Tag Archives: Elections

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei’s security engineering practices are equivalent to what was considered acceptable in the year 2000.  And, they don’t seem to be getting any better.  Source: BBC .

 

Researchers Figure Out How to Attack WPA 3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The First version had no security, the next version had crappy security, the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security tests.  Anyone who wants to hack it has to do so treating it as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the other attacks are side channel attacks.  They also figured out how to create a denial of service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on Github to allow (hackers or) access point buyers to figure out if a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try and patch the holes.  The good news is that since there are almost no WPA 3 devices in use, catching the bugs early means that most devices will be patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full time and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won’t discuss the program and review as many as 1,000 clips in a 9 hour shift.  Doesn’t that sound like fun.  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400 pound people in their beds, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that  the Russians did research on and made “visits” to state election sites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russian’s efforts to compromise the election and it will likely fuel more conversations in Congress.  Source: Ars Technica.

 

Researchers Reveal New Spyware Framework – Taj Mahal

The Russian anti-virus vendor Kaspersky, whom President Trump says is in cahoots with President Putin, released a report of a new spyware framework called Taj Mahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.

Facebooktwitterredditlinkedinmailby feather

U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, The Undersecretary for the National Protection and Programs Directorate (NPPD) of DHS said individuals voting rights were safe despite persistent attacks on the voting infrastructure.

He said, that by law, if you show up to vote and there is a problem with your registration,  you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to effect the outcome of the election.  After all, how do you know how that voter will really vote.

Much more likely and not mentioned by Krebs since DHS isn’t doing much about it, is the likely attacks on campaigns web sites and email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 didn’t change any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one waay of the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian controlled front companies recently indicted by the federal government didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but which ever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.

Facebooktwitterredditlinkedinmailby feather

Friday News

It was only a matter of time.  Researchers say that they have discovered “things” on the blockchain.  Not so nice things.  Like child porn.  If true, and I have no reason to doubt the researchers, that would make possession of a copy of the blockchain illegal in 112 countries.  And, since we know that you can’t change the blockchain, now what?  Normally, when the cops find child porn on a web site, they get it removed or shut it down.  Do you have any idea how to shut down a distributed database with tens of millions of copies on every continent of the globe, expect, maybe, not Antarctica.  Me neither.   And think about it.  You could use this technology to distribute any kind of illegal information that you want to.  Hidden in plain sight and unstoppable.  (source: PC Magazine).

Department of Homeland Security Secretary Kirstjen Nielsen testified before the Senate Intelligence Committee this week that they have completed the security clearance process on 20 election officials to be able to share classified intelligence about foreign government attempts to hack into their election systems.  Given there are about 10,000 election jurisdictions, at this rate it may take a while to complete.

Suffice it to say, it would seem that after 14 months, this administration is a tiny little bit behind the 8 ball when it comes to protecting our election process.  (source: Axios).

Possibly in the wake of the Cambridge Analytica “situation”, the Facebook security chief, Alex Stamos quit.  Followed, the next day by Michael Coates, head of security for Twitter quitting.  Followed the next day by Michael Zalewski, Director of information Security Engineering at Google.  Not a great week.  Is someone sending the big guys a message?  (source: National Herald).

Mossack Fonseca, the law firm at the eye of the storm of the Panama Papers leak of millions of documents of the rich and famous announced they are shutting down due to reputational damage, media attention to a company that would rather operate in the shadows and other fallout from their breach.  While their breach was very public, their finances were deep.  However when customers started deserting them like rats deserting a sinking ship, their ship was doomed.  While it took a couple of years, it was inevitable. (source: The Guardian).

The government has filed civil and criminal charges against a former Equifax exec for insider trading.  Jun Ying, a not very smart tech exec at the company heard rumors about a breach and decided it would be a good time to sell all of his vested stock options, netting him almost a million bucks in profit.  And, possibly, ten years at the crossbar hotel.  Not very subtle on his part.  Hopefully only the beginning of going after folks at Equifax, buy who knows.  (source: Reuters)

Facebooktwitterredditlinkedinmailby feather

After 14 Months of Russia Probe, Justice is Going to Study What to Do

If I seem a bit skeptical, that is because I am.  Attorney General Jeff Sessions announced yesterday that the Justice Department  is going to form a committee to study the subject.

Last week the leaders of several of the branches of the Intelligence Community testified before Congress saying, publicly, that the Russians did interfere with the 2016 elections and are already interfering with the upcoming 2018 election,

Given that testimony, the Executive Branch likely felt they had to do something or get blamed when the inevitable does happen this summer and fall.

So, they have formed a team of people inside the Justice Department – the same department that did not do anything to protect the integrity of the 2016 elections, both federal and local.

Some security experts say that the committee lacks focus and a clear mission.

The task force has to deliver its report in June – after many of the primaries are over and only a few months before the general election.

And the problem is not a single problem.  You have fake social media posts, identity theft, election fraud, hacking voting systems and voter rolls, illegal campaign funding and many other issues.

If they started  looking into this last February and reported out last June, that might have given them time to do something before this election, but these are hard problems – distributed problems that are the responsibility of 50 states and 3,500 plus local governments.  There is no way this can realistically fixed between June and, well, last year.

And then, of course, there is the issue of how do we pay for it.

Stay tuned for a report in June.  Are there some things Justice can do without Congress acting?  Likely.  After all, Mueller indicted 13 people, so there are existing laws that are likely being broken.  Probably the number of people that did illegal things is many times that number.

I hope I am wrong and this committee does some good.  We will just have to wait.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

DHS Says Russians Penetrated US Voter Systems in 2016

While the head of cybersecurity at DHS said the details of which states were compromised is classified, she admitted that 21 states were targeted during the 2016 elections and that some of them were penetrated.

Former DHS Secretary Jeh Johnson said 2016 was a wakeup call and now it is up to the government(s) to do something about it.

Even though the President isn’t quite sure of it, DHS says that the Russian government was behind the attacks,

The good news is that there is no EVIDENCE that the voter rolls in those states that the Russians were successful at hacking were changed.

Many people think the 2016 election attacks were merely a test.  That test will likely continue in 2018 with plans to take more aggressive action for the 2020 presidential elections.

Even though Secretary Johnson designated the states’ voting systems critical infrastructure before he left office over a year ago, he says that the states have done little to nothing to actually harden the systems.

The head of DHS cybersecurity disagreed with Secretary Johnson.  She said that the states have taken it seriously.

I am not quite sure that her statement in any way, shape or form conflicts with Secretary Johnson’s statement that the states haven’t actually done anything about it.  You could certainly take the threat seriously and not do anything about it.

The National Association of Secretaries of State say that they are only aware of one state that was hacked.  Depending on your level of cynicism, you could say that means that they are ignorant, either intentionally or unintentionally or are being willfully blind.  Alternatively, you could say that DHS doesn’t know what they are doing.  Since DHS doesn’t seem inclined to provide us with any data, the reader is left to draw his or her own conclusion with regard to what really happened.

In the states’ defense that they don’t know, many of the states complained that DHS wouldn’t share details of the attacks with them, supporting their assertion that they don’t know about the attacks.  DHS says they don’t have clearances to access the classified data.

And, with a level of speed that would make a snail proud, DHS says that now, two years later, they are processing the clearances.  Since it often takes a year to get a clearance, depending on the level of clearance, it is certainly possible that the 2018 midterm elections will be long over before the states see the data and for sure, the window to fix anything will definitely be long over.

Other states are saying they are waiting for DHS to help them (I assume that help from DHS is free;  if they were really concerned they would pay someone to help them).  DHS says there is no waiting list for help and DHS “will get to everyone”.  When they will get to everyone they didn’t say.

How, exactly, the public is supposed to figure out the truth here is completely non-obvious to me.

Some states objected to the feds designating their voting systems as critical infrastructure, preferring, instead, to put their egos ahead of their citizens.  Secretary Johnson pulled even fewer punches saying that the Secretaries that were objecting were being naive and irresponsible to the people they are supposed to serve.  He is not likely to be getting a Christmas card from any of the Secretaries of State next year.

Rex Tillerson, the current U.S. Secretary of State says that the Russians are already meddling in the 2 018 election, a statement that likely puts him at odds with the Oval Office.

Given all of the above, it seems likely that the Russians will continue to successfully meddle in the U.S. election process this year and that the states will have made only minor progress to protect themselves.

Information for this post came from NBC News.

Facebooktwitterredditlinkedinmailby feather

Senators, Staffers Next on Russia’s Cyber Hit List

According to the cyber security firm Trend Micro, the members of the U.S. Senate and their staff could be the next target of the Russian hacking group Fancy Bear – the same group linked to the DNC hack an election meddling across the Middle East  and Europe.

Trend says that digital breadcrumbs found so far in spear phishing campaigns link back to the Russian hacking group,

And, in a way, it makes perfect sense.  If the Russian’s objective is to meddle in elections across the globe, then the U.S. mid-term elections later this year would be a perfect target.  Spear phishing emails are pretty low tech but they lead to compromised userids and passwords (and was pretty lethal during last year’s elections).  Also consider that politicians and bureaucrats are addicted to email.  That makes them  a perfect target.

Some of the emails pretend to be Microsoft Exchange messages warning of expired passwords.  Low tech but pretty effective, unfortunately.

The researchers said that these spear phishing attacks looked a lot like the attacks rolling up to last year’s French elections.

If it ain’t broke, don’t fix it.  If it worked against the DNC,  if it worked against the French.  It is well known art.  It may well work against the Senate.

Senator Sasse (R-Neb) said that he thinks Putin is very happy that Washington is obsessed with partisan politics and is ignoring 2018 and 2020.  He is likely right.  To really fix things will require a lot of work and at least some money – something Washington doesn’t seem to be concerned about.  And it is a very distributed problem.  There are 50 states, 3600+ counties, the feds, government organizations, social media – a lot of targets of opportunities.

Which is not terribly surprising given that, before last year’s election there were only 5 people between both houses that had a computer science degree (I don’t know how the election changed things, but it likely didn’t change much).

Given all of the events coming up in the next year, including the Olympics and elections world wide and the apparent lack of interest in doing anything about it, we should assume that Russia will continue to be successful in their efforts influence politics – conspiracies or not.

Information for this post came from FCW.

Facebooktwitterredditlinkedinmailby feather