DHS Tried To Breach Our Firewall, Says Georgia's Secretary of State (cyberscoop.com)
An anonymous reader quotes a report from CyberScoop: Georgia's secretary of state has claimed the Department of Homeland Security tried to breach his office's firewall and has issued a letter to Homeland Security Secretary Jeh Johnson asking for an explanation. Brian Kemp issued a letter to Johnson on Thursday after the state's third-party cybersecurity provider detected an IP address from the agency's Southwest D.C. office trying to penetrate the state's firewall. According to the letter, the attempt was unsuccessful. The attempt took place on Nov. 15, a few days after the presidential election. The office of the Georgia Secretary of State is responsible for overseeing the state's elections. "At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network," Kemp wrote in the letter, which was also sent to the state's federal representatives and senators. "Moreover, your department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created." "The Department of Homeland Security has received Secretary Kemp's letter," a DHS spokesperson told CyberScoop. "We are looking into the matter. DHS takes the trust of our public and private sector partners seriously, and we will respond to Secretary Kemp directly." Georgia was one of two states that refused cyber-hygiene support and penetration testing from DHS in the leadup to the presidential election. The department had made a significant push for it after hackers spent months exposing the Democratic National Committee's internal communications and data.
Translation: We will deny this happened while privately scolding the team we ordered to do this. If you keep pushing us, we will be forced to throw our IT guys under the bus.
I mean getting caught doesn't exactly inspire confidence...
I sure hope Obama instructs the nation's intelligence agencies to conduct a full review!
While the majority of states worked with DHS for help in protecting their election systems from hacks, cybersecurity experts were at odds as to what portions of the country would be targeted for Election Day attacks.
[Homeland Security Secretary Jeh] Johnson announced shortly after the election that DHS found no evidence of an attack on Election Day.
No evidence? But..but...what about THE FULL REVIEW?!
detected an IP address from the agency's Southwest D.C. office trying to penetrate the state's firewall... "We are looking into the matter"
Probably the DHS servers are all overrun with botnets trying to probe around for more servers to take over.
https://assets.documentcloud.org/documents/3234551/Georgia-Secretary-of-State-Letter-to-DHS-Secretary.txt
The Office of Secretary of State
Brian P. Kemp
SECRETARY OF STATE
December 8, 2016
The Honorable Jeh Johnson
Secretary of Homeland Security
Department of Homeland Security
Washington, D.C. 20528
Secretary Johnson,
On November 15, 2016, an IP address associated with the Department of Homeland Security made an
unsuccessful attempt to penetrate the Georgia Secretary of State's firewall. I am writing you to ask whether
DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall.
The private-sector security provider that monitors the agency's firewall detected a large unblocked scan
event on November 15 at 8:43 AM. The event was an IP address (216.81.81.80) attempting to scan certain
aspects of the Georgia Secretary of State's infrastructure. The attempt to breach our system was
unsuccessful.
At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our
network. Moreover, your Department has not contacted my office since this unsuccessful incident to alert
us of any security event that would require testing or scanning of our network. This is especially odd and
concerning since I serve on the Election Cyber Security Working Group that your office created.
As you may know, the Georgia Secretary of State's office maintains the statewide voter registration
database containing the personal information of over 6.5 million Georgians. In addition, we hold the information
for over 800,000 corporate entities and over 500,000 licensed or registered professionals.
As Georgia's Secretary of State, I take cyber security very seriously. That is why I have contracted with a
global leader in monitored security services to provide immediate responses to these types of threats. This
firm analyzes more than 180 billion events a day globally across a 5,000+ customer base which includes
many Fortune 500 companies. Clearly, this type of resource and service is necessary to protect Georgians'
data against the type of event that occurred on November 15.
Georgia was one of the only few states that did not seek DHS assistance with cyber hygiene scans or
penetration testing before this year's election. We declined this assistance due to having already implemented
the security measures suggested by DHS. Under 18 U.S.C. 1030, attempting to gain access or exceeding
authorized access to protected computer systems is illegal. Given all these facts, a number of very important
questions have been raised that deserve your attention:
214 State Capitol • Atlanta, Georgia 30334 • (404) 656-2881 • (404) 656-0513 Fax
Did your Department in fact conduct this unauthorized scan?
If so, who on your staff authorized this scan?
Did your Department conduct this type of scan against any other states' systems without authorization?
If so, which states were scanned by DHS without authorization?
I am very concerned by these facts provided by our security services provider, as they raise very serious
questions. I would appreciate your prompt and thorough response.
Sincerely,
Brian P. Kemp
[follows is long list of CC: Congressman, etc.]
The STATE Georgia, not the COUNTRY.
DHS ran an nmap scan against our public ip address space! Bloody hackers!
Yawn, probably just some pinging going around by the gov
In an online political discussion, one conservative complained about Obama's alleged excess snooping. I pointed out that Bush and Trump are pretty much pro-snoopers also.
At first (s)he seemed to argue otherwise, but after a lot of probing on my part, the truth finally came out: He was more nervous with a Democrat snooping than a Republican. It wasn't the snooping itself, but WHO was snooping.
I can see how the personal trust issue can play a part, but to keep switching the laws back and forth depending on which party is in power is not realistic.
Table-ized A.I.
" DHS takes the trust of our public ..."
Yes, because the public doesn't GIVE it our trust.
E
Sorry, but since when does one need "permission" for a basic pen test on a public-facing system, assuming they didn't get in? The secretary of state should be seeing this stuff all the time from the open internet. Those at DHS may have not really thought it that significant that they should "warn" the Georgia secretary of state about it. And if they didn't get in, there was no reason to follow up. If there have been burglaries in my neighborhood, I don't think I'd really be surprised if a cop walked up to my house and checked the doorknobs and maybe a couple of windows, found they were all locked and then just moved on. If I later see him on surveillance footage, I'm not going to call the paper complaining that I wasn't notified. The bluster in the letter appears to be a ridiculous attempt by the Georgia SOS to score political points. Sadly it will probably work.
The last two administrations have weaponized a lot of Federal agencies against the American people, violating the 1st, 2nd, 4th, 5th, 8th and other Amendments of the Bill of Rights, and their oath of office to "uphold and defend the Constitution of the United States".
Were they trying to break into the election computers and change the counts?
Running with Linux for over 20 years!
Do you have any basis for this (i.e. evidence) or are you just like all other conspiracy nuts and just making shit up. The unfortunate thing is other conspiracy nuts are just as gullible as you are and will quote you as a fact.
I await your personal attacks because you can't come up with anything better.
The Federal Government just does whatever it wants. Damn the laws or the Constitution or anyone's rights. Get used to it.
I'm an American. I love this country and the freedoms that we used to have.
The parent post needs to be seen!
Do you have any basis for this (i.e. evidence) or are you just like all other conspiracy nuts and just making shit up. The unfortunate thing is other conspiracy nuts are just as gullible as you are and will quote you as a fact.
I await your personal attacks because you can't come up with anything better.
Yo AC Here's the real truth!
https://yro.slashdot.org/comments.pl?sid=9977609&cid=53455847
See, it wasn't Obama trying to fix the election FOR Hillary. It was AGAINST her. Think about it. Who else with the mighty US intelligence apparatus at his command could have more easily broken into the DNC email servers and pizza aficionado John Podesta's gmail account and delivered them to Wikileaks? Who else could have secretly orchestrated Anthony Weiner's exposure as sex freak who propositioned an underage girl and necessitated a reopening of Hillary's email scandal just days before the election? Who could do this? Only the guy that hates Hillary Clinton more than her own husband: Barack Hussein Obama, that who.
Yo AC to you too.
Proof is not a link to another AC's post on slashdot. It is just another gullible person that another gullible person believes (i.e. you).
Want me to google proof for you? I'm sure Wikipedia has an article on it, I could find it if you like..
I can see both sides of this issue, frankly.
When conducting White Hat penetration testing, it's important to get an official OK to conduct those operations. It is not legal or ethical to conduct them otherwise. However SOP is to keep the circle of those informed of what was going on, as small as possible.
Pen Tests become less effective (read: less true to life and revealing) the more people know about them. Thus you often see the CEO and maybe the CSO or CIO knowing, but almost no one else on the inside knows. And of course the White Hat team knows.
The concern is that insiders want their organization to perform well, so they leak. Or they tip someone off inadvertently, which has much the same result: Operations and Security know that the attack is coming. Then organizational defenses go higher than normal, everyone is on alert, and the organization is unrealistically effective at detecting and responding to the Pen Test.
How does that translate here? It could be (pure speculation here, bear with me) that DHS knew about and authorized the Pen Test. However they elected to keep Georgian officials mostly or completely in the dark.
Another possibility is that this was a communications screw up.
DHS: "We've hired you to Pen Test all state IT systems. We'll get back to you with a list of exceptions later."
White Hats: "OK!"
White Hats later, on scheduled Pen Test Day: "Well, DHS never got us that exception list and they aren't responding to our update requests. It's Go time!"
So is this legit? Well it's certainly awkward politically. However one of the consequences of most Pen Tests is that certain ranking individuals discover, they weren't in the loop. That was by design and they may have bruised egos about it.
My take? Someone in Georgia State politics or administration should have been told of this, and probably should have approved it too. And that could still be true!
>Want me to google proof for you? I'm sure Wikipedia has an article on it, I could find it if you like..
I find that hard to believe, but, sure, I'm just waiting on a script to finish so I'll be here a while.
I do IT for small-town banks, and some have signed up with a service from the DHS where they do a (rudimentary) external vulnerability scan once a week, and then generate reports with trends in open ports/services/etc. My guess is someone in IT for the state probably signed up for these scans, and then their firewall/IDS/IPS vendor put out a scary report about hacking attempts. That report probably got handed to someone with an anti-federal agenda and here we are.
https://yro.slashdot.org/story/15/12/01/1741223/dhs-offering-free-vulnerability-scans-penetration-tests
I didn't realize this program has existed for so long, as we've only started using it this year.
https://en.wikipedia.org/wiki/...
There you go, extra bonus, this one is also relevant.
https://en.wikipedia.org/wiki/...
The Ukraine keeps attacking everyone's wordpress installations... let's just call it even.
In an online political discussion, one conservative complained about Obama's alleged excess snooping. I pointed out that Bush and Trump are pretty much pro-snoopers also.
The rest of us are still in early December, 2016.
What's the date where you live?
Oh shit, you were being literal. You literally provided the Wikipedia link to "proof!" LOL. I thought you were gonna google proof that Bill Clinton loves his wife, which I find very hard to believe. Hey, while you're at it could you google "epistemic certainty?"
I'm not saying Obama doesn't hate the Clintons - clearly he does - but what's his follow-on move? He got outmaneuvered when they dug up whatever disastrous oppo research made Biden choose not to run. I don't think he has a plan for how to make himself a future kingmaker.
Oh shit, you were being literal
I have no idea why the idea of providing proof to back up statements is such a surprise to you. If you make a statement you should be able to back it up.
If you can demonstrate epistemic certainty I will accept that though.
I'm very doubtful that the DHS actually did something like this. Two possibilities seem much more likely: the real attacker somehow managed to compromise a DHS IP to attack Georgia or this is just a demonstration of governmental incompetence. I have my doubts that Georgia's IT team is sophisticated enough to actually make a proper determination of the true origin of this attack. "Never assume malice when stupidity will suffice." http://rationalwiki.org/wiki/Hanlon's_razor
Brian Kemp is the same Georgia (U.S.) Secretary of State that had his IT department send out CDs to dozens of places with the entire Georgia Voters list info including Names, Addresses, Social Security Numbers, and what primaries the voter voted in (Democratic or Republican). Anybody could get them; they just had to pay the fee! When this hit the local news he sent a letter asking everyone who got them to return them so that "fixed" the problem. I don't think he even knows that any number of copies could have been made nor does he care. Get real. This guy doesn't know an IP address from a gnat's ass.
Only a crackpot would think HRC wasn't the REAL WINNER of the election. SMH
Perhaps the DHS did not do it? It could be the work of a hacker that infiltrated DHS and used it to probe states.
Given that most states gave permission to DHS to perform penetration testing, it makes the DHS the perfect base for such activity.
A Republican in Georgia was smart enough to turn on a computer? I doubt that.
eat shit and die
If you've never acted out at government / school officials chances are you deserve this. The rest of us are trying to mount a merger defence up in New Hampshire. It's extremely difficult when you and our parents and our parents parents generation did little to nothing to curtail the federal government. We now have a very expansive federal (and state) governments and little to no control over our own lives. I can't take a shit without being forced to comply with some regulation or other. There are certain things you should do, but they shouldn't be mandated in law. From seat belts to drugs there should be no law on these things.
And the justification for it is often the result of other terrible laws: socialism. If people's wages weren't stolen from them we wouldn't need a big government bureaucracy to keep out the 'illegals' because they'd have to compete on the same terms and they wouldn't come (supposedly if you believe the conservatives) for the free money (welfare).
What we need to do is end the government indoctrination programs (ie public 'schools'), welfare programs, tax breaks and loopholes of corporations, and so forth. Instead we should get rid of the taxes altogether and put responsibility back into the hands of the people. Yea- it comes with risk. If you make stupid life choices you may end up in a worse state. But the reality is if everybody's wages doubled people could contribute to charity again and more efficiently solve the problem of social injustices.
We brought this on ourselves. If you want freedom and liberty and control over things like who you marry (gay/straight/whatever) and how many people you can marry (polygamists) or just want some other type of relationship then check out the Free State Project and the Shire Society. We're not conservatives or republicans or democrats. We're people who want to end government. End the police state. Heck. End the police. There is a history in this country where there have been times where there weren't any state police. Until 1930s the state police didn't even exist in New Hampshire. We still don't have mandatory car insurance and people survive. Adults aren't required to wear seat belts either.
Now if we can get rid of drivers licenses, taxes, and various other licenses/fees/and registrations there might be a chance we can form a truly free state. But that won't happen until there are enough people up in New Hampshire who believe in liberty and are willing to sacrifice. Fortunately there are 20,000 people who've signed up and are moving. 10% have moved already in fact. Now we will have a minority still, but a disproportionately active minority can have a huge impact on state politics. And state politics is where the majority of people get harmed. We have more people in prisons at the state level than the feds. The state government despite all the bad supreme court decisions still retain quite a bit of power and can refuse federal mandates if states refuse to take federal bribes. The states can refuse to enforce federal laws. They can repeal laws against pot and other no-victim 'crimes'. And while this won't entirely solve every issue it'll have a big impact on freedom. We can also pass laws to hinder other unjust laws like copy"right" that states do not control. It's as simple as passing a law to criminalize logging by ISPs. And you could probably solve this in a better way without more regulation by expanding access to the market by tearing down the regulations that inhibit new ISPs from forming. The regulations increase the costs and if we get more ISPs some very well may stop logging voluntarily to gain a niche in the privacy market (or if that isn't big enough the piracy market).
Biden didn't run because his son had just died and he wasn't interested in having news crews on him 24/7. Not everything has to be some giant conspiracy, for god's sake.
Have gnu, will travel.
DHS
mighty US intelligence apparatus
Oh, god, stop it! I'm going to die laughing here.
If you make access possible to the internet, then you are effectively putting out a welcome mat. You can't bitch that someone "tried the door knob" when you yourself put that door knob there in the first place, not to mention the door, the path to the door and the neon sign pointing to your house.
So funny. When GW Bush was President, no proof was necessary. Any whacky thing that happened - See, GW at it again. They're already trying to blame Trump for stuff even though he's not even POTUS yet.
So let's blame Obama. He's POTUS still and it was one of the agencies that he runs. So he should be personally responsible, just like CEOs are under Sarbanes/Oxley.
Reading parent was like déjà vu. It allowed me to re-live the confusion, and later understanding, of reading the summary.
-- The National Inspire-er
The story printed above perfectly mirrors my experience of reading the summary. I was surprised at how well the author both understood and conveyed my most private feelings on this matter.
-- The New York Globe
This rings true. It perfectly captures the feelings of Joe Everyreader.
-- Book Club subcommittee on internet comments
AAA++doublesuperplus. Fast shipping! Would buy again!
God damn Russians have taken over DHS and are trying to hack the great state of Georgia.
Commy pinko DHS bastards!
and freedom loving people should DEMAND its dismantling.
I think the most telling statement in the article is that
"Georgia was one of two states that refused cyber-hygiene support and penetration testing from DHS in the leadup to the presidential election."
The State of Georgia elections have been a fraud since 2002 when unverifiable, privatized electronic voting systems were mandated state wide. The systems run closed source vendor software and provide no voter verified physical evidence (aka paper ballots or audit printouts) to verify or authenticate the systems against technical failures or malicious tampering at any scale. The State Supreme Court hid behind a totally unadvertised loophole that any voter can choose to use a paper absentee ballot to keep the systems in place, but the requirements of anonymity in voting mean that none of the vote totals from electronic systems can be legitimately verified and voting on the zero-evidence systems here, as about 98% of the voters do, is nothing but political masturbation.