Tech Friday

  • The dismal state of election security continues:
    • The New York Times recently reported that there many issues with election security
    • There approximately 350,000 voting machines which fall into two categoriesoptical-scan machines or direct-recording electronic (DRE) machines. Each has issues
    • DRE systems don't have a paper trail
    • Optical-scan machines have paper that is scanned, but that paper is rarely audited, and if it is, it's typically scanned again
    • In some states including Georgia, Louisiana, Delaware, New Jersey, and South Carolina, voters can only use electronic voting machines that produce no paper
    • Additionally, states use different infrastructures and systems to tally and analyze the vote which makes if difficult to find issues
    • Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines
    • "A sufficiently motivated adversary would have no shortage of feasible strategies for the compromise voting computers," Rice said
    • Many electronic voting systems run obsolete software such as Windows XP and Microsoft Access and don't get security updates
    • Neil Jenkins, a former director in the Office of Cybersecurity and Communications at the Department of Homeland Security, learned that someone hacked the Illinois Board of Elections in 2016 
    • This hack demonstrated that someone was trying to infiltrate the election system
    • The hackers stole information on hundreds of thousands of voters but where discovered when a server crashed
    • In early August of 2016, Jenkins learned of a breach on an Arizona state website. The attack appeared to originate from the IP addresses used in Illinois
    • Additional reports came in from other states that the same IPs were scanning their voter registration systems
    • Jenkins wanted to raise the alarm, but quickly discovered there are more than 10,000 election jurisdictions in the United States and no one controlling body
    • He eventually stumbled upon the U.S. Election Assistance Commission (EAC) which was created by Congress in 2002
    • After talking to the EAC, they quickly discovered that the voting machines were the biggest issue
    • University of Michigan professor J. Alex Halderman participated in a project where the public was invited to attack a proposed Internet voting system. Halderman's team took less than 48 hours was to gain access and change every vote
    • Halderman made a video showing how his hacker team even accessed the security cameras to watch the people running the election system. Haldemann said “We don’t have the technology to vote online safely,” and “It will be decades more before Internet voting can be secure
    • In the past many flaws have been found with voting machines. Auditors discovered they could connect to the machines’ wireless network and could change votes remotely without detection. Flaws included:
      • Easily crackable passwords including “abcde”, “admin” and “shoup” to secure the admin account, Wi-Fi network and voter results database respectively
      • Wi-Fi that uses easily crackable Wired Equivalent Privacy (WEP) which the FBI demonstrated could be broken in 3 minutes back in 2005
      • Ports that could be easily tampered with
      • Lack of logging
      • An unencrypted Microsoft Access database for voter results
    • Jeremy Epstein, a security expert specializing in e-voting from SRI International, has said: “The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place - within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know"
    • Hackers made big headlines at this year at DEFCON 25 by exposing several vulnerabilities in voting technology. Disturbingly, they were eventually successful hacking into every voting machine they tried
    • Several machines were broken into within two hours and sadly, and all were compromised within two-and-a-half days 
    • Many of the most typical voting machines are more than 15 years old. They run obsolete operating systems such as Windows 95. "The biggest barrier to hacking them was finding the right pieces of old software" Hall said
    • The Voting Machine Hacking Village (VMHV) at DEFCON offered a set of voting machines that will actually be used in the 2018 midterm elections
    • An 11-year old boy, Emmett Brewer, accessed a replica of the Florida secretary of state’s website and was able to change the results of the "election" in less than 10 minutes
    •  Nico Sell, co-founder r00tz Asylum, a non-profit that teaches kids to hack, and an event organizer reported that an 11-year-old girl also managed to triple the number of votes on the replica Florida site in about 15 minutes and that more than 30 kids were able to hack a variety of other similar state replica websites in less than half an hour
    • Jake Braun, a co-organizer of the VHMV and a former White House and public liaison for DHS, raised the concern that many voting machines use computer chips made in China: "This strikes at the heart of the idea that you’d need thousands of Russians with physical access to the machines to get into them, when in fact, no, you don’t -- you need one Russian to bribe a Chinese manufacturing-plant official, and now all of a sudden they own an entire class of machines nationwide" 
    • Jeanette Manfra, a cybersecurity expert with the Department of Homeland Security said election officials "do a lot with not a lot of resources, and now they're on the front lines trying to deal with a lot of these issues. They can't do it alone"
    • In a statement regarding VHMV, the National Association of Secretaries of State (NASOS) said "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols
    • The (NASOS) statement also said "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results"
    • In addition to voting machine issues, governments are notoriously bad at cybersecurity putting the networks and database that store voter registration information and election data at risk
    • Additionally, most states don’t conduct robust post-election audits to compare paper to electronic tallies, so there is a strong possibility that altered votes will go undetected
    • As we close in on the 2018 election, little has changed, in large part due to time and money. The states and special interest groups have made lobbied against changes
    • Sadly, election systems were not designated "critical infrastructure" until January 2017
    • The National Academies of Sciences and Engineering just released a report that says “Every effort should be made to use human-readable paper ballots in the 2018 federal election. All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.” Get a copy here: https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
    • You should contact your representatives and urge them to read these reports and work to ensure that our elections are secure
    • Learn more here: https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html
  • Mobile websites can access you device's sensors without permission:
    • When an app wants to access the sensors in your phone, it typically requires permission from you to do it
    • A team of researchers has recently discovered that those same rules don't necessarily apply to mobile websites loaded in a phone's web browser
    • They found that 3,695 of the top 100,000 websites use scripts that can access certain sensors in a phone
    • Nikita Borisov, one of the researchers, said "With motion, lighting, and proximity sensors there isn’t any mechanism to notify the user and ask for permission, so they're being accessed and that is invisible to the user. For this collection of sensors there isn't a permissions infrastructure."
    • The researchers examined nine browsers: Edge, Safari, Firefox, Brave, Focus, Dolphin, Opera Mini, Chrome, and UC Browser and found that all of them require no permission for a web page to access motion and orientation sensors
    • The good news is that unlike an app, a website can only access the sensors while it's loaded in the browser
    • And researchers point out that the data available from these sensors is probably not enough to compromise a user's identity or the security of their phone
    • But the data captured by the sensors could be used identify individual devices and track them across the web. This technique ia known as browser fingerprinting and is not new. But using the sensors surreptitiously is a new twist on creating a fingerprint
    • The World Wide Web Consortium sets the standards for web browsers and thus far has said that data from these sensors is "not sensitive enough to warrant specific sensor permission grants"
    • Of the sites capturing data from these sensors, some were benign, but 63% were using the data for fingerprinting
    • The researchers also noted that some of the scripts couldn't be easily classified as using sensor data in a particular way
  • Yahoo pays $50 million for a massive security breach:
    • Following a major breach in 2013, Yahoo was a hit the largest known security breach to date in 2014 
    • Yahoo recently agreed to settle a 2-year-old lawsuit that resulted from the breach
    • The settlement includes $50 million in damages and 2 years of credit-monitoring services for the 200 million people impacted by the breach
    • Yahoo did not disclose the breach until after it negotiated a $4.83 billion buy-out deal with Verizon
    • As a result of the breach, Yahoo had to discount that price by $350 million before the deal was completed
    • About 3 billion Yahoo accounts were breached and the settlement covers about 1 billion of those accounts which belong to roughly 200 million people
    • Any eligible Yahoo account holder that suffered losses as a result of the breach can submit a claim
    • Costs covered under a claim include identity theft and other issues that arose from having personal information stolen
    • AllClear’s credit-monitoring service will be provided to impacted users and is valued at about $360 for 2 years
    • A settlement makes sense since estimates of damages caused by security breaches are as high as $8 per account. If Yahoo went to trial and lost, it could have cost as much as $1 billion 
    • Yahoo disputed the damage estimates noting that many users supplied false information when they created their accounts, limiting the usefulness of the stolen information
    • A hearing to approve the preliminary settlement is scheduled for Nov. 29. If approved, notices will be emailed to affected users and published in several magazines
    • Yahoo is part of Verizon's Oath subsidiary. Oath has not yet commented on the settlement
Brian Thomas

Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view. Read more

title

Content Goes Here