Tech Friday

posted by Brian Thomas

  • Election security remains a big issue in 2018:
    • A new article from the Electronic Frontier Foundation warns that election security has not improved since 2016 and that there are possible vulnerabilities throughout the system, from voter registration databases to online voting to voting machines
    • Some states use DRE (Direct Recording Electronic) systems that don't have a paper trail
    • States with at least some DREs include New Jersey, South Carolina, Georgia, Louisiana, Pennsylvania, Virginia, Kentucky, Indiana, Texas, Delaware, according to Verified Voting
    • In some states, including Georgia, Louisiana, Delaware, New Jersey, and South Carolina, voters can only use electronic voting machines that produce no paper trail
    • Additionally, states use different infrastructures and systems to tally and analyze the vote and decide the election, which makes it difficult to find issues
    • Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines
    • Some experts have said that hacking an election is more about influence and disruption, not changing votes in the voting machines
    • "A sufficiently motivated adversary would have no shortage of feasible strategies for the compromise of voting computers," Rice said
    • Many electronic voting systems run obsolete software such as Windows XP and Microsoft Access and don't get security updates
    • Any system that is connected to a network can be attacked, "and we've seen no evidence that these computers are universally and permanently air-gapped," Rice added
    • A Denial of Service attack could make it impossible for voters to vote
    • A hacked registration database could also cause voters to be denied the opportunity to vote
    • University of Michigan professor J. Alex Halderman participated in a project where the public was invited to attack a proposed Internet voting system. Halderman's team took less than 48 hours to gain access and change every vote
    • Halderman made a video showing how his hacker team even accessed the security cameras to watch the people running the election system. Halderman said “We don’t have the technology to vote online safely,” and “It will be decades more before Internet voting can be secure”
    • In the past many flaws have been found with voting machines. Auditors discovered they could connect to the machines’ wireless network and could change votes remotely without detection. Flaws included:
      • Easily crackable passwords including “abcde”, “admin” and “shoup” to secure the admin account, Wi-Fi network and voter results database respectively
      • Wi-Fi that uses easily crackable Wired Equivalent Privacy (WEP) which the FBI demonstrated could be broken in 3 minutes back in 2005
      • Ports that could be easily tampered with
      • Lack of logging
      • An unencrypted Microsoft Access database for voter results
    • Jeremy Epstein, a security expert specializing in e-voting from SRI International, has said: “The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place - within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know”
    • Hackers made big headlines this year at DEFCON 25 by exposing several vulnerabilities in voting technology. Disturbingly, they were eventually successful in hacking into every voting machine they tried
    • Several machines were broken into within two hours and, sadly, all were compromised within two-and-a-half days
    • Joseph Lorenzo Hall, CTO at The Center for Democracy and Technology, said it wasn’t surprising that the voting machines were breached quickly; cybersecurity experts have warned about vulnerabilities for years
    • Many of the most typical voting machines are more than 15 years old. They run obsolete operating systems such as Windows 95. "The biggest barrier to hacking them was finding the right pieces of old software" Hall said
    • The Voting Machine Hacking Village (VMHV) at DEFCON offered a set of voting machines that will actually be used in the 2018 midterm elections
    • VMHV attendees are encouraged to analyze and attack voting machines and sites, and will again have access to dozens of pieces of equipment, including several that haven’t previously been tested
    • The hackathon includes "13 imitation websites linked to voting in presidential battleground states" according to PBS
    • An 11-year old boy, Emmett Brewer, accessed a replica of the Florida secretary of state’s website and was able to change the results of the "election" in less than 10 minutes
    • Nico Sell, co-founder of r00tz Asylum, a non-profit that teaches kids to hack, and an event organizer, reported that an 11-year-old girl also managed to triple the number of votes on the replica Florida site in about 15 minutes and that more than 30 kids were able to hack a variety of other similar state replica websites in less than half an hour
    • Jake Braun, a co-organizer of the VMHV and a former White House and public liaison for DHS, raised the concern that many voting machines use computer chips made in China: "This strikes at the heart of the idea that you’d need thousands of Russians with physical access to the machines to get into them, when in fact, no, you don’t -- you need one Russian to bribe a Chinese manufacturing-plant official, and now all of a sudden they own an entire class of machines nationwide"
    • Jeanette Manfra, a cybersecurity expert with the Department of Homeland Security said election officials "do a lot with not a lot of resources, and now they're on the front lines trying to deal with a lot of these issues. They can't do it alone"
    • Not surprisingly, voting equipment manufacturers have tried to undermine the credibility of these reports
    • In a statement regarding VMHV, the National Association of Secretaries of State (NASOS) said "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols"
    • The (NASOS) statement also said "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results"
    • In addition to voting machine issues, governments are notoriously bad at cybersecurity, putting the networks and databases that store voter registration information and election data at risk
    • The National Academies of Sciences and Engineering just released a report that says “Every effort should be made to use human-readable paper ballots in the 2018 federal election. All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.” Get a copy here: https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
    • Despite money set aside by Congress to combat the issues, the states and special interest groups have lobbied against changes
    • You should contact your representatives and urge them to read these reports and work to ensure that our elections are secure
    • You can view the EFF article here: https://www.eff.org/deeplinks/2018/09/election-security-remains-just-vulnerable-2016
  • Facebook "double friend request" hoax:
    • Another hoax has recently made the rounds on Facebook
    • A message that goes something like this: "Almost every account is being cloned. Your picture and your name are used to create a new Facebook account. They want your friends to add them to your Facebook account. Your friends will think it's you and accept your name. From that point on they can write what they want under your name." has gone viral
    • While it sounds plausible, especially in light of the many privacy issues Facebook has recently dealt with, this one is thankfully untrue
    • Unfortunately, these types of hoaxes have been a part of social media since the beginning and occur frequently
    • A Facebook spokesman told Fox News that these messages are taking the form of a "'chain mail' type of notice"
    • He said "We’ve heard that some people are seeing posts or messages about accounts being cloned on Facebook"
    • Cloning is when your user profile is copied with the hopes of using it to connect with your friends in order to access their personal information
    • Fake stories like this one often go viral 
    • Facebook has advised that you should exercise caution when you see posts that request you to copy and paste language
    • According to Facebook, "Accounts and Pages that impersonate other people aren't allowed on Facebook. If you see an account that's pretending to be you, someone you know, or a public figure (example: celebrity, politician), we encourage you to let us know"
    • If you are concerned when you see a post like this, the best bet is to reach out directly to the party involved. For example, you can contact Facebook support, or visit the Facebook Newsroom blog at https://newsroom.fb.com/
    • Other steps you can take include:
      • Ask your friends if they have received new Friend requests from you
      • Report suspicious or fraudulent activity to Facebook
      • Use a strong, unique password
      • Change your password regularly
      • Enable multi-factor authentication, aka Two Factor Authentication (2FA)
  • Google's latest breach:
    • Google recently announced that their Google+ platform has been hacked and details on roughly 500,000 accounts were breached
    • For those who never used Google+, it was Google's attempt to create a Facebook competitor and get in the social media game
    • Launched in 2011, Google+ received mixed reviews and never really gained much of a following
    • An internal Google project named Strobe was exploring "third-party developer access to Google account and Android device data" as well as "privacy controls, platforms where users were not engaging"
    • Google discovered a bug that allowed access to profile information. Data exposed by the flaw included user names, email addresses, occupations, genders and age
    • Google fixed the bug in March of 2018 and claims that there is no evidence that anyone exploited it to steal user data
    • Sadly, Google chose not to disclose the bug, which had been an issue since 2015, until a Wall Street Journal report effectively gave them no choice. It appears that Google had no intention of ever telling users about the breach for fear of regulation
    • Ben Smith, Google's vice president of engineering said, "Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice," and "Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance."
    • "Hiding data exposures is harmful to users—trying to keep the cat in the bag is not a sustainable strategy," -  Lukasz Olejnik, security and privacy researcher and member of the W3C Technical Architecture Group
    • Ironically, this news comes on the heels of a new Google initiative to better protect user privacy
    • Google has once again demonstrated they can't be trusted with your data
    • Your best bet is to minimize your Google footprint, or dump all Google platforms and services completely. For example, switch from Android to iOS, from Google Search to Duck Duck Go or Bing, and from Chrome to Firefox or Safari

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view.