Internet Voting – Safe or Not?

If you ask the Department of Homeland Security, the FBI or the Election Assistance Commission, they say “Slow down, bucko.”

Securing Internet voting is hard to do. Very hard to do.

Internet voting falls into several categories:

  • Sending ballots digitally to voters
  • Sending ballots digitally, marking them only and printing out the results to return the old fashioned way
  • Ballots that are both sent and received digitally

There are dangers to all of these, but the most dangerous is the last.

Some states are experimenting with digital voting in limited ways – say in primaries or for voters with disabilities.

There is a lot of attractiveness to online voting. For one thing, it is simpler for the end user. After all, I don’t understand the attractiveness of waiting on a line with hundreds of strangers for several hours to cast a vote that might take a minute or two if it could be done safely online.

Of course it would cost states billions to upgrade their antique voting management process to support digital voting – ignoring the security issues.

But think about it this way –

Who would want to change your ballot anyway? The answer is that the list is very long: nation states, competing candidates, people who just want to cause chaos, and any number of others.

Then the other problem. Over the last 10 years we have been working very hard to figure out how to be technically able to verify votes that are cast at polling centers on PCs. Finally, many states, but not all, are requiring these PCs (they call them voting machines, but they are really just Windows or Linux PCs) to print out a slip of paper with your votes on it. Some, including Colorado, require these slips to have human readable text that allows the voter to read the receipt and say “yup, those are the people that I voted for”. Some receipts have just a QR code on them. How does that help the voter know whether his or her vote was recorded correctly?

When it comes to pure digital voting, how would you know if the digital ballot you completed was ever received by the county clerk or whether it was changed, somehow, along the way? Currently, no way at all.

If the clerk sends you a ballot and you print it out and return it by mail or in person, it is, maybe, possible to hack, but not in any large way, so the risk is lower.

At some point we will get to all digital voting, but it will take time.

There are too many folks that would really like to undermine the confidence of the American public in the outcome of the election.

Just this year the President has said time and again that even plain old paper ballots sent and returned by mail are a major fraud problem. Colorado has been doing just that for 5 years now with no evidence of major fraud, but let’s assume for the moment that voting on paper ballots with ink via the mail does increase fraud by some percentage. Imagine what the President might say about fully digital voting.

Credit: Washington Post

Cyber Insurance Demand Heats Up

Insurance brokers and industry attorneys say that cyber insurance is heating up.

They are seeing both an uptick in CLAIMS and an uptick in INQUIRIES, likely as a result of an uptick in attacks.

Actually, the uptick in attacks is more like a flood since Covid-19 came around. Note that many of them won’t be detected until business as usual resumes – whenever that is.

The issue is that the move to work at home has increased the attack surface, for a lot of reasons, including the fact that companies did not have the time to plan for it.

At least some of you have cyber policies, so here are some questions to be asking. For those of you buying, this is a great time to ask questions.

First of all, do you have the right coverages? We have seen many policies that do not include ransomware coverage. Kind of a problem these days.

Insurance broker Marsh says that they are not seeing Covid-19 exclusions (or more generally pandemic exclusions) – yet.

But they are seeing carriers asking more questions – for example about disaster recovery and business continuity – things that would be very important to have during a ransomware attack and which, if not in place, will definitely cost the carrier a lot of money to spin up in real time.

Aon says they are seeing more scrutiny during underwriting. The carriers are asking about whether prospects have adequate security measures in place for remote working.

Then there is that wonderful catchall – do you maintain reasonable security measures? That is something that your lawyer and your insurance company’s team of lawyers can argue about for a long (expensive) time.

Zurich insurance says that businesses who are dealing with the pandemic should focus on risk mitigation and conduct cyber risk assessments to identify their specific risks.

Then there are basic questions like the definition of a computer network. Is your employee, using his or her personally owned computer, running on his or her personally owned WiFi connection, considered part of your computer network? What about personally owned hardware? Is it covered?

Whether the carrier wins that argument or not, they may try to wear you down.

And you need to understand what coverage you have when it comes to breach response costs. There may be sub-limits and restrictions and those costs may be deducted from the total coverage available.

Will there be coverage if your employee’s home WiFi was compromised years ago, the employee didn’t do anything to secure it or detect the breach, and you get hit with a CCPA breach lawsuit for data leaking out that way? The cost could potentially run into the millions.

These are all risks that you need to understand and before a breach would be a really good time to do that.

Credit: Law360

Security News for the Week Ending May 15, 2020

Pitney Bowes Hit By Ransomware for 2nd Time in 7 Months

Pitney Bowes has verified that it has been hit by a ransomware attack for the second time in 7 months. This time it is the Maze ransomware, which steals data before encrypting your systems. Sometimes ransomware hackers leave their hooks in a victim’s system so they can come back later and cause more pain. Again I ask – are you ready? Credit: Computer Weekly

U.S. To Accuse China of Trying To Steal Vaccine Data

The U.S. says – no surprise – that other countries such as China, Vietnam and even South Korea are trying to steal vaccine research, treatments and testing. Other than warning businesses that other countries are trying to steal our stuff, it is not clear what the government can or plans to do. Credit: MSN

Security May Be Victim to Business Downturn

In fairness, all costs have to be justified during a business downturn and security costs are one of those costs.

As companies lay off employees and downsize, security teams are at risk because they don’t tie directly to revenue.

But all you need to do is ask a company that had even a small breach and spent, say, $1 million on it, whether saving the salary of that dedicated security team member made sense in hindsight.

The bad news is that the hackers understand this and they will watch for companies that are not paying attention.

Of course, that does not mean that every company is spending every security dollar wisely. Probably not. Credit: WSJ

Ransomware is Getting to be Like Commercial Software with Feature Releases

Something tells me that this is not a good thing, but ransomware software is big business. As a result developers are enhancing their software with new releases. The Sodinokibi (REvil) software has added a new feature that allows it to encrypt files even if they are open and locked by another process. The ransomware kills the process or processes that are locking the file and then encrypts it, after stealing a copy first. Adding features seems to work for companies like Google and Microsoft…. Credit: Bleeping Computer

FBI Reportedly Asks Apple for Contents of Senator Burr’s iPhone

Senator Burr is being investigated for selling stocks after he was briefed on the Coronavirus as the chairman of the Senate Intelligence Committee. The FBI asked for his phone, which his attorney gave them. Apparently the FBI was able to get a warrant after they asked Apple for the contents of Burr’s iCloud account. Apple seems to be willing to give the cops your iCloud data, which they can decrypt, if the cops remember to ask in time. It has been reported that in late January and early February, Burr and his wife sold between $600,000 and $1.7 million worth of stock. The market started its nosedive around February 20th. Credit: CNet

The Conundrum of Privacy Tracing Apps

States in the US and countries around the world are racing to contain the Covid-19 virus. Everyone knows that is a war. We have won or maybe are winning some of the battles in that war, but the war is far from over.

One “weapon” in that war is contact tracing. If we find an infected person, we would like to know who that person came in contact with since they became infected. That way we can test those people and see if they are infected. And so on and so forth.

Some countries, like China, don’t care about people’s privacy.

China is installing video surveillance cameras outside the apartment doors of people who are under quarantine. You leave your apartment and the authorities will arrest you or, perhaps, you just disappear.

Google and Apple have jointly designed and implemented software that traces contacts with other phones running the same software, but keeps the data local on the phone. If you become infected, you can give the government that data. The problem with this, from the government’s point of view, is that it doesn’t get to own a massive database of your location and contact data. They like lots of data.

Utah rejected the Google/Apple strategy in favor of some software written by a startup. The company they chose was a social media startup. The company has 50 employees and wrote the app in three weeks with no oversight and no review. What could possibly go wrong? Do you remember the Iowa Caucus software?

The interesting story about the Utah experiment is that only 2% of Utah residents have opted to install the software. Experts say that you need about 60% for the data to have much use.

Other countries, like Singapore, South Korea and Israel are using existing data from credit card transactions, GPS data and surveillance cameras.

The UK’s National Health Service also rejected the Google/Apple solution, but leaked NHS documents show that they have privacy concerns. Part of their concern is that the data is self reported (other than the location itself) and may not even be correct.

Reuters has an article talking about the issues and the competing solutions.

When I started writing this I thought it would be controversial, but now that it is done, I am thinking it is less so.

Everyone has to decide for him or herself whether they trust the government to track them and collect terabytes of data that they will likely keep forever.

While some of these technologies claim that the data is anonymized, think about this. If the data is anonymous, how do they use it to find the infected people? And data scientists have shown, through many examples, that it is virtually impossible to truly anonymize data. If I have datapoints for your house, your work, your church and your gym, for example, I will de-anonymize that data.
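To make the de-anonymization point concrete, here is an added example (not code from the original post) of the uniqueness check a privacy engineer runs on a pseudonymized location dataset before deciding whether it is safe to share. The dataset is constructed: pseudonyms map to the coarse map cells a person visits regularly, with no names and no exact coordinates.

```python
from itertools import combinations

# Constructed pseudonymized dataset: random IDs -> the coarse map cells
# (say 500 m squares) each person visits regularly during a week.
# The cells stand for home / work / church / gym style places.
RECORDS = {
    "u1": {"A3", "F9", "B2", "C7"},
    "u2": {"A3", "F9", "B2", "E5"},
    "u3": {"A3", "F9", "D4", "C7"},
    "u4": {"A3", "G1", "B2", "C7"},
    "u5": {"H8", "F9", "B2", "C7"},
    "u6": {"H8", "G1", "D4", "E5"},
    "u7": {"H8", "F9", "B2", "C7"},  # same routine as u5, e.g. a couple
}

def matching_users(records, known_points):
    """Pseudonyms whose trace contains every cell in known_points.
    known_points is what an outside party already knows about someone
    (where they live, where they work, ...)."""
    return sorted(p for p, cells in records.items() if known_points <= cells)

def k_anonymity_per_user(records, k):
    """For each user, the size of the smallest group they fall into when
    any k cells of their trace are known. A value of 1 means those k cells
    pin the user down uniquely, i.e. the record is re-identifiable."""
    result = {}
    for pseud, cells in records.items():
        worst = len(records)
        for subset in combinations(sorted(cells), k):
            worst = min(worst, len(matching_users(records, set(subset))))
        result[pseud] = worst
    return result

def fraction_unique(records, k):
    """Share of users uniquely identifiable from some k cells of their trace."""
    sizes = k_anonymity_per_user(records, k)
    return sum(1 for s in sizes.values() if s == 1) / len(sizes)

if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        print(f"{k} known cell(s): {fraction_unique(RECORDS, k):.0%} of users unique")
    # Knowing only home and work cells already narrows seven people to three:
    print(matching_users(RECORDS, {"A3", "F9"}))
```

No single cell identifies anyone in this dataset, yet four cells per person identify everyone except the two users who share an identical routine, which is the effect the post describes.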

I don’t have the answer. In fact, I don’t think there is a right answer. Everyone has to decide what is right for them.

What I think I can say is that it is highly unlikely that apps written in a couple of weeks under intense pressure, or the enormous quantities of data collected by governments with very little advance planning, will be secure. Even when companies and governments have lots of time and resources, apps and data are not very secure. To confirm this, all you need to do is check the news on a daily basis.

No easy answers. Sorry.

So You Think Your Open Source Software is Good?

I bet there is a large chunk of the folks reading this that will say that we don’t use open source software.

And then there is another large chunk that says we’re good; all up to date.

My guess is that both of these statements are wrong.

Synopsys did a study and found these two inter-related statistics:

99% of commercial software programs examined included at least one open-source component, so those of you who checked the first statement, unless you are part of the 1%, are wrong.

91% of those commercial software products contained OUT OF DATE or ABANDONED open-source code. So those of you who checked the second statement – you, too, are likely wrong.

I know you are probably tired of me beating on the software bill of materials drum, but I will keep doing it until the problem is fixed.

Synopsys says that of the 1,250+ software codebases that they reviewed, 91% contained components that were either more than FOUR YEARS OUT OF DATE or had seen NO DEVELOPMENT ACTIVITY IN THE LAST TWO YEARS.

Basically, we are making it very easy for the hackers to break in. Do you think that the code that is four years out of date had no bugs in it four years earlier? That doesn’t count the code that is three years out of date or two years out of date.

If hackers weaponize patches within 7 days of release on average, what do you think happens with code that is 4 years out of date?

This audit was of commercial software. Open source software is likely just as bad.

75% of the audited codebases included open source components with KNOWN VULNERABILITIES.

What could possibly go wrong?

49% contained HIGH RISK vulnerabilities.

Part of your vendor risk analysis needs to include auditing whether the vendor has a secure software development process and whether they have a software bill of materials management process.
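As an added example of what a software bill of materials management process can actually check (this is illustrative code, not Synopsys’s tooling), the script below reads a CycloneDX-style SBOM and applies the two staleness criteria from the report to each component. The SBOM, the package names and the release history are all constructed; in practice the release history would come from a package registry or the project’s repository.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM (the real format's top-level shape) for a
# hypothetical product; component names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.1.0"},
    {"type": "library", "name": "oldparser", "version": "0.9.3"},
    {"type": "library", "name": "quietlib", "version": "1.0.0"},
    {"type": "library", "name": "mystery", "version": "3.3.3"}
  ]
}"""

# Constructed release history, as a registry or VCS would provide it:
# name -> {version: release date}. "mystery" has no known feed at all.
RELEASES = {
    "libfoo":    {"2.0.0": date(2019, 6, 1), "2.1.0": date(2020, 2, 1)},
    "oldparser": {"0.9.3": date(2015, 3, 1), "1.4.0": date(2019, 11, 1)},
    "quietlib":  {"1.0.0": date(2017, 8, 1)},
}

AUDIT_DATE = date(2020, 5, 15)           # the week of this post
OUT_OF_DATE = timedelta(days=4 * 365)    # "more than four years out of date"
ABANDONED = timedelta(days=2 * 365)      # "no development activity in two years"

def audit_component(name, version, releases, today):
    """Classify one component. Interpretation assumed here: out_of_date means
    the version in use was released over four years ago and a newer one
    exists; abandoned means the newest release itself is over two years old."""
    history = releases.get(name)
    if not history or version not in history:
        return "unknown"   # no provenance: cannot be patched, flag for review
    used_on, newest_on = history[version], max(history.values())
    flags = []
    if today - newest_on > ABANDONED:
        flags.append("abandoned")
    if newest_on > used_on and today - used_on > OUT_OF_DATE:
        flags.append("out_of_date")
    return ",".join(flags) or "ok"

def audit_sbom(sbom_json, releases, today):
    """Map each component name in the SBOM to its staleness status."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c["name"]: audit_component(c["name"], c["version"], releases, today)
            for c in sbom["components"]}

if __name__ == "__main__":
    for name, status in audit_sbom(SBOM_JSON, RELEASES, AUDIT_DATE).items():
        print(f"{name:10} {status}")
```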


What is the likelihood that all of your vendors – including cloud vendors – are in that one percent?

I’d say the likelihood is zero percent. Credit: ZDNet

Finally, Intelligent Explanation of Why Using Huawei 5G is Dangerous

President Trump has been trying to get other countries to follow his thoughts on punishing China by banning Huawei from participating in their 5G networks with almost no one following his wishes.

The UK, however, is using a different approach.

Tobias Ellwood, a member of the UK Parliament and the Chairman of the Defence Committee says this:

First, Russia and China are likely to work in partnership over the next decade with China telling Russia where the holes are and Russia exploiting them. This is not a complete surprise, but interesting.

The more important issue is this.

Ellwood says that Huawei has, and I quote, pisspoor software development practices.

He went on to wonder why Huawei is so shoddy in their cybersecurity engineering. He suggested out loud that maybe they just don’t care about it and it is not important to them. Further, he went on to ponder that maybe it is related to the fact that their price point is so low.

If you believe Ellwood, and it seems almost logical, using Huawei equipment in our 5G network is bad not because Huawei is in bed with the Chinese government. They probably are, but then again, AT&T was in bed with the US spy agencies until that was exposed by Edward Snowden, so that is not exactly news. Companies are usually required to cooperate with the governments of the countries in which they are located and do business.

Rather, using Huawei is a bad idea because they write crappy software – much like we did TWENTY YEARS AGO. We have learned because our market demanded it. Ellwood says that they just don’t care. They will care, however, if people stop buying their stuff.

With Huawei, many governments are buying their equipment because it is cheap, not because it is good.

When it comes to 5G, that might not be a really bright idea.

After all, if their software is as secure as a screen door on a submarine, then China is just one of the countries whose attacks we need to worry about.

Every country’s intelligence agency (and hackers too) will try to attack every other country’s networks. The smart countries will work to secure their networks. We know that our so-called friends like Korea, France and Israel, among others, all spy on us.

THIS is a much better reason not to use Huawei equipment.

What may be the case – just speculation – is that the NSA has been listening in on Huawei networks around the world but can’t really say that, so they have to sort of make up a reason not to use it.

Whatever the rest of the story is, it seems that not using Huawei is in each country’s own best interest.

Contemplate that. Credit: The Register