Slashdot Mirror


File-Sharing Software On State Election Servers Could Expose Them To Intruders (propublica.org)

An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security.
"FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."
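
An added example, not part of the ProPublica report or the Slashdot post: a Python check an administrator could run against hosts they operate to confirm the three conditions the report describes (a banner that identifies the server software, password-free anonymous login, and no encryption on offer). The two local mock servers, the `ExampleFTPd 1.0` banner and all function names are constructed for illustration.

```python
import contextlib, ftplib, socketserver, threading

def audit_ftp(host, port=21, timeout=5):
    """Probe one host you administer; None means no FTP service answered."""
    result = {"banner": None, "anonymous_login": False, "offers_tls": False}
    try:
        ftp = ftplib.FTP()
        result["banner"] = ftp.connect(host, port, timeout=timeout)  # greeting may name the software
        with contextlib.suppress(ftplib.Error):  # 4xx/5xx reply: anonymous access refused
            ftp.login()  # ftplib defaults to USER anonymous
            result["anonymous_login"] = True
        ftp.close()
        ftp = ftplib.FTP()  # fresh connection for the encryption probe
        ftp.connect(host, port, timeout=timeout)
        with contextlib.suppress(ftplib.Error):  # error reply: no explicit FTPS
            ftp.voidcmd("AUTH TLS")  # a 234 reply means the server will negotiate TLS
            result["offers_tls"] = True
        ftp.close()
    except (OSError, EOFError):
        return None
    return result

def start_mock(allow_anon, tls):
    """Constructed stand-in FTP server on 127.0.0.1; returns (server, port)."""
    replies = {"USER": "331 Send password" if allow_anon else "530 Anonymous access denied",
               "PASS": "230 Logged in", "QUIT": "221 Bye",
               "AUTH": "234 Proceed with TLS" if tls else "502 Not implemented"}
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.wfile.write(b"220 ExampleFTPd 1.0 ready\r\n")  # constructed banner
            for line in self.rfile:
                cmd = (line.decode().split() or [""])[0].upper()
                self.wfile.write((replies.get(cmd, "502 Not implemented") + "\r\n").encode())
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():  # audits a weak mock and a hardened mock, returns both findings
    weak, wport = start_mock(allow_anon=True, tls=False)
    hard, hport = start_mock(allow_anon=False, tls=True)
    try:
        return audit_ftp("127.0.0.1", wport), audit_ftp("127.0.0.1", hport)
    finally:
        for srv in (weak, hard):
            srv.shutdown(); srv.server_close()

if __name__ == "__main__": print(demo())
```

A host that reports `anonymous_login: True` together with `offers_tls: False` matches the password-free, unencrypted setup the report describes and is a candidate for replacement with SFTP.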

14 of 125 comments

  1. can the MPAA and RIAA's shut down the vote if by Joe_Dragon · · Score: 3, Interesting

    Can the MPAA and RIAA shut down the vote if, say, the hot new movies were to be hosted there?

  2. Re:Never heard of breaches in the tech news by Aighearach · · Score: 2

    It is just standard basic precautions, not a major attack vector.

    The fear isn't so much related to that it might be compromised, but that it isn't encrypted and so everybody on your subnet can read the traffic, and if somebody p0wned your router they could also alter that traffic. And the router in question really might be a consumer wifi router!

    Personally, I think election systems demand even stronger security than banks, but if we could at least get the security up to the level the local public library has it would be a great start!

  3. Oh Good Lord by 93 Escort Wagon · · Score: 3, Insightful

    Regardless of the presence of state actors wanting to interfere in our elections...

    WHAT KIND OF MORON RUNS FTP ON AN ELECTIONS SERVER?

    --
    #DeleteChrome
    1. Re:Oh Good Lord by 93 Escort Wagon · · Score: 4, Insightful

      I understand what you’re saying - and why - but I still ascribe to “never attribute to malice what can be adequately explained by incompetence”.

      --
      #DeleteChrome
    2. Re:Oh Good Lord by swillden · · Score: 2

      That presupposes that incompetence is substantially more common than malice - I'm not sure that holds in politics, where both seem nearly ubiquitous.

      What about incompetent malice?

      I assert that competence is rare everywhere -- including in politics -- and that this is the true basis of Hanlon's Razor. The reason you should never attribute to malice what can be adequately explained by stupidity (or incompetence) isn't so much that malice is rare [*], but that incompetence is so incredibly common. Nearly all attributions of malice implicitly assume competent malice, because the incompetently malicious generally screw up in some way, and it's this assumption of competence more than the assumption of malice that calls the assertion into question.

      Conspiracy theories are always dubious for exactly this same reason. Competent conspirators are really hard to find, so as the number of people who would have to be involved for the conspiracy to work rises, the probability that the conspiracy continues to successfully avoid leaking proof of its existence falls. If more than a handful of extraordinarily dedicated and competent people would have to be in on it, then it's just not so.

      [*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon. Screwing your neighbor to benefit yourself is more common, but the fact that being known as someone who will shaft their neighbor to benefit themselves is almost always more costly than whatever benefit can be obtained from the betrayal means that people are pretty reluctant to do it. The vast majority of people are also held back by morality... though we also tend to have tremendous powers of self-justification. That last sentence really just describes emotions which are themselves an evolutionary adaptation to the fact that screwing your neighbor is likely to come back on you, and cooperation is likely to give the best outcome -- unless you can be really sure you won't be caught.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Oh Good Lord by swillden · · Score: 2

      The much more important question is, "What directories were exposed, and what was in them?"

      If -- and I mean if -- it's only /pub, and there's nothing in /pub then what's to worry about?

      Vulnerabilities in the FTP server and, far more likely, misconfigurations that mean that /pub isn't the only thing exposed. If a system is badly misconfigured enough to have an FTP server enabled by accident, what are the odds that it's configured correctly and patched up?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re: FTP you say? by Zocalo · · Score: 2

    You mean something like this ongoing sequence of events concerning Georgia's equally exploitable voter registration system? It might not be the actual voting machines here, but the whole sequence of events and actions by those involved is sketchy as hell, so it's sure going to be interesting to see how many "dead people" etc. turn out to have voted in this one...

    --
    UNIX? They're not even circumcised! Savages!
  5. Re:FTP can be secure by ShanghaiBill · · Score: 2

    Ftp actually can be secure.

    Maybe it CAN be secure, but it isn't by default, and there are more secure protocols, such as scp, that make ftp unnecessary. There is no good reason to run it on any system, much less an election server.

  6. Re: FTP can be secure by Junta · · Score: 2

    All this is true, ftp *can* be done secure.

    However, it's *much* easier to do rsync or sftp in so many ways that I could hardly see a reason to bother with ftp and trying to bolt on security through kerberos and/or tls.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  7. Re:FTP can be secure by ctilsie242 · · Score: 2

    Why would you want to make an old protocol secure, when there are other protocols out that solve the issues FTP has from the ground up? FTPS (as in SSL/TLS over FTP) is a band-aid at best. Why even bother with that, when you have SFTP which is designed from the ground up to be secure, can be configured to allow for RSA authentication from both ends, so a password never goes in the clear, can't be brute-forced, and goes over only one port?

    With how easy it is to use SSH, why even bother with FTP these days?

  8. Re:Never heard of breaches in the tech news by Cassini2 · · Score: 2

    A common configuration for FTP servers was that they support all logins, both privileged and unprivileged. That means you can simply run a password guesser at it until you find the login for a privileged account. Alternatively, you can snoop on the traffic until someone logs in, steal their credentials, and hope they have privileged access. A privilege escalation attack works too.

    If you had the ability to snoop and modify the traffic, then a good approach would be to wait until election day and modify the results in real-time. As long as there are no other checks, it would be very difficult to prove.

    An interesting complication would be if multiple parties tried to hack the system simultaneously. A clever malicious hacker would keep the changes within the limits of statistical feasibility. A poor hacker would simply make everyone vote the same way. For the clever malicious hacker to succeed, he would also need to secure the system against the poor hacker without being detected. Thus, for the malicious, there is an optimal level of security. Too much security, and the system can't be modified. Too little security, and it is possible that someone else will hack the system, and expose the flaws.

    A malicious actor requires a very specific level of insecurity. A competently designed system with paper ballots won't work, because an audit-check on the paper ballots would expose tampering. The malicious actor requires a system that appears to be secure, but has no effective audit checks. If the system was completely insecure, then some script kiddy could break in, and the scheme would unravel. Similarly, the system can't have any deliberately engineered security holes, because the author of the software could turn state's witness and the scheme would unravel too. The system needs a set of security holes that can be attributable to design incompetence. Might an FTP server be a suitable middle ground? Maybe ...

    It makes me feel so good to vote on Tuesday.

  9. FTP is for sales by astrofurter · · Score: 2

    100% of real-world FTP servers I've seen running in the last decade were set up on orders from Sales or Marketing departments. Those folks tend to have low technical ability, zero understanding of security, and far more political power than Dev or IT.

    In fact, the presence of an FTP server on an important host tells us something about their organizational structure. It tells us there is at least one zero-tech-knowledge person in the org, whose mere whim carries more weight than the CTO's (or CSO's) total office-political power.

    It's a social problem. We now live in a world where everything is controlled by computers. Yet programmers have no real upward career path and are systematically excluded from leadership positions in most organizations. Thus even highly tech-dependent orgs usually have 100% tech-illiterate leaders.

    Until this social problem is fixed, expect security incidents to get steadily worse and more frequent.

  10. Re:Never heard of breaches in the tech news by rtb61 · · Score: 2

    So drop all the electronic bullshit and go back to pencil and paper and eyeballs. Make your mark on your bit of paper and afterwards, reps of those representatives seeking election, count the votes together, tabulate them and put them up on a board and phone that information to the state vote counting centres, who under public camera view put the numbers up and tabulate, keeping in mind those who originally counted them can see their numbers go up on the central board for the total count.

    Elections should be about people, not corruptly created and manipulated electronics. Your elections are being stolen and will continue to be until you go back to an entirely manual system, accept the reality, you are being conned.

    --
    Chaos - everything, everywhere, everywhen