

Not all USB flash drives are created equal. Featured on Hackaday in March 2015, http://hackaday.com/2015/03/11/killer-usb-drive-is-designed-to-fry-laptops/, this “killer” USB drive stores nothing at all: a converter inside it charges up from the port's 5 V supply and dumps a high voltage back into the data lines, destroying the host's USB controller and often the rest of the board with it. So please think about that the next time you find a USB flash drive.

The meeting with the Lehigh County Board of Elections occurred on November 30th. Ali Frick presented to the board the importance of a forensic audit. Despite the server running Windows 2000 Server, Service Pack 0, and their use of Microsoft SSH keys, they denied the audit. The video of the Lehigh County Board of Elections meeting is below.

https://youtu.be/CFgzid-MkHY

On Monday, December 12, 2016, Judge Paul S. Diamond issued a 31-page order detailing his denial of Jill Stein’s petition. The link is here: https://www.scribd.com/document/333985717/Pennsylvania-Order#from_embed. But there is so much wrong with that decision that it will take another post to count the ways.

And now the pièce de résistance: this little gem from the PA Department of State. Following this link, http://www.dos.pa.gov/VotingElections/Documents/Voting%20Systems/Conditions/AccuVote%20TSX%20w%20Assure.pdf, will lead the reader to download and/or open a PDF that sets out the most recent conditions the PA Department of State (PaDOS) imposes for Pennsylvania’s certification of the AccuVote TSX machines and the GEMS central tabulator software, which Lehigh County uses.

One more thing. A server admin has to defend his domains 24/7. Pwnage and downtime are not options. The advanced persistent threat, or APT, only has to score once. Therefore, time and tide always favor the attacker. Defending against such attackers requires eternal vigilance. In closing, I will quote Montgomery Scott: “The more you overthink the plumbing, the easier it is to clog it up.”

More to come soon. I will be updating this at least several times in the near future.
