Tag Archives: Election Security

Security News for the Week Ending October 18, 2019

Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy

In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results.   54 state agencies did not respond to the audit.   38% of those responding did not encrypt sensitive data.  22 agencies had not conducted a third party security risk assessment.  11 did not even have a cybersecurity policy plan.  Overall, over half of the respondents (remember 54 agencies did not even respond) were less than 75% compliant with state law.  State agency heads know that, unlike you or me, they are not going to get hauled into court for breaking the law and if they get fined, it isn’t their money.  I wonder how typical this is in other states.  Source: Govtech

 

Karma Wins

Dark web website BriansClub (named after former WaPo journalist turned security author, columnist and speaker Brian Krebs, but which has no relation to him) was hacked.

BriansClub is in the business of selling stolen credit cards and apparently they do very well, thank you.  In the first 8 months of this year, the site sold about 9 million stolen credit cards netting the site’s operator $126 million (in 8 months).   If we assume an average loss to the credit card issuer of $500, that represents a $4 billion loss.

But now hackers hacked the hacker and stole 26 million credit cards from them.  Needless to say, BriansClub can’t ask the cops for help.

Remember that this is only ONE site on the dark web, so you can kind of get an idea of the massiveness of online fraud.

Krebs shared this data with the fraud folks from the credit card industry, so hopefully they can shut off these cards and make life a little better for the victims.

Source: Brian Krebs

 

Hotel [NON] Security

Kevin Mitnick, the Chief Hacking Officer of security training company KnowBe4, posted a video on YouTube about the security – or more accurately the lack of security – of hotel room safes.  I always assumed that they had backdoors because people are pretty likely to forget whatever they set the combination to.

On the other hand, why bother to change the backdoor combination from all zeros?  See the video on YouTube.

 

One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack

One of the President’s web sites left a debugging tool enabled which allowed an attacker to hijack the site’s email server and intercept, read or send emails from that domain.  Trump’s website is one of hundreds that have left the tool enabled.

The researcher who discovered it worked very hard – much harder than he should have had to work – in order to get the Trump campaign to fix the bug.  How long the data on the site was exposed is unknown.  Source: Threatpost.

 

Samsung Issues Alert for Fingerprint Reader Fail

Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of your S10, anyone’s fingerprint will unlock the phone.

Samsung’s response was that you should only use official Samsung accessories.  FAIL!!!   Early Samsung branded screen protectors had a hole over the fingerprint sensor to fix this problem.  Why fix the problem if you can die cut the screen protector for a whole lot less?

Samsung is working on a fix, but this is another example of convenience over security.  Fingerprint and facial scan readers on inexpensive (relatively) consumer devices are low security.  In fact, biometrics should never be used to authenticate you, only to identify you.  Source: Ars

 

Georgia Patches Election Web Site Two Days Before Elections – Calls it Normal

I am not sure who we should be more concerned about – us or them.

The Georgia Secretary of State, who is also running for Governor, has accused the Democrats of unsuccessfully trying to hack the state’s election system and referred it to the FBI.

Propublica is reporting that Kemp, the Secretary of State, quietly patched the web site on Sunday (it is reported that they rewrote the code; how extensive that might be is unclear) after saying the site was secure and had no vulnerabilities.

Kemp said that State Democrats had committed possible cyber crimes after the Dems were notified by someone that he had found gaping security holes in the state’s voter information web site.

A Kemp spokesman denied vulnerabilities existed in the state’s voter lookup site and said that they could not reproduce the problem.

Propublica validated part of the tipster’s claim but other parts did not work after the state made fixes to the web site less than 48 hours before the midterm elections.

On top of all that, on Monday, Kemp’s spokesman claimed that they made changes to the site to support volume, but experts claim that the changes she said were made were, in fact, not made.

From an operational stability viewpoint you would NEVER make a change that close to a major event for fear of breaking something.  Georgia likely has been testing and retesting their web site and other IT systems for months to make sure that nothing breaks today and to make major changes a day or two before the election likely meant that they did, in fact, find serious problems and felt that they had to fix them.  Minor problems would have been ignored because the very last thing that Kemp would want would be for the site to be down or go down on election day.

The Democrats, for their part, claim they forwarded the information to the FBI, Homeland Security and the State of Georgia by mid-day Saturday.

A more likely explanation for Kemp’s actions is that he is not happy that they reported the problem to the FBI and Homeland Security rather than quietly telling him so he could fix it without telling anyone.  Now he is both embarrassed and has a reputation problem after saying the site is secure.

Welcome to politics in America.  By the way, who knows if the Chinese and Russians were aware of or abused these security holes.  No one is saying.

Information for this post came from Propublica.

 

 

 

In Honor of Election Day

First of all, if you haven’t already voted, please vote!

Time did a nice piece on election security (see link at the end).  In a somewhat self-serving statement, Homeland Security Secretary Kirstjen Nielsen said that she FELT confident that this year’s election would be the most secure election we have ever had.  Ignoring for a moment that the paper ballots that we used for the first 150 plus years of our country are probably way more secure than what we are doing now and while I appreciate her feelings, they really don’t give me a lot of confidence.

That being said, we probably have improved the security of the election process since the last presidential election.  If she had said that we have the most secure election we have ever had since 2016, I would probably agree with her, but that would not offer a good sound bite.

Secretary Nielsen said that no matter that the U.S. Intelligence community and law enforcement officials sounded the alarm last month about ONGOING efforts by Russia, China and Iran to influence our elections, that is different.  Her view of election security is limited to hacking of voting machines, not changing the outcome of the election.

While my rant above is possibly a bit harsh, it does point out something that is important.

We need to be concerned about changing the outcome of the election, whether that is by hacking voting machines, spreading disinformation or voting early, voting often, as it was said about Chicago under Mayor Daley.   What matters is that this is our election and not Russia’s.  Or China’s.

It is good that we haven’t seen any sustained effort by foreign powers to hack voting machines.  That, to me, is the absolute hardest way to change the election.  Maybe hacking the central tabulating system at the County or State level might make sense, but hacking individual machines – that is a lot of work.

Time says that 44 states and the District of Columbia did participate in a three day exercise this past summer to put election systems to the test.  Part of the exercise was to test the Fed’s ability to share hacking data with local election officials.  All that seems like a good thing.

Since the Feds, under President Obama, declared election systems critical infrastructure, over the objections of many local officials (fearing that the feds were saying that they were not doing a good job), the Feds created an Information Sharing and Analysis Center or ISAC for Election Infrastructure as a formal way to share information all around.  Another good idea.

1,300 of the 8,880 local election jurisdictions are participating in this system.  Why the rest are not is scary.  Maybe they should publish their membership list so the voters can vote on that!

The Feds have developed a threat detection system that they use called Einstein.  All Federal Internet connections use it and while it is not perfect, it is way better than what was being done before.  Einstein has a cousin called Albert (cute huh?) that the Feds have given (or sold, it is not clear) to 43 states to help them detect threats.  These two are similar in function but completely different implementations.  Still both achieve the same goals – look at Internet traffic and try to ferret out the bad guys.  See this article in Fedscoop for info on Albert.

The Feds also offered to conduct a penetration test of election infrastructure for the states.  Only 21 states asked for help.  While some states do their own pen tests, if you can get another one for free, exactly why wouldn’t you accept?  Unless you were worried.

DHS is also doing remote weekly scanning for 36 state and 94 local governments and providing them with vulnerability reports.

The fact that everyone has not asked for help is just an indication that, for politicians, ego often wins.

Oregon solved the problem (as does Colorado).  Oregon uses paper ballots.  Hack that from Russia! Of course there are counting machines, but hopefully they are not on the Internet.

I do believe, in spite of the above, that we have IMPROVED the security of election systems somewhat since 2016, but there is a long way still to go.  The ExpressPoll-5000 voting machine still uses a root password of “password” and a master administrator password of “pasta”.  That’s got to be pretty secure, no?

And of course, we really have not done much about the disinformation campaigns, which are way easier than hacking a voting machine and, apparently, pretty effective.

The Cybersecurity 202 newsletter talks about disinformation campaigns like Twitter “news” that says that Immigration officials will be at polling stations to check citizenship status which might deter legal immigrants that don’t want to be hassled or hacks to local election or news sites.  We have also seen disinformation email campaigns telling people to go to the wrong place to vote.  DHS says check your information source, but sometimes that is easier said than done.

What do you think?

Information for this post came from Time.