2010 automated polls vulnerable to ‘attacks,’ warns IT expert

An internationally renowned information technology (IT) expert yesterday refuted claims by the Total Information Management Corp. (TIM) and Smartmatic International Corp. (Smartmatic) joint venture, the winning bidder for the 2010 automated polls, that their hardware and software are fool-proof devices, saying they are vulnerable to attack from hackers all over the world, which could render next year’s elections a total failure.

“The 2010 automated polls could be subject to new attack techniques employed by hackers which could include a Denial of Service (DoS), Distributed Denial of Service (DDoS), System Buffer Overflow (SBO), Latest Virus Attacks Generated Almost in Real Time (LVGIRT), Spyware, Unauthorized Front and Appliance Connection and Replication of the Government’s Monitoring Machine to be sold to the highest bidder,” Dante Mara told a forum.

He said a DoS attack on the automated election system (AES) could result in aggregated poll precinct voting results and municipal reports being unable to connect to the provincial capitol aggregator servers, while a DDoS, which is more serious, could generate more spurious network traffic, increasing the scope and intensity of the legitimate network messages being denied, and has the potential of shutting down the whole AES when applied by a determined hacker.

To make his point clear, Mara said the latest attack on Twitter, which rendered the Web site inutile for 14 hours, causing business losses amounting to $18 million and property damages amounting to $5.4 million, was a DDoS attack, triggered by a sleeper type.

The IT expert added the hacker might be a Filipino as the system used in Twitter was named Cyxymu, which, when read in the vernacular means “Sexy Mo.”

In an SBO, a protocol message is sent at a size larger than the buffer size of an application program residing in the server, which could then subvert the program and provide administrator access to the hacker carrying out the attack.

With LVGIRT, the generated data can be erased or cause the hardware to malfunction.

The Spyware, according to Mara, is a potential sleeper program designed to run at an appointed time and date.

Aside from those, Mara said the AES could also be vulnerable to the notorious power outages which usually occur during election days.

He, however, stressed the government could still do something to protect the 2010 automated polls from saboteurs if it could acquire the Secured Audit Network Overlay (SANO), which could issue digital security certificates to all AES hardware and digitally encrypt the zero balance registry prior to the start of the voting process.

It could also receive data from all remote data devices, computers and audit applications; execute its own aggregation computation; forward real-time aggregated reports; and protect all servers from the provinces down to the canvassing hub, he added.

Mara said the SANO, which would be purchased instead of being leased, unlike the Smartmatic-TIM machines, could also be customized for future re-use for the National Treasury Collection System, as a backbone for the National Police Clearance System, and for a service delivery and benefit program for all government employees.

Following the Supreme Court decision denying the petition to nullify the Comelec’s award of the poll automation project, Sen. Francis “Chiz” Escudero also yesterday called on the poll body to ensure clean and honest elections in 2010.

“We should now work together to make sure that poll automation will work. We cannot allow a failure of election. We must remain vigilant so the elections will reflect the will of the electorate,” he said in a statement.

“Our objective should be clean automation, not automation for automation’s sake, or we will find ourselves in danger of substituting manual, retail cheating with automated, wholesale cheating.”

Escudero also proposed that Congress convene five days before June 30 to select a transition president in case there is a failure of elections in May next year.

“We are going to hold automated elections nationwide for the first time in our electoral history. It is our responsibility to make sure that our democracy will survive any worst-case scenario,” he stressed.

“The best-laid plans, as the saying goes, can go awry. Our present laws do not address a possible failure of election for the top two offices in the land,” he added.

To prevent any leadership vacuum resulting from a failure to proclaim the president and vice president, the Senate can elect from among the 12 non-reelectionist senators a president who will assume a transitory role until the issue is settled, the senator said.

This will require a joint resolution by the incumbent Congress which will convene only for that purpose for the last time before June 30, Escudero stressed.

Under the current succession law, the Senate president is second in line, followed by the Speaker of the House of Representatives.

“I share the apprehensions of many about our readiness to fully implement the poll automation law at this time. But since the Supreme Court has spoken, we have to work together to make it work,” he said.

“Our objective should be clean automation, not automation for automation’s sake, or we will find ourselves in danger of substituting manual, retail cheating with automated, wholesale cheating,” Escudero added.

Escudero said he will initiate the measure as soon as possible in the Senate. A counterpart resolution on the same issue has also been filed in the House of Representatives by Representatives Teodoro Locsin Jr. and Edno Joson. –Charlie V. Manalo, Daily Tribune