• Recommend:
• 0 Comments

All Star Site Plays Hardball With Hackers

Major League Baseball lets fans vote online, but how secure is electronic balloting?

By Michael Meehan, PCWorld   

Last year, MLB collected 1 million online ballots--the most since it kicked off electronic balloting in 1996. The organization hopes to double that number before this year's July 2 deadline, according to MLB spokesperson Pat Courtney.

But All-Star officials are trying to reach that goal without repeating last season's incident when a fan from Carver, Massachusetts, tried to stuff 39,000 votes for Boston Red Sox shortstop Nomar Garciaparra through the online balloting system.

"Baseball clearly, coming off last year's issue, was concerned about this," says Tim O'Mara, senior vice president of operations for SeasonTicket.com, which is in charge of this year's electronic tabulations.

Fans will be allowed to cast 25 electronic ballots from a single e-mail address. That's an average of one for each home game during the balloting period.

All addresses will be verified, daily audits of the votes will be performed, and the totals will be posted daily, rather than in real time, to allow for those audits to take place, O'Mara explains.

"We're confident [hackers are] not going to cast an illegal vote that gets counted," he says.

O'Mara says he believes the e-mail addresses will provide enough information to perform the needed security but refused to reveal details of how that will work.

Last year, the culprit was caught when his votes came in too quickly from a single IP address.

Sliding Past Security?

But security experts aren't as confident as O'Mara that the new system will ward off hackers. Setting up a program to delay the votes and randomize the IP addresses wouldn't prove too difficult to an experienced hacker, says Rob Clyde, vice president for security management at Axent Technologies.

"They can punch up a routine and just let it run for a few days," Clyde said.

Michael Rothman, executive vice president of security firm SHYM Technology says the All-Star site will pose a ready-made target for "anybody who can sling together a JavaScript."

"Technology's amazing," he says. "It's bringing a level of efficiency in fraudulent activities that used to be done with just brute force."

Rothman says SeasonTicket.com was on track in creating digital identification. Clyde also suggests intrusion detection software and keeping core activities secure behind a firewall.

Yet baseball fans have tried to stuff All-Star ballots for decades. When added to a hacker community that loves a challenge, the All-Star ballot sticks out like a bull's-eye.

"We know somebody's going to try something," O'Mara says.