Student hijacks election, case highlights internet voting vulnerability

A former Cal State student was sentenced to one year in jail for hacking a student election, to gain positions which pay much better than most town council positions in Connecticut. Two excellent articles by Doug Chapin: Cautionary Tale: Student Gets Jail Time for Stealing Online School Election <read> and a follow-up by David Jefferson: <read>

The gist of the story from Chapin:

Technically, this isn’t the kind of election news I usually blog about (because it doesn’t involve a public election) but I thought it was worth sharing … From UTSanDiego:

A former Cal State San Marcos student who rigged a campus election by stealing nearly 750 student passwords to cast votes for himself and friends was sentenced Monday in federal court to a year in prison …Weaver, 22, of Huntington Beach was a third-year business student when he carried out the elaborate plan to win election as president of the school’s student council in March 2012. He pleaded guilty this year to three federal charges, including wire fraud and unauthorized access to a computer …

The plan to steal the election was months in the making.

On Weaver’s computer, authorities found a PowerPoint presentation from early 2012, proposing that he run for campus president and that four of his fraternity brothers run for the four vice president spots in the student government. The presentation noted that the president’s job came with an $8,000 stipend and the vice presidents each got a $7,000 stipend.

Weaver also had done a bit of research, with computer queries such as “how to rig an election” and “jail time for keylogger.”

A month before the election, Weaver purchased three keyloggers — small electronic devices that secretly record a computer user’s keystrokes [pictured above – ed.].

Authorities said Weaver installed keyloggers on 19 school computers, stole passwords from 745 students and cast ballots from the accounts of more than 630 of those victims.

The plot was discovered, however, when technicians spotted unusual activity on the last day of the election period:

Using remote access, technicians watched the computer user cast vote after vote. They also watched as the user logged into the account of a university official and read an email from a student complaining that the system would not let her vote.Weaver had already cast a ballot from the student’s account, which was why she couldn’t vote.

The techs called campus police, who found Weaver at the school computer. He had keyloggers with him and was arrested.

The student didn’t help himself when he engaged in an elaborate cover-up afterwards

Jefferson adds several cautionary concerns that the hacker could have been a bit smarter and been less likely to be caught or the hack discovered, and that a similar public election hack would have been more difficult to discover, concluding:

In the many debates on the subject of Internet voting it is important not to allow anyone to use this Cal State San Marcos student election experience to argue that online public elections can be made safe because those who would cast phony votes will be caught. Mr. Weaver’s actions were detected because he was voting from computers controlled by the university IT staff, and he was identified and caught because he was not even minimally technically skilled in the techniques that could have distanced him from the crime. In a high stakes public election we will not be so lucky.

What would we add?

We would add that one of the key (pun intended) vulnerabilities in online voting is in the user id’s and passwords required for voting.

What if Matthew Weaver had spent his time getting a job in the computer lab and obtained the list of passwords from a central server and then made some timely changes to alter logs of the ip addresses used for voting?

The now famous D.C. Hack among other things demonstrated that even outsiders have the possibility of gaining a list of voters and their passwords.

One of those pesky details that would confront Connecticut Secretary of the State, Denise Merrill and the Sswtate Military Department when they design a safe online voting system for Connecticut.  If they choose web based voting, how in the age of Bradley Manning access can they insure that military computers and individuals’ computers are safe for internet voting? How can they assure that passwords sent through the mail arrive in time, to the intended recipient, and uncompromised?


Leave a Reply

You must be logged in to post a comment.