For Those With a Flair For The Dramatic: How to SpeedHack The Vote - The FAST Version
11/18/2004
Chuck Herrin, CISSP, CISA, MCSE, CEH
http://www.chuckherrin.com
I assume if you're here, you've seen the main "HackTheVote" page. If not, go there first. Now, since the proof of concept phase is done, I decided to see how many votes I could change in the least amount of time. I have found that sometimes overly dramatic examples can help bring a point home, as long as they're accurate.
We know that we can steal an election, but how many votes can we change if we just go Friggin' Nuts? Here are the rules - I will replicate the first "Hack" from the main page, log out, and, not satisfied with the results, go back in and add as many votes as I can, while running reports and taking screenshots, and be out in under 5 minutes. Can we do it? Let's find out....
Enron was a conspiracy theory, too. Were their whistleblowers Crackpots? Were the people who lost their retirements to those corporate criminals just "sore losers"?
I've never been part of the "Tin Foil Hat" conspiracy theory crowd. I'm just a voter who happens to be a Professional IT Auditor.

Jeez.... Again with the CYA stuff!
**Important** - I would like to stress that this demonstration was performed locally on a system totally under my control, and no unauthorized access to any computer system occurred. The voting database used was the sample obtained from www.blackboxvoting.org, and this election does not reflect data for any election currently taking place. I want to be very clear that this is only a proof-of-concept demonstration, and at no time was actual voter fraud committed in order to prove a point. THIS IS A DEMONSTRATION ONLY, very similar to the well-documented demonstration Bev Harris performed for Governor Howard Dean recently on National television. Also, GEMS software is a trademark of Diebold, and Windows and Access are both copyrights of Microsoft, Inc.
REQUIREMENTS:
Windows-based PC with 150 megs free disk space and 128 megs RAM (minimum)
A copy of MS Access.
The GEMS software - http://freespeech.metacolo.com/GEMSIS-1-18-17.zip is one place to get it. There are plenty of other places on the web.
A Sample Election Database - http://www.blackboxvoting.org/coloradospringscityelection.mdb is one from Colorado Springs, CO. Again, there are several out there.
With all that out of the way – OK! Let’s get started!
We remember from before that the first thing to do is view the summary report for our sample election from Colorado Springs, CO. This is what the actual, official results looked like before I decided to cast “my vote”.
To get the results, we open GEMS (username "admin", password "password").

Figure 1 - The opening GEMS screen.
Go to GEMS > Election Summary Report,

Figure 2: Choose the Election Summary Report for our Before Pictures
and here we go! The official Election Summary Report, as of right now. Note the new Speedhacking timestamp at 21:09:36 - we'll come back to that in the Audit Log section.

Figure 3: Election summary report – before.
Remember Rule #1 - I have to do the same thing as before on the first Hack. So we go to:

Figure 4: The c:\program files\GEMSlocalDB folder where all of our valuable data is stored.
This is our handily tamper-friendly Access database, the back end for the entire system. Potentially hundreds of thousands of votes could be stored here on a central computer with no access control, no passwords, etc. When we open the database and view the Candidate table inside, we see:

Figure 5: The Candidate table
Ah ha! Look at the first and second columns - Sallie’s opponent, Linda Barley, was assigned 550 as a candidate number, and Sallie is candidate number 551.
From the CandV Table in the same database, we see that the Race ID is 221, and that their Key IDs are 541 (Linda) and 542 (Sallie). The Key IDs are what we need to change the vote counts for. Remember that the original vote results were 4209 to 8291, Linda to Sallie. Let’s change that from a 2/3s victory to a shutout victory for the candidate who should have lost.
Now, we've done this before, but this time I'm just going to change the votes in the SumCandidateCounter Table:

Figure 6: Changing the votes inside the SumCandidateCounter table
This is all familiar, so let's run our report.

Figure 7: The new summary report with the results the way I wanted them.
Jeez - that took 4 minutes! I'm running out of time, but 11,963 votes in four minutes (with screenshots, no less) isn't too bad. Note the final numbers for District 3 – 7881 to 0. Just as I expected, I was able to override the wishes of 11,963 voters and replace their ballots with my own. How hard was that?
But remember, that's not enough. I want to RUIN my opponent, so let's get back in there and Win Ourselves a MANDATE!
Aight - let's hop back into our Tamper-Friendly database and just go friggin' nuts......

Figure 8: Going Friggin' Nuts
Woo-hoo! Now there's NO chance for a recount! Let's check our totals and our timestamps:

Figure 9: The People Have Spoken
Arrgh - I went over my 5-minute mark, but LOOK at the NUMBERS! Now that's more like it - a Texas-Sized lead! Muwaaaa-haa-haa-haa!
Let's do the math:
In our first pop in, we changed 11,963 votes. Second time around, we added 1,615,774, for a new total of 1,627,737 in our column, and a big fat Zero for our opponent. The people have spoken.
But wait - What About Those Pesky Audit Trails?
But what if someone notices? Now that my work fixing the election is done, all that remains is clearing up the audit trail. Let's check the logs....
From within the GEMS software, let's look at the audit log:

Figure 10: GEMS > Audit Log

Figure 11: Looking for evidence of tampering. See anything?
Above, we see at 21:09:36 where I viewed the summary report (Figure 3), then closed the GEMS software at 21:10:09. Then you see the next two summary reports, and the timestamps all match EXACTLY the summary reports above.
Over 1.5 Million votes in six minutes. No Audit Trail.
I missed my 5-minute target, but pretty dramatic, nonetheless.
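The gap described above (counters change while the application log shows only report views) can be detected from outside the application. The following is an added example, not part of the original page and not GEMS code: it keeps a keyed digest of the SumCandidateCounter rows at each report and flags any change that no logged write accounts for. The key handling, the action names, and every timestamp other than 21:09:36 and 21:10:09 are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: this key is held outside the election database (e.g. by auditors),
# so someone who can edit the .mdb file cannot recompute a matching digest.
AUDIT_KEY = b"constructed-demo-key"

def digest_counters(rows):
    """HMAC-SHA256 over a canonical, sorted rendering of {key_id: votes}."""
    canonical = ";".join(f"{k}={v}" for k, v in sorted(rows.items()))
    return hmac.new(AUDIT_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def find_unlogged_changes(snapshots, audit_events, write_actions):
    """Return (t_prev, t_next) windows in which the counters changed although
    the application audit log shows no action permitted to change them.
    Timestamps are same-day HH:MM:SS strings, so string comparison orders them."""
    findings = []
    for (t_prev, d_prev), (t_next, d_next) in zip(snapshots, snapshots[1:]):
        if hmac.compare_digest(d_prev, d_next):
            continue  # counters untouched between these two reports
        logged_write = any(
            t_prev < t <= t_next and action in write_actions
            for t, action in audit_events
        )
        if not logged_write:
            findings.append((t_prev, t_next))
    return findings

# Constructed sample data. Key IDs 541/542 and the vote counts are the figures
# quoted in the text; the 21:13:30 and 21:15:40 timestamps are made up.
SNAPSHOTS = [
    ("21:09:36", digest_counters({541: 4209, 542: 8291})),
    ("21:13:30", digest_counters({541: 7881, 542: 0})),
    ("21:15:40", digest_counters({541: 1627737, 542: 0})),
]
AUDIT_EVENTS = [
    ("21:09:36", "Election Summary Report"),
    ("21:10:09", "Close GEMS"),
    ("21:13:30", "Election Summary Report"),
    ("21:15:40", "Election Summary Report"),
]
WRITE_ACTIONS = {"Upload Results"}  # hypothetical name for a legitimate write

if __name__ == "__main__":
    for start, end in find_unlogged_changes(SNAPSHOTS, AUDIT_EVENTS, WRITE_ACTIONS):
        print(f"counters changed between {start} and {end} with no logged write")
```

Both edit windows are reported because the log contains only report views and a close event between the differing digests.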
Anybody who wants to try this themselves can get the GEMS software and this same sample database from www.blackboxvoting.org or the links earlier in the document. Go for it! Try it yourself - you'll see that it works.
Chuck Herrin, CISSP, CISA, MCSE, CEH
CISSP – Certified Information Systems Security Professional
CISA – Certified Information Systems Auditor
MCSE – Microsoft Certified Systems Engineer
CEH – Certified Ethical Hacker
Email: me at chuckherrin.com