NBC Reports Seven States Election Data Hacked

NBC is reporting that the Intelligence Community has developed substantial evidence that Russian-financed attackers compromised, to varying degrees, the voter registration systems or web sites of seven states.

Up until now, DHS has been completely mum about this.

But now NBC is reporting that the seven states are Alaska, Arizona, California, Florida, Illinois, Texas and Wisconsin.

The officials say that the systems were compromised in different ways and to different degrees.

Those state and federal officials who spoke to NBC claimed that no votes were changed and no voters were taken off the voter rolls. They did not, however, provide any evidence to support those claims, so I guess we should just trust them. After all, why would they lie?

After NBC broadcast the story, the Homeland Security acting spin doctor Tyler Houlton said the reporting is not accurate and is actively undermining the Department of Homeland Security's efforts to work in close partnership with state and local governments to protect the nation's election systems from foreign actors. He did not say what about it was inaccurate. Did he mean that there were only 6 states? Or that there were 9? We don't know.

He also said, via Twitter, that DHS has no intelligence that corroborates NBC’s reporting.

Today, Michael Daniel, top cyber security official at the end of the Obama administration, basically corroborated the NBC reports.

Perhaps DHS is telling the truth.  As the states have complained for a year now, DHS is not sharing any information with them.  Maybe the intelligence community is not sharing information with DHS.  If that is the case, both NBC and DHS could be telling the truth.

Regarding the statement that reporting is undermining the efforts to keep us safe, I have a couple of thoughts.

First, it may be useful not to telegraph to the Ruskies how much we know. Until now, the only state we knew had been hacked was Illinois. Now they know that we know about at least seven states. They can compare that to the list of states they actually did hack and say, maybe, "wow, we got away undetected 50% of the time".

But from a different standpoint, don’t the American people deserve to know the extent of Russian meddling in our elections?

For those of you who are cynical, you may draw a correlation between the current administration’s repeated efforts to “believe” Putin and disbelieve our own intelligence community and an effort by DHS to withhold information on the degree of Russian hacking.

Is this also related to the fact that until last week (when they appointed a committee to look into it) the Justice Department was not doing anything at all about the Russian hacking?

And is this related to the comment that soon-to-retire Admiral Mike Rogers, head of the NSA and of Cyber Command, made before Congress that the White House has not asked them to do anything to stop Russian election hacking?

I don’t know the answer, so you are going to have to draw your own conclusions.  However, given the amount of smoke around this subject, there likely is a really, really, big fire.

Information for this post came from NBC News.



Why do people usually use a VPN connection over the Internet?  Usually it is for added security and privacy.  What if a VPN offered security, but even less privacy than without it – would you use it?

Well some people are and probably do not even know it.

In 2013 Facebook bought an Israeli company, Onavo. Onavo bills itself as a data analytics company, which makes it perfectly clear why Facebook would want to buy it.

But where do they get the data that they want to analyze?

Well that’s easy.  They also make a VPN software product – a virtual private network – that creates a secure tunnel for you to send your Internet traffic over.

However, unlike reputable VPNs, which work very hard to collect as little data about you as possible and hence aid your privacy, Onavo collects as much data about you as possible, to aid Facebook's mission of shoving more ads down your digital throat.

According to a Wikipedia article (here), Facebook is also using Onavo to internally monitor competitors, influence acquisitions and make other business decisions.

If you have the Facebook iPhone app installed and tap the Protect menu item, it will direct you to download Onavo.

It also has an Android app available in the Google Play store.

Facebook says that by collecting as much data as possible about your use of the Internet they can protect you better.  Hmmm, interesting thought.  Other companies seem to do that without having to track what sites you visit.

Many anti-virus products have a browser plugin that looks at the site you want to visit and see if it is malicious.  They don’t need to store the history of what sites you have visited nor do they need to associate those sites with your advertising ID in order to tell if the site is malicious.

Unlike most VPN products that only run when you ask them to run, Onavo tries to stay in your browsing stream all the time.  After all, it cannot collect data on your browsing habits if it is not running.

Onavo says that it may retain your data for as long as you have an account.  Or beyond.  I somehow don’t think that is required to protect you either.

So, if you are looking for more targeted Facebook ads (and ads on those other web sites that use the Facebook ad platform), this is the software for you.

If you are looking for privacy, I am thinking there are probably better alternatives.

Information for this post came from Wired.




EU Introduces Competing Bill to US Cloud Act

When I wrote about the CLOUD Act last week, I expected this to happen;  I just didn’t expect it to happen so soon.

The CLOUD Act (see post) is an attempt by Congress to make it easier for U.S. law enforcement to compel companies to respond to subpoenas for data even when that data is not located in the U.S. The CLOUD Act is a long way from being passed; in fact it was just introduced. The concept that underlies it is extraterritoriality, a legal concept meaning that Country "A" wants its laws to apply in Country "B". In general, that is only enforceable in one of two ways: wage war and defeat the other country (which is kind of dicey) or negotiate a treaty with it. The treaty way is generally preferred, and the CLOUD Act creates a path for that kind of treaty to be negotiated.

To get even with the U.S. (maybe?), the E.U. is about to introduce a similar bill – one that would force the U.S. to turn over data stored in the U.S. to EU. member nations.

For a bill to become law in the E.U. takes even longer than in the U.S., possibly two years, so neither of these bills is a done deal yet.

But, given that both sides seem interested in solving this problem, it is possible that, within our lifetimes, it will happen.

The E.U. bill has the same extraterritoriality problem as the U.S. bill, so after both sides pass a law, but not before, treaties will have to be signed and ratified.

The E.U. actually said that their plan in passing this bill was to have more leverage with the U.S. when the treaty negotiation dance starts.

I expect that the E.U. would require any country it signs a treaty with to agree to the basic tenets of the General Data Protection Regulation, which takes effect in the E.U. in May. The GDPR is completely at odds with the data privacy laws of the U.S., so if that is a cornerstone of the requirement, it would be a difficult pill for President Trump to swallow during the negotiations, but I expect that is the exact intent of the bill.

The current mechanism for getting data from a foreign country is to use the Mutual Legal Assistance Treaty process which is pretty cumbersome and was created long before today’s world of trans-border data flow.

My expectation is that this likely will happen, but as is usually the case, the devil is in the details and, in this case, those details will be one hell of a devil.

Get some popcorn and stay tuned.

Information for this post came from Reuters.

U.S. Customs Cannot Validate e-Passports

For at least 8 years the government has known that the border entry system has a hole large enough to drive a terrorist through, to abuse a phrase, and has not done anything about it.

While the government was twisting the arms of other countries to put chips in their passports – and about a hundred of them do so today – we have not deployed the software needed to validate the security of an e-Passport. About 50 of those countries digitally sign the data on the chip so that manipulation would be detectable, but since U.S. border stations never check that signature, a manipulated chip would pass and we would never know.

First, it is important to understand that this is not an attack an amateur could pull off. But terrorists, in many cases, have nation-state backing, and a nation state absolutely could.

At the risk of pointing out the obvious, while the government is intent on spending $20 billion on a border wall, the terrorists can just come in by driving through a border station with a hacked U.S. passport.   Why try to walk for miles through the desert after climbing a really hard to climb wall when you can be waved through a border station by a nice man in a uniform, while in your air conditioned car?

This issue goes back to 2006;  the Government Accountability Office issued a report in 2010.  Still, nothing has been done about it.

Johns Hopkins cryptographer Matthew Green suggested that a Customs and Border Protection officer is likely to assume the data on the chip is valid and not even look at the printed pages of the passport. Of course the terrorist could modify both, and hackers have already cloned the chips to test their ability to hack passports.

The issue boils down to this. e-Passports have a chip that carries a digital copy of the information printed in the paper passport. That digital information is cryptographically signed so that anyone who changes the data on the chip can be detected – but only if the reader actually verifies the signature. Since U.S. border stations do not, a terrorist could change the digital information and go undetected. To maximize the chances of not getting caught, they would also want to change the printed information in the paper passport, but people have been doing that for decades, at least. The digital passport is supposed to make forging a passport harder – not if nobody checks the validity of the digital data.
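As an added illustration (not code from the original post, from Wired, or from any real inspection system), here is a simplified model of the check the post says U.S. border stations skip. Real e-Passports carry a CMS SignedData "Document Security Object" (SOD) signed under an ICAO PKI chain (country signing CA down to a Document Signer); this toy stands in for that with SHA-256 over a text-encoded SOD, 512-bit textbook RSA with no padding, a deterministic key generator, and constructed data groups. Every key, name and data value below is an assumption made for the example. What it shows is exactly the point above: the same forged chip is accepted by a reader that never verifies, and rejected by one that does, whether the forger leaves the original signature in place or re-signs the chip with a key of their own.

```python
import hashlib
import random

# Constructed sample chip contents (not real passport data). DG1 stands in for
# the machine-readable zone, DG2 for the facial image.
SAMPLE_DGS = {
    "DG1": b"P<UTOSMITH<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<L898902C3UTO7408122M1204159",
    "DG2": b"<constructed stand-in for the JPEG facial image>",
}
FORGED_DG1 = b"P<UTODOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<L898902C3UTO7408122F1204159"


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test; adequate for a toy key (a real Document Signer key lives in an HSM)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits=512, seed=2018):
    """Textbook RSA key pair (assumed toy size) with a fixed seed so the demo is repeatable."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1   # force top bit and oddness
            if is_probable_prime(cand, rng):
                return cand

    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)   # (public, private)


def build_sod(data_groups):
    """Document Security Object: one SHA-256 per data group, canonically encoded (text here, DER in a real SOD)."""
    return "\n".join(f"{name}:{hashlib.sha256(data).hexdigest()}"
                     for name, data in sorted(data_groups.items())).encode()


def sign(message, priv):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message, sig, pub):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def personalize(data_groups, priv):
    """What the issuing state does: write the data groups, the SOD, and the SOD signature to the chip."""
    sod = build_sod(data_groups)
    return {"dgs": dict(data_groups), "sod": sod, "sig": sign(sod, priv)}


def naive_read(chip):
    """A reader with no validation software: trusts whatever DG1 says."""
    return chip["dgs"]["DG1"]


def passive_authentication(chip, ds_pub):
    """Check the SOD signature against the trusted Document Signer key, then each data group against the SOD."""
    if not verify(chip["sod"], chip["sig"], ds_pub):
        return False, "SOD signature invalid"
    expected = dict(line.split(":") for line in chip["sod"].decode().split("\n"))
    for name, data in chip["dgs"].items():
        if hashlib.sha256(data).hexdigest() != expected.get(name):
            return False, f"{name} hash mismatch"
    return True, "ok"


def demo():
    ds_pub, ds_priv = make_keypair(seed=2018)     # issuing state's Document Signer (assumed)
    _, attacker_priv = make_keypair(seed=1337)    # forger's own key, which no reader trusts

    genuine = personalize(SAMPLE_DGS, ds_priv)
    # Attack 1: rewrite DG1 on a cloned chip but keep the original SOD and signature.
    tampered = dict(genuine, dgs=dict(genuine["dgs"], DG1=FORGED_DG1))
    # Attack 2: rewrite DG1, rebuild the SOD and sign it with the forger's key.
    resigned = personalize(dict(SAMPLE_DGS, DG1=FORGED_DG1), attacker_priv)

    return {
        "naive_genuine": naive_read(genuine),
        "naive_tampered": naive_read(tampered),     # forged name accepted: nothing was checked
        "pa_genuine": passive_authentication(genuine, ds_pub),
        "pa_tampered": passive_authentication(tampered, ds_pub),
        "pa_resigned": passive_authentication(resigned, ds_pub),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The order of the two checks matters: the signature is verified first, against a key the reader already trusts, so a chip the forger re-signed fails before any hash is compared, and a chip where only a data group was edited fails on the hash of that group. Neither failure is visible to a reader that never runs the check, which is the situation the GAO report describes.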

Information for this post came from Wired.


CLOUD Act Bill Addresses Thorny Issue of Overseas Data Subpoenas

Microsoft has been fighting with the Justice Department for years over some data Justice wants that Microsoft says is stored in Ireland.

Justice says Microsoft can bring it back to the US and then they can subpoena it.  Microsoft says doing that will break EU laws.  The argument goes on.  The current status is that Microsoft won on appeal but it is now going to the US Supreme Court.

The CLOUD (Clarifying Lawful Overseas Use of Data) Act was introduced in the Senate this week.  If it passes, it will modify the Stored Communications Act and will require US companies to turn over emails or other information in the provider’s care, control or custody, even if it is stored outside the US.  OK, that part is clear.

Here is where it gets a bit muddy.

It also allows for the vendor to ask for the subpoena to be quashed if it believes the customer is not a US citizen and  if disclosure provides a material risk that the firm would violate the laws of another country.

Given that caveat, will anything change?  Well, I guess, if US citizens are storing data overseas under the control of a US company in an effort to keep it out of the reach of the Feds, then they aren’t very bright anyway and the Feds can compel the provider to turn over the data, even if it is stored outside the US.

The bill also provides mechanisms to notify foreign governments when a legal request involves one of their citizens and provides a way to initiate a legal challenge to the request.

That may help improve things if the mechanism is better than what we have today. There is a mechanism, but it is not very speedy.

The bill will also help foreign governments obtain data held in the US by allowing the US government to sign bilateral data sovereignty agreements for cross-border digital evidence. Which countries would be warm to such an idea is not clear. And it has provisions requiring that the other country have robust privacy standards. Other countries might not think WE have very robust privacy standards.

IF such an agreement is reached, the other country has to remove any impediments to US government data requests.

The US is in discussions with the UK over such an agreement right now.  This is not a big surprise given the UK’s recent passing of the new Snooper’s Charter which allows for widespread surveillance and data collection, much like our Patriot Act.

Still, it is not clear what its chances of passage are, and unless other countries sign up for these bilateral agreements, not much will change.

What is clear is that some countries – and maybe the ones we are most interested in – like China, Russia, North Korea, Ukraine, Venezuela and others – will not agree to anything with us.

Still, it is interesting, and we will see what happens to this bill in the coming months.

Information for this post came from The Register.

After 14 Months of Russia Probe, Justice is Going to Study What to Do

If I seem a bit skeptical, that is because I am.  Attorney General Jeff Sessions announced yesterday that the Justice Department  is going to form a committee to study the subject.

Last week the leaders of several branches of the Intelligence Community testified before Congress, saying publicly that the Russians did interfere with the 2016 elections and are already interfering with the upcoming 2018 election.

Given that testimony, the Executive Branch likely felt they had to do something or get blamed when the inevitable does happen this summer and fall.

So, they have formed a team of people inside the Justice Department – the same department that did not do anything to protect the integrity of the 2016 elections, both federal and local.

Some security experts say that the committee lacks focus and a clear mission.

The task force has to deliver its report in June – after many of the primaries are over and only a few months before the general election.

And the problem is not a single problem.  You have fake social media posts, identity theft, election fraud, hacking voting systems and voter rolls, illegal campaign funding and many other issues.

If they had started looking into this last February and reported out last June, that might have given them time to do something before this election, but these are hard problems – distributed problems that are the responsibility of 50 states and 3,500-plus local governments. There is no way this can realistically be fixed between June and, well, last year.

And then, of course, there is the issue of how do we pay for it.

Stay tuned for a report in June.  Are there some things Justice can do without Congress acting?  Likely.  After all, Mueller indicted 13 people, so there are existing laws that are likely being broken.  Probably the number of people that did illegal things is many times that number.

I hope I am wrong and this committee does some good.  We will just have to wait.

Information for this post came from Reuters.