How you could hack the Dutch elections
… for the last 26 years, and counting (!)
Sijmen Ruwhof
Freelance IT Security Consultant / Ethical Hacker
SHA2017
• Started hacking in 1997: 19 years ago
• Professional since 2005: 12 years ago
• 650+ security tests performed
Breaking into governmental organizations, banks and high-profile
companies to help defend against hackers.
Who is Sijmen Ruwhof?
Some companies I work for
• Dutch voting process
• Weaknesses
• Improvements
• International context
Agenda
Voting process history
“We’ve heard about computers! They can automate
things and save us time!
Let’s try it!”
1991-2009
“We hired TNO. They are like IBM, so it’s all fine. Don’t
worry, they’re famous.”
1991-2009
• Amsterdam was one of the last cities to adopt voting machines.
• Rop Gonggrijp lived in Amsterdam.
1991-2009
• 1989: Author of hacking magazine
• 1993: Co-founder internet provider XS4ALL
• 1998: Sold XS4ALL to KPN
• 1998: Founded hacker company ITSX
• 2006: Sold ITSX to Madison Gurkha
• 2006: Founded ‘We don’t trust voting machines’
Meet Rop Gonggrijp
• 2006: Rop on a TV broadcast:
“Voting machines can be easily manipulated and voting secrecy can
be easily circumvented.”
• 2006: Secret service: “Well, now you ask us, yes, he has a point.”
“Don’t trust voting machines”
• 2006: Cities: “It’s just an opinion. We don’t know Rop. Computers
are valuable to us.”
• 2006: Minister: “The supplier promises it can fix the issues. We can
trust them.”
“Don’t trust voting machines”
• 2006: Rop sues the government.
• 2007: Judge: “Rop is right. These voting machines can’t be
trusted.”
• 2008: Government: “We have to obey a judge, so we must go back
to pen & paper.”
“Don’t trust voting machines”
2009-now
Fast forward to 2017 >>>
“We heard old cryptography seems to be used, what’s
the impact Sijmen?”
RTL News
“Wait! What? Software is used?
No way.. we use paper!
They learned their lesson, right?
… right?!!”
My initial reaction
RTL News explains:
• Voting with pencil & paper.
• Manual paper counting.
• But then (…)
2009-now
• Each city enters its vote totals into a computer program.
• The city delivers a USB stick to the voting district:
2009-now
1. Local voting office: paper
2. City central voting office: digital
3. 20 voting districts: digital
4. Central election council: digital
2009-now
“This can’t be true.”
My reaction
Weaknesses
Started by watching YouTube
Instructor leaks technical info
• One main web server.
• Multiple clients enter data via the local network.
Risks:
• Multiple network-connected computers are involved.
• No HTTPS: entered totals travel in plaintext over the LAN.
Client-server architecture
• No security policy.
• No security checks.
• Bring your own computer and USB stick.
Any computer will do
But: “WiFi should be turned off.”
Internet-connected computers
• A PDF with a hash code is printed.
• XML files with vote totals are saved on a USB stick.
• One person carries the results to the election district.
SHA-1 & XML
• AutoRun
• BadUSB
• RubberDucky
USB attack
SHA1 hash in footer of PDF
Compare SHA1 hash
• The instructor doesn’t mention this important security check at all.
• Entering the hash code is not enforced.
• The old, deprecated SHA-1 hash algorithm is used (a practical collision was published in February 2017).
Bad crypto implementation
• Only the first four characters of the hash have to be filled in.
• Four hex characters are 16 bits, so the check can only distinguish 2^16 (65,536) values: an attacker who can alter the XML needs roughly 65,536 attempts to find a modified file whose hash starts with the same four characters. This delivers almost zero cryptographic strength.
• Password autocompletion is enabled.
• Short and weak passwords are allowed.
• Instructor has username ‘osv’ and probably password ‘osv’.
No password policy
Software uses admin privileges
No automatic hash check in place
Just mail the results
• Design phase: no IT security expert was consulted.
• Test phase: no ethical hacker has reviewed OSV.
• It’s only partly open source.
• Logs aren’t collected on a central server.
• No intrusion detection system is active.
• Validating the integrity of the OSV software itself is hard, and optional.
• …
List continues
• Some of these problems were already found by student Maarten Engberts in
2011, but were ignored (!).
• Maarten went full disclosure.
Problems ignored for years
• I initially spent only three hours watching YouTube videos and
reading PDF documentation.
• Conclusion: “This is absolutely terrible.”
• RTL is shocked and asks Rop, a professor and another hacker to
validate my research: they all agree.
Recap
It’s Groundhog Day again!
• Ignoring: journalists couldn’t get in contact.
• Denying: to journalists: “Trust us, it’s safe.”
• Threatening: to journalists:
“We’ll see for whom this is going to be a problem.”
Response from the Election Council
• Two days after publication: the minister bans the software.
• Cities respond angrily: “This can be fixed.”
Response to publication
• Minister: “Wow, you guys can yell. Please keep quiet!
Elections are coming. Okay, you may use Excel!”
• Cities: “Excel? We want OSV back!”
• Vendor: “We can fix it.”
• Minister: “Ok. Fix it.”
• Vendor: “Ditch the USB sticks and airgap things. Use SHA256. Then
it’s okay.”
Response to publication
“OSV is indeed very insecure.”
Fox-IT is hired
“The elections are in a few weeks and we can’t abort
now! Let’s apply some quick fixes.”
Government reaction
• Elections were held.
• Everybody trusts the output.
• No transparency: election council went dark.
Current status
• Elections have been insecure since 1991.
• Why should we trust the output?
Can the current election be trusted?
Improvements
• Paper should always be in the lead.
• Printed PDFs can’t be trusted.
• Only use software to validate manual counting.
Improvements
• Complete transparency:
– Each voting office should publish results on their site and in their physical
office.
– All processes & procedures should be documented & published.
Improvements
• Security awareness program for all employees.
• Implement security & fraud monitoring.
• Test if election can be manipulated.
Improvements
• The Dutch voting process could be easily hacked since 1991: that’s 26
years, and still counting (!)
• We don’t know if someone tampered with the results. We can’t check
it: logs are erased after 3 months.
This isn’t acceptable.
Conclusion
International context
Source: https://www.bloomberg.com/features/2016-how-to-hack-an-election/
Washington Post:
“Homeland Security official: Russian government actors tried to hack
election systems in 21 states”
• Paper should always be in the lead.
• Full transparency.
• Computers are not secure enough to run an election.
Final words
• Current governments will never admit election insecurity.
• So *we* need to fight for and protect our democracy!
Final words
Sijmen.Ruwhof.net
twitter.com/sruwhof
Thanks!
