Worm attacked voter database in notorious Florida district

Brad Friedman

May 16, 2007 (Computerworld) The computer database infrastructure of Sarasota County, Fla., was attacked by a notorious Internet worm on the first day of early voting during the 2006 election, which featured the now-contested U.S. House race between Democrat Christine Jennings and Republican Vern Buchanan in Florida's 13th Congressional district.

In the early afternoon hours on Monday, Oct. 23, 2006, an Internet worm slammed into the county's database system, breaching its firewall and overwriting the system's administrative password. The havoc brought the county's network -- and the electronic voting system which relies on it -- to its knees as Internet access was all but lost at voting locations for two hours that afternoon. Voters in one of the nation's most hotly contested Congressional elections were unable to cast ballots during the outage, since officials were unable to verify registration data.

Remember Slammer?

An incident report filed by the county explains the intrusion and temporary havoc wrought by the virus.

According to the two-page report (download PDF), a server on Sarasota County's database system was attacked by "a variant of the SQL Slammer worm." Once infected, as the report details, the server "sent traffic to other database servers on the Internet, and the traffic generated by the infected server rendered the firewall unavailable."

[Note regarding the PDF: The incident occurred on Oct. 23, 2006, and the incident report was filed on Oct. 24, 2006. The second reference to the incident date as "10/14/06" is a typo, as confirmed by Sarasota County information security analyst Hal Logan, a member of the team filing the report.]

In a separate document, titled "Conduct of Election Report, Sarasota County General Election, November 7, 2006" there are two different Internet service outages mentioned, though the viral attack described in the Sarasota County database security team's report -- the attack that was presumably the source of one of those outages -- is not described or even mentioned specifically in that report. It's still unclear what the second incident referred to in that report may be.

The SQL Slammer Worm, commonly known as Slammer, was discovered in 2002. In January of 2003, when it was first triggered, the virus brought Internet systems down across the world in a matter of minutes. Though most systems vulnerable to the attack have since been patched by a fix provided by Microsoft prior to the initial 2003 attack, the Sarasota County machine that was attacked and subsequently spread an infection that overtook the network infrastructure "was completely unpatched. Essentially it was missing five years’ worth of security updates," according to the October 24, 2006, incident report.

Effects and disclosures

A network security specialist who works for the county and who was part of the team that authored the incident report explains that the damage was contained once the server where the infection struck was taken offline. He believes that beyond the initial damage and the ensuing two hours during which the system became largely unusable --- temporarily making it next to impossible for elections officials to verify residency of voters --- there was no lasting effect on the voting systems used in the 13th District's election or in other races in Sarasota County.

But questions remain about whether the incident was disclosed to the parties challenging the election via discovery. In several previous instances, documents believed relevant to the case were found to have been withheld from the plaintiff's attorneys by the Sarasota Election Supervisors office.

One such document was a bug warning issued by ES&S, the manufacturer of the touch-screen voting machines used in Sarasota County. That warning went unheeded by the county, and the problem it outlined could well have been related the many problems voters had registering votes correctly on the touch-screen machines during the election.

In addition, a set of stipulations made by the company to the county prior to their release of the ES&S iVotronic source code to a state-convened panel of computer scientists was also withheld. The panel was commissioned to investigate the still unexplained, extraordinarily high number of reports of votes that were cast but unrecorded by the touch-screen systems in the District 13 Congressional race.

Delayed reaction

Though the worm intrusion occurred on the first day of early voting, two weeks prior to Election Day on Nov. 7, major structural changes called for in the wake of the attack were postponed until after Election Day according to both the incident report and an e-mail sent on Nov. 8 to John Kennedy, network administrator for the Sarasota County Supervisor of Elections office. That e-mail, written by Hal Logan, an information security analyst at Sarasota County's Suncoast Technology Center, was forwarded to the Supervisor of Elections Kathy Dent on Nov. 9.

Dent mentioned nothing about the attack in her state-mandated "Conduct of Election" report, signed on Nov. 18.

(When I called the Sarasota County Supervisor of Elections office seeking a comment from Dent, an employee initially told me that Dent was in the office, but after I gave my name, I was put on hold and then told she wasn't available. A request to return the call and another voice message the next day were never returned.)

"We have some configuration changes lined up to prevent this type of incident from happening again, and we will begin implementing them next week," Logan wrote in the e-mail he sent the day after the election, in which he described the outage and included the incident report. "Normally they would have been done sooner, but we wanted to wait until after Election Day."

Logan stated earlier this week that the reason for the delay at the time was identified as a "configuration freeze" policy concerning "anything that could affect voting" in the lead-up to Election Day, and he said that the vulnerability was contained after the affected system was taken offline.

He stressed that the network affected was the county's database system, which was used by elections officials at precincts to "verify residence of voters," but that "the Supervisor of Elections maintains their own network for voting data," which is separate from the network which was attacked.

"Had there been any reason to believe that things could remotely affect elections systems, we would have handled it differently," Logan said in explaining why they felt comfortable waiting until after Election Day to make broader configuration changes beyond taking the infected server offline, resetting admin passwords, and taking other immediate steps -- such as reviewing systems logs and monitoring "traffic leaving the system" -- to ensure the damage was contained.

Passwords in peril

When the SQL Slammer worm was first discovered, an advisory posted at the Web site of the U.S. Department of Homeland Security's U.S. Computer Emergency Readiness Team (CERT) stated the following:

Compromise by the worm confirms a system is vulnerable to allowing a remote attacker to execute arbitrary code as the local SYSTEM user. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain Administrator access to the victim system.

The Sarasota incident report confirms that the attack succeeded in changing the administrator password for the county's database system.

When asked if such a worm sent to the system could be used to mask a more nefarious purpose, such as an attempt to hack into the voting system in some fashion, Logan acknowledge that "it's a possibility."

"That's how hackers would normally work," the security expert explained. "Get access to one machine to test the system to see how the rest of the system works."

But if hacking further into the system or planting a virus elsewhere was the hope, Logan believes that it's unlikely that the attack would have been successful. "Our network doesn't share copper or wire with the Supervisor of Elections' network. That's by design for exactly that reasoning," he told me.

The attorneys from the various groups challenging the election on behalf of voters and losing candidate Christine Jennings in Sarasota, however, have so far not indicated that they were made aware of the either the issue or the incident report, nor have they said whether or not the state or Dent has disclosed any of the information to the legal team contesting the election.

A race challenged

The race is being challenged both in Florida state court as well as in the U.S. House of Representatives under the Federal Contested Elections Act.

Republican Vern Buchanan was ultimately certified as the winner over Democrat Jennings by just 369 votes. An ongoing investigation by state officials has been unable to determine the cause of some 18,000 so-called undervotes (votes that were reportedly cast but not recorded) registered only on Democratic-leaning Sarasota's touch-screen voting systems.

The unusually high undervote rate, approximately 18% of the total, has been the subject of much speculation. Normal undervote rates -- in the neighborhood of 2% -- were reported for other races in Sarasota that used the same touch-screen ballots as the ones with the 18,000 undervotes in the Buchanan-Jennings contest. The undervote rate was also around 2% in absentee voting that used paper ballots for the same election in the same county.

The second time around?

I asked Logan if he was unaware of a second "separate occasion" when the county's Internet access went down, affecting the "secure connection through the county's internet service provider to the registration database to verify voter's eligibility," as referred to in the county's "Conduct of Election Report."

"On two separate occasions, the county's internet service went down," according to the report describing a "County Level Internet Outage."

When queried about what a second outage could be, Logan said that when system administrators first became aware of the problem at 12:55 p.m. on Oct. 23, they thought it was a hardware issue and rebooted the system while they hurried to the data center to look into it. "We rebooted, and that brought us back up," he said, "but by the time we got to the data center, it was back down again."

"Beyond that, I don't remember anything else during this most recent election," he said. "If anything did happen, I do know that it wasn't anything that involved any security equipment."

Since Dent has not returned calls, it hasn't been possible to determine whether the outages referred to in that report were related to the one referred to in the incident report concerning the worm attack or if they are different outages entirely.

Contractors in the mix

In early October, just prior to the November election, the county contracted with a company called IT Convergence for "upkeep, maintenance and performance" work on its database system, according to Logan. At the time, the older, unpatched server was not accessible to the network, but it was assigned a network address once IT Convergence came on board so the contractor would be able to monitor all of the county's systems.

Logan says that the older server struck by the worm had previously been set to be removed from the system entirely. "It was a little embarrassing having something that old get on our systems," he told me, "But at same time, it was on an old server scheduled to be decommissioned."

So was the Sarasota County system targeted by someone? Or was this just a random worm bouncing around the Net that just happened to hit the newly vulnerable server, by coincidence, on the first day of early voting.

Though he clearly believes nothing untoward came of the attack, Logan agrees the timing was interesting. "It would make somebody raise an eyebrow," he said.

Brad Friedman is an investigative journalist, blogger, proprietor of The BRAD BLOG, and an authority on issues related to American election integrity.

Copyright © 2007 Computerworld Inc. All rights reserved.