Tag Archives: compromised

Vendor admits election systems included remote software

Election system security was compromised by the installation of remote access software on systems over the span of six years, a vendor admitted in a letter to a senator.

Election Systems & Software (ES&S), a voting machine manufacturer based in Omaha, Neb., admitted it installed the flawed PCAnywhere remote access software on its election management system (EMS) workstations for a “small number of customers between 2000 and 2006,” according to a letter sent to Sen. Ron Wyden (D-Ore.) that was obtained by Motherboard.

The PCAnywhere source code was stolen from Symantec servers in 2006, leaving the software vulnerable, and further issues in 2012 caused Symantec to suggest users uninstall the program before officially putting PCAnywere to its end of life in 2014.

ES&S had previously denied knowledge of the use of remote access software on its election management systems, but told Wyden about the vulnerable software that could have put voting machine security at risk. ES&S wrote that it stopped installing the PCAnywhere software in December 2007 due to new policies enacted by the Election Assistance Commission regarding voting machine security.

Gene Shablygin, CEO and founder of WWPass, an identity and access management company based in Manchester, N.H., said the actions by ES&S were “pretty consistent with the overall state of computer security” for the time.

“Today, these technologies and general approaches are totally unacceptable, and must be completely reworked. The last decade especially, was the period of explosive growth of hacking technologies, and the defensive side of many systems was left in the dust. So, most of the systems that are still in use — and voting systems are no exception — have multiple vulnerabilities, some of which are zero-day, or not yet discovered,” Shablygin wrote via email. “You can’t stop progress, and sooner or later, remote voting will become a matter of everyday life.”

Lane Thames, senior security researcher at Tripwire, agreed that the failures of ES&S with election system security shouldn’t be surprising, “especially during the 2000 to 2007 timeframe when cybersecurity was hardly ever on the roadmap for companies producing computing systems.”

“Another concerning point is the underlying arguments that imply the devices built from 2000 to 2007 are still in use. As with many critical infrastructure systems, costs can prohibit frequent hardware refresh cycles,” Thames wrote via email. “As such, many voting machines are likely to contain older operating systems and other software with many vulnerabilities due to these systems not being able to be updated with operating system patches and such. This is a challenging problem we face with all of our critical infrastructure, with very few good solutions at this time.”

ES&S did not respond to requests for comment and it is unclear if the affected election systems were ever fixed or if they are still in use.

Fixing voting machine security

Voting machine security was already proved to be in a troubling state after hackers at Defcon 2016 were able to crack all systems tested within just a few days.

Every system charged with securing our government’s processes … should be open to large security audits.
Jonathan SanderCTO, Stealthbits Technologies

Sean Newman, director of product management at Corero Network Security, said the news about PCAnywhere will make “little difference” in the likelihood of finding other election system security issues.

“They run software and, if they have any kind of internet connectivity, even for managing the voting system/process itself, then there’s a reasonable chance that vulnerabilities exist, which could provide unauthorized users with the ability to have an impact on the normal operation of the system,” Newman wrote via email. “The focus should be for vendors, like ES&S, to ensure they use secure coding practices to develop the software for such systems and avoid any need to expose such systems to the public Internet.”

Jonathan Sander, CTO at Stealthbits Technologies, noted that government “pressures to do everything cheaply and with world class, state actor proof security are in tension” when it comes to election system security and outside audits are needed.

“Every system charged with securing our government’s processes — a.k.a. protecting our collective benefit — should be open to large security audits. To sell anything to the federal government you need to go through tons of certifications. But that’s not enough,” Sander wrote via email. “Bug bounties to get the hacker community to find vulnerabilities, open review at a source level for all solutions to be used in government, and mandatory standards for any remote access features should be table stakes for putting in systems like this.”

Thames notes that a major issue is that “although the U.S. electoral infrastructure is part of the nation’s critical infrastructure, it is still largely up to local and state agencies to ultimately enforce security of the systems.”

“Herein lies another challenging problem. Local and state agencies likely have little to no expertise or budget for securing their voting systems. Every time I go to the voting polls, I see mostly volunteers with a few dedicated staff. Most volunteers at the polls will not have experience with cyber and/or physical security issues related to voting machines,” Thames wrote. “Moreover, the nation already has a significant deficit for staffing our cyber security departments, in both government and industry. Funding will likely need to be increased, somehow, for local and state government agencies in order to provide adequate security for our voting systems.”

Equifax breach response deemed insufficient in multiple ways

The Equifax data breach compromised the personal data, including Social Security numbers, of 148 million Americans, but experts are critical of how the company responded to the incident.

The Equifax breach was detected on July 29 but was not disclosed until Sept. 7. After the disclosure, Equifax came under fire after reports surfaced that executives had sold stock in the company prior to the breach disclosure, and because language in the terms of service stipulating that victims who take advantage of the TrustedID credit and identity monitoring service could not sue if that service were to fail.

Despite these issues, the CEO of Equifax, Richard Smith did not comment on the situation  — beyond a brief video posted with the initial announcement — until Sept. 12. Smith claimed the Equifax breach disclosure took six weeks from the time of detection in order to give time for the investigation and because the company “thought the intrusion was limited.”

“As of Tuesday [Sept. 12], more than 15 million people have visited the website and 11.5 million are enrolling in credit file monitoring and identity theft protection,” Smith wrote in a public statement published by USA Today. “We took the unprecedented step of offering credit file monitoring and identity theft protection to every U.S. consumer. Every consumer, whether affected or not, has the option of signing up for the services.”

Protection and monitoring

The identity protection service offered by Equifax was limited to one year of protection, which has been standard in incidents similar to the Equifax breach, but experts said was not sufficient.

Peter Tran, general manager and senior director at RSA, said, turning off the protections to those affected by the Equifax breach after one year “would be like turning off a pilot’s instruments mid-flight.”

“From a cyber defense perspective, pervasive visibility and continuous monitoring is imperative for both known cyber threats and suspicious digital movements and for any breach of this magnitude due care should extend to the affected consumers and/or end users,” Tran told SearchSecurity via email. “The bottom line is no one knows at this point the extent and duration [of] this incident’s exposure and risk.”

Equifax’s security was lax and allowed a huge breach, but one of their responses to the breach can now exacerbate and enlarge the harm impact of the breach.
Rebecca HeroldCEO, Privacy Professor

Ferruh Mavituna, CEO of Netsparker, said a Social Security number (SSN) “is for life and it is very difficult to have it changed.”

“The majority of people do not change their SSN, even in the case of an identity theft. They do not want to deal with the paperwork, bureaucracy, the police, etc.

So one year of ID monitoring is not enough to protect the victims in the long run,” Mavituna told SearchSecurity. “The SSNs will still have the same value one year down the line, so the attackers just have to wait until the numbers are no longer being monitored and the victim stops keeping a close eye on the number to use them.”

A number of experts noted that Equifax stands to profit off of the identity and credit monitoring services if enough victims continue to use the product after the free year has passed.

Eduard Goodman, global privacy officer of CyberScout, said with just one year of service, “Equifax is offering to monitor their own files on all of us, which is essentially free to them, then go on to make a profit on offering credit and fraud monitoring in the subsequent years.”

“The personal data exposed in the Equifax breach are truly the keys to the kingdom for identity theft,” Goodman told SearchSecurity. “Those records for millions of Americans will end up on the dark web, for sale to cyber criminals who can use your name, birth date and SSN to perpetrate a variety of scams. Often, the consumer is on their own, trying to repair the harm to their finances.”

Equifax breach ramifications

Rebecca Herold, CEO of Privacy Professor, said the impact of the Equifax breach “goes so far beyond just the SSNs.”

“The PINs of every one of the frozen personal records that Equifax has, whether or not they were included within the gargantuan breach, can now be determined by every person on the planet. Their format for creating PINs are so obvious; basically just the date you put a freeze on your account,” Herold told SearchSecurity. “Think about it; most folks putting a freeze on their account will do so soon after the breach was announced, making it not too hard for cybercrooks to just call up and remove the freeze. So Equifax’s security was lax and allowed a huge breach, but one of their responses to the breach can now exacerbate and enlarge the harm impact of the breach.”

Goodman said the Equifax breach should highlight the need to seriously rethink SSNs in terms of “verification and identity management in the 21st century.”

“The SSN has served us beyond what it was meant for and as a country. There are solutions that can be put into play. These include utilizing advanced biometrics, voice recognition, even typing pattern recognition. It will also involve the utilization of some combination of advanced encryption and blockchain technology,” Goodman said. “My concern is that the government will lean on a stale concept such as a national ID card or citizen ID number, both of which offer the same pitfalls as a SSN.”

Tran said identity management and authentication “should never be tied to a single point of failure and relying on data points alone such as birth dates, social security, driver’s license numbers and the like have posed challenges for many years.”

“This breach was the final knock-out punch to show a move to electronic identification (e-ID) multifactor identity and authentication technology, life cycle and governance platforms is long past due,” Tran said. “It’s likely going to spark aggressive legislative discussion on whether a new national e-ID program will be implemented to include the use of a unified smart card CHIP/PIN, RFID and/or biometric identification standard to reduce the current and future data exposure risks.”

Herold noted there are security and privacy risks in such e-ID programs as well as major logistical issues in moving away from SSNs.

“Some want to move to biometrics, but that will include not only technology challenges, but also significant privacy issues. A big challenge is that so many organizations, of all types and sizes, now use SSNs, and have used them for many decades. It would probably be a bigger challenge than moving the U.S. from [imperial measurements] to the associated metric units. Our ideas for how to do identification need to dramatically change from what we’ve been considering. We are stuck in an identity innovation rut and need to have a dramatically new idea, that is comparatively easy to switch to. Such inspiration has not yet been described, though.”