Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CSW2017 Harri hursti csw17 final

981 views

Published on

CanSecWest2017

Published in: Internet
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

CSW2017 Harri hursti csw17 final

  1. 1. © 2016 Nordic Innovation Labs. All Rights Reserved. November 22, 2016 Touch-and-Go Elections How convenience has taken over security, again. Harri Hursti
  2. 2. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Why I am talking about this? u  Started hacking election machines in the summer of 2005 by invitation of Election Supervisor Ion Sancho of Tallahassee, Florida u  Have participated 3 government sanctioned election machine security studies u  In my opinion, the EVEREST Report commissioned by the Secretary of State Ohio is the most important – the redacted report was 316 pages u  Written in 2007 so it is old and claimed to be outdated u  Studied around the world about systems used in other countries u  In the recent US Presidential election participated as an expert witness in 3 state lawsuits and additional Federal suits u  … and those proceedings are not yet closed … it is a long story
  3. 3. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here What this talk is and is not about? u  Not an announcement of a new hack u  Not making claims that the elections were hacked u  This is to provide information and insights what has been going on … just to make it clear
  4. 4. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here How it all started ... u  2005 hack of Diebold machines u  2007 California top-to-bottom review u  2007 EVEREST of Ohio u  … and that was the last wide scale independent security review in the USA u  After, new systems have been deployed … and never independently reviewed •  52 models of voting machines were used in 2016 election …
  5. 5. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here What kind of system they use ...
  6. 6. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here This is a simple ballot ...
  7. 7. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here 39,695 ballots
  8. 8. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Who is responsible in the government ... u  NIST drafts The Voluntary Voting System Guidelines (VVSG) u  The Election Assistance Commission (EAC) u  Independent agency of the United States government created in 2002 (HAVA) u  Adopting voluntary voting system guidelines u  Accrediting voting system test laboratories u  Certifying voting equipment u  … and a lot more with staff of 30 employees u  2010 the EAC lost its quorum of Commissioners u  preventing many normal operational duties u  December 2014 the U.S. Senate confirmed 3 out of 4 Commissioners u  Back in business … right ? u  For a while ... … on the Federal level
  9. 9. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Not so much... … this is not over yet … but may be heading towards the end
  10. 10. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Developments elsewhere ... u  DMCA 6th triennial review & rulemaking 2015 u  The mechanism to get exemptions u  Final ruling grants exemption ”for purposes of good-faith security research” of voting machines, effective immediately … DMCA
  11. 11. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here How to get a real election machine? l  It used to be l  Still 10 years ago it was very difficult to get any access to a voting machine l  All these 3 models are still in use in general elections in USA l  … and some internationally … That must be next to impossible?
  12. 12. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here … wait, there’s more! l  There are companies you’d never imagine! How about something intersting?
  13. 13. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here … wait, there’s more! l  There are companies you’d never imagine! How about something intersting?
  14. 14. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here … wait, there’s more! l  And they sell everything you need to secure elections … like secure seals ... How about something intersting?
  15. 15. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here … wait, there’s more! l  Official seals? I am sure they wouldn’t sell those with no questions asked to anyone by just typing in a credit card. Right? How about something intersting?
  16. 16. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Oh no! Facepalm!
  17. 17. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Before the last year US elections Congressional hearings … explained why elections cannot be hacked u  ”Citizens cast their votes at a voting machine that is not connected to the internet” u  ”Because voting machines are not connected to the internet, a bad actor would need to physically access hundreds of voting machines that collect the votes.” u  So the machines are not connected? Right? u  Many Local Election Officials certainly believe that there is no ”Network access” even without the Internet
  18. 18. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Sauk, WI … reporting their election night results u  It is a common practice and often required by the law for local jurisdictions to report their results on the official website u  This is the 1st page of the results published, and the only document available for a long time u  Weird?
  19. 19. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Sauk, WI … reporting their election night results u  There are more votes reported in the individual races than the total ballots cast
  20. 20. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Sauk, WI … reporting their election night results u  Down the ballot the gap gets smaller
  21. 21. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Sauk, WI … reporting their election night results u  And after the 3rd it becomes normal ...
  22. 22. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here … fast forward 3 weeks or so … what did the recount say? u  Minutes of the Board of Canvassers, December 1 : u  Clarification on election night totals was given as: On election night after several unsuccessful attempts made by the City of Baraboo to modem-in the results from one voting machine, the results from that machine were manually entered by staff in the Sauk County Clerk’s office. When it appeared that the results still were not submitted, staff in the clerk’s office manually entered the results again, resulting in the results being entered twice. The error was count at the county canvass and race results were adjusted accordingly. u  One machine in a city of 5777 ballots caused 2485 votes extra? u  More importantly : Modem in results?
  23. 23. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1.5 years earlier ... u  The equipment had been tested. The test had failed. u  The addendum was published to address an issue of failing the test.
  24. 24. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1.5 years earlier ... u  “Testing conducted for this request was limited in scope to only regression testing of the Verizon C2 modem configuration.” u  On May 11, 2015 : u  “When the modem process started, a 'Modem Error – Connection Refused by Host' occurred.” u  “BVSC determined that the IP address was incorrect” u  “Both attempts resulted in an 'SFTP Error Login Fail' error message” u  “... the vendor determined that the problem was due to the fact that configuration script in the firewall … needed to be upgraded ...”
  25. 25. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1.5 years earlier ... u  On May 14, 2015 : u  ”BVSC received the new firewall” u  ”.. also verifying the connection to BVSC's SFTP server from the vendor's home office ...” u  ”This resulted the vendor discovering that a typo existed in the configuration scripts that were provided with the new firewall.”
  26. 26. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1.5 years earlier ... u  On May 18, 2015 : u  “BVSC received the updated firewall firewall from ES&S” u  “The modem transmission went through successfully with no errors.” u  “As a final step, staff verified that the modemed election results yielded the expected counts.” u  Success! In a week they sorted it out and modem was modeming without errors u  … and there certainly was no word “Internet” anywhere, so we are good. u  or maybe as Penn & Teller remind us, “Elvis didn't do no drugs”
  27. 27. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1,5 years earlier ... u  Voting machine marketing material says”: “Results are sent over a secure and hardened network. Static Internet Protocol (IP) addresses are assigned to the modem inside each DS200. These IPs are added to the server’s “white list” while all other incoming IP addresses are blocked for a secure transfer.” u  So, what was this “The Modem” thingie anyways? u  Footnote says : “Multitech MTSMC-C2-N3-R. 1”
  28. 28. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … Actually a 1.5 years earlier ... u  Specifications are clear about TCP/IP functions...
  29. 29. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … so what does this all mean? u  Modem means something goes over TCP/IP and SFTP involving a firewall along the way u  We all know that TCP/IP does not mean Internet, neither does SFTP u  Neither does firewall mean Internet, on docs identified as Cisco ASA 5505 u  And certainly connecting into Verizon or Sprint LTE data service does not mean Internet u  Netgear Zing and Jetpack 4G LTE MiFi/WiFi dongles are mentioned as alternatives to the 'Modem' regional results u  … and a bad actor cannot go evil without physical access ... u  There are no specific IP addresses mentioned in those public documents u  FTP software is mentioned for secure FTP : u  Server : Cerebus 6.0.7.1 u  Client : IPSwitch WS_FTP 12.4.1 u  (Client side system requires RMCOBOL 12.06 runtime =)
  30. 30. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … so what does it all mean? u  The actual certificate document lists also 3 wireless USB LTE devices: u  USB551L u  Netgear 341U u  Netgear 340U u  USB memory sticks, CF cards, etc u  Anti-virus software is mentioned as optional u  (as the computers are not connected to a network, right?)
  31. 31. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Meanwhile in Florida … so what does it all mean? u  Everyone in this room can agree that someone should take a serious look into these newer systems?
  32. 32. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here At least it's decentralized … and single place can only cause very limited damage u  ”The Center for Election Systems is a unique project impacting all facets of Georgia's elections. It tests every voting machine used in the state, creates all federal, state and local ballots and houses the voter rolls for every district in Georgia.” u  Georgia is a single vendor environment u  Central Election Management System servers are supported by staff from the University. u  … and it is not a unique approach to have a 3rd party handle a lot of the activities the public assumes are the responsibilities of the officials ...
  33. 33. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here At least it's decentralized … and single place can only cause very limited damage u  Across the USA in many cases, the actual programming of the voting machines is done by 10-20 employee shops u  Literally in a strip mall, and without any basic security u  … while the Georgia outsource partner is a major university which is well funded and well prepared compared to its peers ...
  34. 34. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here What are the hot topics going forward? … where is the gold rush now? u  Internet voting concepts keep on coming back. u  The newest snake oil is blockchain voting u  Electronic pollbooks are attracting a lot of attention u  Those systems have to be real-time synchronized, and therefore networked u  Some systems vendors are pushing are virtual screen sharing systems from a central location
  35. 35. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Housekeeping item, about those recounts … what happened? u  Wisconsin – Recounted statewide, through not all by hand u  51 counties counted by hand, 9 by re-scanning (!), 12 by a combination u  11,883 votes were corrected (over half of the margin of victory was erased!) u  Michigan – Halted after 3 days under opposition from state and the winning candidate u  10 counties finished, 12 started but not finished (out of 83) u  Pennsylvania – Defeated in federal court under opposition from state and the winning candidate u  One county (out of 67) recounted by hand only 143 of its 228 precincts u  No published results. No information available.
  36. 36. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Housekeeping item, about those recounts … what happened? u  There was no evidence detected for an attack. u  Only in Wisconsin the probability to have detected an attack was meaningful u  part of the votes were recounted by rescanning them and therefore in case of a hack... u  Important information learned about vulnerabilities! u  Fun numbers. The USA has: u  200 million registered voters u  13,000 voting jurisdictions u  187,000 election precincts u  52 models of voting machines were used in 2016 election
  37. 37. © 2016 Nordic Innovation Labs. All Rights Reserved. Presentation Title Goes Here Acknowledgements … to the partners in preventing crimes u  Alex Halderman u  Matt Bernhard u  Margaret MacAlpine u  Justin Moore u  … and many others
  38. 38. © 2016 Nordic Innovation Labs. All Rights Reserved. Thank you! Q&A

×