Software Vendor May Have Opened a Gap For Hackers in 2016 Swing State

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, POLITICO reported on Wednesday, citing a document and a person with knowledge. From the report: VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot.

The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems -- not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they're configured. In Durham County's case, the computer in question communicated with North Carolina's State Board of Elections to download the county's voter list before elections, which could have potentially opened a gateway to the state system as well.

Re:

[Aighearach]

Yeah, it seems to me that if you don't know why it happened, it is just as dishonest to say it was "inadvertent" as to say it was "intentional." It could be either, we don't know.

It appears that the physical actions taken were intentional, not accidental. So it would be very difficult to know if the side-effects were intended, or merely the result of poor security practices.

In other news....

[Anonymous Coward]

...the internet exists and the media needs yet even more FUD to be anti-Trump. ...especially since it was the Dems who screwed themselves.

Re:

[Sique]

The Russian collusion was never discredited. Instead, there are 34 persons charged because of involvement in Russian interference in the 2016 elections. The only good news is that Donald Trump apparently was oblivious to the machinations. He wanted results, and he didn't care how they were accomplished. But he definitely tried to interfere into the investigation itself.

Re:

[Narcocide]

Your counter-narrative is about a week stale. Anyone who has turned on a TV in the past few days will know that now even if they were fooled previously.

Re:

[Straif]

Can you name one charge of an American citizen that had to do with Russian interference?

All charges, with the exception of those against actual Russians which will never be followed through on, were for either process crimes (crimes that only exist due to the investigation itself and often over used as a way of forcing cooperation) or completely unrelated external actions (even occurring years before the election or any involvement with either part candidate - Manafort).

The Mueller report itself states that

Re:Why is /. still pushing [collusion] narrative?

[Tablizer]

The T family simply turned out to be clueless pawns instead of intentional colluders.

Hanlon's razor applies, but one doesn't know for sure until an investigation is done.

Mueller spoken testimony did emphasize one thing above all else: Russia meddled and still is.

Re:

[Tablizer]

Hey, one evil at a time here.

Re:

[Tablizer]

You clowns told us for TWO YEARS that Mueller was going to nail Trump

I didn't. You are cherry-picking. Stop.

Re:

[Straif]

And what does any of that have to do with Russian interference in the US election?

Manafort is a sleezy businessman who did some work on behalf of Ukraine (partnered with close friend of the Clintons Tony Podesta which no one seems to care about), made some false statements on some bank loan applications (which he paid back) and may have underreported some foreign income. He deserves to go to jail or at least face stiff fines but none of those crimes had anything to do with the 2016 Presidential campaign.

Re:

[Straif]

Turns out Konstantin Kilimnik was an important intel agent, for the US [thehill.com].

Re:

[will_die]

here are a few names of people who colluded with a Russian in order to affect a US election. Will they ever be changed probably not.
https://thehill.com/opinion/ca... [thehill.com]

Re: Why is /. still pushing this narrative?

[kenh]

The Russian collusion was never discredited. Instead, there are 34 persons charged because of involvement in Russian interference in the 2016 elections.

Are those the 'throw-away' indictments Mueller made against Russians he never expected to actually show up in court? Last I heard, a significant number of those accused hired a lawyer to fight the charges, and prosecutors suddenly needed to go back and re-examine their evidence before going forward... I thought you are supposed to be ready to prosecute when you file charges?

That Russians ran a six-figure social media ad buy campaign and staged some minor protests designed to stir up emotions is far from a s

Re:

[najajomo]

Because it feeds into the neocon narrative and distracts from just who is really manipulating the political system in Washington and it ain't the Ruskies.

@Anonymous: “Why is /. still pushing the thoroughly-discredited ''Russia collusion'' narrative?

What does /. have to gain from doing so?

It sure isn't helping this site's reputation, which has already been in the shitter for some time now.

Maybe it leads to lots of comments, but they're almost all junk comments, which again doesn't help.

E

May...could have... potentially...

[poity]

Yawn

Gets popcore

[jwhyche]

I'm going to sit this one out. Feel free to argue among yourselves.

Paper Ballots

[Virtucon]

Sorry, just get paper ballots and also tighten the rules on absentee ballots. No "harvesting" or collection by third parties. If you can't make it to the polls, mail your absentee ballot in by the election date & any not postmarked by that date are rejected. Oh and make re-registration mandatory, say every two years you need to re-register to vote unless your over 65. That's a start.

Re:

[AmiMoJo]

They recently found that software had mis-counted and awarded the election to the wrong party in multiple areas of Switzerland. Paper ballots and a manual recount saved the day.

Source, please?

[DrYak]

awarded the election to the wrong party in multiple areas of Switzerland.

Could you please cite your source? This genuinely interests me...

Re:

[AmiMoJo]

https://www.republik.ch/2019/0... [republik.ch]

I submitted it as a story but it was rejected.

(Spain, not Switzerland)

[DrYak]

https://www.republik.ch/2019/0... [republik.ch]

I submitted it as a story but it was rejected.

Thank you for your source.

(Though, there's a bit of a mix-up in your above comment:
- The *e-Voting* system was responsible of awarding election to the wrong party in multiple areas of *Spain*
- The *e-Counting* system was found once to have miscounted during a random check in Switzerland)

Re:Paper Ballots

[Aighearach]

In Oregon where all ballots are delivered by mail, we're doing well by not worrying about postmarks; your ballot has to be received by the elections department by 8pm on election day.

And we put collection boxes (like for the mail, but painted white) around for people to deliver the ballots to if they want. So if it is close to the election, you just drop it in the box instead of mailing it in.

It really helps the counting process compared to waiting on postmarks. This way the counting happens over a short time period, and so it is easy for observers to observe. If it was happening over weeks, there would be lots of times with few observers.

Re:

[Virtucon]

That sounds like a good start.

Re:

[Cyberax]

So basically, if you're poor then don't bother voting. How about this: voting registration is automatic and voting by mail is universal.

Re:

[Boronx]

The problem with voting by mail is that your vote is no longer secret and can be directly influenced. In a voting booth, the abused spouse can vote for whomever they wish, seal the ballot, then simply lie to their spouse about who they voted for. Not so for mail ins.

Re:

[Cyberax]

OK, then just make the registration automatic. There's no reason NOT to.

Re:Paper Ballots

[Riceballsan]

I almost agree with you. But why so much emphasis on the registration, and why exceptions for people over 65. Old people are the ones with the actual free time to go do things like register, and have the easier time getting out to vote etc... Younger and poorer people on the other hand, are working long hours, may or may not be able to afford transportation etc... Individual vote manipulation is the hardest, rarest, least effective form of election manipulation imaginable.

If you want to steal an election that you would otherwise lose by 5,000 votes. you don't need to try and manipulate 5,000 people, it's so much easier to increase the difficulty of registering somewhere you aren't popular and get 10,000 people that don't like you to not vote. Which is what's being done again and again to great success. Meanwhile they do so under the justification that it is stopping the kind of voter fraud that is so rare and so inefficient that for all practical purposes it never happens.

Re:

[Virtucon]

Fair points. I also saw another comment if you have ID you should be able to vote however that does preclude citizenship. We have the Federally mandated changes to IDs happening in states nationwide as part of the Patriot act, I can't see why Citizenship can't be added to it. That way you show up with your ID with the little star or whatever that says you're a US Citizen and eligible to vote and you vote. All the privacy folks out there won't like it because now they track citizens but we already do that n

Re:

[Anonymous Coward]

Are you daft?

Any IT person who has been paying even remote attention to elections in the past decade knows:
1. Voting machines are easily hackable [theguardian.com], in ways that cannot be detected
2. Local voting commissioners are non-technical political hacks who have no way of assessing IT vulnerabilites
3. You are just another paid troll trying to fluff trumps deflated... ego

Airgapped?

[Dan East]

Are these systems required to be airgapped? If not, I don't see the issue here. Either the systems are required to be 100% offline, in which case some law or *required* security practice was broken, or else this is just hand waving. Trillions of dollars of money, services and goods traverse the internet annually and those systems are managed through the internet, and I can assure you that there are not human beings sitting at server boxes with physical keyboards plugged into them to manage those systems.

Re:

[Dan East]

...and from TFA:

That wouldn’t have allowed intruders to alter the vote tallies — and no evidence has surfaced that anyone hacked North Carolina's election results. But interference with voter records or electronic poll book software could allow an attacker to alter records in a way that prevents people from voting in crucial swing precincts.

So the first sentence literally says "This is not newsworthy", and the second sentence is terrible grammar and doesn't even make sense. How does interference with voter records allow an attacker to do something? Isn't an attacker the one doing the interference, and so they are allowing themselves to alter records because they are interfering? Or did the altering come first, followed by the interfering, which allows the altering? Or something? Me write good!

Re:

[Inglix the Mad]

Best practices, even standard government STIG practices, would label this a horrifying lapse in security... before 2016. My employer banned the use of any commercially available remote access programs. We use (and did use then) a multi-layered model with interior and multiple exterior zones, with very specific delineations for what is permissible to travel between zones. I'm sorry but this is a ridiculous setup and none of our clients would trust us with their data if we were so inept as a contractor. I hat

"targeted by Russia" - no it wasn't

[Uberbah]

From TFA:

The critical security lapse - previously undisclosed publicly - is the latest cause for concern surrounding VR Systems, a company hit by a malicious email campaign targeting its own employees in August 2016 that was believed to be linked to Russia.

Oooo, they got an email that was spam or a phishing attempt. Er. Mah. Gerd. Putting the weasel word of "believed" aside along with the lack of any evidence*, there's the lazy fallacy of associating anything with any Russian IP address with the Russian F

Ooo, am I talking to Ken's stalker?

[Uberbah]

Back in the Obama Administration, you clowns would accuse me of being an Obamabot because I would insist that, yes Shirley, Obama was indeed born in Hawaii. Sorry sparky, but I would apply the Nuremberg Standard [chomsky.info] to every president, both living and diseased.

Another likely nothing burger

[kenh]

Software vendor did something that MAY have exposed some voting systems to possible exploits, in the opinion of SOME security experts.

Just a reminder, the "RUSSIANS!" Would have to know that there was a problem in the target voting system and gained access to the troubled system while company engineers were logged in remotely in the last few hours the polls were open.

That's a whole lotta 'possiblies' and 'potentiallies' with nothing more than the opinion of an outsider not involved in anything that happened

Re:

[account_deleted]

Comment removed based on user account deletion

USPS is the solution

[Sqreater]

A national voter system should be set up through the United States Postal Service computer network. It already maintains and downloads to sites and machinery the one hundred and fifty million or so addresses of individuals in the United States in order to route the mail to each individual using the NDSS, the National Directory Support System. Upgrade this backbone and add additional layers of security to those already in place and it should work nicely I think.

Re:

[Jason Levine]

This looks good in theory, but what if someone is homeless? If you don't have an address for mail to go to, do you not get to vote? We've moved past the days when your right to vote was tied to whether you owned land. Everyone should get a vote nowadays.

The solution to this is paper ballots. No matter what the system, make sure that there's a paper ballot that can be checked. Ideally, one with a human-readable printout of the vote(s) cast. So I go into the voting booth, select Candidate A, get a printout sa

Re:

[Sqreater]

The problem of getting the homeless to vote is not a problem that would be created by this USPS system of voting. And you must not let perfect be enemy of the good enough. There are always exceptions to anything if you look hard enough. As for network security: https://about.usps.com/handbooks/as805/as805c11_001.htm

Remote-access software ..

[najajomo]

“VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C.”

What was the name of this remote-access software and what was it even doing on the computer in the first place? and I assume the used the Internet to communicate and what was it even doing connected to the Internet?