Vulnerable to Hackers and Errors
The wide examples here show that hacks and software
errors can be reduced but not prevented. The widespread The only protection is
to detect errors and recover, which
means independently checking the counts. Reputable software has hundreds
of bugs, and annual updates have bugs. Chinese,
Russians,
other countries,
and organized
crime have infiltrated everywhere worth infiltrating. The SolarWinds
hack is one of many similar (as yet undiscovered) infestations
which affect all organizations. Policy
makers need a broader, longer term view than software designers.
Contents
of This Page
B. Election Hacking, With Unknown Results
D. Future Hacks
A.
ELECTION MACHINE ERRORS
B.
ELECTION HACKING, WITH UNKNOWN RESULTS
1.
On 11/4/2020, before any state had audited election
results, the federal government assured
voters that "Robust safeguards including canvassing and auditing
procedures help ensure the accuracy of official election results." And
11/12/2020 they said "The November 3rd election was the most
secure in American history" still before audits were done. These were the same federal officials who had not noticed their own
systems had been infiltrated by Russian hackers for 8
months. Yet they were sure all 15,000 election jurisdictions were secure.
2.
As of 2019, researchers have found security
flaws in all election computers, which let voters, staff members or
outsiders disrupt or change results, often without detection.
3.
Through 2019, Russia has spent billions of
dollars on a decade of work to create broad-based
new ways to attack election computers (zero days), using independent teams
so they don't reveal each other's methods.
4.
In July 2018 the FBI told Maryland officials that a local web
hosting company they used for voter registration, candidacy, online ballot
delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian
oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an
American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward"
to tell the public (quote is at 6:54 in video). FBI also told state officials
in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).
5.
In March 2018 the security site CSO found on
the dark web over 100 emails of workers at one of the
largest companies making and programming election machines, ES&S, and
smaller numbers at smaller voting machine companies. They also found passwords
for the accounts, though the companies said these passwords did not meet their
current standards, so would have been changed. Nevertheless with valid emails,
attackers can spray password variations until they log in on at
least one of the accounts and install malware. Hackers share tips on the dark web.
6.
From August 2017 to March 2018 Georgia's
election software was on the public web without passwords or encryption (pages 140-143, 153-163 of court filing, news).
7.
In August 2017 the biggest manufacturer of
voting machines, Election Systems &
Software, created a public file on Amazon Web Services with "encrypted
versions of passwords for ES&S employee accounts. The
encryption was strong enough to keep out a casual hacker but by no means
impenetrable...The worse-case scenario is that they could be completely
infiltrated right now".
8.
In May 2019 the FBI told Florida officials 2
counties' voter registration systems had been penetrated by Russia in 2016. The
FBI could not say if the Russians changed the files,
and only revealed anything because the Mueller Report did. The counties were Washington and one other.
9.
In 2016, "We can assume that the majority
of states were probably a target... I want to make clear today on the record,
it's likely that all 50 states were likely affected... Every organization is
scanned a lot, sometimes thousands of times a day. What we were trying to
differentiate between: we saw very concerning activity from known suspicious
servers in this case... They were targeting to look for vulnerabilities...
Probably tried all the states. These are the states we could see they were
trying. That's right." ~US Department of Homeland Security Senate
hearing at 41 minutes.
10.
They attacked "in alphabetical order by
state name... voter registration and election results sites... to identify and
exploit SQL database vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no
information on how many of those attempts were successful, aside from two
instances"
11.
August 24, 2016, hackers sent phishing emails
to seven workers at VR Systems,
which provides voter registration systems and election-night reporting.
"At least one of the employee accounts was likely compromised."
Then on October 27 they used VR Systems credentials to send phishing emails to
122 local election officials. If they opened it, it installed malware which
opened a persistent back door into the computer. At least 10
computers were harmed (¶77b). The government has not said and may
not know what the hackers did with their back door. Mueller's indictment July
13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more
than one election company (¶69). 2 years after the election, the
press revealed that VR Systems had a common practice of remotely accessing county election systems, to
troubleshoot them, up to the day before the election.
12.
Also in 2016 hackers sent emails pretending to
be from another election vendor,
offering "election-related products and services." The same hackers
sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider."
NSA does not know what they accomplished with any of
these attacks.
13.
In 2016 Georgia, Indiana and Idaho said the US Dept. of Homeland
Security tried to bypass firewalls in election systems without permission. Kentucky and West Virginia said DHS probes of
their systems were not malicious.
14.
Ukraine's 2014 election results were hacked, but
officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and
officials hand-compiled the counts, as noted at right.
15.
A 2007 study for the Ohio Secretary of State
reported on election software from ES&S, Premier and Hart. Besides specific
problems it found, it noted that all "election systems rely heavily on third
party software that implement interfaces to the operating systems, local
databases, and devices such as optical scanners... the construction and
features of this software is unknown, and may contain undisclosed
vulnerabilities such trojan horses or other malware."
C. BEST-DEFENDED
INDUSTRIES
This list shows that companies' computers will never be
bug-proof or hack-proof, since problems happen at even the best-defended
industries. Hacks and bugs can be reduced but not prevented. The only
protection is to detect errors and recover,
which means independently checking election tallies.
1. 2021 US military generally
omits cybersecurity from contracts for weapons systems.
2. 2008-2021 spying
chips have been placed on computers made in China for SuperMicro
and Lenovo, and sold in the US. The US did not reveal the issue and kept buying
the companies' equipment. An earlier story had identified chips in 2015-2018. Amazon, Apple, and almost 30 other companies were
then known to be affected, giving backdoor access to the Chinese. Reviewers say
backdoors can be hidden better inside chips which are supposed to be there.
3. In Jan-March 2021
30,000-250,000
email systems were hacked by a previously unnoticed Chinese team, with software
which also leaves a backdoor in the organization's computers. The hack started
by Jan 3, was reported to Microsoft Jan 5, became widely used in late February,
and a patch
was issued March 2, though thousands more systems per hour were still being
hacked by at least 5
groups on March 3. The vulnerabilities in the software had been present
since at least 2010. A different Microsoft email hack was in Jan-March 2019.
All computer systems are now targeted
by nation-states, though cloud systems may get patched faster.
4. In 2020,
the US government and worldwide companies were infiltrated broadly by a hacked
update of Orion computer management software from SolarWinds company. The
company used password solarwinds123 from 2017-2019. As an update, it was
installed in air-gapped
systems as well as internet-connected ones (partial list of victims).
At the same time a separate
Chinese hack also infiltrated Orion's code and its customers. It's the tip
of an iceberg: "Chinese, others, they've all built huge capabilities,
they're well-resourced, well-staffed, [and] focused on doing exactly this. This
is not a one-off, this is not something unusual... I guarantee you that there
are other operations similar in size and scope, if not larger, that haven't
been discovered." Federal systems watched for known
problems, not for connections to previously
unknown servers. Sure enough, the Chinese
had been hacking through SolarWinds at the same time.
5. The depth of CIA infiltration of
China has led to China
espionage teams in 2010-2021 becoming much more professional and wanting
the same depth of infiltration in the US.
6. US energy companies in 2018-2020
and "a wide range of US-based organizations, state and federal government
agencies, and educational institutions," hacked by Russia.
7. Domain registrars for entire
countries in 2018-19, letting hackers spy on and change emails
and web results throughout the country. The registrars succumbed to phishing.
8. Phone calls for several years up to 2019
9.
Homeland Security
in 2019, through a contractor
10.
Attacks rising in 2018
11.
Encryption hacked by NSA and Germany 1960s-2018, first seen in 1995
12.
2018
Defense Department kept buying and using Lexmark printers and Hikvision
security cameras despite knowing China can conduct surveillance through them.
13.
Chinese hacked most of the biggest providers
of cloud computing in 2010-2017, including IBM, 224 systems at Hewlett
Packard Enterprise, Computer Sciences Corp, Fujitsu, Tata Consultancy, NTT
Data, and many other firms through them, including the US Navy's biggest
shipbuilder (incl. nuclear submarines), Sabre reservations for thousands of
hotels and hundreds of airlines (so they could surveil all traveling
executives), Ericsson telecoms, biotech firm Syngenta, which was then bought by
Chinese. Hacks continued to succeed even after they were noticed and defenses
mounted. They gathered hundreds of login credentials. Many hacked companies
were not told, and if told they denied they lost anything.
14.
Electric grid air-gapped computers hacked in 2014, 2016-2018 (and US in 2012-2019 Russian and Iranian grids)
15.
In
2017, using NSA software, "hackers from North
Korea were using some of those picklocks to break into the computer systems
of, among other places, British hospitals, German railways, Russian banks, a
French automaker, Indian airlines, Chinese universities, the Japanese police,
FedEx, and electrical-utility companies all over the United States...
WannaCry."
16.
CIA air-gapped computers in 2017
17.
"Deloitte
in 2017
18.
NSA air-gapped computers in 2016, followup in 2017
19.
CIA in 2011-15 had "A major concern...
that the Russians were collecting information from a breach of computers not connected to the Internet... The CIA had
already figured out how to perform similar operations themselves."
20.
FBI in 2011-2016 radio encryption decrypted by Russia
21.
DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018,
GAO staff "were able to take control of [DOD weapons] systems
relatively easily and operate largely undetected." Alarms went off so
often the operators ignored them.
22.
Securities and Exchange Commission in 2016
23.
OPM security clearances in 2015 (details)
24.
Mozilla in 2015
25.
General Electric/Safran aircraft engine designs
hacked by China 2010-2015
26.
Boeing (jet fighters) in 2008-2014
27.
1,000 oil and gas companies in 84 countries, 2012-2014
28.
By 2013
the NSA "appeared
to have acquired a vast library of invisible backdoors into almost every major
app, social media platform, server, router, firewall, antivirus software,
iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating
system."
29.
Nuclear and other companies in 2006-2014
30.
Google in 2010, 2014, so they pay bug
bounties
31.
"In 2008,
Russia got into a network at the Pentagon; hackers broke into the campaigns of
both Barack Obama and John McCain; the next year, North Korea compromised the
Web sites of everything from the Treasury Department to the New York Stock
Exchange. In 2010, a computer worm called Stuxnet... NSA’s sponsors—American
taxpayers—who now relied on NSA-compromised technology not only for
communication but for banking, commerce, transportation, and health care. And
nobody apparently stopped to ask whether in their zeal to poke a hole and
implant themselves in the world’s digital systems, they [NSA] were rendering
America’s critical infrastructure—hospitals, cities, transportation,
agriculture, manufacturing, oil and gas, defense; in short, everything that
undergirds our modern lives—vulnerable to foreign attacks.
32.
Microsoft in 2000, 2013, and can be slow to protect customers
33.
Military contractors in 2007-2010 and 2013
34.
Symantec in 2012
35.
State lotteries in 2005-2011 (CO, IA, KS, OK, WI; security director
sentenced in 2017)
36.
Programmers'denial of reality codified in
2003.
37.
Moonlight Maze 1996-1999
documents taken from US military, other government agencies, and military
contractors.
38.
"In 1968,
the Pentagon’s Defense Science Board Task Force on Computer Security concluded
that “contemporary technology cannot provide a secure system in an open
environment."
D. FUTURE
HACKS
4.
In 2021 Bruce Schneier
wrote "The president of the United States is a singular espionage
target, but so are members of his staff and other administration officials.
Members of Congress are targets, as are governors and mayors, police officers
and judges, CEOs and directors of human rights organizations, nuclear power
plant operators, and election officials. All of these people have smartphones, tablets, and laptops.
Many have Internet-connected cars and appliances, vacuums, bikes, and doorbells.
Every one of those devices is a potential security risk, and all of those
people are potential national security targets. But none of those people will
get their Internet-connected devices customized by the NSA."