Can The Ruskies REALLY Hack Our Elections?

With all the news lately about the Russians trying to change the outcome of the elections (like, I might add, the U.S. has been trying to do around the world for decades – think of the Shah in Iran, the Congo elections, Chile and many others – see here), the real question is: can the election really be hacked?

The Pew Charitable Trust published a great piece on the subject which should make you think about the subject.

Here are my thoughts on the subject.  Feel free to comment.

#1 – As a concept, there is no “single point of failure” in the American election system.  That is both its strength and its weakness.  According to Pew, there are 10,000 election entities, mostly (by sheer numbers) counties and cities.  These organizations are, at best, loosely affiliated with each other.  The Clerk in Wichita, KS likely doesn’t even know the Clerk in Fort Smith, Arkansas, except maybe by chance and, for sure the systems used by the two cities are not, in any way, connected.

#2 – Your local voting machine is NOT connected to the Internet.  In fact it is not connected to much of anything.  It is likely loaded with its ballot by a flash drive, created at the Clerk’s office.  At the end of the election day, the results are read out on each machine and probably called into each individual election office, manually.  The machines are then locked up and driven to a warehouse, where they are stored, more or less securely, until the next election.  Could you compromise that flash drive at creation time?  Likely.  Probably without a huge amount of effort.  But even if you do, that would only be used within a single election PRECINCT.  Not exactly an easy way to change the outcome of a Presidential election.

#3 – While we are on the subject of Presidential elections, the easiest way to change the outcome of that election is by way of fake news, promoted by influencers.  Not the fake news that the current office holder talks about, but rather real fake news.  The average voter assumes, for the most part, that whatever they read, if it supports what they believe, is likely true – it just reinforces their existing beliefs, without regard to whether those beliefs are correct or not.  That is certainly what Russia did in 2016.  Those efforts can effect a change in the election results.

#4 – It doesn’t require flipping very many votes to change the outcome of a single election.  In this week’s PA-18 House election, the difference between winning and losing was around 627 votes.  Out of 250,000 or so votes.  So, if, via fake news, you can flip the minds of less than a thousand voters, you have just changed the outcome of an election.  That is probably a lot easier and a lot cheaper than trying to hack voting machines.

“That keeps me awake at night,” said Nancy Blankenship, the clerk for Deschutes County, Oregon.

That quote gives me some hope regarding fending off the bad guys.

On the other hand, this quote worries me.  This clerk either is so clueless about technology that she should not have the job or is sticking her head in the sand.  In either case, it is a problem.

Sara May-Silfee, the director of elections for Monroe County, a community of 170,000 in eastern Pennsylvania, said she knows her county is secure, even if her state was one of 21 states targeted by Russian hackers in 2016.

“I can’t even begin to tell you how they’d hack us,” she said. “Nothing is hooked up to anything. How could anybody hack us? I’m not worried about anything. Sometimes it seems like a lot of hullabaloo.”

I wonder how she KNOWS her county is secure?  Perhaps the same way Target knew?  Or Home Depot knew?  Part of the problem is that County clerks are political animals.  Usually elected.  Highly unlikely from a technical background.

I saw an article earlier today that the Air Force was lamenting that they could not find good cyber security folks.  After all, they pay $37,000 a year plus allowances and benefits.  Someone who is competent could likely make 50% to 100% more in the private sector and not have to worry about having to listen to the whims of politicians who have no idea about tech, even though they feel the need to flap their gums about the subject.

#5 – In many locations, the vast majority (if not all) of the ballots are done via mail.  ON PAPER.  The old fashioned way.  Could you steal the ballots out of the mail?  Maybe?  But if you do, are you helping the candidate you favor?  Or hurting that candidate?  Could you hack that voting process?  Unlikely.

#6 – Could you compromise the central ballot counting process in any given city or county?  Maybe, but likely not easily.

#7 – Hackers could break into central state voter databases and add names, delete names or make changes.  This is one of the things that the Russians were reported to have been trying to do during the 2016 elections.  Is this possible?  Apparently, at least to a degree.  What backups, cross checks and security measures any given voter database has is, of course, unknown.  Reports have it that the Russians were successful at doing this, at least to some extent, in several states.

#8 – Many electronic voting machines still do not have a paper confirmation printout.  What this means is that there is NO way for the voter to know what the voting machine actually registered and no way for voting officials to verify the vote count.  THIS IS A BIG PROBLEM.  Without some independent means to verify the vote count, it is all a big guess.

At the hacking conference Defcon, there has been a contest for the last few years for hacking voting machines.  Every year, every single machine gets hacked.  Sometimes in just a few minutes.  In fact, it has been so embarrassing to voting machine manufacturers that they have resorted to threatening people who sell voting machines on the used market.  If the organizers of Defcon can’t get machines, they can’t embarrass the voting machine manufacturers.  If I were a manufacturer, I wouldn’t count Defcon’s organizers out yet.

Suffice it to say, this system is far from perfect.  However, hacking the tech is not only hard but will also have limited effect.  There is no central place to attack; no website to compromise.  Still, that doesn’t mean you can’t do anything.  Think back to PA-18 this week.  Only 600+ votes separated the winner from the loser.

Information for this post came from The Pew Charitable Trust.


Ransomware, The Gift That Keeps On Giving

Just a few years ago most people had not even heard about ransomware.  Today, if you have not been hit by a ransomware attack, you certainly have heard about attack after attack.  Ranging from massive attacks that affected companies like FedEx and Merck pharmaceuticals to hospitals to little mom and pop stores, ransomware is the scourge of our technical world.

There really is one major reason for ransomware attacks – money.  If you pay the ransom, even what you perceive to be a small one, it sustains the attacker’s morale and encourages more attacks.

Although no one really knows the statistics, people do make educated guesses.  According to security firm Kaspersky, in Q1 2016 an individual was attacked every 20 seconds; a business was attacked every 2 minutes (I assume that most of these attacks were NOT successful).  By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.

In Q1 2017, 60% of all malware payloads were ransomware, according to Malwarebytes.

And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in.  That includes a billion dollars for WannaCry alone.

People are paying millions in ransom as well.

See this article for more stats.

So why are we seeing the increase in ransomware?

#1 – As credit card companies improve their security, it is becoming harder to cash in on stolen credit cards.  Hackers are turning to other ways to make money.

#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their games when it comes to cybersecurity.

#3 – The emergence of Bitcoin and other cryptocurrencies has made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.

So here are some thoughts about dealing with ransomware.

In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly.  In these cases several thousand devices were compromised in an hour.  That doesn’t give you much time to detect the attack, never mind respond to it.

In the first organization, they did not have robust detection software and so the attack ended when all of the vulnerable machines were compromised.  The other organization did detect it and were able to take some machines offline and save them, but still many machines were compromised.

Here in Colorado, the Colorado Department of Transportation was hit by a ransomware attack twice in a period of a week or two.  Weeks later, many of their computers are still only useful as doorstops.

Let’s assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than that decades-old antivirus software that you are using) – then there are two options.

First, you don’t pay the ransom.  Assuming you have good backups and depending on the size of the organization, it could take weeks to months to recover all of your systems.

Assuming you do pay the ransom you only have 50/50 odds of getting a key that will successfully decrypt your devices.

But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread?  PROBABLY NOT!

The best technique for preventing successful ransomware attacks is training your users.  Clicking on links and opening attachments are likely the two most common ways to get infected.

There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.

The next thing that you have to have is a very robust incident response program.

When I speak at seminars I talk about the Sony attack disaster.  A few months before that, there was a similar attack that you likely never heard of – because they had a great incident response program and empowered individuals to take action.  The organization was the Sands Hotel and Casino, and IT security made the decision to start literally unplugging computers from the network.  They had people running through the casinos pulling cables.  The result was a greatly diminished attack.

On the other hand, a local municipality in the Denver area was hit by a denial of service attack and once they got approval to disconnect from the Internet, it took them hours to figure out exactly how to do that.  A lot of damage can be done in hours.  You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.

Two different organizations, two different outcomes.

Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack.  How devastating that attack is will be based on how prepared you are.

How prepared are you?

Information for this post came from SecurityInfoWatch.


What If Security Products Offered Warranties?

Most of the time software license agreements say “we are not responsible for anything that might happen”.  In fact, most license agreements say that it is up to the user to figure out if the software is even appropriate for whatever the user plans to use it for.

So what would happen if a software vendor offered, say, a ONE MILLION DOLLAR warranty?

Well, you no longer have to wonder.

SentinelOne, maker of endpoint protection software (the next generation of antivirus software), has started offering a million dollar warranty if their customers’ computers are infected by ransomware while their software is active.

They are that confident of their product.  They use AI and machine learning to stop attacks.

SentinelOne decided that they needed a differentiator.  Providing a warranty would be an impressive difference in a very crowded software segment with 60 competitors.

However, last year there were four vendors offering a warranty; this year there are 18, so that difference is losing a little bit of its punch.  SentinelOne is likely responsible for that.

If this trend continues, this could be a great event for users.

Getting SentinelOne’s management to agree to offering a warranty was a bit of a challenge, but Jeremiah Grossman, the guy who did the convincing, had things figured out.

First you have to model your losses, understanding what the likelihood is of the product failing.

Then you have to buy reinsurance against catastrophic losses.  The reinsurance, he said, cost them less than $25,000 a year.  A pretty cheap marketing cost.

SentinelOne said they had no losses in the last year.  That, by itself, is pretty impressive.

While $1 million is a lot of money, the average cost to recover from a midsize breach is between $3 million and $7 million, so that $1 million, while it should be a good sales tool, is not the end game.

Enter warranty V2.  Details still being worked out.

Still, if this is a trend, maybe there is an end to the insanity of software licenses – caveat emptor, buyer beware.

That, if it happens, would be a wonderful change.  I have my fingers, and toes, crossed.

Information for this post came from SearchSecurity at TechTarget.


2018 Hasn’t Started Out So Great

In January researchers disclosed a pair of twenty-plus-year-old flaws, Spectre and Meltdown.  While Meltdown seems to mainly affect Intel chips and is relatively easy to fix, Spectre affects everything from Intel chips to smart light bulbs and is extremely difficult to fix (see here).

Fast forward to this month…

This week, in a pretty sketchy announcement, researchers claim that they have found 4 different related flaws that only affect AMD chips.  The flaws were found by a team of Israeli researchers who only gave AMD 24 hours to review their findings.  Compare this to the six months that Intel had to review the Meltdown and Spectre research.  They have not provided any details, publicly, of the flaws.

The researchers call the flaws Ryzenfall, Masterkey, Fallout and Chimera.  And they gave them cute logos.

The concept of responsible disclosure says that researchers are supposed to tell vendors about flaws in advance of the public disclosure so they have the possibility of fixing it before it becomes public and the hackers get to start figuring how to create an attack around it.

In this case they gave AMD 24 hours.  That is not enough time to understand the problem, never mind fix it.

On their web site, the researchers disclosed that they may have “an economic interest in the performance of” (AMD).  I guess that means that they shorted the stock before they dropped the bombshell.

There is some good news however, which may indicate this is being overhyped by the researchers.  The attack cannot be done remotely.  It cannot be done locally if the user does not have access to the system.  It cannot be done locally, even with access to the system, unless you are an administrator on the system.  That greatly reduces the ability to exploit the flaws.

But there is also some bad news.  It is possible that at least one of the flaws is not fixable.

Only time will tell.

What this does mean, at least for now, is that users of AMD based systems should be extra careful about doing things (like opening strange emails or attachments or clicking on sketchy links) that would increase the odds of them falling victim to an attack because if they do, the consequences might not be pretty.

Information for this post came from Techcrunch.


Yahoo Breach Victims Can Sue

Here’s a thought.  If the lawsuit against Yahoo succeeds and the award is $10 per victim, that would be a $30 billion judgment.

The breach, you may remember, was publicly disclosed after Verizon agreed to buy Yahoo but before the deal closed.  As a result of the announcement the price was lowered by $350 million, but there were also some changes to the terms.

The changes were not all announced publicly, but likely some of the changes were related to who gets to pay for fines and penalties.

*IF* the plaintiffs win and the award is $30 billion –  two VERY BIG ifs – and even if the two companies split the $30 billion, then that $350 million discount won’t seem like much of a deal.  All of this is a big if.

For years judges dismissed these lawsuits out of hand saying that the plaintiffs didn’t suffer imminent harm or didn’t have standing at all.

In this case, the judge is someone who is familiar with both high tech and very public trials – she presided over the Apple-Samsung trial, among others.

The judge, Lucy Koh, said that it is reasonable that the plaintiffs might have chosen a different email provider if they had known that Yahoo’s email system had weaknesses.

She also said that the plaintiffs were going to be allowed to try and prove that the liability limits in Yahoo’s terms of service were unconscionable given the allegations that Yahoo knew its security was horrible and didn’t do much about it.

It is going to be years before anything is likely settled, but we are seeing more and more that judges are no longer siding with companies blindly saying there is nothing that companies can do to prevent breaches.

Obviously no one knows what the outcome of this trial and appeals will be, but if the plaintiffs win and if there is a big award, it would set an interesting precedent.  This case is being tried in the 9th Circuit, which is in the heart of Silicon Valley.  If the plaintiffs win, it will definitely get the attention of every tech company in the valley.

I have heard that Yahoo did not have any cyber risk insurance.  If true, they could be digging deep in the couch cushions to pay for the trial, appeal and possible verdict.

Information for this post came from Reuters.


Hey Cortana! Install Malware. Infect this Computer.

There are some possible downsides to personal virtual assistants.

What if an attacker could use Cortana or Alexa to infect your computer?

As these assistants become more widespread, the likelihood of an attack goes up.

Screen locks do work.  Sort of.  They tend to stop nosy cube-mates and possibly evil maids, but beyond that, they are marginal.

Two Israeli researchers have figured out a way to get Microsoft’s Cortana to do their dirty work.

But the fact that they did it with Cortana is, I think, only a matter of opportunity.

They used Cortana to exploit a well known Windows “feature”.

Could they use Google Assistant to exploit an Android feature, or Siri to exploit an Apple feature?  This just proves it can be done.

We saw this last year when a neighbor used Siri to unlock the house next door.  Siri was listening and more than happy to trigger the smart lock to open the door.

In this case they used the Windows “Feature” that when Windows sees a new network adapter, whether the system is locked or not, it installs the drivers.  The researchers plugged in a device that was designed to look like a USB network adapter.  After the system installed the network drivers (which, in reality, was enough to compromise the PC), they told Cortana to open a web browser and go to a malicious web site where it downloaded and installed malware.

Apparently, you can tell Cortana to only respond to your voice, but you have to train it to do that, so most people don’t do that.

Absent that, for some strange reason, the assistant will respond to voice commands, even if the computer is locked.  That makes absolutely no sense to me.  Locked SHOULD mean locked.

Microsoft changed that feature after the researchers explained what they did.

You say that the attack is not very subtle because someone nearby would hear the attacker issue the commands.

All of the assistants respond to high-frequency sounds – high enough that the people nearby couldn’t hear, but the computer microphone would pick up the sound.  This is also a known technique called a DolphinAttack and has been known for years.

The attack also works by playing an audio file over the computer’s speakers.

Microsoft’s so-called fix was to direct all browsing requests through Bing, but they still process commands on locked computers, meaning that the computers are still susceptible to a different attack.  As I said – my opinion – locked should be locked.  Period.
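One way for an administrator to enforce “locked means locked” on their own fleet, as an added PowerShell example that is not part of the original post: it audits, and with `-Apply` sets, the Group Policy registry values that stop Cortana from listening above the lock screen (`AllowCortanaAboveLock`) and that stop Windows from silently installing drivers for a newly plugged-in network adapter (`DeviceInstall\Restrictions\DenyDeviceClasses`). The function names and the `-Apply` switch are mine; run it elevated.

```powershell
# Added example (not from the original post). Audits / enforces two policies that
# close the lock-screen paths described above. Requires an elevated prompt.
param([switch]$Apply)

$cortanaKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$devKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$denyList   = "$devKey\DenyDeviceClasses"
# Well-known device setup class GUID for network adapters (the "Net" class).
$netClass   = '{4d36e972-e325-11ce-bfc1-08002be10318}'

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# The deny list is stored as string values named 1, 2, 3, ... each holding a GUID.
function Get-DeniedClasses {
    if (-not (Test-Path $denyList)) { return @() }
    @((Get-ItemProperty -Path $denyList).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

function Test-LockScreenHardening {
    $cortana = Get-PolicyValue $cortanaKey 'AllowCortanaAboveLock'
    $denyOn  = Get-PolicyValue $devKey 'DenyDeviceClasses'
    [pscustomobject]@{
        CortanaAboveLockDisabled = ($cortana -eq 0)
        NetAdapterInstallBlocked = ($denyOn -eq 1 -and ((Get-DeniedClasses) -contains $netClass))
    }
}

function Set-LockScreenHardening {
    foreach ($k in $cortanaKey, $devKey, $denyList) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # 0 = Cortana may not respond to voice while the machine is locked.
    Set-ItemProperty -Path $cortanaKey -Name 'AllowCortanaAboveLock' -Type DWord -Value 0
    # 1 = enforce the deny list of device setup classes.
    Set-ItemProperty -Path $devKey -Name 'DenyDeviceClasses' -Type DWord -Value 1
    $denied = Get-DeniedClasses
    if (-not ($denied -contains $netClass)) {
        $slot = [string]($denied.Count + 1)      # next free numbered value
        Set-ItemProperty -Path $denyList -Name $slot -Type String -Value $netClass
    }
}

if ($Apply) { Set-LockScreenHardening }
Test-LockScreenHardening
```

Blocking the Net setup class also prevents installation of legitimate new adapters (docking stations, USB NICs), so pre-install the ones you support or whitelist their hardware IDs before enforcing it fleet-wide.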

This is likely to get worse before it gets better.

Information for this post came from Motherboard.
