Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security United States Politics

Foreign Hackers Cripple Texas County's Email System, Raising Election Security Concerns (propublica.org) 51

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. "Re: official precinct results," one subject line read. The text supplied passwords for an attached file. But Jackson didn't send the messages. From a report: Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "I've only sent three emails today, and they were emails I absolutely had to send," Jackson said Friday. "I'm scared to" send more, she said, for fear of spreading the malware. The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices. A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn't follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn't use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

This discussion has been archived. No new comments can be posted.

Foreign Hackers Cripple Texas County's Email System, Raising Election Security Concerns

Comments Filter:
  • Email insecurity (Score:4, Interesting)

    by cowdung ( 702933 ) on Thursday September 24, 2020 @01:58PM (#60541042)

    Why has it taken so long to make email secure?

    Why aren't emails signed and encrypted already everywhere?

    (I know GMail have some email address verification features)

    Everything else seems to have improved (FTP -> SCP, Telnet -> SSH, Gopher -> WWW w SSL/TLS encryption).. so why hasn't email improved?

    • by Tablizer ( 95088 )

      So everyone will have to pay for a security certificate to use email? Regular folks are not going to like that.

      I'd like to see "e-stamps" because a money trail makes tracing easier. And the stamp fees would help pay for inspectors and detectives to hunt down riff-raff.

      For example, offer a $30/yr subscription which comes with 500 emails per subscriber. Anything above 500 requires 1 cent per message.

      I'd be happy to spend $30/yr for less riff-raff.

      • PKI is enough. Publish your public key, and then anyone can verify that the email is from you. There are some problems still, but none are bigger than the security problems SSH has (ie, small problems).
        • by hey! ( 33014 )

          Unsigned (or mis-signed) email messages need to be automatically flagged. We've already made that transition for web pages; we should have bitten the email bullet even before that.

          • We've already made that transition for web pages

            And what a victory! I celebrate every time I log into a firewall, and need 3 extra clicks because self-signed certificates are a tool of the devil.

            Thank you browsers, for caving in to the SSL mafia.

            But but but, how do you know the site you're connecting to is who it says it is if the cert is self signed???? SSL certs don't guarantee identity, and anyone who thinks they do is DOING I.T. WRONG.
            Cyber security is like airport security. An ineffectual bur

        • How is the public key published? Even more important, how do you revoke a key? All the public key allows is verifying that the message came from someone with the matching private key- not you.

          • by dknj ( 441802 )

            use a trusted third party. verisign, keybase, your web server....

          • Same way SSH deals with it.
        • by AmiMoJo ( 196126 )

          Publish it where? And how do they verify that it's your key without ever meeting you?

          The issue is a lack of infrastructure.

          • You can literally publish your public key everywhere. For lack of a better option, send it in your signature of every email. It would make more sense to throw it in an email header, though.
      • jpay email starting $0.35 per message!

      • by shanen ( 462549 )

        Not sure I believe you since there have been a number of email systems that tried such models and none of them have been markedly successful. Too hard to compete with free, even when it's just an illusion of free and all of us are bearing the costs.

        One of my old solution approaches would have involved exchange-based accounting you referenced. It didn't even need to involve the exchange of real money, since the costs could be imposed on the spammers' servers in the form of exponentially increasing time delay

    • Use Protonmail already, FFS.

    • Re:Email insecurity (Score:5, Informative)

      by BeerFartMoron ( 624900 ) on Thursday September 24, 2020 @02:44PM (#60541156)

      Why has it taken so long to make email secure?

      Lots of legacy mail systems out there.

      Why aren't emails signed and encrypted already everywhere?

      Turns out that global PKI is hard. Explain it to your relatives. They will laugh at you. Ain't no one going to just through all those hoops just to send an email.

      (I know GMail have some email address verification features)

      Everything else seems to have improved (FTP -> SCP, Telnet -> SSH, Gopher -> WWW w SSL/TLS encryption).. so why hasn't email improved?

      Where are you going to get my public key from, before you send me that first email? What do you do when your cousin Jeb loses his private key? Tell him all his mail is now gone forever? Sure folks will put up with that?

      • +1

        You took the words out of my mouth. There is no easy and workable and standard way for Email encryption. You are lucky if you can get 2 of the three.

        Securing content isn't that difficult, however, since you can password protect most attachments in the file format itself (pdf, zip, odf, etc). As long as the password is not ALSO sent via the same channel. But that does require extra steps.

        Ensuring the message is coming from who you think it is, that is more complicated and at least requires the senders

      • I was sending secure, signed emails 25 years ago with mutt & GnuPG. Revocation, key servers, everything. There's no reason for Jeb to lose a single message if he simply had half a clue. You're right--the technology isn't the problem. As usual, the weak links are the humans in the chain.

      • There is a key distribution method in place it turns text into numbers and is scalable... its called DNS

        Using DANE server to server is then verified without involving the users

        https://tools.ietf.org/html/rfc7671

        NIST standard
        SP 800-177 Rev. 1
        Trustworthy Email
        https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final [nist.gov]

           

    • I'm taking your questions as sincere rather than rhetorical, but the obvious answers are because the spammers make money and the email providers just respond "Live and let spam". It is quite safe to say that Bayesian filtering is something the spamming scammers can live and profit with.

      It is NOT an unsolvable problem. Proof of concept is the death of pump-and-dump stock-scam spam. You don't get that now because they decided "Live and let spam" was unacceptable AFTER some academic papers proved the spammers

    • S/MIME Is clunky and requires paid certificates, and CAs are shitty for validating personal info anyway.

      What we need is for the Federal government to just issue certificates with passports and state governments with driver's licenses. They're in the best position to verify identities.

      And with a universal certificate standard, you might get the major email providers (Microsoft, Google, etc) coerced into adopting this and making end-user signing and encryption to work in an easy manner.

      But let's not pretend

      • "Federal government to just issue certificates with passports and state governments with driver's licenses"
        Free from the government always has a huge price for someone! You just may not know or care who since it is not you!

        Almost sounds like a national ID. And my last state drivers lic renewal took 4 months to be processed.
        • "state drivers lic renewal took 4 months to be processed" and that was pre covid Aug 28 2019 to Dec 24 2019 MN.
          • Last time I had to renew my license (including new photo and all that), I was in and out of the DPS within 2 hours. It showed up in the mail in 2 or 3 weeks.

            The time before that, it took 30 minutes at the DPS, and not more than a month waiting on the mail.

          • That sounds like the poorly-{designed|implemented|managed} software fiasco called MNLARS.
        • by tlhIngan ( 30335 )

          "Federal government to just issue certificates with passports and state governments with driver's licenses"
          Free from the government always has a huge price for someone! You just may not know or care who since it is not you!

          Almost sounds like a national ID. And my last state drivers lic renewal took 4 months to be processed.

          And obviously the OP was someone not from the US, where only around 30-50% of Americans have a passport (There's almost no need - a significant chunk never leave their home towns, and for

          • "And obviously the OP was someone not from the US,"
            Did not even think about that ;) me bad

            Is there a place in the world where government Country/Regional actually works.
      • by Sloppy ( 14984 )

        S/MIME Is clunky and requires paid certificates, and CAs are shitty for validating personal info anyway.

        Use PGP/MIME so you can have multiple signatures and trust levels, and each CA can have whatever policies they want.

        What we need is for the Federal government to just issue certificates with passports and state governments with driver's licenses. They're in the best position to verify identities.

        Damn good idea; I highly approve. And I'd bet the federal signature would end up being the gold standard in a l

    • by tokul ( 682258 )

      > (I know GMail have some email address verification features)

      Google is DMARC and OpenARC enabled sender/receiver. Second largest ESP using DMARC is not open since 2018 and follows only part of the DMARC spec that suits them. Something that got to do with corporate culture in that multibillion corp.

      DMARC, DKIM and SPF depend on sender system using those features. They won't stop homonym based spoofs.

    • Reading all the comments I'm surprised that no-one mentions PGP. They have the infrastructure in place. It may be too cumbersome for the layman but I don't think it can't be built in in the current batch of mail clients (or in online infrastructure like gmail).
    • by gweihir ( 88907 )

      Email _is_ secure. What is not secure is MS word and broken email clients that are actually web-browsers.

  • by kenh ( 9056 ) on Thursday September 24, 2020 @03:27PM (#60541296) Homepage Journal

    Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "

    Seriously? We think the US election system can be brought to its knees by someone infecting an email server 6 weeks before the election?

    Here's a thought - set up a secure standalone email server just for election results, give everyone their own email account, and only turn the server on the day of the election, prohibit external/incoming email, and turn it off after counting ends.

    Or, simply drive results to a central location - from what I've seen, most states will be taking several days to determine a winner, owing to extended windows to receive post-marked ballots.

    FFS email is easy, this isn't the way the election will be brought down.

    • They can't afford to replace three computers?

      And I don't think they use email to submit results. Pretty sure it's only being used for normal office purposes, which means they can just fall back on phones and paper if necessary. Meaning this is pretty overblown as an election issue. It is significant as an example of the need for local governments to put some money into securing their systems.

  • Then let us know how much secure costs. Itâ(TM)s not particularly cheap, or for that matter secure.

    Then wave your arms about in despair as people wonâ(TM)t pay.

  • Passwords (Score:4, Interesting)

    by markdavis ( 642305 ) on Thursday September 24, 2020 @04:15PM (#60541408)

    >" The text supplied passwords for an attached file. But Jackson didn't send the messages."

    And there is the obvious red flag. You NEVER send passwords via Email for documents that were also sent via Email. Never. Doesn't matter if it is the same Email as the attachments or a different Email. And yet, I have to tell users this over and over again.

    • ... tell users this over and over again.

      It shows how bad humans are at identifying procedural contradictions: "What's the point of locking something then leaving the key in the lock?" is not the problem: They have a document to read and a pointless extra step, is the problem getting their attention.

      It's like when 'electronic-lock' safes appeared: People threw the backup keys in the safe, despite the obvious contradiction. Soon, the batteries went flat and the safe could not be opened again.

  • Trump would love for everybody who doesn't vote for him, to vote over e-mail so he can *possibly* [read: "if needed"] discredit those votes. Just the other day there was a thread on /. about how he could do it. Just go to the voting booth and vote normally. Don't use e-mail, unless you're disabled so you really, really must use it. Trump won't let go of his chair easily.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...