The Vote is Very Hackable

Apologies readers for the limited posts last week.  I was attending the annual BlackHat cybersecurity conference in Las Vegas with several clients.  It’s a fantastic event if you actually want to talk with all sorts of hackers from White Hat to the Black hat variety and they are from all over the world.  And since they are all in one place, they do try to out-do each other (many prominent security analysts and journalists bring burner phones for the event and a Bluetooth hack happened the last day of the show which overlapped with DefCon and a few of my friends had to deal with changes to the contact information in their bank account information and emails sent to their contact list with nasty content).

Hacking voting machines, voter registration rolls and the networks of candidates was a widely popular topic.

It’s hard to do the topic full justice but these links will highlight what a serious problem it is.  https://siliconangle.com/2018/08/10/black-hat-hacks-voting-machines-satellites-pacemakers-come/  and https://www.darkreading.com/black-hat/black-hat-usa-2018–a-history-of-voting-machine-vulnerabilities-and-persistent-hacks/d/d-id/1331985 and this report is worth reading:  https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20village%20report.pdf.  There’s a video in this story worth watching: https://www.pcmag.com/news/363035/what-can-we-learn-from-a-terrible-voting-machine.  Not scary enough?  See these: https://www.bing.com/videos/search?q=hacking+voting+machines&&view=detail&mid=15CAA13452685E3A40F115CAA13452685E3A40F1&&FORM=VRDGAR and https://www.bing.com/videos/search?q=hacking+voting+machines&&view=detail&mid=86D8AAD4582AA8C2D30386D8AAD4582AA8C2D303&&FORM=VRDGAR.

From Silicon Angle:  “One of the strategic questions very much in the news these days surrounds whether foreign governments have been meddling in U.S. elections. As voters prepare to go to the polls in November, the potential for remote manipulation of voting machines remains a real and present danger.

On Thursday, Carsten Schuermann, associate professor at IT University of Copenhagen, offered his forensic analysis of eight decommissioned WINVote machines used in a number of state elections for over a decade. His findings were not encouraging. The security researcher found machines with open ports using a 2002 version of Windows XP that had not been updated, along with system drives accessible using the password “abcde.”

He also discovered downloaded MP3 files playing Chinese songs on one machine and more than sixty files modified during a one-hour period on another. Both voting machines were used for gubernatorial elections in Virginia. At one point, there were 4,000 WINVote machines installed in states across the country, according to Schuermann.

“It’s kind of strange that there are MP3 files like this on a voting machine,” Schuermann said. “It’s not very good.”

From DarkReading.com:

For the past decade, researchers have been discovering vulnerabilities of voting machine models, even holding hacking competitions to publicly test theories and demonstrate exploit paths. Recent allegations of voting machine tampering, nation-state interference and other security breaches surrounding the United States Presidential Election have increased awareness and attention on voting policies and machine weaknesses.

Carsten Schuermann, Associate Professor at IT University of Copenhagen will present “Lessons from Virginia – A Comparative Forensic Analysis of WinVote Voting Machines” at Black Hat USA 2018. In this Briefing he will detail issues of the “WinVote” machines, widely regarded as the worst voting machines made and prevailing gaps in the technology that could be impacting voting security today. Decommissioned after the 2015 elections in Virginia, WinVote machines have since been gathered and analyzed to aid in developing more stable and credible machines. Most notable,

Potentiality to breach voting machines brings to the forefront possible flaws in the federal testing and certification process and the overall integrity of the entire electoral process.

Protecting the integrity of the election process is expensive.  It costs millions for states to protect their voter rolls and election systems, and the Republican Congress recently cut funding that does just that.  From Wired:

Now in its second year, the Voting Machine Hacking Village at the DefCon security conference in Las Vegas features a new set of voting machines—all of which will actually be used in the 2018 midterm elections—for attendees to analyze and attack. But as eager attendees get to work familiarizing themselves with the devices and revealing their weaknesses, another call has emerged from the Village as well: Finding bugs is great. But you also need the money to fix them.

Election officials can’t act on findings about voting machine and voting infrastructure vulnerabilities, DefCon speakers noted on Friday, if they don’t have the money to replace obsolete equipment, invest in network improvements, launch post-election audit programs, and hire cybersecurity staff. Some progress has come, but not enough, and too slowly.

“While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear, we need more resources,” said Alex Padilla, the secretary of state of California and the state’s top election official. “All the things that we know we have to do, all the things that I’m going to learn and observe when I go down to the Village after this panel, to implement and act on all of these findings, recommendations, and discoveries we need official resources.”

After all, it took nearly two decades for Congress to appropriate that recent election security windfall; it came from the 2002 Help America Vote Act. “That’s butterfly ballot hanging chad money, not cyberthreats 2016, 2018, 2020 money,” Padilla says. In recent months, Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms. And though the bipartisan Secure Elections Act has been steadily gaining momentum in the Senate—and was introduced through a companion bill in the House on Friday—it is likely still months away from potentially becoming law.

After months of silence on the topic, the Trump Administration said at the end of July that it would “continue to provide the support necessary to the owners of elections systems—state and local governments—to secure their elections.” Department of Homeland Security top cybersecurity official Jeanette Manfra echoed that sentiment at DefCon on Friday, noting that election officials “do a lot with not a lot of resources, and now they’re on the front lines trying to deal with a lot of these issues. They can’t do it alone.”

In Orange County, ROV chief Neal Kelley has four professionals dedicated to security of our voting rolls and process — twice as many as Cook County, Illinois. And the OC ROV leverages additional support from Orange County’s IT security operations.  “There’s no finish line here in securing critical systems,” said Kelly.  “We work closely with the Department of Homeland Security on this.”  Neal thinks four professionals is adequate; I think the county ought to double resources here.  Orange County is actually a model program for securing the Vote and Kelly spoke at DefCon about his program.  Learn more about what OC does for election voting protection here:  https://www.ocvote.com/election-library/

What will remain a critical problem is securing the campaign network operations of political candidates.  Clinton aide John Podesta clicked on a phishing message and opened the door to hackers infiltrating Hillary Clinton’s campaign network.  I know of one OC Congresional candidate who had the campaign network hacked, but I’m not saying who.  Money is always tight on campaigns and IT security hardware/software/support is expensive.  It’s something that State parties and the DNC need to provide support and money for endorsed candidates in key federal and statewide election races.  The consequence is more hacking from Russia, China, North Korea and even Israel. The consequence of hacking can mean a loss.

Consider this press release on the state of Internet security:

SAN FRANCISCO, June 26, 2018 (GLOBE NEWSWIRE) — While consumers and businesses expand their use of social media and electronic services to record levels, many of America’s most knowledgeable security professionals don’t believe that individuals will be able to protect their privacy and online identity, even with precautionary measures and new regulations such as GDPR.

These findings and more are outlined in Black Hat USA’s new research report entitled, Where Cybersecurity Stands. The report, compiled from the fourth installment of Black Hat’s Attendee Survey, includes critical industry intel directly from more than 300 top information security professionals. This year’s report delves into hot topics including the rise in concern over privacy issues, election hacking, U.S. Federal Government ability to handle cyber threats, nation state attacks, the buzz around cryptocurrency profit, and the belief that the nation’s critical infrastructure is still increasingly at risk.

Is Privacy a Lost Cause?
Now more than ever cybersecurity professionals are questioning the future of privacy and the safety of personal identity as a result of the recent Facebook investigation, development of GDPR and various data breach reports. Influenced by these factors, only 26% of respondents said they believe it will be possible for individuals to protect their online identity and privacy in the future – a frightening opinion as it comes from experts in the field, who in many cases are professionally tasked with protecting such data. They’ve also reconsidered their Facebook usage – with 55% advising internal users and customers to rethink the data they are sharing on the platform, and 75% confessing they are limiting their own use or avoiding it entirely.

InfoSec Community Weighs in on Politics
IT security professionals have very little confidence in the federal government’s ability to understand and respond to critical cybersecurity issues. Only 13% of respondents said they believe that Congress and the White House understand cyber threats and will take steps for future defenses. Respondents also cite foreign affairs as an issue – 71% said that recent activity emanating from Russia, China, and North Korea has made U.S. enterprise data less secure. And with the upcoming elections in mind, more than 50% believe that Russian cyber initiatives made a significant impact on the outcome of the 2016 U.S. presidential election.

Bitcoin, Malicious Hacking, Technology and More
This year’s report dives deeper into the inner thoughts of today’s cybersecurity professionals, as a result, additional key insights were brought to the surface. One topic was whether ethical hacking would be prevalent considering the rise of bug bounty programs – nearly 90% still believe in the importance of coordinated disclosure, making it clear that hackers within the Black Hat community are still looking to help in the fight against cyber crime. Respondents were also asked to weigh in on all the craze around cryptocurrency, with more than 40% expressing that they do not think that investing in Bitcoin and other cryptocurrencies is a good idea. This is an interesting data point considering all of the recent buzz around profits being made through the practice. Professionals also raised a new concern around the effectiveness of technologies currently in use.  Among a list of 18, only three technologies were cited as effective by security professionals – encryption, multifactor authentication tools and firewalls.  Passwords, one of the most widely used technologies, were dubbed ineffective by nearly 40% of respondents.

Fear of Major National Critical Infrastructure Breach Still on the Rise
Last year, Black Hat reported that 60% of security professionals expected a successful attack on U.S. critical infrastructure – that data point has risen almost 10% in 2018. Who do they think will likely be behind such an attack? More than 40% of those surveyed believe that the greatest threat is by a large nation-state such as Russia or China. The thought that such an attack will be successful, again, stems from the industry’s lack of confidence in the current administration – only 15% of respondents said they believe that U.S. government and private industry are adequately prepared to respond to a major breach of critical infrastructure.

Additional Key Findings

  • Following the enactment of European GDPR privacy regulations, 30% say they don’t know if their organizations are in compliance; another 26% do not believe they are subject to GDPR
  • Staying consistent over the past five years and across the U.S., Europe and Asia – nearly 60% believe they will have to respond to a major security breach in their own organization in the coming year; most still do not believe they have the staffing or budget to defend adequately against current and emerging threats.

Download the Full Research Report
Findings from the Black Hat community make it apparent that there are serious fears around privacy on both professional and personal levels. The report also calls for further action by the U.S. Government in order to secure confidence in the nation’s ability to protect itself from a range of anticipated attacks. To learn more about these findings and other reported intel, download a copy of Where Cybersecurity Stands, here: blackhat.com/latestintel/06262018-where-cybersecurity-stands.html

About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is organized by UBM, which in June 2018 combined with Informa PLC to become a leading B2B information services group and the largest B2B Events organizer in the world.

To learn more and for the latest news and information, visit www.ubm.com and www.informa.com.

***

A side note; I met one of my favorite trade editors on Friday morning for a ride to the airport.  We drove to the Trump Hotel in Las Vegas and it’s remarkable close to a large adult bookstore (seems appropriate); we Valet-parked my truck loaded with anti-Trump bumper stickers and headed in for a bad cup of coffee and to see the gift shop.  Unlike January 2017, where almost all of the merchandise came from countries other than the US, all the new Trump merch was actually made in America.  My family was in New York City at the same time and Trump Tower was surrounded with armed police/security.  Big guns.  Big presence.  The Trump Hotel had none of that sort of security presence.  My truck came back from Valet unscathed; all my bumper stickers intact.  Elect a clown, expect a circus.

  1 comment for “The Vote is Very Hackable

  1. Edgar Kaskla
    August 15, 2018 at 5:01 pm

    Very interesting stuff, even if I do not understand completely how this is all done. I would also direct readers to a recent Rolling Stone article about hackers who targeted the Democratic side of the primary in Dana Rohrabacher’s district. Yes: the guy who loves Putin. I wonder who did the hacking?

    https://www.rollingstone.com/politics/politics-news/california-election-hacking-711202/

Comments are closed.