Vulnerable to Hackers and Errors
Page uses Atkinson
Hyperlegible font from Braille Institute
The wide-ranging examples here show that hacks and
software errors in elections can be reduced but not prevented. The only
protection is to detect errors and
recover, which means independently checking the counts. Reputable software
has hundreds
of bugs, and annual updates have bugs. Chinese,
Russians,
other countries,
and organized
crime have infiltrated everywhere worth infiltrating. The SolarWinds
hack is one of many similar (as yet undiscovered) infestations
which affect all organizations. Policy
makers need a broader, longer term view than software designers. Election
offices & companies need physical tokens,
not passwords.
Contents
of This Page
B. Election Vulnerabilities, With Unknown
Results
C. Air-gapped, Offline Computers
E. Future Hacks
A.
ELECTION MACHINE ERRORS
B. ELECTION VULNERABILITIES, WITH UNKNOWN RESULTS
1. 2023
Dominion executives recognize “our shit is just riddled
with bugs... we don’t address our weaknesses effectively!” Besides bugs, they
know they need more failsafes, for example that
Dominion software should have been designed to catch the miscounts in Antrim
MI. (pp.15-16, or 25-26 in pdf)
2.
2022
China aggressively targeted Canadian federal elections, with secret
money for 19 candidates, some of whom knew it, and placing staff. Goal is
to change Parliamentary votes on China. Do they do the same in other countries?
3.
2022
Increase of thousands of phishing emails detected for election workers before
primaries in AZ & PA. If other states were targeted, it was not detected.
4.
2015-2022 Iran
targets US elections
5.
2022 tests found that 30% of workers fall for phishing
attacks in technology companies (election vendors would be in this
category), and 25% in government.. These dropped to 5% after a year of regular
anti-phishing training and monthly simulated phishes, so companies or
governments with hundreds of workers stay very vulnerable.
6.
On 6/3/2022, CISA warned states about several
vulnerabilities in Dominion
ballot marking devices.
7.
On 11/4/2020, before any state had audited
election results, CISA and other federal agencies assured
voters that "Robust safeguards including canvassing and auditing
procedures help ensure the accuracy of official election results." And
11/12/2020 they said "The November 3rd election was the most
secure in American history" still before audits were done. These were the same federal officials who had not noticed their own
systems had been infiltrated by Russian hackers for 8
months. Yet they were sure all 15,000 election jurisdictions were secure. Commentary
narrowed their claims.
8.
As of 2019, researchers have found security
flaws in all election computers, which let voters, staff members or
outsiders disrupt or change results, often without detection.
9.
Through 2019, Russia has spent billions of
dollars on a decade of work to create broad-based
new ways to attack election computers (zero days), using independent teams
so they don't reveal each other's methods.
10. In 2018 the Election
Assistance Commission denigrated cyberthreats and declined to provide
cybersecurity guidance to local election offices.
11.
In July 2018 the FBI told Maryland officials that a local web
hosting company they used for voter registration, candidacy, online ballot
delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian
oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks.
Maryland's Senate President said the FBI "weren't really anxious for us to come forward"
to tell the public (quote is at 6:54 in video). FBI also told state officials
in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).
12.
In March 2018 the security site CSO found on
the dark web over 100 emails of workers at one of the
largest companies making and programming election machines, ES&S, and
smaller numbers at smaller voting machine companies. They also found passwords
for the accounts, though the companies said these passwords did not meet their
current standards, so would have been changed. Nevertheless with valid emails,
attackers can spray password variations until they log in on at
least one of the accounts and install malware. Hackers share tips on the dark web.
13. In October 2017 Senator Wyden asked
voting machine manufacturers about their security practices. Results
were not encouraging. Letters from Dominion, ES&S, 5Cedars, Unisyn
14. From August 2017 to March 2018 Georgia's election software was on the
public web without passwords or encryption (pages 140-143, 153-163 of court filing, news).
15. In August 2017 the biggest manufacturer of voting machines, Election Systems & Software,
created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The
encryption was strong enough to keep out a casual hacker but by no means
impenetrable...The worse-case scenario is that they could be completely
infiltrated right now".
16. In May 2019 the FBI told Florida officials 2 counties' voter
registration systems had been penetrated by Russia in 2016. The FBI could not say if the Russians changed the files,
and only revealed anything because the Mueller Report did. The counties were Washington and one other.
17.
In 2016, "We can assume that the majority
of states were probably a target... I want to make clear today on the record,
it's likely that all 50 states were likely affected... Every organization is
scanned a lot, sometimes thousands of times a day. What we were trying to
differentiate between: we saw very concerning activity from known suspicious
servers in this case... They were targeting to look for vulnerabilities...
Probably tried all the states. These are the states we could see they were
trying. That's right." ~US Department of Homeland Security Senate
hearing at 41 minutes.
18. They attacked "in alphabetical order by state name... voter
registration and election results sites... to identify and exploit SQL database
vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no
information on how many of those attempts were successful, aside from two
instances"
19. August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter
registration systems and election-night reporting. "At least one of the employee accounts was likely compromised."
Then on October 27 they used VR Systems credentials to send phishing emails to
122 local election officials. If they opened it, it installed malware which
opened a persistent back door into the computer. At least 10
computers were harmed (¶77b). The government has not said and may not
know what the hackers did with their back door. Mueller's indictment July 13,
2018 confirms these events (¶73-77) and adds that the hackers targeted more
than one election company (¶69). 2 years after the election, the
press revealed that VR Systems had a common practice of remotely accessing county election systems, to
troubleshoot them, up to the day before the election.
20. Also in 2016 hackers sent emails pretending to be from another election vendor, offering
"election-related products and services." The same hackers sent
emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider."
NSA does not know what they accomplished with any of
these attacks.
21.
In 2016 Georgia, Indiana and Idaho said the US Dept. of Homeland
Security tried to bypass firewalls in election systems without permission. Kentucky and West Virginia said DHS probes of their
systems were not malicious.
22. Ukraine's 2014 election results were hacked, but
officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and
officials hand-compiled the counts, as noted at right.
23. A 2007 study for the Ohio Secretary of State reported on election
software from ES&S, Premier and Hart. Besides specific problems it found,
it noted that all "election systems rely heavily on third
party software that implement interfaces to the operating systems, local
databases, and devices such as optical scanners... the construction and
features of this software is unknown, and may contain undisclosed
vulnerabilities such trojan horses or other malware."
C. AIR
GAPPED, OFFLINE COMPUTERS
1.
2024
Russian worm spreads by USB drives beyond its first target of Ukraine
2.
2022
Satellite communications closed down during
Russian invasion of Ukraine
3.
2022
NATO classified documents stolen from Portugal
4.
2022
Detect vibrations with a smart phone gyroscope
5.
2020There is standardized malware to enter air gapped computers, by hiding
in files on thumb drives, in case the drive is later taken to an air-gapped
computer, such as updates for voting machines. It was developed by hackers who
are believed to work for South Korea.
6. 2017 air gapped computers in CIA. Investigation has found circumstantial
evidence and a mistrial, so punishment
for the leaker(s) is not assured.
7. NSA air gapped computers in 2016, followup in 2017
8. Electric grid air gapped computers hacked in 2014, 2016-2018 (and US in 2012-2019 Russian and Iranian grids)
9. CIA in 2011-15 had "A major concern... that the Russians were
collecting information from a breach of computers not connected to the Internet... The CIA had
already figured out how to perform similar operations themselves."
D.
BEST-DEFENDED INDUSTRIES
This list shows that companies' computers will never be
bug-proof or hack-proof, since problems happen at even the best-defended
industries. Hacks and bugs can be reduced but not prevented. The only
protection is to detect errors and
recover, which means independently checking election tallies.
1.
2024
“XZ Utils” is an example of a pervasive utility, managed by one person, being
subverted
2.
2024
FBI & CISA, seeking more budget, say China has widespread access in US
critical infrastructure, and 50 times as many “cyber operatives” as total FBI
agents. "Chinese cyber actors have taken advantage of very basic flaws in
our technology. We have made it easy on them,” said Easterly, head of CISA.
“Unfortunately, the technology underpinning our critical infrastructure is
inherently insecure because of decades of software developers not being held
liable for defective technology." The hackers are believed to be deeply
entrenched in US infrastructure.
3.
2021-2031
Ubiquitous Log4j
will allow attacks on computers for a decade. China requires its companies to
disclose vulnerabilities to the Chinese government when found, before they're
fixed.
4.
2009-2024
Most Windows or Linux computers (including election computers) parse a logo to
display before installing the operating system. Hijacking the parser lets
attackers overcome most later security checks.
5.
2023 top 10 weaknesses in
cloud computing (pdf)
6.
2013-2023
timeline of Experian flaws which make credit histories available to attackers
7.
2013-2023
timeline of N. Korea attacks
8.
2018-2023
“any company that hired freelance IT workers over the last few years ‘more than
likely’ hired someone” from North Korea, pretending to be American. "In some instances, the North Korean workers also
infiltrated computer networks and stole information from the companies that
hired them, the Justice Department said. They also maintained access for future
hacking and extortion schemes... "program has been in play for more than a decade
, but the effort got a boost from the COVID-19 pandemic."
9.
2023
Some Android systems in TVs and tablets come with backdoor for malware
pre-installed
10. 2019-2023
Millions of mail servers vulnerable through EXIM software, and company has not
prepared a patch.
11.
1999-2023
“RSA, Other Crypto Systems Vulnerable to Side-Channel Attack” in bad
implementations, which are still common in 2023. Full paper.
12.
2020-2023
Microsoft exposed 38 terabytes of their private files with read/write access,
by misconfiguring a token given to the public
13. 2023
China hacked thousands of computers through a weakness in Microsoft security. Russia
also hacked Microsoft, with less clear results. Hack included US Commerce
Secretary, Ambassador to China, Assistant Sec. of State and others’ emails
on diplomatic
strategy
14. 2020-2023
China deeply penetrated Japanese military networks
15. 2023
UK Electoral Commision revealed hacker had access to
their emails and the UK voter registration system from August 2021 to October
2022
16. 2023
Fleets of computers in data centers can be hacked remotely through a
vulnerability in the code which lets administrators update multiple computers.
17.
2023
Secure radio controls for pipelines, water & other critical infrastructure
have had a backdoor since the 1990s. The firmware was secret, so not checked
until Dutch researchers reverse-engineered it in 2021. The firmware has been
replaced in new radios with other secret codes, not yet checked by outsiders.
These radios are used throughout the world, though not commonly in the US
18. 2023
MSI (which makes motherboards and computers) leaked its signing key, so hackers
can send updates with back doors and other malware
19. 2023
Microsoft will take a year to fix a severe security bug in booting up its computers,
because correcting it makes old boot media fail.
20. 2023
Motherboards from Gigabyte, used in high performance computers have backdoor
installed by maker in the firmware which loads the operating system, so it is
hard to see or remove
21.
2023
US no-fly list is distributed to many airlines, and leaked from one of them
22. 2021-2022
Lapsus$ group of teenagers hacked major tech companies by phishing, bribing
insiders, calling contracted help desks, buying access from black market
“Initial Access Brokers”, pretending to be law enforcement with “Emergency
Disclosure Requests,” and other human
contacts. It advertised
for insiders at tech companies. “The cyberattacks were not the work of a
nation-state actor, nor did they always involve particularly complex or
advanced tooling or methods. Yet the attacks were consistently effective
against some of the most well-resourced and well-defended companies in the
world... exploited the tendency for enterprises and their employees to document
internal procedures, share information on collaboration platforms, and use
ticketing systems to perform internal help desk operations... 34% of surveyed
respondents believed their third-party suppliers would report a breach to them.
Over 50% experienced a breach that originated from one of their third-party
suppliers within the last 12 months,” Phone retail store staff are low-paid,
lightly trained, with privileged access.
APT-Advanced
Persistent Teenagers
23. 2022
Ponemon survey found 63% of IT professionals said
their organization had been breached and sensitive or confidential information
misused. Only 36% evaluated security & privacy of contractors. Only 12%
were very confident a third party would tell them if the third party was
breached.
24.2022 GAO said about
information security programs, that “Inspectors General reported ineffective
programs at 16 of 23 civilian agencies. Our recent reports also identified
major weaknesses in government-wide and agency-specific cybersecurity
initiatives”
25. 2022
Hack of Sargent & Lundy engineering firm, which has designs of electric
utilities and is subject to looser cyber standards than the electric utilities
26. 2022
CISA recommends phishing-resistant multi-factor authentication, but important
to know how it can still be phished or hacked
27. 2022
Apple only maintains full security fixes on latest versions of operating
system, though saying others are "supported".
28. 2022
Microsoft Defender lets through 19% of phishing emails
29. 2007-2022
Python bug present in 350,000 projects
30. 2022
Subscription for criminals to bypass multi-factor authentication, by capturing
the session cookies which prove authentication, so criminals can continue to
access the victims' accounts, $400/month
31. 2022
5G networks are hackable
32. 2022
intruders gained access to Cisco, by phishing an employee, intending to sell
access
33. 2022 China runs
"a coordinated campaign on a grand scale... Seeking to bend our economy,
our society, our attitudes to suit the Chinese Communist Party’s interests...
the Chinese Communist Party is interested in our democratic, media and legal
systems. Not to emulate them, sadly, but to use them for its gain... But the
right model can’t be to scale the operational agencies to somehow take on all
of this activity."
34. 2022
Homeland Security staff have been charged with helping China.
35. 2022
Organizations which discover they've been hacked don't improve defenses enough
to avoid future hacks.
36. 2022 "Managed
Service Providers This advisory defines MSPs as entities that deliver, operate,
or manage ICT services and functions for their customers via a contractual arrangement,
such as a service level agreement... Offerings may include platform, software,
and IT infrastructure services; business process and support functions; and
cybersecurity services... U.S.
cybersecurity authorities expect malicious cyber actors—including
state-sponsored advanced persistent threat (APT) groups—to step up their
targeting of MSPs in their efforts to exploit provider-customer network trust
relationships."
37. 2022
Malware "offline and online delivery technique" is for sale for
$69/month or $249 lifetime use.
38. 2022
Defense staff & contractors need card reader at home to use secure systems.
Common reader has malware.
39. 2022
storage from SanDisk,
Sony, Lexar, and probably others has a flawed, breakable file encryption
system.
40. 2022
Defense Department still uses Chinese telecom & security equipment declared
insecure 3 years before. So do corporate jets and rural cell phone towers
(needed by election workers). Chinese companies are ending support in the US.
DOD use includes web-connected security cameras.
41. 2019-2022
Ragnar Locker ransomware infected "at least 52 entities ... in the
critical manufacturing, energy, financial services, government, and information
technology sectors,"
42. 2022
China has been using a hacking tool unnoticed for 10 years
43. 2022
NSA used a set of hacking tools for 10 years in 45 countries, primarily China,
Japan, Korea, Germany, Spain, India, Russia, Mexico and Italy.
44. 2022
DHS & Commerce report said, "The ubiquitous use of open-source
software can threaten the security of the software supply chain given its
vulnerability to exploitation... outsource firmware development to third party
suppliers, which introduces risks related to the lack of transparency into
suppliers’ programming and cybersecurity standards." (Cartoon which they
didn't cite). Developers can set the code to attack
certain computers
45. 2022
75% of US defense contractors fail government standards
46. 2021
58-80 vulnerabilities exploited in the wild before manufacturers knew of them
(zero-days). In 2020 there had only been 25-30. "For all types of
actors, a lot of bread-and-butter hacking still involves exploiting
vulnerabilities that became public long ago but haven't been patched
consistently. Zero-days are still less common. But by tracking which zero-days
have already been actively exploited, defenders can prioritize deploying
certain patches and mitigations in the endless stream of updates that need to be
done."
47. 2021
University of Cambridge found a dangerous vulnerability in at least 19
compilers (used in all commercial software), it gave 99 days
notice, and only 9 of the 19 said they'd fix it. (Horrifyingly, 2
require that bug reports come in by non-encrypted email). Software companies
tended to ignore
bugs which used an unfamiliar approach.
48. 2021 2/3
of organizations have had ransomware attacks and most multi-factor authentication
is vulnerable.
49. 2021 US military generally
omits cybersecurity from contracts for weapons systems.
50. 2021
Australian sites pervasively hacked by Chinese actors, "state actor
activity often goes unnoticed by targets, who only find out they’ve been
compromised from government officials or outside threat analysts,"
51. In Jan-March 2021
30,000-250,000
email systems were hacked by a previously unnoticed Chinese team, with software
which also leaves a backdoor in the organization's computers. The hack started
by Jan 3, was reported to Microsoft Jan 5, became widely used in late February,
and a patch
was issued March 2, though thousands more systems per hour were still being
hacked by at least 5
groups on March 3. The vulnerabilities in the software had been present
since at least 2010. A different Microsoft email hack was in Jan-March 2019.
All computer systems are now targeted
by nation-states, though cloud systems may get patched faster.
52. 2020-2021
hackers (likely Chinese) compromised several federal agencies & critical
infrastructure, and many other companies through a VPN, Pulse Connect.
53. In 2020,
the US government and worldwide companies were infiltrated broadly by a hacked
update of Orion computer management software from SolarWinds company. 2021 summary.
The company used password solarwinds123 from 2017-2019. As an update, it was
installed in air gapped
systems as well as internet-connected ones (partial list of victims).
It's the tip of an iceberg: "Chinese, others, they've all built huge
capabilities, they're well-resourced, well-staffed, [and] focused on doing
exactly this. This is not a one-off, this is not something unusual... I
guarantee you that there
are other operations similar in size and scope, if not larger, that haven't
been discovered." Federal systems watched for known
problems, not for connections to previously
unknown servers. Sure enough, the Chinese
had been hacking through SolarWinds at the same time.
54. 2020
Excel spreadsheets in phishing campaigns
carry malware. 2014-2020
Even legitimate Excel sheets hack the computers they run on.
55. The depth of CIA infiltration of
China has led to China
espionage teams in 2010-2021 becoming much more professional and wanting
the same depth of infiltration in the US.
56. US energy companies in 2018-2020
and "a wide range of US-based organizations, state and federal government
agencies, and educational institutions," hacked by Russia.
57. Domain registrars for entire
countries in 2018-19, letting hackers spy on and change emails
and web results throughout the country. The registrars succumbed to phishing.
58. Phone calls for several years up to 2019
59. Homeland Security in 2019, through a contractor
60. Attacks rising in 2018
61. Encryption hacked by NSA and Germany 1960s-2018, first seen in 1995
62. 2018
Defense Department kept buying and using Lexmark printers and Hikvision
security cameras despite knowing China can conduct surveillance through them.
63. Chinese hacked most of the biggest providers of cloud computing in 2010-2017, including IBM, 224 systems at Hewlett
Packard Enterprise, Computer Sciences Corp, Fujitsu, Tata Consultancy, NTT
Data, and many other firms through them, including the US Navy's biggest
shipbuilder (incl. nuclear submarines), Sabre reservations for thousands of
hotels and hundreds of airlines (so they could surveil all traveling
executives), Ericsson telecoms, biotech firm Syngenta, which was then bought by
Chinese. Hacks continued to succeed even after they were noticed and defenses
mounted. They gathered hundreds of login credentials. Many hacked companies
were not told, and if told they denied they lost anything.
64. In 2017, using NSA
software, "hackers from North
Korea were using some of those picklocks to break into the computer systems
of, among other places, British hospitals, German railways, Russian banks, a
French automaker, Indian airlines, Chinese universities, the Japanese police,
FedEx, and electrical-utility companies all over the United States...
WannaCry."
65. "Deloitte in 2017
66. FBI in 2011-2016 radio encryption decrypted by Russia
67. DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018,
GAO staff "were able to take control of [DOD weapons] systems
relatively easily and operate largely undetected." Alarms went off so
often the operators ignored them.
68. Securities and Exchange Commission in 2016
69. OPM security clearances in 2015 (details) $63 million settlement
70. Mozilla in 2015
71. General Electric/Safran aircraft engine designs
hacked by China 2010-2015
72. Boeing (jet fighters) in 2008-2014
73. 1,000 oil and gas companies in 84 countries, 2012-2014
74. 2014
"there
are two kinds of big companies in the United States. There are those who've
been hacked by the Chinese and those who don't know they've been hacked by the
Chinese... Their strategy seems to be: We'll
just be everywhere all the time."
75. By 2013
the NSA "appeared
to have acquired a vast library of invisible backdoors into almost every major
app, social media platform, server, router, firewall, antivirus software,
iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating
system."
76. Nuclear and other companies in 2006-2014
77. Google in 2010, 2014, so they pay bug
bounties
78. "In
2008,
Russia got into a network at the Pentagon; hackers broke into the campaigns of
both Barack Obama and John McCain; the next year, North Korea compromised the
Web sites of everything from the Treasury Department to the New York Stock
Exchange. In 2010, a computer worm called Stuxnet... NSA’s sponsors—American
taxpayers—who now relied on NSA-compromised technology not only for
communication but for banking, commerce, transportation, and health care. And
nobody apparently stopped to ask whether in their zeal to poke a hole and
implant themselves in the world’s digital systems, they [NSA] were rendering
America’s critical infrastructure—hospitals, cities, transportation,
agriculture, manufacturing, oil and gas, defense; in short, everything that
undergirds our modern lives—vulnerable to foreign attacks.
79. Microsoft in 2000, 2013, and can be slow to protect customers
80. Military contractors in 2007-2010 and 2013
81. Symantec in 2012
82. State lotteries in 2005-2011 (CO, IA, KS, OK, WI; security director
sentenced in 2017)
83. Programmers'denial of reality codified in
2003.
84. Moonlight Maze 1996-1999
documents taken from US military, other government agencies, and military
contractors.
85. "In
1968,
the Pentagon’s Defense Science Board Task Force on Computer Security concluded
that “contemporary technology cannot provide a secure system in an open
environment."
E. FUTURE
HACKS (and recent advisories)
1. 2023
"China
already has a bigger hacking program than every other major nation
combined," Wray said.... Mandia told
Reuters at the conference that Chinese hackers were increasingly among the best
spies out there
2. 2022 Password
manager LastPass hacked
3. 2022 74%
of malware is used only once, so is not caught by checking for past malware
signatures
4. 2022 a top CISA goal
is "to reduce the time-to-detect and time-to-remediate
intrusions," which recognizes attackers will get inside, so remediation is
the first priority.
5. 2022 half of vulnerabilities are in code which was badly
patched. There were over 17,000 vulnerabilities reported in 10 years/
6. Thousands of websites collect keystrokes
before a user clicks Submit.
7. A 2021 MIT study found averages of a 3-4 vulnerabilities per 10,000 lines of
code (or 5-12 in cryptographic systems).
8. In 2021 an Amazon security staffer said about casual cybersecurity,
"Why would you care about cloud security?
You don't have to bust your ass because you live in a small-town market where
you know everybody and you’re never going to be out of a job. A lot of
companies that are headquartered in remote areas don't have particularly sophisticated IT teams."
9. In 2021 Bruce Schneier wrote "The
president of the United States is a singular espionage target, but so are members
of his staff and other administration officials. Members of Congress are
targets, as are governors and mayors, police officers and judges, CEOs and
directors of human rights organizations, nuclear power plant operators, and
election officials. All of these people have smartphones,
tablets, and laptops.
Many have Internet-connected cars and appliances, vacuums, bikes, and
doorbells. Every one of those devices is a potential security risk, and all of
those people are potential national security targets. But none of those people
will get their Internet-connected devices customized by the NSA."
10. In 2019, CIA chief of counterintelligence said, "Russians are a professionally proficient
adversary who have historically penetrated every American institution worth
penetrating."
11. In 2015, FBI director said, "there
are two kinds of big companies in the United States. There are those who've
been hacked
by the Chinese and those who don't know they've been hacked by the Chinese."
If Chinese can hack big companies, they can hack election offices to help some
candidates win or lose.
12. In 2011, the director of PricewaterhouseCoopers' forensic services
practice said, "you have to assume
you've been compromised" by the cyber
Mafia.
13. An NSA official told a Washington
Post reporter, "Russians,
Chinese, French, the Israelis, the Brits...
full-fledged nation-state attempt to exploit your IT. To include not just
remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff... If
some of those services want you, they’re going to get you." It turned
out the reporter had also been hacked by Turkey,
while India,
Pakistan, Saudi
Arabia, Qatar,
UAE, Iran,
Vietnam, North
and South
Korea also use expert hackers. Would any of these countries want to defeat
members of Congressional committees on armed services, foreign affairs or
trade, by hacking one or two large election offices in their districts? If
caught they'd blame and even arrest their "rogue" private citizens.
14. "Every piece of commercial software... has hundreds if not
thousands of vulnerabilities, most of them undiscovered." Over 100,000 software vulnerabilities are
publicly known (besides zero-days, which are not public). Many thousands have
been found by each big web company, such as Oracle, Google,
Microsoft, Cisco, IBM, Adobe, Qualcomm. Over a thousand companies pay bounties
for bugs. Election companies are not immune. "The potential for high-tech catastrophe is embedded in the fabric
of day-to-day life" Scanning ballots will let us recover.
15. What the FBI said about hacking emails applies widely: "we don’t have direct evidence that the
server was successfully hacked. We wouldn’t, though, expect to see that evidence
from sophisticated adversaries, given the nature
of the adversary and given the nature of the system."
16. Wired says, "the average time
between a malware infection and discovery of the attack is more than 200
days, a gap that has barely narrowed in recent years. 'We can’t operate with
the mindset that everything has to be about keeping them out,' says Rich
Barger, ThreatConnect’s chief intelligence officer. 'We have to operate knowing
that they’re going to get inside sometimes. The
question is, how do we limit their effectiveness and conduct secure business operations
knowing they’re watching?' Accomplishing that means building networks that are
designed to limit a hacker’s ability to maneuver and creating better ways to
detect anomalous behavior by allegedly authorized users.
17. Even in key industries, companies leave clickable links in incoming
emails. On average 4% of recipients open any particular phishing
message, and 22% open at least one per year. At 4%, sending a phishing message
to 30 recipients gives a 70% chance that someone will open it. Even at 1%,
sending to 120 recipients gives a 70% chance that someone will open it. There
is no reliable way to tell phishing emails from legitimate emails. When people
think an email looks suspicious, and send it for checking, 90% are
"legitimate" (p.5 Phishing 2018), which means most people
cannot tell them apart. Sending them for checking simply prevents access to the
90% which are legitimate, since checkers
rarely send them back. At a minimum, staff in key industries who click on a
test phishing email need all clickable links removed from future incoming
emails.
18. The FDA recalls insecure medical devices. No one
recalls insecure election machines.
19. Protect, Detect, Respond Recover. We must strengthen all four
steps.
