Tuesday, August 26, 2008

A Few Hacker Stories To Ponder

US regional bank hacked

Thwarted hack exposes score

By John Leyden

Published Thursday 11th October 2007

Hackers infiltrated the systems of Commerce Bank and accessed the records of 20 customers, the US regional bank said today.

The attack by persons unknown was partially thwarted - but not before a database of 3,000 records was hacked into and the data of 20 exposed. Compromised data included personal information such as names, addresses, Social Security numbers, phone numbers and, in a few cases, Commerce Bank account numbers, the Columbia Business Journal reports.

Security staff shut down the attack and called in police to investigate after uncovering the breach a week ago. The FBI is investigating.

The method used in the attack is unclear, and the bank will be keen for it to stay unclear, to avoid the possibility of copycat attacks. There are many avenues of assault; one common tactic is to exploit web application vulnerabilities by using SQL injection attacks to access information in back-end databases.

Commerce Bank has apologised for the breach to customers affected by the attack and is offering to pay for two years' credit monitoring. Concerned customers can call +1 877 279 4046 for more info.

The Midwest bank operates 360 branches in Missouri, Illinois and Kansas and an online banking business.

Second Life banks hacked in virtual crime wave

Tue Nov 20, 2007 2:31pm PST

By Eric Reuters

Last weekend saw a coordinated series of Second Life bank heists netting hackers L$3.2 million (US$11,500), news first broken by Nobody Fugazi of Early reports suggest the banks were all using copies of the same software to manage their deposits.

“From what I gather from my scripter it was ATM coding that didn’t check for money in people’s accounts before allowing the withdraw,” said avatar Barton Giovinazzo of Giovinazzo Choice Investments, one of at least five virtual banks hit by thieves, in an instant message to Reuters.

Other unsuccessful attempts were also made. “Our sites were under sustained attack … 579 attempts from an IP address in Austin,” said Mike Lorrey (Second Life: Intlibber Brautigan). Lorrey’s bank, BNT Holdings, fended off the attack with its assets intact. Asked about the impact of the thefts on an in-world financials industry already roiled by high-profile defaults, Corey said “I think it will amp up security for those that survive this.”

40 US banks hacked

March 13 2001

News broke today from the US 'National Infrastructure Protection Center' (NIPC), of an investigation following security breaches at over 40 mostly US based banks, over the last year.

The attacks have successfully exploited known security holes in Microsoft software products used at the banks - and the perpetrators have apparently been able to download lists of customers' credit cards and other data, with which they have attempted to extort money from the banks.

The question as to how even well-funded and security-conscious organisations such as banks, have allowed these vulnerabilities, is a good one but it is NTA Monitor's view that publication of these errors should not precipitate blame and criticism.

Said Deri Jones, of NTA Monitor: "Security and E-Commerce systems are complex - and I would guess all the banks concerned have policies stipulating that up-to-date patches are applied to their systems. So what went wrong? I wouldn't blame the staff or the management unless clear evidence of negligence arises in the future, instead I'd say that maybe some processes need looking at.

"But the real root cause is likely to be that the banks did not have an adequate security testing (penetration testing) programme in place. Our experience here at NTA Monitor, testing over 300 major blue chip companies across Europe on a quarterly or monthly basis, is that it is only independent testing that confirms the level of security achieved at an organisation.

"It's so easy for a security hole to be inadvertently introduced when making a change in a corporate's systems - or for new projects to move from development to production with an old patch status.

"Across our customer base, we constantly find big-name clients with excellent security products in use, but with surprising security holes. Conversely, some of our smaller clients often are surprisingly tight.

"At the end of the day, we all have to face the fact that there will never be 100% security but that the best way for an organisation to both find out holes and fix them, before they are exploited and to demonstrate good security practice, is to have a rolling programme of security testing from specialists like NTA Monitor. When the black day comes and a breach is exploited - then the client can at least defend itself from claims of negligence - the history of test reports will show 'holes found, holes fixed, holes found, holes fixed.'"

Distributed by PR Newswire on behalf of NTA Monitor

Hacked And Customers CV Data Stolen

March 31 2008

was hacked on Thursday, 27 March, resulting in customer data such as CVs being lost. The hackers accessed the job applications area of the site and downloaded personal information from CVs submitted, including job applications. Most of the stolen information relates to archived CVs rather than those of users currently looking for jobs. The company has been in touch with those affected to warn them of the possibility that they may be contacted by malicious parties. The nature of the potential data lost was a cause for concern.

It is still unknown what information was in the data stolen but CVs tend to contain contact information like phone numbers, which means phone calls by criminals might leave customers more open to attack than unsolicited e-mails.

Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank. Users of to be more wary about potential phone contact made as a result of the breach and to take measures to protect their personal data.

As yet it is still unclear as to how many users of the site were affected. declined to reveal the full scale of the breach as the firm’s investigation into the attack is still ongoing but a spokesperson for the recruitment website said the hack affected “a small percentage” of’s customers.

A 24-hour customer helpline has been set up to deal with any further questions or concerns users of the site may have regarding the breach at 01 6808699. Queries can also be sent via e-mail to

Over 400 Calls Made Using Hacked Federal Emergency Management Agency PBX Network

August 21 2008

A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia. The hacker made more than 400 calls on a Federal Emergency Management Agency (FEMA) voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski.

The calls, lasting from three up to ten minutes were placed through FEMA’s PBX network, a breach made possible due to an insecurely configured Private Branch Exchange system. FEMA is part of Homeland Security, which in 2003 put out a warning about this very vulnerability.

Calls were made to locations such as Afghanistan, Saudi Arabia, India and Yemen, with Sprint originally detecting the compromise and blocking all outgoing long-distance calls from the location. It appears that the vulnerability was left open by the contractor when the voicemail system was being upgraded. At this point it is unknown who the contractor was or what hole specifically was left open. The hole has since been closed.

It is possible that the hacker did not know he was using FEMA’s network in the first place. There is no shortage of vulnerabilities allowing automated reconnaissance for easily exploitable systems to happen. This type of hacking is low-tech and was popular 10 to 15 years ago. In 2003, Homeland Security and the FBI investigated multiple reports about private industry being breached by these types of hackers. “This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace,” according to a department information bulletin from June 3, 2003.

FEMA’s chief information officer is investigating who hacked into the system and where exactly the calls were placed to.

High School Senior Hacks 38000 Private Records

March 27 2008

Police questioned a Broward County student on Tuesday after they said he hacked into the school district’s computer system.

Authorities said a student at Taravella High School in Coral Springs hacked into the Broward County school district’s computer system, gaining access to the detailed, private records of over 38,000 employees, including names, addresses, phone numbers and Social Security numbers, which could put those district employees at risk for identity theft and other crimes.

According to a police affidavit, 18-year-old Michael Wasa admitted that he hacked into the district’s computers from a computer classroom at Atlantic Technical Center, where he was also taking classes.

In his computer, police found the entire Taravella High School database and a folder about making bombs. Police conducted forensic analysis of Wasa’s personal computer while the district employees wait for the results.

Investigators also found hacker programs, student information and software that could falsify credit card information in a school computer Wasa allegedly used last month.

The school district did notify teachers about a week and a half ago. A representative from the district said there is no new information. Pat Santeramo, Broward County Teachers’ Union President, said his inbox was flooded with e-mails from worried teachers. The school district suspended the student for 10 days.

It’s not yet clear how Wasa intended to use the information. He might just be a teenager who gets a kick out of breaking computer codes and hacking into systems as if playing a video game. But the consequences could be deleterious for the people whose personnel files were breached, and the matter should not be taken lightly.

Coconut Creek police said they’re still not sure if Wasa was showing off his computer skills or if he had intended to use the information. No charges have been filed and the incident is still under investigation. The district has warned employees to keep close track of their bank accounts in the meantime.

California Hacker Caught Taking $50K, Penny by Penny

Office Space-style crime makes it to the real world with less-than-perfect results. Maybe the recently charged hacker just needed someone to take a certain employee’s stapler.

In the world of hacking and phishing, there are your slightly unusual attacks, significant but not super eye-catching – there are hackers involved in corporate espionage, zealous nationalists targeting news sites, and rings of malicious Canadian phishers who aren’t content to just go ice fishing. However, every once in a while a story about a hacker really stands out from the rest.

The story of Michael Largent’s hacking victories and eventual downfall is one of those sort of stories. Largent fulfilled the pop-culture dream that was popularized in such movies as Office Space and Superman 3 – stealing a large sum of money, $50,000 to be exact, a few pennies at a time.

Largent used a massive fraud scheme to trick Google Checkout and online brokers like E-trade and Schwab to send him the sum, a few cents at a time. The fraud was made possible by a common practice relatively unknown to the general public. When users open up accounts with these sites, the site sends a tiny payment from a few cents to a few dollars to the user. The payment is meant to verify that the user has access to the account and that it’s active.

By opening 58,000 such accounts, Largent funneled money through the channels into a few private bank accounts. Largent raked in $8,000 from Google’s Checkout alone.
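A defender-side check for the pattern described above, written as an added example that is not part of the original article or any payment provider's code. The sign-up records, field layout, destination labels and the threshold of three accounts per destination are all constructed assumptions.

```python
from collections import defaultdict


def build_sample():
    """Constructed sign-up log: (new_account_id, applicant_name,
    linked_bank_account, verification_deposit_in_cents)."""
    rows = [
        # Ordinary customers: one or two accounts per linked bank account.
        ("acct-0001", "A. Rivera", "BANK-X", 25),
        ("acct-0002", "A. Rivera", "BANK-X", 31),
        ("acct-0003", "B. Chen", "BANK-Y", 12),
    ]
    # Funnel pattern: many sign-ups under different names, all linked to
    # the same destination, each collecting a small verification deposit.
    for i in range(40):
        rows.append((f"acct-1{i:03d}", f"Applicant {i}", "BANK-A", 10 + i % 5))
    return rows


def flag_funnel_destinations(signups, max_accounts=3):
    """Group verification deposits by destination bank account and flag
    any destination linked to more than max_accounts new accounts."""
    per_dest = defaultdict(lambda: {"accounts": set(), "names": set(), "cents": 0})
    for account_id, name, destination, cents in signups:
        entry = per_dest[destination]
        entry["accounts"].add(account_id)
        entry["names"].add(name)
        entry["cents"] += cents

    flagged = {}
    for destination, entry in per_dest.items():
        if len(entry["accounts"]) > max_accounts:
            flagged[destination] = {
                "accounts": len(entry["accounts"]),
                # Many distinct applicant names paying into one bank
                # account is the strongest signal in this model.
                "distinct_names": len(entry["names"]),
                "total_cents": entry["cents"],
            }
    return flagged


if __name__ == "__main__":
    for dest, stats in flag_funnel_destinations(build_sample()).items():
        print(dest, stats)
```

Each individual deposit is too small to trip a per-transaction limit, so the check aggregates by where the money lands rather than by who signed up.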

In the end, his activities were noticed by his bank. The bank contacted him and Largent incredibly told them the entire story. He claimed that he had read the terms carefully and believed he was legally safe. He said what he was doing was not wrong and that he needed the money to pay off his debts.

Technically Largent was right – almost. What he was doing in practice was not wrong, but the fact that he used false names to do it was illegal. Largent used false names such as cartoon characters, entered fake addresses, and used fake social security numbers. These offenses opened him up to wire, mail, and bank fraud charges.

It looks as if Largent may soon be headed to “federal pound me in the…” as a certain employee in the movie Office Space exclaimed. He is currently out of jail on bail and is awaiting the charges. Interestingly, Google is not pursuing damages currently and the police are not planning on charging him for the money obtained from Google Checkout. The case of Largent just goes to show you sometimes there’s a reason why a scheme that seems too good to be true hasn’t been tried more often.

Valve Hacker Caught by Police Forces

After one year and many millions spent, genius hacker is caught by the police

30th of June 2008

If you are interested in hacking news, then you must know about 20-year-old hacker MaddoxX - the guy managed, one year ago, to hack a third party Valve file server called Steam Cyber Cafe and posted online an archived file that included credit card numbers, transaction amounts, the company's supposed bank balance, and data that allowed the creation of cyber cafe certificates - which means some really nasty things.

"We also don't want money from VALVe," he wrote on the No-Steam forum last year, according to website Shacknews. "We want a simple message on their site." However, the website's administration had a different reaction than the one anticipated by MaddoxX: they have created an email address meant to encourage citizens to help the authorities track him down. We don't know if that specific e-mail was the reason he got caught (actually, we really doubt it had anything to do with it).

But the guy did not stop there - he also hacked an Activision website and downloaded an early version of Enemy Territory: Quake wars but did not leak the game (according to reports, this would've cost the developers $25 million). He also stole credit card data from an English ticket site (no less than 50,000 credit cards) and, according to the police, spent about 13 million Euros playing online poker and shopping for notebooks, flat screens and MP3 players. Stuff he probably sold after the purchase.

But, as it usually happens in such cases, MaddoxX was eventually caught by the Dutch police in the small town of Maastricht (a police unit called Team High Tech Crime). It is unclear at the moment what will happen to the 20-year-old teen, but the future doesn't look too bright: he hacked two major websites and spent way too many millions of euros - that were not his.

Largest Hack and Identity Theft in the U.S.

Defendants face life in prison

6th of August 2008

11 men of different nationalities pulled a large-scale scam on nine major U.S. retailers, such as OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Forever 21. Three Americans, one Estonian, three Ukrainians, two Chinese, one man from Belarus and one whose origins are not yet known are responsible for hacking into the wireless networks of these enterprises. After gaining illicit access to them, the hackers stole credit and debit card numbers by using "sniffers," which are utility programs that keep track of the network activity.

The numbers, together with other private information, like passwords and account data, were sold to other criminals from the U.S. and some Eastern European countries. In order to make the numbers usable at any ATM, the hackers encrypted them on blank cards. The money transfers were performed via certain Eastern European bank accounts, which made them go unnoticed for quite a long time.

After their actions were discovered, the 11 men were charged with "computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy" for their participation in the scheme, as the United States Attorney's Office revealed in a press release.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers," he added, underscoring that the lawbreakers had no chances of getting away with their crimes to begin with, given that hackers are increasingly in the spotlight these days.

The exact amount of money that was withdrawn from ATMs was not disclosed by the officials. They offered, instead, some information regarding the maximum penalty the defendants risk being sentenced to. If convicted on all charges, at least some of the leaders of the network face life in prison.

Hackers Take the US Banking Industry by Storm

Citibank and Microsoft to blame?

2nd of July 2008

Three hackers, Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva, managed to get access to Citibank ATM machines placed in 7-Eleven stores and steal $2 million. Citibank is not the only one to blame since the entire system is owned and operated alongside two other companies (Cardtronics Inc. and Fiserv Inc.). All the attacks took place from September 2007 until March the current year. The hackers are just now being brought to justice, all of them being charged with conspiracy and fraud.

It seems that the hackers managed to acquire the PIN numbers of numerous Citibank customers by targeting the back-end computers that determine whether a withdrawal is legitimate or not. They did not attack the ATM itself, but a 3rd party processor. The exact number of clients affected by the hackers is yet to be determined. What we do know is that a total of 5,700 Citibank ATMs are placed in 7-Eleven shops all across the US.

Citibank representatives have declined to comment in regard to how the hackers were successful. This statement was issued: "We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts". If you are a Citibank customer and this affects you, the bank will most likely contact you with detailed info as well as issue you a new debit card.

The Microsoft Corporation has also come under scrutiny because the Windows OS is used as a building block for the ATM infrastructure. The bank can remotely access the ATM and diagnose it or even repair it. The network must be set up in a secure way and all PIN numbers must be kept confidential. There are industry standards in this regard, but not all financial institutions follow them.

Avivah Litan, security consultant with Gartner (a company that specializes in providing IT management solutions) had this to say: "PINs were supposed to be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be. The banks need much better fraud detection systems and much better authentication."

40 Million Credit Card Numbers Hacked

Data Breached at Processing Center

June 18, 2005

More than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and are at risk of being used for fraud, MasterCard International Inc. said yesterday.

In the largest security breach of its kind, MasterCard officials said all credit card brands were affected, including 13.9 million cards bearing the MasterCard label. A spokeswoman for Visa USA Inc. confirmed that 22 million of its card numbers may have been breached, while Discover Financial Services Inc. said it did not yet know if its cards were affected. MasterCard officials said consumers are not held responsible for unauthorized charges on their cards, and that other sensitive personal data, such as Social Security numbers and birth dates, were not stored in the hacked system. So far, no evidence of fraudulent charges has emerged, they said.

The breach occurred late last year at a processing center in Tucson operated by CardSystems Solutions Inc., one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made.

CardSystems' computers were breached by malicious code that allowed access to customer data, said Josh Peirez, a MasterCard senior vice president.

Peirez said MasterCard is certain only that 68,000 of its numbers were taken by the hacker over an unknown amount of time before the breach was discovered. But because the hacker had access to the full database, it is difficult to say how many more numbers may have been taken, he said.

He said the breach was not confirmed until about two weeks ago.

MasterCard said it has begun notifying banks that issue its cards, which in turn are responsible for notifying cardholders.

A teeming black market for stolen credit card numbers allows thieves to make quick purchases, pinning the loss on merchants, which do not get paid when the charge is discovered to be fraudulent. Identity theft experts said credit card numbers, even those that are canceled, have value because they can be used to help establish the credentials of a thief seeking to pose as a consumer to obtain other sensitive personal data.

Officials at MasterCard and Visa accused CardSystems of not meeting agreed-upon computer security standards. Peirez said CardSystems is being given a short time to make corrections.

"We have requirements," Peirez said. "In this case, it does not seem those standards were being followed."

Visa spokeswoman Rhonda Bentz said CardSystems did not comply with Visa's security rules when the breach occurred, though she would not elaborate on what went wrong.

In a written statement, CardSystems said it discovered the breach on May 22 and notified the FBI the next day.

"We are sparing no effort to get to the bottom of this matter," the statement said.

Bentz said Visa did not announce the breach, which it learned about in the past two weeks, because "we have an agreement with the FBI that we do not make an announcement in the middle of an investigation . . . and we hope MasterCard's jumping the gun does not do anything to jeopardize the investigation."

An FBI spokesman declined to comment other than to confirm that the agency is working on the case.

The breach is the latest in a spate of such announcements from a variety of organizations, including banks and companies that buy and sell personal data, universities and government agencies. In some cases information was lost, in others stolen, but the breaches have put identity theft atop the list of priorities for several members of Congress. Many of the cases involved Social Security numbers.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," Sen. Charles E. Schumer (D-N.Y.) said in a news release.

Peirez said MasterCard supports extending data security laws that apply to financial institutions to any entity that handles consumer information, such as transaction processors and data brokers.

MasterCard also supports a national law requiring that consumers be notified when their information is breached and there is significant risk of identity theft.

But Dan Clements, chief executive of Inc., a privacy protection organization, said financial institutions lack any incentive to take more responsibility for the problem.

Not only do credit card companies and banks that issue cards bear no losses for fraudulent purchases, but banks charge merchants for reversing unauthorized charges.

"It's a revenue stream for them," Clements said.

And of course last but not least of your problems.

How to Hack a Diebold Voting Machine

Posted August 1, 2006

Scientists’ Tests Hack Into Electronic Voting Machines in California and Elsewhere


Published: July 28, 2007

Correction Appended

Computer scientists from California universities have hacked into three electronic voting systems used in California and elsewhere in the nation and found several ways in which vote totals could potentially be altered, according to reports released yesterday by the state.

The reports, the latest to raise questions about electronic voting machines, came to light on a day when House leaders announced in Washington that they had reached an agreement on measures to revamp voting systems and increase their security.

The House bill would require every state to use paper records that would let voters verify that their ballots had been correctly cast and that would be available for recounts.

The House majority leader, Representative Steny H. Hoyer, Democrat of Maryland, and the original sponsor of the bill, Representative Rush D. Holt, Democrat of New Jersey, said it would require hundreds of counties with paperless machines to install backup paper trails by the presidential election next year while giving most states until 2012 to upgrade their machines further.

Critics of the machines said that some of the measures would be just stopgaps and that the California reports showed that security problems needed to be addressed more urgently.

The California reports said the scientists, acting at the state’s request, had hacked into systems from three of the four largest companies in the business: Diebold Election Systems, Hart InterCivic and Sequoia Voting Systems.

Thousands of their machines in varying setups are in use.

The reports said the investigators had created situations for each system “in which these weaknesses could be exploited to affect the correct recording, reporting and tallying of votes.”

Voting experts said the review could prompt the California secretary of state, Debra Bowen, to ban the use of some of the machines in the 2008 elections unless extra security precautions were taken and the election results were closely audited.

Matthew A. Bishop, a professor of computer science at the University of California, Davis, who led the team that tried to compromise the machines, said his group was surprised by how easy it was not only to pick the physical locks on the machines, but also to break through the software defenses meant to block intruders.

Professor Bishop said that all the machines had problems and that one of the biggest was that the manufacturers appeared to have added the security measures after the basic systems had been designed.

By contrast, he said, the best way to create strong defenses is “to build security in from the design, in Phase 1.”

The reports also said the investigators had found possible problems not only with computerized touch-screen machines, but also with optical scanning systems and broader election-management software.

Professor Bishop and state officials cautioned that the tests had not taken into account the security precautions that are increasingly found in many election offices. Limits on access to the voting systems and other countermeasures could have prevented some intrusions, Professor Bishop and the officials said.

Industry executives said that the tests had not been conducted in a realistic environment and that no machine was known to have been hacked in an election. The executives said they would present more detailed responses on Monday at a public hearing.

Ms. Bowen said yesterday that it was vital for California to have secure machines for its presidential primary in February. She said she would announce by next Friday what actions she would take.

The findings could reverberate in Washington, where the full House still has to vote on the measure and the Senate plans to take up a similar bill this year.

Concerned about security, House and Senate Democratic leaders said they wanted to require a shift to paper ballots and other backup records to increase confidence that votes would be accurately counted.

State and local officials have argued that it is too late to make many of the changes without creating chaos next year. Advocates for the blind and other disabled voters say better equipment needs to be developed to enable them to vote without help from poll workers, as federal law requires.

In trying to balance all the concerns, Mr. Hoyer and Mr. Holt decided to delay the most sweeping change, a requirement that every ballot be cast on an individual durable piece of paper, from next year to 2012.

To ensure that all machines would have some paper backup, they agreed to require hundreds of counties in 20 states to add cash-register-style printers to their touch-screen machines for 2008 and 2010 or switch to optical-scanning systems that count paper ballots. New York, which has delayed replacing its lever machines, would have to buy a new system by November 2008.

Advocates for the disabled praised the compromise. For many disabled people to vote independently, the advocates said, the touch-screen machines need to be modified to include audio files that can read back the completed ballots, while the ballot-marking devices used with the optical scanning systems have to be changed to feed ballots automatically.

Ralph G. Neas, president of People for the American Way, a group that helped broker the deal, said the bill offered hope for an end to “unaccountable, unverifiable and inaccessible voting.”

Mr. Holt said the measure could “keep the country from going through another election where Americans doubt the results.”

Critics say the California findings suggest that Congress should press for a quicker shift from the touch screens to optical scanning, in which voters mark paper ballots. Advocates of those systems say that the paper ballots would be less vulnerable to manipulation than the paper trails generated by the touch-screen computers and that they would hold up better for manual recounts.

Correction: July 31, 2007

Because of an editing error, an article on Saturday about three electronic voting systems that were hacked in California misstated a requirement in a House bill meant to ensure that there is a paper record of each vote cast in the 2008 and the 2010 federal elections. It gives counties that now have paperless touch-screen machines the option of attaching printers to them or switching to optical-scanning systems that count paper ballots. Attaching printers is not the only choice.

Also, the article gave an incorrect spelling in some copies for the given name of California’s secretary of state, who said her state must have secure machines for its presidential primary in February. She is Debra Bowen, not Deborah.

Devastating hack proven

December 13, 2005

UPDATE Dec. 16: Volusia County (FL) joins Leon in dumping Diebold. Due to contractual non-performance and security design issues, Leon County (Florida) supervisor of elections Ion Sancho has announced that he will never again use Diebold in an election. He has requested funds to replace the Diebold system from the county. On Tuesday, the most serious “hack” demonstration to date took place in Leon County. The Diebold machines succumbed quickly to alteration of the votes. This comes on the heels of the resignation of Diebold CEO Wally O'Dell, and the announcement that stockholder's class action suits and related actions have been filed against Diebold by four separate law firms. Further “hack” testing on additional vulnerabilities is tentatively scheduled before Christmas in the state of California.

Finnish security expert Harri Hursti, together with Black Box Voting, demonstrated that Diebold made misrepresentations to Secretaries of State across the nation when Diebold claimed votes could not be changed on the “memory card” (the credit-card-sized ballot box used by computerized voting machines).

A test election was run in Leon County on Tuesday with a total of eight ballots. Six ballots voted "no" on a ballot question as to whether Diebold voting machines can be hacked or not. Two ballots, cast by Dr. Herbert Thompson and by Harri Hursti, voted "yes", indicating a belief that the Diebold machines could be hacked.

At the beginning of the test election the memory card programmed by Harri Hursti was inserted into an Optical Scan Diebold voting machine. A "zero report" was run indicating zero votes on the memory card. In fact, however, Hursti had pre-loaded the memory card with plus and minus votes.

The eight ballots were run through the optical scan machine. The standard Diebold-supplied "ender card" was run through as is normal procedure ending the election. A results tape was run from the voting machine.

Correct results should have been: Yes:2 ; No:6

However, just as Hursti had planned, the results tape read: Yes:7 ; No:1

The results were then uploaded from the optical scan voting machine into the GEMS central tabulator, a step cited by Diebold as a protection against memory card hacking. The central tabulator is the "mother ship" that pulls in all votes from voting machines. However, the GEMS central tabulator failed to notice that the voting machines had been hacked.
The results in the central tabulator read:

Yes:7 ; No:1

This videotaped testing session was witnessed by Black Box Voting investigators Bev Harris and Kathleen Wynne, Florida Fair Elections Coalition Director Susan Pynchon, security expert Dr. Herbert Thompson, and Susan Bernecker, a former candidate for New Orleans city council who videotaped Sequoia-brand touch-screen voting machines in her district recording vote after vote for the wrong candidate.

The Hursti Hack requires a moderate level of inside access. It is, however, accomplished without being given any password and with the same level of access given thousands of poll workers across the USA. It is a particularly dangerous exploit, because it changes votes in a one-step process that will not be detected in any normal canvassing procedure, it requires only a single credit-card-sized memory card, any single individual with access to the memory cards can do it, and it requires only a small piece of equipment which can be purchased off the Internet for a few hundred dollars.
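The figures from the test election show why a check on totals alone misses the change: 7 + 1 and 2 + 6 both equal the eight ballots cast. The following is an added example, not taken from the article or from any voting system, that compares the reported tape with a hand count of the paper ballots choice by choice; the function names are hypothetical and the ballot data is constructed from the numbers reported above.

```python
from collections import Counter

# Constructed data: the eight paper ballots as the article reports them.
PAPER_BALLOTS = ["yes"] * 2 + ["no"] * 6
# Totals on the results tape and in the central tabulator, per the article.
REPORTED = {"yes": 7, "no": 1}


def total_only_check(reported, ballots):
    """Turnout-style check: do reported votes equal the number of ballots?"""
    return sum(reported.values()) == len(ballots)


def per_choice_deltas(reported, ballots):
    """Reported minus hand-counted votes for every choice seen in either source."""
    hand = Counter(ballots)
    choices = set(reported) | set(hand)
    return {c: reported.get(c, 0) - hand.get(c, 0) for c in sorted(choices)}


def audit(reported, ballots):
    """Reconcile a results tape against a hand count of the paper ballots."""
    deltas = per_choice_deltas(reported, ballots)
    mismatched = {c: d for c, d in deltas.items() if d != 0}
    return {
        "total_matches": total_only_check(reported, ballots),
        "deltas": deltas,
        # Offsets that cancel out move votes between choices
        # while leaving the overall turnout figure intact.
        "zero_sum_shift": bool(mismatched) and sum(deltas.values()) == 0,
        "passed": not mismatched,
    }


if __name__ == "__main__":
    for name, tape in (("reported tape", REPORTED),
                       ("expected tape", {"yes": 2, "no": 6})):
        print(name, audit(tape, PAPER_BALLOTS))
```

The turnout check passes on the altered tape, while the per-choice comparison reports a shift of five votes from "no" to "yes".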

One thousand two hundred locations in the U.S. and Canada use Diebold voting machines. In each of these locations, typically three people have a high level of inside access. Temporary employees also often have brief access to loose memory cards as machines are being prepared for elections. Poll workers sometimes have a very high level of inside access. National elections utilize up to two million poll workers, with hundreds or thousands in a single jurisdiction.

Many locations in the U.S. ask poll workers to take voting machines home with them with the memory cards inside. San Diego County (Calif) sent 713 voting machines/memory cards home with poll workers for its July 26 election, and King County (Wash.) sent over 500 voting machines home with poll workers before its Nov. 8 election.

Memory cards are held in a compartment protected by a small plastic seal. However, these simple seals can be defeated, and Hursti has found evidence that the memory card can be reprogrammed without disturbing the seal by using a telephone modem port on the back of the machine.

The Hursti Hack, referred to as “the mother of all security holes,” was first exposed in a formal report on July 4.

Diebold has insisted to county and state election officials that despite Hursti’s demonstration, changing votes on its memory cards is impossible. (Public records from Diebold, including threat letter to Ion Sancho:

On Oct. 17, 2005 Diebold Elections Systems Research and Development chief Pat Green specifically told the Cuyahoga County (Ohio) board of elections during a $21 million purchasing session that votes cannot be changed using only a memory card. (Video of Pat Green: Over the objections of Cuyahoga County citizens, and relying on the veracity of Diebold’s statements, the board has chosen to purchase the machines.

According to Public Records obtained by Black Box Voting, Diebold has promulgated misrepresentations about both the Hursti Hack and another kind of hack by Dr. Herbert Thompson to secretaries of state, and to as many as 800 state and local elections officials.

Stockholder suit filed by the law offices of Stull, Stull & Brady and also by Scott and Scott.

Stull Stull & Brady lawsuit:


Diebold CEO resigns:

Volusia County dumps Diebold too

Orlando Sentinel

DELAND -- Diebold voting machines will soon be history in Volusia County. After a nearly five-hour hearing today, County Council members voted to replace its Diebold machines with an entirely new system manufactured by Election Systems & Software.

The move, which will cost more than $2.5 million just for the equipment, was prompted by a federal mandate to buy at least one handicapped-accessible voting machine per precinct by Jan. 1. But the only such devices approved for use in Florida are ATM-like touch-screen machines that don't use paper ballots. But a majority of County Council members want devices that use paper.

The agreement approved Friday on a 4-3 vote allows the county to trade in the paperless touch screens for an ES&S-supported ballot-marking device with an accessible touch-screen called AutoMark if it gets approved for use in Florida. That would cost an additional $150,000.

If AutoMark certification doesn't happen by April 1, the county has the option to get out of the entire contract with ES&S and get a full refund.

Chairman Frank Bruno, Art Giles, Carl Persis and Dwight Lewis voted for the ES&S contract. Council members Joie Alexander, Bill Long and Dwight Lewis opposed it.

The vote ends a nearly year-old debate in Volusia County about how to comply with the federal Help America Vote Act, which mandates accessible voting devices.

KUDOS TO SUSAN PYNCHON, Florida Fair Elections Coalition

Voting Machines Can Never Be Trusted, Says GOP Computer Security Expert