VoteWell.net

 

Vulnerable to Hackers and Errors

The wide examples here show that hacks and software errors can be reduced but not prevented. The widespread The only protection is to detect errors and recover, which means independently checking the counts. Reputable software has hundreds of bugs, and annual updates have bugs. Chinese, Russians, other countries, and organized crime have infiltrated everywhere worth infiltrating. The SolarWinds hack is one of many similar (as yet undiscovered) infestations which affect all organizations. Policy makers need a broader, longer term view than software designers.

 

Contents of This Page

A. Election Machine Errors

B. Election Hacking, With Unknown Results

C. Best-Defended Industries

D. Future Hacks

A. ELECTION MACHINE ERRORS

  1. In a 2019 election in Northampton county, Pennsylvania, the software under-counted one candidate by 99%, reporting 164 votes, compared to 26,142 found in a subsequent hand-count, which changed the candidate's loss to a win.
  2. In a 2019 election in Israel, software errors created erroneous results.
  3. In South Carolina every election from 2010-2018 had some memory cards fail. In 2010 and 2018, programming errors meant at least 420 votes were erroneously added to a different contest in the central tally. There were also votes lost by garbled transmissions, which the state election commission saw but did not report as an issue. 49 machines reported that their three internal memory counts disagreed, an average of 240 errors per machine, but the machines stayed in use, and the state evaluation did not report the issue, and there were other error codes and time stamp errors.
  4. In a 2017 York County, Pennsylvania, election, a programming error let voters vote twice for the same candidate. This happened 2,904 times.
  5. In a 2016 Maryland election, a comparison of two scanning systems on the same ballots revealed that (a) 1,972 ballot images were incorrectly left out of one system, (b) one system incorrectly ignored many votes for write-in candidates, (c) shadows from paper folds were sometimes interpreted as names written in on the ballot, (d) the scanner sometimes pulled two ballots at once, scanning only the top one, (e) the ballot printers sometimes left off certain candidates, (f) voters often put a check or X instead of filling in an oval, which software has to adapt to, and (g) a scratch or dirt on a scanner sensor put a black line on many ballot images, causing the appearance of voting for more than the allowed number of candidates, so those votes were incorrectly ignored.
  6. In a 2011 Fairfield Township, New Jersey, election a programming error gave two candidates low counts. They collected more affidavits by voters who voted for them than the computer tally gave them, so a judge ordered a new election which they won.
  7. In a 2004 Yakima, Washington, election 24 voters' choices on 4 races were ignored by a faulty scanner which created a white streak down the ballot.
  8. In a 2000 Bernalillo County (Albuquerque area), New Mexico, election, a programming error meant that straight-party votes on paper ballots were not counted for the individual candidates. The number of ballots was thus much larger than the number of votes in each contest. The software was fixed, and the ballots were re-scanned to get correct counts.

 

B. ELECTION HACKING, WITH UNKNOWN RESULTS

1.     On 11/4/2020, before any state had audited election results, the federal government assured voters that "Robust safeguards including canvassing and auditing procedures help ensure the accuracy of official election results." And 11/12/2020 they said "The November 3rd election was the most secure in American history" still before audits were done. These were the same federal officials who had not noticed their own systems had been infiltrated by Russian hackers for 8 months. Yet they were sure all 15,000 election jurisdictions were secure.

2.     As of 2019, researchers have found security flaws in all election computers, which let voters, staff members or outsiders disrupt or change results, often without detection.

3.     Through 2019, Russia has spent billions of dollars on a decade of work to create broad-based new ways to attack election computers (zero days), using independent teams so they don't reveal each other's methods.

4.     In July 2018 the FBI told Maryland officials that a local web hosting company they used for voter registration, candidacy, online ballot delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward" to tell the public (quote is at 6:54 in video). FBI also told state officials in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).

5.     In March 2018 the security site CSO found on the dark web over 100 emails of workers at one of the largest companies making and programming election machines, ES&S, and smaller numbers at smaller voting machine companies. They also found passwords for the accounts, though the companies said these passwords did not meet their current standards, so would have been changed. Nevertheless with valid emails, attackers can spray password variations until they log in on at least one of the accounts and install malware. Hackers share tips on the dark web.

6.     From August 2017 to March 2018 Georgia's election software was on the public web without passwords or encryption (pages 140-143, 153-163 of court filing, news).

7.     In August 2017 the biggest manufacturer of voting machines, Election Systems & Software, created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable...The worse-case scenario is that they could be completely infiltrated right now".

8.     In May 2019 the FBI told Florida officials 2 counties' voter registration systems had been penetrated by Russia in 2016. The FBI could not say if the Russians changed the files, and only revealed anything because the Mueller Report did. The counties were Washington and one other.

9.     In 2016, "We can assume that the majority of states were probably a target... I want to make clear today on the record, it's likely that all 50 states were likely affected... Every organization is scanned a lot, sometimes thousands of times a day. What we were trying to differentiate between: we saw very concerning activity from known suspicious servers in this case... They were targeting to look for vulnerabilities... Probably tried all the states. These are the states we could see they were trying. That's right." ~US Department of Homeland Security Senate hearing at 41 minutes.

10.  They attacked "in alphabetical order by state name... voter registration and election results sites... to identify and exploit SQL database vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no information on how many of those attempts were successful, aside from two instances"

11.  August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter registration systems and election-night reporting. "At least one of the employee accounts was likely compromised." Then on October 27 they used VR Systems credentials to send phishing emails to 122 local election officials. If they opened it, it installed malware which opened a persistent back door into the computer. At least 10 computers were harmed (¶77b). The government has not said and may not know what the hackers did with their back door. Mueller's indictment July 13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more than one election company (¶69). 2 years after the election, the press revealed that VR Systems had a common practice of remotely accessing county election systems, to troubleshoot them, up to the day before the election.

12.  Also in 2016 hackers sent emails pretending to be from another election vendor, offering "election-related products and services." The same hackers sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider." NSA does not know what they accomplished with any of these attacks.

13.  In 2016 Georgia, Indiana and Idaho said the US Dept. of Homeland Security tried to bypass firewalls in election systems without permission. Kentucky and West Virginia said DHS probes of their systems were not malicious.

14.  Ukraine's 2014 election results were hacked, but officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and officials hand-compiled the counts, as noted at right.

15.  A 2007 study for the Ohio Secretary of State reported on election software from ES&S, Premier and Hart. Besides specific problems it found, it noted that all "election systems rely heavily on third party software that implement interfaces to the operating systems, local databases, and devices such as optical scanners... the construction and features of this software is unknown, and may contain undisclosed vulnerabilities such trojan horses or other malware."

 

C. BEST-DEFENDED INDUSTRIES

This list shows that companies' computers will never be bug-proof or hack-proof, since problems happen at even the best-defended industries. Hacks and bugs can be reduced but not prevented. The only protection is to detect errors and recover, which means independently checking election tallies.

1.     2021 US military generally omits cybersecurity from contracts for weapons systems.

2.     2008-2021 spying chips have been placed on computers made in China for SuperMicro and Lenovo, and sold in the US. The US did not reveal the issue and kept buying the companies' equipment. An earlier story had identified chips in 2015-2018. Amazon, Apple, and almost 30 other companies were then known to be affected, giving backdoor access to the Chinese. Reviewers say backdoors can be hidden better inside chips which are supposed to be there.

3.     In Jan-March 2021 30,000-250,000 email systems were hacked by a previously unnoticed Chinese team, with software which also leaves a backdoor in the organization's computers. The hack started by Jan 3, was reported to Microsoft Jan 5, became widely used in late February, and a patch was issued March 2, though thousands more systems per hour were still being hacked by at least 5 groups on March 3. The vulnerabilities in the software had been present since at least 2010. A different Microsoft email hack was in Jan-March 2019. All computer systems are now targeted by nation-states, though cloud systems may get patched faster.

4.     In 2020, the US government and worldwide companies were infiltrated broadly by a hacked update of Orion computer management software from SolarWinds company. The company used password solarwinds123 from 2017-2019. As an update, it was installed in air-gapped systems as well as internet-connected ones (partial list of victims). At the same time a separate Chinese hack also infiltrated Orion's code and its customers. It's the tip of an iceberg: "Chinese, others, they've all built huge capabilities, they're well-resourced, well-staffed, [and] focused on doing exactly this. This is not a one-off, this is not something unusual... I guarantee you that there are other operations similar in size and scope, if not larger, that haven't been discovered." Federal systems watched for known problems, not for connections to previously unknown servers. Sure enough, the Chinese had been hacking through SolarWinds at the same time.

5.     The depth of CIA infiltration of China has led to China espionage teams in 2010-2021 becoming much more professional and wanting the same depth of infiltration in the US.

6.     US energy companies in 2018-2020 and "a wide range of US-based organizations, state and federal government agencies, and educational institutions," hacked by Russia.

7.     Domain registrars for entire countries in 2018-19, letting hackers spy on and change emails and web results throughout the country. The registrars succumbed to phishing.

8.     Phone calls for several years up to 2019

9.     Homeland Security in 2019, through a contractor

10.  Attacks rising in 2018

11.  Encryption hacked by NSA and Germany 1960s-2018, first seen in 1995

12.  2018 Defense Department kept buying and using Lexmark printers and Hikvision security cameras despite knowing China can conduct surveillance through them.

13.  Chinese hacked most of the biggest providers of cloud computing in 2010-2017, including IBM, 224 systems at Hewlett Packard Enterprise, Computer Sciences Corp, Fujitsu, Tata Consultancy, NTT Data, and many other firms through them, including the US Navy's biggest shipbuilder (incl. nuclear submarines), Sabre reservations for thousands of hotels and hundreds of airlines (so they could surveil all traveling executives), Ericsson telecoms, biotech firm Syngenta, which was then bought by Chinese. Hacks continued to succeed even after they were noticed and defenses mounted. They gathered hundreds of login credentials. Many hacked companies were not told, and if told they denied they lost anything.

14.  Electric grid air-gapped computers hacked in 2014, 2016-2018 (and US in 2012-2019 Russian and Iranian grids)

15.  In 2017, using NSA software, "hackers from North Korea were using some of those picklocks to break into the computer systems of, among other places, British hospitals, German railways, Russian banks, a French automaker, Indian airlines, Chinese universities, the Japanese police, FedEx, and electrical-utility companies all over the United States... WannaCry."

16.  CIA air-gapped computers in 2017

17.  "Deloitte in 2017

18.  NSA air-gapped computers in 2016, followup in 2017

19.  CIA in 2011-15 had "A major concern... that the Russians were collecting information from a breach of computers not connected to the Internet... The CIA had already figured out how to perform similar operations themselves."

20.  FBI in 2011-2016 radio encryption decrypted by Russia

21.  DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018, GAO staff "were able to take control of [DOD weapons] systems relatively easily and operate largely undetected." Alarms went off so often the operators ignored them.

22.  Securities and Exchange Commission in 2016

23.  OPM security clearances in 2015 (details)

24.  Mozilla in 2015

25.  General Electric/Safran aircraft engine designs hacked by China 2010-2015

26.  Boeing (jet fighters) in 2008-2014

27.  1,000 oil and gas companies in 84 countries, 2012-2014

28.  By 2013 the NSA "appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system."

29.  Nuclear and other companies in 2006-2014

30.  Google in 2010, 2014, so they pay bug bounties

31.  "In 2008, Russia got into a network at the Pentagon; hackers broke into the campaigns of both Barack Obama and John McCain; the next year, North Korea compromised the Web sites of everything from the Treasury Department to the New York Stock Exchange. In 2010, a computer worm called Stuxnet... NSA’s sponsors—American taxpayers—who now relied on NSA-compromised technology not only for communication but for banking, commerce, transportation, and health care. And nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they [NSA] were rendering America’s critical infrastructure—hospitals, cities, transportation, agriculture, manufacturing, oil and gas, defense; in short, everything that undergirds our modern lives—vulnerable to foreign attacks.

32.  Microsoft in 2000, 2013, and can be slow to protect customers

33.  Military contractors in 2007-2010 and 2013

34.  Symantec in 2012

35.  State lotteries in 2005-2011 (CO, IA, KS, OK, WI; security director sentenced in 2017)

36.  Programmers'denial of reality codified in 2003.

37.  Moonlight Maze 1996-1999 documents taken from US military, other government agencies, and military contractors.

38.  "In 1968, the Pentagon’s Defense Science Board Task Force on Computer Security concluded that “contemporary technology cannot provide a secure system in an open environment."

 

D. FUTURE HACKS

  1. A 2021 MIT study found averages of a 3-4 vulnerabilities per 10,000 lines of code (or 5-12 in cryptographic systems).
  2. There is standardized malware to enter air-gapped computers, by hiding in files on thumb drives, in case the drive is later taken to an air-gapped computer, such as updates for voting machines. It was developed by hackers who are believed to work for South Korea.
  3. In 2021 an Amazon security staffer said about casual cybersecurity, "Why would you care about cloud security? You don't have to bust your ass because you live in a small-town market where you know everybody and you’re never going to be out of a job. A lot of companies that are headquartered in remote areas don't have particularly sophisticated IT teams."

4.     In 2021 Bruce Schneier wrote "The president of the United States is a singular espionage target, but so are members of his staff and other administration officials. Members of Congress are targets, as are governors and mayors, police officers and judges, CEOs and directors of human rights organizations, nuclear power plant operators, and election officials. All of these people have smartphones, tablets, and laptops. Many have Internet-connected cars and appliances, vacuums, bikes, and doorbells. Every one of those devices is a potential security risk, and all of those people are potential national security targets. But none of those people will get their Internet-connected devices customized by the NSA."

  1. In 2019, CIA chief of counterintelligence said, "Russians are a professionally proficient adversary who have historically penetrated every American institution worth penetrating."
  2. In 2015, FBI director said, "there are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese." If Chinese can hack big companies, they can hack election offices to help some candidates win or lose.
  3. In 2011, the director of PricewaterhouseCoopers' forensic services practice said, "you have to assume you've been compromised" by the cyber Mafia.
  4. An NSA official told a Washington Post reporter, "Russians, Chinese, French, the Israelis, the Brits...  full-fledged nation-state attempt to exploit your IT. To include not just remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff... If some of those services want you, they’re going to get you." It turned out the reporter had also been hacked by Turkey, while India, Pakistan, Saudi Arabia, Qatar, UAE, Iran, Vietnam, North and South Korea also use expert hackers. Would any of these countries want to defeat members of Congressional committees on armed services, foreign affairs or trade, by hacking one or two large election offices in their districts? If caught they'd blame and even arrest their "rogue" private citizens.
  5. "Every piece of commercial software... has hundreds if not thousands of vulnerabilities, most of them undiscovered." Over 100,000 software vulnerabilities are publicly known (besides zero-days, which are not public). Many thousands have been found by each big web company, such as Oracle, Google, Microsoft, Cisco, IBM, Adobe, Qualcomm. Over a thousand companies pay bounties for bugs. Election companies are not immune. "The potential for high-tech catastrophe is embedded in the fabric of day-to-day life" Scanning ballots will let us recover.
  6. What the FBI said about hacking emails applies widely: "we don’t have direct evidence that the server was successfully hacked. We wouldn’t, though, expect to see that evidence from sophisticated adversaries, given the nature of the adversary and given the nature of the system."
  7. Wired says, "the average time between a malware infection and discovery of the attack is more than 200 days, a gap that has barely narrowed in recent years. 'We can’t operate with the mindset that everything has to be about keeping them out,' says Rich Barger, ThreatConnect’s chief intelligence officer. 'We have to operate knowing that they’re going to get inside sometimes. The question is, how do we limit their effectiveness and conduct secure business operations knowing they’re watching?' Accomplishing that means building networks that are designed to limit a hacker’s ability to maneuver and creating better ways to detect anomalous behavior by allegedly authorized users.
  8. Even in key industries, companies leave clickable links in incoming emails. On average 4% of recipients open any particular phishing message, and 22% open at least one per year. At 4%, sending a phishing message to 30 recipients gives a 70% chance that someone will open it. Even at 1%, sending to 120 recipients gives a 70% chance that someone will open it. There is no reliable way to tell phishing emails from legitimate emails. When people think an email looks suspicious, and send it for checking, 90% are "legitimate" (p.5 Phishing 2018), which means most people cannot tell them apart. Sending them for checking simply prevents access to the 90% which are legitimate, since checkers rarely send them back. At a minimum, staff in key industries who click on a test phishing email need all clickable links removed from future incoming emails.
  9. The FDA recalls insecure medical devices. No one recalls insecure election machines.
  10. Protect, Detect, Respond Recover. We must strengthen all four steps.