Foreign Hackers Cripple Texas County's Email System, Raising Election Security Concerns

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. "Re: official precinct results," one subject line read. The text supplied passwords for an attached file. But Jackson didn't send the messages. From a report: Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "I've only sent three emails today, and they were emails I absolutely had to send," Jackson said Friday. "I'm scared to" send more, she said, for fear of spreading the malware. The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices. A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn't follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn't use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

Email insecurity

[cowdung]

Why has it taken so long to make email secure?

Why aren't emails signed and encrypted already everywhere?

(I know GMail have some email address verification features)

Everything else seems to have improved (FTP -> SCP, Telnet -> SSH, Gopher -> WWW w SSL/TLS encryption).. so why hasn't email improved?

Re:

[Tablizer]

So everyone will have to pay for a security certificate to use email? Regular folks are not going to like that.

I'd like to see "e-stamps" because a money trail makes tracing easier. And the stamp fees would help pay for inspectors and detectives to hunt down riff-raff.

For example, offer a $30/yr subscription which comes with 500 emails per subscriber. Anything above 500 requires 1 cent per message.

I'd be happy to spend $30/yr for less riff-raff.

Re:

[phantomfive]

PKI is enough. Publish your public key, and then anyone can verify that the email is from you. There are some problems still, but none are bigger than the security problems SSH has (ie, small problems).

Re:

[hey!]

Unsigned (or mis-signed) email messages need to be automatically flagged. We've already made that transition for web pages; we should have bitten the email bullet even before that.

Re:

[Killall -9 Bash]

We've already made that transition for web pages

And what a victory! I celebrate every time I log into a firewall, and need 3 extra clicks because self-signed certificates are a tool of the devil.

Thank you browsers, for caving in to the SSL mafia.

But but but, how do you know the site you're connecting to is who it says it is if the cert is self signed???? SSL certs don't guarantee identity, and anyone who thinks they do is DOING I.T. WRONG.
Cyber security is like airport security. An ineffectual bur

Re:

[sydbarrett74]

BTW- People claiming to be Nigerian princes sent mail before e-mail existed.

FTFY.

Re:

[Matt_Bennett]

How is the public key published? Even more important, how do you revoke a key? All the public key allows is verifying that the message came from someone with the matching private key- not you.

Re:

[dknj]

use a trusted third party. verisign, keybase, your web server....

Re:

[sabbede]

The only people who act like they want a dictatorship are on your side buddy. The GOP isn't taking to the streets to violently silence opposition and subvert our democratic system. They aren't the ones actively discrediting the Constitution they seek to destroy. They aren't the black-clad anarchists who adopted the name of the militant wing of the German Communist Party.

Re: Email insecurity

[phantomfive]

Same way SSH deals with it.

Re:

[AmiMoJo]

Publish it where? And how do they verify that it's your key without ever meeting you?

The issue is a lack of infrastructure.

Re:

[phantomfive]

You can literally publish your public key everywhere. For lack of a better option, send it in your signature of every email. It would make more sense to throw it in an email header, though.

jpay email starting $0.35 per message!

[Joe_Dragon]

jpay email starting $0.35 per message!

Re:

[shanen]

Not sure I believe you since there have been a number of email systems that tried such models and none of them have been markedly successful. Too hard to compete with free, even when it's just an illusion of free and all of us are bearing the costs.

One of my old solution approaches would have involved exchange-based accounting you referenced. It didn't even need to involve the exchange of real money, since the costs could be imposed on the spammers' servers in the form of exponentially increasing time delay

Re:

[lessSockMorePuppet]

Use Protonmail already, FFS.

Re:Email insecurity

[BeerFartMoron]

Why has it taken so long to make email secure?

Lots of legacy mail systems out there.

Why aren't emails signed and encrypted already everywhere?

Turns out that global PKI is hard. Explain it to your relatives. They will laugh at you. Ain't no one going to just through all those hoops just to send an email.

(I know GMail have some email address verification features)

Everything else seems to have improved (FTP -> SCP, Telnet -> SSH, Gopher -> WWW w SSL/TLS encryption).. so why hasn't email improved?

Where are you going to get my public key from, before you send me that first email? What do you do when your cousin Jeb loses his private key? Tell him all his mail is now gone forever? Sure folks will put up with that?

Re:

[markdavis]

+1

You took the words out of my mouth. There is no easy and workable and standard way for Email encryption. You are lucky if you can get 2 of the three.

Securing content isn't that difficult, however, since you can password protect most attachments in the file format itself (pdf, zip, odf, etc). As long as the password is not ALSO sent via the same channel. But that does require extra steps.

Ensuring the message is coming from who you think it is, that is more complicated and at least requires the senders

Re:

[ShoulderOfOrion]

I was sending secure, signed emails 25 years ago with mutt & GnuPG. Revocation, key servers, everything. There's no reason for Jeb to lose a single message if he simply had half a clue. You're right--the technology isn't the problem. As usual, the weak links are the humans in the chain.

EASY use DANE

[johnjones]

There is a key distribution method in place it turns text into numbers and is scalable... its called DNS

Using DANE server to server is then verified without involving the users

https://tools.ietf.org/html/rfc7671

NIST standard
SP 800-177 Rev. 1
Trustworthy Email
https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final [nist.gov]

   

Re:Email insecurity [due to bad financial models]

[shanen]

I'm taking your questions as sincere rather than rhetorical, but the obvious answers are because the spammers make money and the email providers just respond "Live and let spam". It is quite safe to say that Bayesian filtering is something the spamming scammers can live and profit with.

It is NOT an unsolvable problem. Proof of concept is the death of pump-and-dump stock-scam spam. You don't get that now because they decided "Live and let spam" was unacceptable AFTER some academic papers proved the spammers

Re:

[LostMyAccount]

S/MIME Is clunky and requires paid certificates, and CAs are shitty for validating personal info anyway.

What we need is for the Federal government to just issue certificates with passports and state governments with driver's licenses. They're in the best position to verify identities.

And with a universal certificate standard, you might get the major email providers (Microsoft, Google, etc) coerced into adopting this and making end-user signing and encryption to work in an easy manner.

But let's not pretend

Re:

[oldgraybeard]

"Federal government to just issue certificates with passports and state governments with driver's licenses"
Free from the government always has a huge price for someone! You just may not know or care who since it is not you!

Almost sounds like a national ID. And my last state drivers lic renewal took 4 months to be processed.

Re:

[oldgraybeard]

"state drivers lic renewal took 4 months to be processed" and that was pre covid Aug 28 2019 to Dec 24 2019 MN.

Re:

[sound+vision]

Last time I had to renew my license (including new photo and all that), I was in and out of the DPS within 2 hours. It showed up in the mail in 2 or 3 weeks.

The time before that, it took 30 minutes at the DPS, and not more than a month waiting on the mail.

Re: Email insecurity

[Guru2Newbie]

That sounds like the poorly-{designed|implemented|managed} software fiasco called MNLARS.

Re:

[oldgraybeard]

Bingo! ;) and I still ended up with an old style lic

Re:

[tlhIngan]

"Federal government to just issue certificates with passports and state governments with driver's licenses"
Free from the government always has a huge price for someone! You just may not know or care who since it is not you!

Almost sounds like a national ID. And my last state drivers lic renewal took 4 months to be processed.

And obviously the OP was someone not from the US, where only around 30-50% of Americans have a passport (There's almost no need - a significant chunk never leave their home towns, and for

Re:

[oldgraybeard]

"And obviously the OP was someone not from the US,"
Did not even think about that ;) me bad

Is there a place in the world where government Country/Regional actually works.

Re:

[Sloppy]

S/MIME Is clunky and requires paid certificates, and CAs are shitty for validating personal info anyway.

Use PGP/MIME so you can have multiple signatures and trust levels, and each CA can have whatever policies they want.

What we need is for the Federal government to just issue certificates with passports and state governments with driver's licenses. They're in the best position to verify identities.

Damn good idea; I highly approve. And I'd bet the federal signature would end up being the gold standard in a l

Re:

[tokul]

> (I know GMail have some email address verification features)

Google is DMARC and OpenARC enabled sender/receiver. Second largest ESP using DMARC is not open since 2018 and follows only part of the DMARC spec that suits them. Something that got to do with corporate culture in that multibillion corp.

DMARC, DKIM and SPF depend on sender system using those features. They won't stop homonym based spoofs.

Re:

[MoreDruid]

Reading all the comments I'm surprised that no-one mentions PGP. They have the infrastructure in place. It may be too cumbersome for the layman but I don't think it can't be built in in the current batch of mail clients (or in online infrastructure like gmail).

Re:

[gweihir]

Email _is_ secure. What is not secure is MS word and broken email clients that are actually web-browsers.

The Horror!

[kenh]

Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "

Seriously? We think the US election system can be brought to its knees by someone infecting an email server 6 weeks before the election?

Here's a thought - set up a secure standalone email server just for election results, give everyone their own email account, and only turn the server on the day of the election, prohibit external/incoming email, and turn it off after counting ends.

Or, simply drive results to a central location - from what I've seen, most states will be taking several days to determine a winner, owing to extended windows to receive post-marked ballots.

FFS email is easy, this isn't the way the election will be brought down.

Re:

[sabbede]

They can't afford to replace three computers?

And I don't think they use email to submit results. Pretty sure it's only being used for normal office purposes, which means they can just fall back on phones and paper if necessary. Meaning this is pretty overblown as an election issue. It is significant as an example of the need for local governments to put some money into securing their systems.

Define secure

[zkiwi34]

Then let us know how much secure costs. Itâ(TM)s not particularly cheap, or for that matter secure.

Then wave your arms about in despair as people wonâ(TM)t pay.

Re:

[XXongo]

Nine ballots, to be precise.

Re:

[tsqr]

Thanks for the pecision. What's your point, that election fraud is OK as long as the part we know about only occurs in small numbers?

Re:

[tlhIngan]

Thanks for the pecision. What's your point, that election fraud is OK as long as the part we know about only occurs in small numbers?

That the people voting fraudulently don't know who to vote for.

Trump's trying to discredit mail in voting because it's going to fraudulently let Biden win. So the fraudsters sent in 9 fake ballots voting for Trump? How's Trump supposed to tweet about that as a victory against mail in voting?

Re:

[XXongo]

Thanks for the pecision. What's your point, that election fraud is OK as long as the part we know about only occurs in small numbers?

Ths is slashdot. We're nerds. Numbers are important.

Re:

[Holi]

Considering the gp made the postr like it was some massive scandal, I think accuracy was required, Also 7 were for Trump, not all.

inflammitory headlines and partial information are tools of propaganda, the opposite if what is required for an informed electorate.

Link, please.

[Ungrounded Lightning]

Also 7 were for Trump, not all.

The linked article said that all the ballots found (so far, search continues) were for Trump.

You said there were 7 of 9 for Trump, 2 not for Trump. But you provide no link to a source for that claim.

Can you provide such a link? Or could you otherwise elaborate? (i.e. if you're involved in the investigation could you say so?)

Re:

[Jeremy Erwin]

Any discrepancies in election returns tend to discredit the electoral process as a whole. One party in particular is eager to seize on the mere suggestion of a less than perfect election because they believe that institutional elites are well positioned to override the votes of a increasingly pissed off electorate.

Re:

[Ungrounded Lightning]

Nine ballots, to be precise.

Gosh. If they'd just shredded them with the rest there wouldn't be any election fraud to report. B-)

Re:

[onyxruby]

The trolls are hard at work burying comments they don't like such as yours. How many ballots for Trump have been thrown out that haven't been found?

That or they they fail to understand that a single stack of 9 ballots that happened to get found one day could be but one of thousands that get discarded on any given day across the nation. I thought postal workers weren't supposed to be able throw away the votes of citizens like that? Imagine how easily they could do that at scale when several states are puttin

Passwords

[markdavis]

>" The text supplied passwords for an attached file. But Jackson didn't send the messages."

And there is the obvious red flag. You NEVER send passwords via Email for documents that were also sent via Email. Never. Doesn't matter if it is the same Email as the attachments or a different Email. And yet, I have to tell users this over and over again.

Re:

[NotEmmanuelGoldstein]

... tell users this over and over again.

It shows how bad humans are at identifying procedural contradictions: "What's the point of locking something then leaving the key in the lock?" is not the problem: They have a document to read and a pointless extra step, is the problem getting their attention.

It's like when 'electronic-lock' safes appeared: People threw the backup keys in the safe, despite the obvious contradiction. Soon, the batteries went flat and the safe could not be opened again.

Trump would love it.

[dddux]

Trump would love for everybody who doesn't vote for him, to vote over e-mail so he can *possibly* [read: "if needed"] discredit those votes. Just the other day there was a thread on /. about how he could do it. Just go to the voting booth and vote normally. Don't use e-mail, unless you're disabled so you really, really must use it. Trump won't let go of his chair easily.