
SANS ISC: InfoSec Handlers Diary Blog


Computerized elections, some thoughts

Published: 2005-11-15
Last Updated: 2005-11-17 00:07:47 UTC
by Jim Clausing (Version: 4)
This is more of an editorial-type story than most of the breaking news stuff we normally report in the handler's diary, but I've been thinking about it for a while and wanted to see what our readers think.  My thanks to Pedro for allowing me to post this on his day as handler on duty.

One week ago today was an off-year election here in the US.  It was the first time that my precinct (and county) used the new electronic touch screen voting machines.  In previous years, we used the infamous punched cards that garnered so much attention (and introduced most of us to the concept of hanging chads) in Florida in 2000.  I have to admit that as a security professional it was somewhat disconcerting to be using a Windows-based machine to cast my vote on Black Tuesday (the second Tuesday of the month, when Microsoft normally releases their patches and security vulnerabilities).

The machines that were used in my precinct were Diebold AccuVote-TSX.  This appears to be the latest incarnation of the system that Avi Rubin et al. reviewed in their scathing report from July 2003 (also presented at the IEEE Symposium on Security and Privacy 2004).  As a 'consumer', I have no way of telling whether many of the concerns raised in that report have been addressed, because it doesn't appear that Diebold has been very forthcoming, but there appear to still be some serious problems with them, which led to California banning the use of the Diebold machines this fall (see story here).  I suspect that the problems with forged smartcards probably still exist, too, for example.  I was very happy to see that at least one of the conclusions of the report was taken seriously: the machines in my precinct did produce a paper ballot that I was asked to verify before my ballot was counted (or, at least, before the software claimed that the ballot had been recorded).  I assume that those paper ballots would be used in the event a recount was called for, but as the California test demonstrated, if the printers jam or the machine freezes, the paper doesn't really help.

I also note that the Government Accounting Office (GAO) released another very critical report on the state of electronic voting just 2 weeks before the election.  So, what does all of this mean?  I'm not sure.
I believe that electronic voting in some form is the future, but as a security professional, I am keenly aware that there are many obstacles still to overcome.

Update: I've gotten some very thoughtful responses from some of our readers and I'd like to thank all of them.  In particular, I want to thank Gordon for telling me about the link below which was one I was not previously aware of and which suggests that some of the problems may actually be nearer solution than I had previously been aware.  I guess I need to actually sit down and read through some theses/dissertations and patent applications to get a better feel for where the current research is.

A few useful links on electronic voting: (unfortunately, not updated recently)

Bruce Schneier posted some thoughts in his monthly newsletter Crypto-Gram a year ago

Jim Clausing, jclausing /at/

New Sober variant in the wild

Published: 2005-11-15
Last Updated: 2005-11-15 22:06:15 UTC
by Pedro Bueno (Version: 2)
Yesterday we got some messages about a possible new variant of the Sober virus to be released today. The F-Secure Weblog was one of the sources that posted a press release from the Bavarian Police warning about the new variant. And it looks like they got it right, at least according to Symantec (calling it Sober.S), F-Secure (calling it Sober.V) and CA (calling it Sober.S).
According to the first reports received, it is spreading via an email with something that looks like a zipped Excel attachment. But Symantec only mentions a zipped attachment, so I imagine that could be a lot of different extensions.
The subject and body may be in English or German, for example the following subjects:

  • Thanks for your registration.
  • Hi, Ich bin's

So, watch out and warn your users.
Thanks to Juha-Matti and Alex for the updates on this.

Update: McAfee reports 3 different variants since yesterday (which may be today according to your time zone...)

Update 2: F-Secure just published that they are already detecting 5 new Sober variants.

Handler on Duty: Pedro Bueno (pbueno //%%// isc. sans. org)

Trojan exploiting MS05-053 - TROJ_EMFSPLOIT.A (updated 2005-11-15)

Published: 2005-11-15
Last Updated: 2005-11-15 20:09:55 UTC
by Joshua Wright (Version: 3)
UPDATE: In a story reported yesterday (here), Trend Micro apparently now admits their analysts mis-analyzed this trojan and that it does not actually exploit MS05-053.

Trend Micro is reporting a trojan in the wild (TROJ_EMFSPLOIT.A) that is exploiting the recent MS05-053 vulnerability announced on Tuesday.  The trojan causes EXPLORER.EXE to crash, which isn't so much fun for Windows users.

The Trend Micro notice is available at their site.  Fellow handler Pat Nolan did an excellent write-up of MS05-053 issues and recommendations at

Thanks to the dutiful Juha-Matti for bringing this to our attention.


Lynx user? Upgrade it!

Published: 2005-11-15
Last Updated: 2005-11-15 15:59:27 UTC
by Pedro Bueno (Version: 4)
If you are a Lynx user, prepare yourself to upgrade it.
According to an advisory from iDefense, there is a command injection vulnerability in it that "could allow attackers to execute arbitrary commands with the privileges of the underlying user."

Some patch links:

Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs:

Alternately, an incremental patch is available at:

There is also a workaround (described in the bulletin) for those who can't upgrade.

Disable "lynxcgi" links by specifying the following directive in lynx.cfg:


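The following audit helper is an added example, not code from the ISC diary, the iDefense bulletin or the lynx project: it checks whether a given lynx.cfg carries the workaround described above. It assumes the TRUSTED_LYNXCGI directive and its special value "none", which come from lynx's own lynx.cfg documentation rather than from the diary text.

```shell
#!/bin/sh
# Added audit helper (not from the ISC diary or the lynx project).
# TRUSTED_LYNXCGI and its "none" value are taken from lynx's lynx.cfg
# documentation; the sample configs in the test are constructed.

# Print the effective TRUSTED_LYNXCGI entries of a lynx.cfg, one per line,
# ignoring commented-out lines and surrounding whitespace.
lynxcgi_trusted_entries() {
  grep -v '^[[:space:]]*#' "$1" \
    | sed -n 's/^[[:space:]]*TRUSTED_LYNXCGI:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Succeed (exit 0) only when lynxcgi links are disabled outright,
# i.e. an uncommented TRUSTED_LYNXCGI:none entry is present.
lynxcgi_disabled() {
  lynxcgi_trusted_entries "$1" | grep -qx 'none'
}

# One-line verdict for a host's lynx.cfg, for use in a fleet sweep.
lynxcgi_report() {
  if lynxcgi_disabled "$1"; then
    echo "$1: lynxcgi links disabled (TRUSTED_LYNXCGI:none)"
  elif entries=$(lynxcgi_trusted_entries "$1") && [ -n "$entries" ]; then
    echo "$1: lynxcgi links limited to: $(echo "$entries" | tr '\n' ' ')"
  else
    echo "$1: no TRUSTED_LYNXCGI directive, lynxcgi links allowed; apply the workaround or upgrade"
  fi
}
```

Run `lynxcgi_report /etc/lynx.cfg` (or wherever your distribution installs the file) on each host; a host that still allows lynxcgi links and cannot upgrade to 2.8.6dev.15 should get the workaround.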
Handler on Duty: Pedro Bueno (pbueno //%%// isc. sans. org)