Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security United States Politics

Software Vendor May Have Opened a Gap For Hackers in 2016 Swing State (politico.com) 83

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, POLITICO reported on Wednesday, citing a document and a person with knowledge. From the report: VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot.

The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems -- not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they're configured. In Durham County's case, the computer in question communicated with North Carolina's State Board of Elections to download the county's voter list before elections, which could have potentially opened a gateway to the state system as well.

This discussion has been archived. No new comments can be posted.

Software Vendor May Have Opened a Gap For Hackers in 2016 Swing State

Comments Filter:
  • by Anonymous Coward

    ...the internet exists and the media needs yet even more FUD to be anti-Trump. ...especially since it was the Dems who screwed themselves.

  • I'm going to sit this one out. Feel free to argue among yourselves.

  • Paper Ballots (Score:3, Interesting)

    by Virtucon ( 127420 ) on Wednesday June 05, 2019 @04:10PM (#58715276)

    Sorry, just get paper ballots and also tighten the rules on absentee ballots. No "harvesting" or collection by third parties. If you can't make it to the polls, mail your absentee ballot in by the election date & any not postmarked by that date are rejected. Oh and make re-registration mandatory, say every two years you need to re-register to vote unless your over 65. That's a start.

    • by AmiMoJo ( 196126 )

      They recently found that software had mis-counted and awarded the election to the wrong party in multiple areas of Switzerland. Paper ballots and a manual recount saved the day.

    • Re:Paper Ballots (Score:5, Interesting)

      by Aighearach ( 97333 ) on Wednesday June 05, 2019 @06:19PM (#58716228)

      In Oregon where all ballots are delivered by mail, we're doing well by not worrying about postmarks; your ballot has to be received by the elections department by 8pm on election day.

      And we put collection boxes (like for the mail, but painted white) around for people to deliver the ballots to if they want. So if it is close to the election, you just drop it in the box instead of mailing it in.

      It really helps the counting process compared to waiting on postmarks. This way the counting happens over a short time period, and so it is easy for observers to observe. If it was happening over weeks, there would be lots of times with few observers.

    • by Cyberax ( 705495 )
      So basically, if you're poor then don't bother voting. How about this: voting registration is automatic and voting by mail is universal.
      • by Boronx ( 228853 )

        The problem with voting by mail is that your vote is no longer secret and can be directly influenced. In a voting booth, the abused spouse can vote for whomever they wish, seal the ballot, then simply lie to their spouse about who they voted for. Not so for mail ins.

    • Re:Paper Ballots (Score:4, Interesting)

      by Riceballsan ( 816702 ) on Thursday June 06, 2019 @10:01AM (#58719022)

      I almost agree with you. But why so much emphasis on the registration, and why exceptions for people over 65. Old people are the ones with the actual free time to go do things like register, and have the easier time getting out to vote etc... Younger and poorer people on the other hand, are working long hours, may or may not be able to afford transportation etc... Individual vote manipulation is the hardest, rarest, least effective form of election manipulation imaginable.

      If you want to steal an election that you would otherwise lose by 5,000 votes. you don't need to try and manipulate 5,000 people, it's so much easier to increase the difficulty of registering somewhere you aren't popular and get 10,000 people that don't like you to not vote. Which is what's being done again and again to great success. Meanwhile they do so under the justification that it is stopping the kind of voter fraud that is so rare and so inefficient that for all practical purposes it never happens.

      • Fair points. I also saw another comment if you have ID you should be able to vote however that does preclude citizenship. We have the Federally mandated changes to IDs happening in states nationwide as part of the Patriot act, I can't see why Citizenship can't be added to it. That way you show up with your ID with the little star or whatever that says you're a US Citizen and eligible to vote and you vote. All the privacy folks out there won't like it because now they track citizens but we already do that n

  • Are these systems required to be airgapped? If not, I don't see the issue here. Either the systems are required to be 100% offline, in which case some law or *required* security practice was broken, or else this is just hand waving. Trillions of dollars of money, services and goods traverse the internet annually and those systems are managed through the internet, and I can assure you that there are not human beings sitting at server boxes with physical keyboards plugged into them to manage those systems.

    • ...and from TFA:

      That wouldn’t have allowed intruders to alter the vote tallies — and no evidence has surfaced that anyone hacked North Carolina's election results. But interference with voter records or electronic poll book software could allow an attacker to alter records in a way that prevents people from voting in crucial swing precincts.

      So the first sentence literally says "This is not newsworthy", and the second sentence is terrible grammar and doesn't even make sense. How does interference with voter records allow an attacker to do something? Isn't an attacker the one doing the interference, and so they are allowing themselves to alter records because they are interfering? Or did the altering come first, followed by the interfering, which allows the altering? Or something? Me write good!

    • Best practices, even standard government STIG practices, would label this a horrifying lapse in security... before 2016. My employer banned the use of any commercially available remote access programs. We use (and did use then) a multi-layered model with interior and multiple exterior zones, with very specific delineations for what is permissible to travel between zones. I'm sorry but this is a ridiculous setup and none of our clients would trust us with their data if we were so inept as a contractor. I hat
  • From TFA:

    The critical security lapse - previously undisclosed publicly - is the latest cause for concern surrounding VR Systems, a company hit by a malicious email campaign targeting its own employees in August 2016 that was believed to be linked to Russia.

    Oooo, they got an email that was spam or a phishing attempt. Er. Mah. Gerd. Putting the weasel word of "believed" aside along with the lack of any evidence*, there's the lazy fallacy of associating anything with any Russian IP address with the Russian F

  • Software vendor did something that MAY have exposed some voting systems to possible exploits, in the opinion of SOME security experts.

    Just a reminder, the "RUSSIANS!" Would have to know that there was a problem in the target voting system and gained access to the troubled system while company engineers were logged in remotely in the last few hours the polls were open.

    That's a whole lotta 'possiblies' and 'potentiallies' with nothing more than the opinion of an outsider not involved in anything that happened

  • A national voter system should be set up through the United States Postal Service computer network. It already maintains and downloads to sites and machinery the one hundred and fifty million or so addresses of individuals in the United States in order to route the mail to each individual using the NDSS, the National Directory Support System. Upgrade this backbone and add additional layers of security to those already in place and it should work nicely I think.
    • This looks good in theory, but what if someone is homeless? If you don't have an address for mail to go to, do you not get to vote? We've moved past the days when your right to vote was tied to whether you owned land. Everyone should get a vote nowadays.

      The solution to this is paper ballots. No matter what the system, make sure that there's a paper ballot that can be checked. Ideally, one with a human-readable printout of the vote(s) cast. So I go into the voting booth, select Candidate A, get a printout sa

      • The problem of getting the homeless to vote is not a problem that would be created by this USPS system of voting. And you must not let perfect be enemy of the good enough. There are always exceptions to anything if you look hard enough. As for network security: https://about.usps.com/handbooks/as805/as805c11_001.htm
  • VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C.”

    What was the name of this remote-access software and what was it even doing on the computer in the first place? and I assume the used the Internet to communicate and what was it even doing connected to the Internet?

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...