Tag Archives: Elections

2020 Election Audits Costing Millions but Not in the Way You Think

Arizona’s Republican led state Senate hired Cyber Ninjas to review the election results for Maricopa County. Unfortunately, these ninjas had no experience doing election audits and, apparently, not much experience doing any kind of forensic investigating. They did not maintain custody of the equipment, they did not maintain surveillance on the equipment and they allowed unauthorized people to access the equipment.

The result? The state decertified the equipment which means that the County needs to replace all of it. Since it was leased, they have to buy out the lease from Dominion. And then destroy it. In a deal with the state, which threatened to withhold $700 million in state funding if the county didn’t turn over their routers, the state Senate agreed not to do that if the county agreed to pay the $3 million to replace the election equipment. Credit: AZCentral

In Pennsylvania, another fight broke out when the state started a similar audit. The Pennsylvania Department of State said that they would decertify all voting equipment in all 67 counties in the state if the chain of custody was broken. The state says that could cost up to $40 million. Credit: Reuters

The FBI is investigating a situation in Lake County, Ohio, where a private laptop was connected to the state network in the office of the Board of Commissioners Chairman John Hamercheck, allowing this person to capture network traffic. This is similar to the investigation going on in Mesa County, Colorado. Credit: Washington Post . This data was given to MyPillow guy and used at his August non-cyber-symposium event where he was supposed to show us how the election was hacked and did not.

As I reported the other day, in the Mesa County investigation, images of the hard drives of the county’s election counting equipment were uploaded to the Internet. Images of all of the counties passwords were also posted on the Internet.

The Wall Street Journal is reporting that Iranian Hackers breached the network of newspaper chain Lee Enterprises to test modifying and creating content in the chain’s newspapers. The Justice Department recently indicted these hackers.

All of these, along with other similar events, are costing governments across the country millions of dollars in investigation costs, added labor including overtime, additional security expenses, legal expenses, replaced equipment, downtime and other costs.

All of this money is coming out of taxpayers’ pockets.

While this may be justified, if this was done within channels – which the people wanting the audits don’t trust, the cost would dramatically less.

This is just the tip of the iceberg. All of the recounts, all of the audits, even if they are done within channels still cost tens of millions – probably hundreds of millions.

Of course there is no tally of all of these costs. But you and I get to pay for them.

Security News for the Week Ending November 19, 2021

Old Scams Never Die, They Just Get a Fresh Coat of Paint

Scammers have been posing, according to a warning by DHS, as Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) agents in San Antonio. The scammers call the mark, pretending to be HSI and tell them there is a problem with their passport and if they just pay the scammer/HSI agent some money, the problem will go away. They threaten that they will be arrested if they don’t pay. The victim’s passport, they say, was involved in a crime and police will be dispatched to their house to arrest them. Marks can call the ICE tip line at 866-347-2423 if they are able to “mark the mark”, so to speak. This type of scam is decades old; the only things that change are the targets and the agency who the scammers claim to represent, although DHS is a popular one. Credit: Infosecurity

Hackers Use Real FBI Email Account to Send Spam Cyberattack Spam

I don’t think this qualifies as a hack. Instead it is really poor software design. The FBI runs a portal for law enforcement, but until Saturday anyone could sign up for an account. The prankster sent out at least 100,000 emails and the FBI was flooded with calls. For admins, it was hard to disregard the alert since it came from the real FBI email server and was signed with DMARC. A bit of a black eye for the FBI and they only said that they were working on fixing the hole. Their temporary fix was to shut the system down. Probably a good idea. The hacker talked to Brian Krebs and explained what he did and why. To point out crappy security. Credit: Brian Krebs

Election Conspiracy Theory Lives On

For those of us in Colorado, there is a full blown election conspiracy fight still going on. Tina Peters, the election official in Mesa county, the reddest part of the state, is in the middle of a fight for her political life. A Republican, she was booted out of her role as election chief by Jena Griswold, a Democrat and the state’s chief election official. Griswold appointed another Republican to oversee Mesa County’s elections. So far, the courts have sided with the state. Peters did things like turn off the cameras in the secure counting area and made covert copies of the disk drives from the counting machines Somehow, copies of all of her voting system passwords and a copy of the rogue disk drive image were posted on the Internet for anyone to download. She says that she doesn’t know how that happened. Her legal expenses are being paid for by the MyPillowMan. Check out the story here.

CISA About to Name Members of New Advisory and Investigation Panels

DHS’ CISA officially created the Cybersecurity Advisory Committee this month. It was authorized in the 2021 NDAA. The committee is limited to 35 people and must include one each from 12 key industries including finance, tech, communications and healthcare. The remaining slots will be appointed by CISA’s director. The Cyber Safety Board was created by executive order this year and will operate similar to the way the NTSB examines transportation accidents. It will include both Govies and private sector people and will convene when needed. Credit: The Record

Security News for the Week Ending October 30, 2020

Louisiana National Guard Called in to Help Local Election Officials

According to tips, the state of Louisiana had to call out the National Guard after some number of small government offices across the state were hit by ransomware. Experts say the tools have the hallmarks of the North Koreans, so all of the major attackers – Russia, China, Iran and now North Korea – are all trying to compromise our elections. This problem is not going away. Credit: Business Insider

Attacks on Cryptocurrency Continue

A hacker stole $24 million of cryptocurrency service Harvest Finance, a company that allows users to arbitrage cryptocurrencies. The company was hit by a $570 million “bank run” after the attack. They claim they know who the attacker is. One more time, software has bugs and can be exploited. Who would have thunk? Credit: Coindesk

Ransomware Disables GA. County Election Database

This is both good news and bad news. Hall County, GA was hit by a ransomware attack earlier this month. The attack, disabled the voter database, along with other systems like phones. The county claims that they will still be able to run the election because they can manually verify signatures from voter registration cards. They are also using a state database that was not affected. This points out that attacking some small county in a state is probably not the best way to change the outcome of an election. Credit: Gainesville Times

Trump Website Briefly Defaced

One of the campaign’s websites was briefly defaced Tuesday night and the site was replaced by a message similar in style to the messages put on a website that the government seizes. The message looked like this:

Image

Of course the site had not been seized and it was returned to its normal state after a little while. To be honest, I am surprised not more has occurred given the other events going on in the country. This seems pretty childish, but we don’t know if the warning on the site is true; stay tuned.

Regarding the hack, CISA Director Chris Krebs said on Twitter, “Like I said yesterday, website defacements are noise. Don’t fall for these attempts designed to distract, sensationalize, and confuse. Ultimately they’re trying to undermine your confidence in our voting process.” Credit: Variety

Wisconsin Repubs Say Hackers Duped Them Out of $2 Million+

The Wisconsin Republican Party says that hackers scammed them out of more than $2 million of donors’ money using very traditional business email compromise attacks creating fake invoices from real vendors and paid to the hackers’ bank accounts. The Wisconsin Dems say that they have been targeted by over 800 attacks, but so far, none (that they know of) have been successful. Credit: AP

Security News for the Week Ending October 23, 2020

Iran or Russia – Who Should We Worry About?

The FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.

The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We’re told:

It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections. Credit: The Register

Snowden Granted Permanent Residency in Russia

The AP is reporting that Russia has granted Edward Snowden permanent residency status. Basically, Putin poked Trump in the eye with a sharp stick two weeks before the election. In what is clearly a calculated political move by former KGB operative Putin, he decided to do this right before the U.S. Presidential election, rather than wait a couple of weeks. Is this an effort by Putin to affect the election? Don’t know, but I am pretty sure it is not a coincidence. Credit: AP

WordPress Forced Updates to Entire Base of Site Due to Plug-in Bug

A critical bug in the Loginizer plug-in which would allow a hacker to bypass the login process caused WordPress to force an emergency update to its entire user base. While some admins whined about the forced update, Loginizer says that 89% of its installations have been updated. Forced updates have been used, rarely, by every major software vendor – inclusing Apple and Microsoft on a more frequent basis – because users just don’t deal with patches quickly, much of the time. Credit: ZDNet

MicroChipping Humans – Its a Thing and Soft of Illegal in a Few States

Apparently, embedding microchips in humans is a thing in some places. Some employers are doing that to employees – voluntarily at this point, to act as a replacement for badge. But a badge you can leave at home if you are off work. A microchip is on 24×7.

As a result, 7 states have passed laws making MANDATORY chipping of humans illegal. And it is a variety of states. You would expect California to ban that, but also Utah. Maryland, New Hampshire, North Dakota, Oklahoma and Wisconsin round out the list. Michigan is working on becoming number 8. Interesting.

How Might Russia Interfere with the Elections?

There are a number of obvious ways like compromising the election software that voters use to vote, but that is likely to be hard to do.

They are spreading disinformation which may cause Americans to not trust the election process and therefore not vote. That is much easier to do and some of our elected politicians are helping them do this.

They might compromise the voting management software that the counties use to tabulate and report on the vote. We saw a recent incident with that from one of the leading voting software vendors. There is no indication that this hack was based in Russia, but that is certainly possible.

But then there is the easy way to compromise things.

Spam and malicious emails.

One clerk in rural Texas, Hamilton county, has been sending out spam and infected emails recently. Their email system was compromised.

What if that happened to a big county? Or several? Or many?

In this case, voters got official looking emails with an attachment and in the email was a supposed password for the attachment. Some people, I am sure, are likely to open an attachment like that. It contained malware.

A recent study showed that way too many election entities were using home grown, old, obsolete or insecure email systems and many were not using email security best practices.

This county clerk only has 3 people in the office. Combine Covid with this mess and the office basically stopped.

Homeland Security (DHS) has been working with election officials to improve things but with many small jurisdictions, they don’t have the money or the resources to tackle the problem, even if the DHS part is free.

Unfortunately, the bad guys, whether nation state or others, are likely going to take the easiest route to cause problems and that is not likely to be trying to change the ballot in 10,000 voting jurisdictions.

They may just try the tried and true method of spam. After all, that has been working for decades. Credit: Propublica

Election Security Status

With elections less than two months away and lots of stories about election hacking, what is the real story.

Unfortunately, the real story is classified so even if I did know, which I don’t, I couldn’t tell you. The government won’t admit that straight out, but they know a whole lot more than they are telling us.

But at this year’s Billington Cybersecurity Summit, experts talked about their opinion about what is so. Here is some of what they said.

Chris Krebs, head of DHS’s CISA and the government’s point person on election security says that we have turned the corner in a really meaningful way. Chris is a good guy, a smart guy and no one’s fool, so I think he honestly believes that.

What has CISA done? Well one big change from 2016 is that at least this time the vast majority of election officials (there are around 10,000 election entities in the U.S.) are no longer sleeping at the switch. That is a big improvement but it doesn’t fix the problem. At least they know that there is a problem.

Since the last election, CISA is working with a lot of election officials in every state. Not every official by a long shot. CISA says that they are working on supporting 8,800 election officials, whatever that means.

Remember that there is a lot of tech. There are voter registration systems, election night reporting systems, vote processing systems, public web sites and, of course, voting machines. This is far from a complete list. You also have voting tech vendors. Some of them, like one of the biggest, ES&S is completely scared. They are so scared that they are arguing before the Supreme Court that researchers who try to find bugs in their software should be thrown in jail. Is that really the smartest response? Better we should leave those bugs there for the Chinese and North Koreans to abuse. But their ego and reputation is much more important than the safety of your vote. Maybe they should spend more money on security instead of lawsuits.

One thing that is absolutely true is that way more votes will have an audit trail. In part this is due to the fact that many more people will be voting by mail. Nearly 75% of voters will be allow to vote by mail. We don’t know yet how many will. Each of those votes will be auditable. In addition, more and more voting machines will create a HUMAN READABLE audit trail for votemasters to use to verify your vote. It used to be that many voting machines had no audit trail at all so there was nothing to recount. Then there were voting machines that created a 3D barcode, but since you couldn’t read that, there was no way to know if your vote was recorded correctly. Or at all. Now most voting machines create an audit trail that says that I voted for, say, Sue for Secretary of State. You can look at that piece of paper before you deposit it in the ballot box and see if that is really who you voted for.

The states asked for a lot more money than Congress gave them to bolster election security. They got less than a half billion when the amount needed was 1-2 billion or maybe more. There are a lot of small election districts that have a zero dollar security budget and zero security expertise.

This time disinformation campaigns are much more of an issue than hacking voting machines. It is a lot more cost effective. We already saw that the Russians stood up an entire fake media organization to create and publish fake information to attempt to shift the conversation. If they can do that, it is way more cost effective.

At the same time, social media is getting a little bit better about kicking the disinformers off their platforms. Since chaos builds traffic and traffic is money, they really don’t want to do that at all, but they know that if they don’t at least make a half-hearted attempt at it, Congress will legislate what they do and they sure don’t want that.

All in all, we are better than 2016. Significantly better. The biggest issue is still human beings because they believe what they want to believe and don’t fact check what they are reading.

There is still a lot of room for improvement, but at least we are fighting the battle. Credit: CSO Online