Electronic Vulnerability

Georgia voter registration system crisis touches Connecticut

Georgia Secretary of State, Brian Kemp, just launched an investigation of the Democratic Party of Georgia, after their consultant pointed out a serious vulnerability in Georgia’s voter registration system/database: Kemp’s Aggressive Gambit to Distract From Election Security Crisis

This touches Connecticut because the vendor for Georgia’s system, PCC, is located in Bloomfield Connecticut and supplies Connecticut’s voter registration and election night reporting systems. It is not certain that the reports so far accurately portray PCC’s role in Georgia and if any of the same vulnerabilities apply to the Connecticut’s system. From our understanding Connecticut has paid a lot of attention to the security of our voter registration system and that PCC supplies the software by is not involved in its operation. We have reached out to the Secretary of the State’s Office suggesting that they address the relevance of the Georgia report to Connecticut.

The front line of election security in Connecticut has about 169 weak points

Last week, West Haven paid a $2,000 ransom to hackers to unlock its computer systems. In a statement from the city, the ransom was characterized as a “one-time fee.” The word-choice here reveals an oversimplified view of the reality of ransomware, a cyberattack in which hackers lock data and demand payment.

First, West Haven was lucky to regain access to its systems after paying the ransom. Fewer than a quarter of ransomware victims actually get their files back after paying up. More often, hackers pocket the money and leave the data scrambled.

The notion of a “one-time fee” also fails to account for reputation damage and loss of trust. A city like West Haven — which is already navigating difficult financial straights — needs to rally community support. A blunder like this undermines the momentum it was building…

 

Here’s How Russia May Have Already Hacked the 2018 Midterm Elections

New article from Newsweek: Here’s How Russia May Have Already Hacked the 2018 Midterm Elections  <read>

They are talking about PA, but the same could apply to Connecticut:

Even though Bucks County’s Shouptronics aren’t wired, hackers have several ways of compromising them. The most direct and effective way would be to replace a computer chip in the machine that holds instructions on what to do when voters press the buttons with one that holds instructions written by hackers.

Do Connecticut’s Tamper-“Evident” Seals Protect Our Ballots?

Experts and amateurs have long claimed that so called, tamper-evident seals are easy to defeat.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

Often, as a computer scientist, I forget that what a very small minority know that becomes almost intuitive, is far from obvious to others approaching magic, a deluded conspiracy, or amateur science fiction.

Any sufficiently advanced technology is indistinguishable from magic. – Arthur C. Clarke
This article from Bloomberg News is a case in point.

The Crisis in Election Security by Kim Zetter

The feature in the NYTmes Magazine by Kim Zetter:  The Crisis of Election Security – As the midterms approach, America’s electronic voting systems are more vulnerable than ever. Why isn’t anyone trying to fix them? <read>  The article is a sad summary of where are and how we got here.

Two years later, as the 2018 elections approach, the American intelligence community is issuing increasingly dire warnings about potential interference from Russia and other countries, but the voting infrastructure remains largely unchanged…How did our election system get so vulnerable, and why haven’t officials tried harder to fix it? The answer, ultimately, comes down to politics and money: The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry.

 

 

What we don’t understand seems all but impossible and fictional

Like you I don’t know a lot about brain surgery, flying a jet, or hacking a cell-phone. Off-hand I often think of all of those somewhere on a spectrum from taking years to learn, to almost impossible, fictional or magical.  Yet the evidence is different. People learn brain surgery, perform it regularly and well. Just this week we saw a mechanic take-off and fly a jumbo jet, apparently with only some video game experience. Which brings me to my newest proverb:

What we don’t understand seems all but impossible and fictional.

But that is not true. Case in point, DEFCON.

Georgia: New information enhance title as a Most Vulnerable State

article from McClatchy: Georgia election officials knew system had ‘critical vulnerabilities’ before 2016 vote

Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached.

But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.

The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country…

The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections.

Top voting vendor, ES&S, admits lying to public and election officials for years

Article from Mother Board by Kim Zetter: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States <read>

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

I would add that lying about ballot boxes being left on a Moscow street corner is equivalent to flat out lying about the software installed on your products. We should expect more from companies whose hands and integrity upon which our elections depend.

Election Vulnerability: What we can learn from Ed Snowden and the NSA.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.