When it comes to election hacking, low tech is cheaper and better

Georgia Secretary of State Brian Kemp is often quoted as skeptical about the threat of web-based attacks on the State’s computerized voting systems. The Secretary makes many such pronouncements, but he also professes to know few details of the underlying technologies.  I suspect that Kemp’s knowledge base concerning such matters will disappear completely with the recently announced firing of Merle King and the incident-prone Center for Election Systems at Kennesaw State University. It was King who famously introduced the (incorrect) idea that Georgia’s voting machines were “air-gapped,” a measure that–even if true–would have little impact on the end-to-end security of the elections system.

When it comes to election hacking, low tech is always cheaper and, in most cases, it is much better.

I have already  previewed some of the main vulnerabilities here, here, and here, but will have a lot more to say in the next few days about high-tech vulnerabilities.  I want to use today’s post to point out that no self-respecting spy/hacker would resort to such exotic measures without first trying much less risky (and far less expensive) ways of hacking an election.

The human element is always the first choice in espionage.

Human espionage is an ancient art; in fact, it has even been called the oldest profession. Unfortunately, espionage is still alive and well in today’s post Cold War environment. If anything, it is even more rampant. Events in the news remind us of this, such as the recent arrests of two Lucent Technologies employees, and a catering employee of MasterCard International for the theft of trade secrets. Throughout history and in current times efforts to identify indicators of espionage have been made. Unfortunately these efforts have met with limited success. In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.

I will give just one of many examples that Russian election hackers are certain to know well.  The U.S. government spends hundreds of millions of dollars on encryption technology aimed at thwarting even the most well-funded adversaries. This is one of the oldest ideas in information and communications security.  It dates from the British cracking of German Enigma codes in World War II. The idea behind encryption security is that there should be a concrete price for technology that can be used to crack a code. For the British, that price was the cost of mounting the deciphering unit at Bletchley Park.

For modern hackers, the price tag is the cost of building a deciphering supercomputer. Those costs have soared over the last 25 years. In the 1980s, a $20 million supercomputer would have been sufficient to hack into all but the most highly sophisticated encrypted communications. But it is an arms race, and today only national intelligence services and a few non-state actors are able to invest upwards of $500 million annually to reliably decrypt enemy communications.

One reason for this shift in strategy is that the most damaging breaches in history have been ridiculously easy to mount, and not all that expensive. Six million dollars would have done it. That was the total price tag for turning CIA intelligence officer Aldrich Ames ($2.5M), FBI agent Robert Hanssen ($1.4M), U.S. Navy communications officer John Anthony Walker ($1M), and intelligence analyst Jonathan Pollard (a bargain at $50,000), all of whom became spies for foreign powers. Edward Snowden and Chelsea Manning get thrown in for free.

I mention this point only because, among Logan Lamb’s and Chris Grayson’s discoveries when they stumbled into the unprotected servers at Kennesaw State, were files containing election day passwords. Brian Kemp claims the files were encrypted and password protected. Lamb and Grayson say no, and the directories that I have seen myself back up the Lamb and Grayson accounts.

Either Kemp knows this and is simply lying to the public, or (more likely than not) he is ill-informed about what was going on in the Kennesaw operation.

Either way, why would a Russian attacker go through the trouble of mounting a web-based attack on voting machines when Georgia’s election officials simply handed over the election day keys to voting systems?

Why are Georgia’s election officials lying about the stolen poll books?

It’s not that hard to figure out that someone is lying.  There are the inevitable tells:

In order to convince the accuser, a liar may respond to an allegation with a truthful statement that casts him in a favorable light.

Or

Going into attack mode against the questioner

But usually it’s just too darn hard to keep your stories straight.  That’s what trips people up. That’s what’s causing Brian Kemp’s story about stolen poll books to unravel. His office first reported that the poll books were stolen from a Cobb County precinct manager’s car. Not to worry said Kemp’s office:

the stolen machine, known as an ExpressPoll unit, cannot be used to fraudulently vote in Tuesday’s election but that it does contain a copy of Georgia’s statewide voter file

Not a question that anyone was asking, but ok. It’s not a small point however that it was not a single stolen machine, but five of them.

Oh, and by the way:

the poll book that was stolen did have a flash card with a voter list on it. But, it does require some knowledge or expertise to use machine to retrieve the information.

Wherever would someone get “some knowledge?” It better be hard to do because, like a needle being passed among addicts in some back alley, that flash card is a perfect vehicle for delivering malware to voting machines. And there are now five of them out there.

Kemp was upset that it took a couple days for Cobb County officials to let him know they had screwed up, but then it was all ok because the missing machines had been found in a dumpster.  Until they weren’t: “…safe in a landfill,” was the reassuring message from election officials.

Kemp was so relieved he had a ceremony for the police officers who “recovered the stolen equipment.” Except that they actually did not recover the stolen equipment, which was safe in a landfill.  “Too expensive to dig it up…” they said.

Finally, in an attempt to put the whole thing to bed, Kemp’s Office had to reassure us:

…no voter information had been taken from the stolen voting equipment and the equipment was destroyed before being placed in a landfill.

Now how the heck did they know that?  Police never actually had the machines in their possession, so how did they know they had been destroyed? And how would you know whether voter information had been taken from the machines in any event?

There are those flash cards. Those are not mentioned at all.  Were they in the landfill too?

You see where all this is going, don’t you? Taken together, not much about this entire story makes much sense, unless you believe that Kemp and Georgia election officials are just making all this up on the spot. That’s what eventually trips up a liar.

Let’s call in someone who knows a little about tripping up liars.

30 Reasons (Part 3) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

Reasons 1-10 are here, and 11-20 can be found here.

These are reasons 21-30:

  1. Georgia election officials consistently misstate operating characteristics and functionality of the computerized election system. These misstatements are designed to convey an impression that the system has security and recovery features that, in fact, do not exist. For example, in sworn testimony before Fulton County Judge Adams, the Fulton County chief election administrator claimed under cross-examination that Accuvote TS voting machines maintain a voter verified trail because an image of the voter’s ballot is stored in memory. Unsupported claims of isolation, multi-layered protection and proper user authentication abound in statements from election officials.
  2. Election officials raise problems with alternative methods of verifying votes, where none exist. Richard Barron (Fulton County administrator), for example, claimed that paper ballot counts have 5% error rates (and are therefore at least as error-prone as any method of counting votes). There have been scientific studies of this matter. Barron is off by an order of magnitude. Proper hand counting methods have error rates up to 0.5% and even low-cost methods have error rates of only 2%.
  3. Physical security of devices and chain of custody are important to election security in Georgia, and the use of tamper-proof seals is often cited as an important link in the security chain. Not only are tamper-proof seals of the type used in Georgia readily available online, election workers often break the seals and re-seal devices without prior authorization. That type of breach, for example, might be prompted by a desire to check a machine for damage, as was observed by independent 3rd parties during the June 20 runoff.
  4. According to CES Executive Director Merle King, Georgia’s computerized voting systems use a version of Windows that dates from the early 2000s and is unpatched and unsupported by Microsoft. Unpatched operating systems are vulnerable to malware of all types and significantly increase the likelihood of successful hacks.
  5. There has never been an independent security evaluation of Georgia’s computerized election system.
  6. Georgia’s election officials have never looked to see whether their systems have been hacked. Despite claims to the contrary, no one in CES or the Secretary of State’s Office has actually checked to see whether the election system has been hacked.  This includes the immediate aftermath of the CES break-in, during which it would have been appropriate to see whether malware had been introduced or the systems had otherwise been compromised.  A representative from the US Department of Homeland Security  testified to the Senate Intelligence Committee that DHS has not conducted such an analysis either.
  7. CES Executive Director has stated publicly that CES scrounges for used and reconditioned equipment to replace its aging components.   Information about information assurance measures for these devices has not been released.  Nor does CES have any idea about whether these parts have ever been connected to the Internet.
  8. Secretary of State Brian Kemp was one of the few secretaries of state objecting to the DHS offer in 2016 to designate election systems as critical national infrastructure, which would have dramatically increased the security-related resources available to the state. In fact, Kemp used the occasion to pick a fight with DHS by accusing the agency of a “massive attack” on Georgia’s systems. That accusation was refuted thoroughly by the DHS Inspector General in an open letter.
  9. Secretary of State Brian Kemp issues dismissive statements to the press, but has yet to respond to this letter or this letter about Georgia’s system security posed by a group of distinguished computer scientists.  These questions were designed to increase the public confidence in the security of the underlying system.
  10. The premise underlying Georgia’s approach to paperless DRE voting systems was undermined in 2003, shortly after the implementation of HAVA and the chartering of the Election Assistance Commission (EAC), when the National Institute of Standards (NIST) was asked to formulate the alternatives to a voter verified paper trail. NIST in turn chartered the Auditability Working Group to conduct an exhaustive study. The 2011 report of the NIST Working Group rejected the very idea of paperless voting. The report begins with the main conclusion: [Figure: AWG Conclusions] In other words, the paperless system in use in Georgia is, by design, perfectly engineered to incorporate a fatal flaw: there is always the possibility of undetectable errors in the recording of votes. The NIST study means that the high confidence expressed by election officials in the security of Georgia’s computerized voting system has no scientific basis.

30 Reasons (Part 2) to believe that Georgia’s computerized voting system may not be as secure as election officials claim

See Part 1 for Reasons 1-10.  Here are reasons 11-20.

  1. Despite repeated assurances that voting machines are never connected to the Internet, Logan Lamb watches a video on the CES website that instructs poll workers (and demonstrates) how to insert PCMCIA memory cards into Internet connected computers to load them with ballots and other election-related information.  Poll workers are instructed to insert those cards into a port on Diebold Accuvote TS voting machines on election day.  This establishes a connection between the voting machines and the Internet that would allow their exposure to malware.
  2. Despite assurances that voting machines cannot be tampered with because they are under the secure, continual physical control of election officials at all times, numerous voters observe the following:

    unattended voting machines in hallways of public buildings. The receipt shows that the recipient has not signed for these machines and the machines are accessible to anyone.

  3. Despite repeated assurances that election security is a priority for Georgia elections, an internal Kennesaw State University audit of the Lamb-Grayson breach, concludes that there was “poor understanding” of the risk posed by CES.
  4. Missing ballots are nothing new in Georgia elections.  Reports surface every election cycle about votes that are cast on computerized voting equipment that are never recorded.  These range from anecdotes about touchscreen presses that are reversed by the time the summary screen is presented to the voter to legal challenges mounted by candidates (like this one). Georgia’s Secretary of State makes challenges based on illegal tampering even more complex because he has been on a crusade to reduce the size of voter rolls in the state.  Nevertheless, election night analysis continues to show that flipping votes on DRE type voting machines is a real risk. Tally records confirm missing ballots:
  5. It may seem like sour grapes for losing candidates to complain about election night anomalies, but Georgia seems to have more than its fair share of surprises like that. In 2002, for example, Diebold’s voting machines reported the defeat of Democratic senator Max Cleland. Early polls had given the highly popular Cleland a solid lead over his Republican opponent, Saxby Chambliss. Two days before the election, a Zogby poll gave Chambliss a one-point lead among likely voters, while the Atlanta Journal-Constitution reported that Cleland maintained a three-point advantage with the same group. Cleland lost by seven points. In the month leading up to the election, Diebold employees, led by Bob Urosevich, applied a mysterious, uncertified software patch to 5,000 voting machines that Georgia had purchased in May. Popular Governor Roy Barnes lost to Sonny Perdue by somehow blowing an 11 point lead on the eve of the election, and voter turnout anomalies like the one below led many to question the validity of the June 20 election in the 6th District.
  6. Voter rolls have become a favorite target of election hacks, so when it was reported that five electronic poll books were stolen before the April special election, it caught the eye of cyber security professionals already concerned about the integrity of Georgia elections.  The theft was not reported until the eve of the Special Election, and the stolen machines were subsequently found in a dumpster. (Note added July 9: Initial press reports were misleading.  They were not found in a dumpster. Later reporting said that the police took the word of the alleged thief  that he threw them away.  Officials did not think it was worth it to try to recover them.  Interestingly enough Secretary of State Brian Kemp threw a party for the police who did not recover the missing poll books).
  7. Since there were many opportunities for hackers to modify contact information, it is not surprising that voters were turned away from legitimate polling centers:
  8. Or directed to alternative centers because of an unusually large number of simultaneous renovations to existing centers, thus depressing voter turnout:
  9. Vague descriptions of what exactly constitutes Georgia’s computerized voting system are useful to deflect questions about what components are certified by whom.  A citizens’ request that SoS produce active, valid certifications for the entire system was denied.
  10. SoS Brian Kemp in published op-ed pieces is openly dismissive of threats to election systems.  In particular, he dismisses the threat of Russian hacking as “fake news,” making it difficult to balance threats, vulnerabilities, and security measures.  Kemp often declares Georgia’s systems to be absolutely secure, but that is not a great feat if you do not acknowledge any threats.

#protectGAvote and special thanks to Lady Liberty Votes for visual examples.

30 Reasons to believe that Georgia’s computerized voting system may not be as secure as election officials claim, Part 1

  1. An internal analysis by the vendor says the machines are vulnerable to vote changing.
  2. Data breach in the Secretary of State’s office exposes 6M+ names and personal information of Georgia voters to media outlets and political party offices.
  3. Secretary of State Karen Handel ignores recommendations for beefing up voting system
  4. The same voting machines used in Georgia are successfully and repeatedly attacked.
  5. In a realistic test, Washington DC voting system is hacked: in 48 hours all of the election results were undetectably changed.
  6. A walkthrough of The Center for Election Systems at Kennesaw State University (which programs, tests, and maintains the State’s 27,000 voting machines) shows shocking lapses of physical security.
  7. Cyber security researcher Logan Lamb stumbles into 15GB of sensitive documents that were externally accessible, already indexed by Google. Files included election day passwords, GEMS databases, training videos, and executable files. CES managers warn Lamb to avoid talking to the media or risk being “crushed by powerful people downtown.”
  8. CES promises to fix the problem, but 6 months later cyber security researcher Chris Grayson finds that the files are still exposed to the Internet.
  9. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unlocked data closet at CES with a public access port to the Internet.
  10. Despite assurances that CES is not connected to the public Internet, an internal Kennesaw State audit of the Lamb-Grayson breach finds an unauthorized wireless access point on premises, providing a channel from internal CES systems to the public Internet.

Secretary of State Brian Kemp takes his case public for maintaining Georgia’s reputation for the country’s most insecure voting system.

Georgia Secretary of State Brian Kemp responded this morning to a USA Today editorial that points out an inconvenient fact:

in Georgia, where researchers discovered a gaping hole in election security last fall, it’s unclear what has been done to plug it. Georgia Secretary of State Brian Kemp has argued vehemently against replacing the state’s voting machines, which are susceptible to sabotage because they lack a paper record of votes.

Kemp could have defended himself by behaving like a responsible public servant and: (1) acknowledging the threat, (2) promising to marshal the considerable resources at his disposal to meet the threat, and (3) forming a national strength-in-numbers coalition of election officials to adopt the common-sense reforms that are the consensus recommendation of voting technology experts.  He did not do that.

Instead, Kemp laid out his case for placing his personal political ambitions above his duty to protect Georgia voters:

As reporters chase stories to feed the 24-hour news cycle, they dilute facts and develop false narratives about Russian hacking and potential vulnerabilities in the system. The prevailing plot line is that states like Georgia can’t provide suitable security for elections.

At last month’s Senate Intelligence Committee hearing, national security officials testified that there is no doubt about Russian hacking. Committee members, who have been briefed on the threats and vulnerabilities, showed rare bipartisan agreement. They also said that DHS has not conducted classified briefings for state election officials, so Brian Kemp actually has no way to know whether the “narratives” are false.

This sounds like me.  When I was Mayor of Amity, Chief Brody tried to get me to close the beaches because of a great white shark that was snacking on 4th of July tourists.  I was more concerned about the political implications than protecting people.  I’ve apologized for my irresponsible behavior.  My hope is that Brian Kemp follows suit, but I don’t think that’s very likely.

The next best outcome is for Kemp’s Republican gubernatorial opponent, Lt. Gov. Casey Cagle, to use this shocking editorial to argue that Kemp should never again be allowed to represent the public interest.

In the meantime, Georgians are left to wonder whether the results of recent elections can be trusted.

#protectGAvote

You don’t know if an election is hacked unless you take steps to find out.

It was overlooked by the news networks, but there was a significant step forward in advancing public understanding of how to secure voting systems in yesterday’s Senate Intelligence Committee hearing. California Senator Kamala Harris opened her questioning with an old cyber security riddle:

Q: How is not being hacked like being hacked?

A: Either way you don’t know.

This has been at the root of public misperceptions of election system security: since you can’t point to a successful vote-changing hack, we must therefore be secure. In fact, most of the Senate committee seemed hell-bent on propagating this idea by coaxing

No Senator, I don’t know if votes were actually changed in the November election

from witnesses who in fact have never tried to find out.

Alex Halderman tackled both sides of this fallacy with his opening statement. First, he pointed to a supervised hack of a Washington DC election that, over 48 hours, changed every vote.

Even more importantly, he recommended risk-limiting post-election audits as a mandatory, cost-effective and mathematically sound method of verifying election results:

 Specifically, if the reported outcome (usually the set of winner(s)) is incorrect, then a risk-limiting audit has a large, pre-specified minimum chance of leading to a full hand count that reveals the correct outcome. A risk-limiting audit can stop as soon as it finds strong evidence that the reported outcome was correct. (Closer elections generally entail checking more ballots.)

An important bottom line from yesterday’s hearing was an answer to the question whether you can ever know that an election was hacked.  You can, if you look.
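
The stopping rule in the quoted description, sketched as an added example (not code from the testimony or from this blog). It uses a BRAVO-style ballot-polling test, one of several risk-limiting methods, and assumes a two-candidate contest, a 5% risk limit, and paper ballots drawn at random with replacement; all function names and the simulated ballots are constructed for illustration.

```python
import math
import random


def bravo_audit(ballots, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test for a two-candidate contest.

    ballots: hand-read paper ballots in random draw order,
             "W" = reported winner, "L" = reported loser.
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")
    # Likelihood ratio of "reported share is right" vs. "contest is a tie",
    # tracked in logs so long samples cannot overflow or underflow.
    log_threshold = math.log(1.0 / risk_limit)
    step = {"W": math.log(2.0 * reported_winner_share),
            "L": math.log(2.0 * (1.0 - reported_winner_share))}
    log_ratio, examined = 0.0, 0
    for mark in ballots:
        log_ratio += step[mark]  # KeyError on anything other than "W"/"L"
        examined += 1
        if log_ratio >= log_threshold:
            return "outcome confirmed", examined  # strong evidence: stop early
    return "full hand count", examined  # sample exhausted without evidence


def expected_ballots(reported_winner_share, risk_limit=0.05):
    """Wald approximation of the average sample size when the report is right."""
    p = reported_winner_share
    drift = p * math.log(2.0 * p) + (1.0 - p) * math.log(2.0 * (1.0 - p))
    return math.log(1.0 / risk_limit) / drift


def confirmation_rate(true_share, reported_share, trials=400,
                      max_ballots=1000, risk_limit=0.05, seed=2017):
    """Fraction of simulated audits that stop early and confirm the report."""
    rng = random.Random(seed)
    confirmed = 0
    for _trial in range(trials):
        draw = ("W" if rng.random() < true_share else "L"
                for _ballot in range(max_ballots))
        decision, _count = bravo_audit(draw, reported_share, risk_limit)
        confirmed += decision == "outcome confirmed"
    return confirmed / trials


if __name__ == "__main__":
    # Closer reported margins need more ballots before the audit can stop.
    for share in (0.60, 0.55, 0.52):
        print(f"reported {share:.0%}: ~{expected_ballots(share):.0f} ballots")
    # Correct report: audits almost always stop early and confirm.
    print("correct 60/40 report confirmed:", confirmation_rate(0.60, 0.60))
    # Wrong report (true tie, reported 55/45): early confirmation is rare,
    # so nearly every audit escalates to the full hand count.
    print("tie reported as 55/45 confirmed:", confirmation_rate(0.50, 0.55))
```

The audit only works on a voter-verified paper record; it reads the paper, not the machine tally, which is why it cannot be applied to paperless DRE results.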

#protectGAvote