SlideShare a Scribd company logo

Voting Systems - ISSA Chicago Presentation 2020

Download as PPTX, PDF
C
Chris Roberts

This document discusses issues with voting machine security and election integrity in the United States. It notes that major voting machine companies like ES&S, Dominion, and Hart still rely on outdated and insecure technology, with vulnerabilities like easy-to-guess default passwords and hundreds of thousands of lines of insecure source code. The document also outlines other security problems like a lack of paper audits trails and patching, as well as corruption within the voting machine industry. Overall, it argues that the current electronic voting systems in the US are insecure and cannot guarantee fair and accurate elections.

Government & Nonprofit
1 of 99
All Your Votes Are Belong To… ES&S, Dominion, and Hart… Chris Roberts Chris@hillbillyhitsquad.com Sidragon1 (LinkedIn and Twitter)
Intro… GeekResearcher HackerDad
Public Service Announcement
Disclaimer… The guy giving this presentation doesn’t have skin in this game… • I don’t care if a Democrat, Republican, or John McAfee gets in… • I’d rather you didn’t vote in the Constitution folks. • This is your country… • We gave it back to you • It started out promising. • It’s not looking so good... • However, with Brexit back home, I really can’t say too much! • What I DO care about is a fair fight… – And you don’t have the mechanism in place for that.
If you were looking for a feel-good pep talk… This isn’t going to be it You have been warned
Squirrel Moment Over
The Now…
"The integrity of our elections is directly tied to the machines we vote on — the products that you make," they wrote. "Despite shouldering such a massive responsibility there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price." (2019) Four senators… For once, something we agree on…
Our Industry…
Business Is Booming!!
We’re Spending More And More! Add 5-10% for 2020
Splendid, So We’re Winning?
Nope…
Not Even Close… The global average mean time to identify a data breach is 197 days. The mean time to recover from a data breach is around 70 days. 76% of organizations were targeted by a phishing attack in the past 12 months. 75% companies say a data breach has caused a material disruption to business processes. The global average cost of a breach is around $4m. We are losing an average of 22.5 million records a DAY. Statistically you now have a 33% chance of being breached in the next 24 months. USA is still the most popular target, 57% of breaches, 97% of the data in last 24 months.
Globally Top 30 breaches account for almost DOUBLE the Earths population… Congratulations to us… At least we’re thorough in losing everyone data… TWICE!
EVEN in failure we manage to make a profit?!? Ransomware services, for when the blinky shit fails
But I’ve Got Cyber?!?
Adversaries Perspective… Not only do I have a bigger toolbox than you do, I also have time, patience, and the element of surprise on my side. You MUST be right ALL the time… I only need to get lucky once.
Invite Only CTF, Jan 2020 • Task: – Compromise the Win10 platform and escape from the Virtual Machine • Action: – The team attempted BOTH objectives – Completed BOTH objectives – It took 68 seconds to do both • Result: – Win10 payout $25k – Virtual machine payout $75k – Split between team (different countries) – Most went to charities
Defenders Current Status It’s not pretty…less tools, the technologies don’t readily coexist and we’re spending ½ the time justifying what we DO do. We also have policies, procedures and controls….all with less resources.
But My Vendors Told Me I’d Be Secure…
Confusion Managed
Going To Need More Tasers…
Everyone's Got Alert Fatigue
It’s not IF, it’s WHEN you’ll be breached…
Narcissistic Reality • Companies are no longer led by solving problems, they’re led by marketing messages. • We charge down the latest buzzwords, fads, and breaches like a pack of rabid hyenas. • We confuse clients with an increasing array of acronyms, product names and rarely simplify the message. • Our companies no longer focus on protecting their charges, simply making more profit. • Build, grow, get acquired and move on is NOT a sustainable view for any established enterprise. • We hide behind FUD, hoodies, faceless attackers, while peppering our clients with AI, ML, Blockchain, and other empty promises. • The evolution of InfoSec to Cyber has NOT been done for the right reasons… • AS an attacker, and adversary YOU have created the perfect conditions for ME to succeed.
The State Of Voting…
We’re going to skip past the fact that the 2018’s midterms were a mess, we’ll ignore some of the stuff so far this year, and assume that you already have a background IN the voting systems themselves…
Let’s Jump In With Passwords…
Your Vote’s Protected! • By systems with passwords such as: – 1111 – 1234 – Admin – ESS – EVEREST – password – Vogue – (no password)
WHY Bother Redacting?
For Reference…
When the FAIL is so strong, one facepalm is not enough…
Hacking Skills NOT Required… Search for: ElectionCentralMenuPassword
Try Searching For: • Instruction manuals • Passwords • Configuration settings • Local/Regional/State installation discussions • Images/pictures/booth configurations • Manufacturers patents • Suppliers instructions/device installs • Support forums, tickets, help areas • Software code forums • Etc.
It’s OK! The Software Will Protect Us...
Microsoft ended mainstream support for Windows 8.1 on January 9, 2018
“The ES&S system is extraordinarily complex, consisting of nearly 670,000 lines of source code written in twelve programming languages for five different hardware platforms.” “The type of discovered security bugs strongly suggests that ES&S did not perform an adequate level of code analysis.” “Using another tool, hundreds of potentially exploitable software bugs were immediately exposed.” (Thanks, Micah Sherr, PhD)
Dec 2019
I’d Be Disappointed Too..
Other Findings… • Malicious software running on machines can steal votes with little risk of detection. • Malicious software can modify records, audit logs, and counters kept by the machine. • Forensics will find nothing amiss. • Anyone with physical access to a machine can install malicious software. (<60 seconds) • Anyone who has access to memory cards used in the machine can also install software. • Poll workers and others often have long periods of unsupervised access to machines. • Several targeted machine are susceptible to specific voting-machine viruses • Malicious activity is easy to undertake during normal election activity. • Remediation? – Some of the issue can be eliminated by improving software, – Others cannot be rectified without full hardware replacements. – Significant changes to procedures would be needed to ensure security.
Anything else??!?
Patching? Nope…
When a Regular Facepalm Just Isn’t Enough The Presidential Facepalm
ES&S “Answers For Every Election Challenge” “These companies’ litigiousness creates a barrier to competition that becomes a barrier to improving our elections.” Louisiana campaign finance records show that an ES&S lobbyist in Baton Rouge has donated $13,250 to Edwards’ campaigns since 2014. Thanks: Jessica Huseman
ES&S Corruption Doc ...and another 39 pages
Note: Even though this points out ES&S’s flaws (only a few of them.) The others (Dominion and Hart) also fail most levels of scrutiny…and shouldn’t be sitting there congratulating themselves… You’re ALL as bad as each other, and that’s part of the problem.
We don’t need anyone to “hack” our elections… We’re fully capable of cocking it up on our own! In Summary:
So, Where DOES That Leave Us?
Nobody’s Got The Full Picture… This is the general population… Happy, relaxed and blissfully unaware…
That’s NOT Quite True…
August 2019, Las Vegas… 1. Commercially-Available Voting System Hardware Remains Vulnerable to Attack 2. There is an Urgent Need for Paper Ballots and Risk-Limiting Audits 3. New Ballot Marking Device (BMD) Products are Vulnerable 4. Infrastructure and Supply Chain Issues Continue to Pose Significant Security Risks PLEASE , take the time to download AND read the voting village report from DEF CON 27
Thank you, from ALL of us!
So We Have A Clue, But We’re Still Screwed?
Blame Someone, That Always Works…
Who To Blame? Theoretical and empirical research on the effect of foreign electoral intervention has been thin on the ground and weak until recently… Since 2011 several studies have been conducted. One study indicated that the country intervening in most foreign elections is: • The United States with 81 interventions • Russia (including the former Soviet Union) with 36 interventions The estimates put interference from 1946 to 2000 at an average of once in every nine competitive elections. (Most being through covert actions, BUT, on average able to shift the voting share by about 3%...)
Why Are We In Such A Mess?
Those we protect…
Communication Math • It takes 1 minute to convince you to hand me your email… • It takes 1 free offer to get your phone number… • It takes 1 time to get you to click an email… • It takes 1 connection with your Bluetooth or wireless… • It takes 1 guess to work out you re-use your passwords… • It takes 1 minute with your unattended electronics… • It takes 1 connection on your social media networks… YET… • It takes 7-20 times to get through to you about awareness… Therefore adversaries continue to win. Change the engagement model
2019-2020 Passwords… • 123456 (Still No1…) • 123456789 (Moved UP from 3rd place last year) • qwerty (Moved UP from 9th place last year) • password (Fallen from 2nd place…) • 1234567 (Too depressed to carry on…) • 12345678 • 12345 • Iloveyou (I actually hate you at this point) • 111111 (Congressman’s favorite…) • 1111 (Voting machine favorite!) • 123123 Seriously, we’re talking AI, bioengineering, nanotechnology, and putting people on Mars, and yet this is STILL front and center?!?
“…any civilization that had so far lost its head as to need to include a set of detailed instructions for use in a package of toothpicks, was no longer a civilization in which I could live and stay sane.” Douglas Adams, you are missed.
Or, TRY to protect…
Just ONE Attack Vector… • Last 4 years, around 1,500 healthcare companies have been hit with ransomware. • The 172 individual attacks from 2016 to 2019 affected 6.6 million patients. • The overwhelming majority of organizations affected were: – Hospitals or clinics at 74% – Elderly care providers accounted for 7% – Dental (5%) – Medical testing (2%) – Health insurance, government health and medical supplies, all at 1% • Researchers calculated the overall cost of the attacks at $157 million.
When We Get It WRONG… People DIE
iRobot Artificial Intelligence in action…
So, NO, despite what the vendors say Artificial Intelligence is NOT going to save us
What DO We Do About It?
How About We JUST Talk? Communication: Exchange ideas with each other… Cooperation: Independent goals, with an aim to share data Coordination: ALL rowing in same direction for once… Collaboration: The whole is greater than the sum of its parts
TALK in a language OTHERS understand
ASK More Questions!
DevSecOps!
SHARE Intelligence BEFORE it’s too late
We’ve forgotten the people, Ignored the process, and skipped straight to technology… CHANGE the equation…
And…one for us
Unplug!
There’s more, but hopefully you get the idea
Our Future
All Of Us… • Irrespective of your background. • Irrespective of your race, creed, color, faith, or eye color. • Absolutely irrespective of your orientation! • Change takes ALL of us. – This isn’t securities problem, it isn’t the researcher's fault, we need to stop blaming the hackers. – This isn’t the C-Suites blame to carry, nor is it the user's issue to solve. Developers need to be out of the firing line as does EVERYONE in the business. • We ALL take some of the responsibility, therefore we ALL have to solve it…together!
(Phew!) Final Thoughts…
Fundamental Attribution Error
“We may have all come on different ships, but we’re in the same boat now” Martin Luther King, Jr. 97
I will fail We will succeed
Voting Systems - ISSA Chicago Presentation 2020

Recommended

Gunning for granny
Gunning for grannyGunning for granny
Gunning for granny
Chris Roberts
 
Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplations
Chris Roberts
 
Artificial Intelligence in InfoSec
Artificial Intelligence in InfoSecArtificial Intelligence in InfoSec
Artificial Intelligence in InfoSec
Chris Roberts
 
GrrCon 2018 - Getting Into InfoSec
GrrCon 2018 - Getting Into InfoSecGrrCon 2018 - Getting Into InfoSec
GrrCon 2018 - Getting Into InfoSec
Chris Roberts
 
Secular Technological Tailwinds
Secular Technological TailwindsSecular Technological Tailwinds
Secular Technological Tailwinds
Dionisio Chiuratto Agourakis
 
The Programmable Internet of Things
The Programmable Internet of ThingsThe Programmable Internet of Things
The Programmable Internet of Things
Rich Miller
 
Wiki Web Way (Practical Manual to Earn Money on Internet)
Wiki Web Way (Practical Manual to Earn Money on Internet)Wiki Web Way (Practical Manual to Earn Money on Internet)
Wiki Web Way (Practical Manual to Earn Money on Internet)
AbundioTeca
 
Machine Learning for Non-technical People
Machine Learning for Non-technical PeopleMachine Learning for Non-technical People
Machine Learning for Non-technical People
indico data
 

Recommended

Gunning for granny
Gunning for grannyGunning for granny
Gunning for granny
Chris Roberts
 
Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplations
Chris Roberts
 
Artificial Intelligence in InfoSec
Artificial Intelligence in InfoSecArtificial Intelligence in InfoSec
Artificial Intelligence in InfoSec
Chris Roberts
 
GrrCon 2018 - Getting Into InfoSec
GrrCon 2018 - Getting Into InfoSecGrrCon 2018 - Getting Into InfoSec
GrrCon 2018 - Getting Into InfoSec
Chris Roberts
 
Secular Technological Tailwinds
Secular Technological TailwindsSecular Technological Tailwinds
Secular Technological Tailwinds
Dionisio Chiuratto Agourakis
 
The Programmable Internet of Things
The Programmable Internet of ThingsThe Programmable Internet of Things
The Programmable Internet of Things
Rich Miller
 
Wiki Web Way (Practical Manual to Earn Money on Internet)
Wiki Web Way (Practical Manual to Earn Money on Internet)Wiki Web Way (Practical Manual to Earn Money on Internet)
Wiki Web Way (Practical Manual to Earn Money on Internet)
AbundioTeca
 
Machine Learning for Non-technical People
Machine Learning for Non-technical PeopleMachine Learning for Non-technical People
Machine Learning for Non-technical People
indico data
 
INTERNET
INTERNETINTERNET
INTERNET
yaharamazing
 
CTO Straight Talk Issue 1
CTO Straight Talk Issue 1CTO Straight Talk Issue 1
CTO Straight Talk Issue 1
HCL Technologies
 
The future of technology
The future of technologyThe future of technology
The future of technology
Pew Research Center's Internet & American Life Project
 
Weakness and strengths of computer
Weakness and strengths of computerWeakness and strengths of computer
Weakness and strengths of computer
Amanjot_kaur
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Michael Rushanan
 
Privacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information ProfessionalsPrivacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information Professionals
Centre for Advanced Management Education
 
ICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISASICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISAS
Kisas Muet
 
James Katz en MoRe
James Katz en MoReJames Katz en MoRe
James Katz en MoRe
Eduardo Arriagada
 
AI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for LibrariesAI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for Libraries
Brian Pichman
 
Advantages of disadvantages of using the computer
Advantages of disadvantages of using the computerAdvantages of disadvantages of using the computer
Advantages of disadvantages of using the computer
MissNDuncan
 
How Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital MarketingHow Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital Marketing
indico data
 
How technology impacts our lives ( finished)
How technology impacts our lives ( finished)How technology impacts our lives ( finished)
How technology impacts our lives ( finished)
Devon Saysell
 
Science & Technology
Science & Technology Science & Technology
Science & Technology
Cake Butter
 
The Future Computed
The Future ComputedThe Future Computed
The Future Computed
Ronald Veisenberger
 
Internet
InternetInternet
InternetPatrícia Magalhães
 
Dk neuro cog
Dk neuro cogDk neuro cog
Dk neuro cog
Dirk A. Kummerle
 
Digital technology impacts by 2020
Digital technology impacts by 2020Digital technology impacts by 2020
Digital technology impacts by 2020
Pew Research Center's Internet & American Life Project
 
Implementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big DataImplementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big Data
IDEAS - Int'l Data Engineering and Science Association
 
ICT Trends WorldWide
ICT Trends WorldWide ICT Trends WorldWide
ICT Trends WorldWide
Ines Seidel
 
Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.
Jonas Söderström
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 years
EC-Council
 
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa
 

More Related Content

What's hot

INTERNET
INTERNETINTERNET
INTERNET
yaharamazing
 
CTO Straight Talk Issue 1
CTO Straight Talk Issue 1CTO Straight Talk Issue 1
CTO Straight Talk Issue 1
HCL Technologies
 
The future of technology
The future of technologyThe future of technology
The future of technology
Pew Research Center's Internet & American Life Project
 
Weakness and strengths of computer
Weakness and strengths of computerWeakness and strengths of computer
Weakness and strengths of computer
Amanjot_kaur
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Michael Rushanan
 
Privacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information ProfessionalsPrivacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information Professionals
Centre for Advanced Management Education
 
ICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISASICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISAS
Kisas Muet
 
James Katz en MoRe
James Katz en MoReJames Katz en MoRe
James Katz en MoRe
Eduardo Arriagada
 
AI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for LibrariesAI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for Libraries
Brian Pichman
 
Advantages of disadvantages of using the computer
Advantages of disadvantages of using the computerAdvantages of disadvantages of using the computer
Advantages of disadvantages of using the computer
MissNDuncan
 
How Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital MarketingHow Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital Marketing
indico data
 
How technology impacts our lives ( finished)
How technology impacts our lives ( finished)How technology impacts our lives ( finished)
How technology impacts our lives ( finished)
Devon Saysell
 
Science & Technology
Science & Technology Science & Technology
Science & Technology
Cake Butter
 
The Future Computed
The Future ComputedThe Future Computed
The Future Computed
Ronald Veisenberger
 
Dk neuro cog
Dk neuro cogDk neuro cog
Dk neuro cog
Dirk A. Kummerle
 
Digital technology impacts by 2020
Digital technology impacts by 2020Digital technology impacts by 2020
Digital technology impacts by 2020
Pew Research Center's Internet & American Life Project
 
Implementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big DataImplementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big Data
IDEAS - Int'l Data Engineering and Science Association
 
ICT Trends WorldWide
ICT Trends WorldWide ICT Trends WorldWide
ICT Trends WorldWide
Ines Seidel
 
Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.
Jonas Söderström
 

What's hot (20)

INTERNET
INTERNETINTERNET
INTERNET
 
CTO Straight Talk Issue 1
CTO Straight Talk Issue 1CTO Straight Talk Issue 1
CTO Straight Talk Issue 1
 
The future of technology
The future of technologyThe future of technology
The future of technology
 
Weakness and strengths of computer
Weakness and strengths of computerWeakness and strengths of computer
Weakness and strengths of computer
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
 
Privacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information ProfessionalsPrivacy, Emerging Technology, and Information Professionals
Privacy, Emerging Technology, and Information Professionals
 
ICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISASICT causes social ills by MUET Unit KISAS
ICT causes social ills by MUET Unit KISAS
 
James Katz en MoRe
James Katz en MoReJames Katz en MoRe
James Katz en MoRe
 
AI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for LibrariesAI - Artificial Intelligence - Implications for Libraries
AI - Artificial Intelligence - Implications for Libraries
 
Advantages of disadvantages of using the computer
Advantages of disadvantages of using the computerAdvantages of disadvantages of using the computer
Advantages of disadvantages of using the computer
 
How Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital MarketingHow Machine Learning is Shaping Digital Marketing
How Machine Learning is Shaping Digital Marketing
 
How technology impacts our lives ( finished)
How technology impacts our lives ( finished)How technology impacts our lives ( finished)
How technology impacts our lives ( finished)
 
Science & Technology
Science & Technology Science & Technology
Science & Technology
 
The Future Computed
The Future ComputedThe Future Computed
The Future Computed
 
Internet
InternetInternet
Internet
 
Dk neuro cog
Dk neuro cogDk neuro cog
Dk neuro cog
 
Digital technology impacts by 2020
Digital technology impacts by 2020Digital technology impacts by 2020
Digital technology impacts by 2020
 
Implementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big DataImplementing Artificial Intelligence with Big Data
Implementing Artificial Intelligence with Big Data
 
ICT Trends WorldWide
ICT Trends WorldWide ICT Trends WorldWide
ICT Trends WorldWide
 
Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.Intranets and intranet projects - a few ideas and practical things learned.
Intranets and intranet projects - a few ideas and practical things learned.
 

Similar to Voting Systems - ISSA Chicago Presentation 2020

Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 years
EC-Council
 
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa
 
Presentation 'a web application security' challenge
Presentation 'a web application security' challengePresentation 'a web application security' challenge
Presentation 'a web application security' challenge
Dinis Cruz
 
2022 - Killer Bunny - TPRA Conference.pptx
2022 - Killer Bunny - TPRA Conference.pptx2022 - Killer Bunny - TPRA Conference.pptx
2022 - Killer Bunny - TPRA Conference.pptx
Chris Roberts
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Steve Poole
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker SideCybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Steve Poole
 
Melki, Jad - Myths and tensions of digital age
Melki, Jad - Myths and tensions of digital ageMelki, Jad - Myths and tensions of digital age
Melki, Jad - Myths and tensions of digital age
Salzburg Global Seminar
 
IAC21: Shedding Light on Dark Patterns.pdf
IAC21: Shedding Light on Dark Patterns.pdfIAC21: Shedding Light on Dark Patterns.pdf
IAC21: Shedding Light on Dark Patterns.pdf
Noreen Whysel
 
Bob Gourley
Bob GourleyBob Gourley
Bob Gourley
AFCEA International
 
Cyber crime: A Quick Survey
Cyber crime: A Quick SurveyCyber crime: A Quick Survey
Cyber crime: A Quick Survey
Arindam Sarkar
 
Progscon cybercrime and the developer
Progscon cybercrime and the developerProgscon cybercrime and the developer
Progscon cybercrime and the developer
Steve Poole
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Matt Hathaway
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Alexandre Sieira
 
Social Engineering - By Chris Hills
Social Engineering - By Chris HillsSocial Engineering - By Chris Hills
Social Engineering - By Chris Hills
Chris Hills CPP, CRMP
 
William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015
CSO_Presentations
 
The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!
Frode Hommedal
 
An Introduction to Maskirovka aka Information Operations
An Introduction to Maskirovka aka Information OperationsAn Introduction to Maskirovka aka Information Operations
An Introduction to Maskirovka aka Information Operations
Heather Vescent
 
Essay Technology 250 Words. Online assignment writing service.
Essay Technology 250 Words. Online assignment writing service.Essay Technology 250 Words. Online assignment writing service.
Essay Technology 250 Words. Online assignment writing service.
Diana Hole
 
Socialpreso craighannabus
Socialpreso craighannabusSocialpreso craighannabus
Socialpreso craighannabus
Donaldphejane
 
Computing and the future of everything
Computing and the future of everythingComputing and the future of everything
Computing and the future of everything
David Gerhard
 

Similar to Voting Systems - ISSA Chicago Presentation 2020 (20)

Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 years
 
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
Flupa UX Days 2018 | Sara Wachter-Boettcher (EN)
 
Presentation 'a web application security' challenge
Presentation 'a web application security' challengePresentation 'a web application security' challenge
Presentation 'a web application security' challenge
 
2022 - Killer Bunny - TPRA Conference.pptx
2022 - Killer Bunny - TPRA Conference.pptx2022 - Killer Bunny - TPRA Conference.pptx
2022 - Killer Bunny - TPRA Conference.pptx
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker SideCybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker Side
 
Melki, Jad - Myths and tensions of digital age
Melki, Jad - Myths and tensions of digital ageMelki, Jad - Myths and tensions of digital age
Melki, Jad - Myths and tensions of digital age
 
IAC21: Shedding Light on Dark Patterns.pdf
IAC21: Shedding Light on Dark Patterns.pdfIAC21: Shedding Light on Dark Patterns.pdf
IAC21: Shedding Light on Dark Patterns.pdf
 
Bob Gourley
Bob GourleyBob Gourley
Bob Gourley
 
Cyber crime: A Quick Survey
Cyber crime: A Quick SurveyCyber crime: A Quick Survey
Cyber crime: A Quick Survey
 
Progscon cybercrime and the developer
Progscon cybercrime and the developerProgscon cybercrime and the developer
Progscon cybercrime and the developer
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
Social Engineering - By Chris Hills
Social Engineering - By Chris HillsSocial Engineering - By Chris Hills
Social Engineering - By Chris Hills
 
William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015William Cheswick Presentation - CSO Perspectives Roadshow 2015
William Cheswick Presentation - CSO Perspectives Roadshow 2015
 
The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!
 
An Introduction to Maskirovka aka Information Operations
An Introduction to Maskirovka aka Information OperationsAn Introduction to Maskirovka aka Information Operations
An Introduction to Maskirovka aka Information Operations
 
Essay Technology 250 Words. Online assignment writing service.
Essay Technology 250 Words. Online assignment writing service.Essay Technology 250 Words. Online assignment writing service.
Essay Technology 250 Words. Online assignment writing service.
 
Socialpreso craighannabus
Socialpreso craighannabusSocialpreso craighannabus
Socialpreso craighannabus
 
Computing and the future of everything
Computing and the future of everythingComputing and the future of everything
Computing and the future of everything
 

Recently uploaded

PPT Item # 4 - 434 College Blvd. (sign. review)
PPT Item # 4 - 434 College Blvd. (sign. review)PPT Item # 4 - 434 College Blvd. (sign. review)
PPT Item # 4 - 434 College Blvd. (sign. review)
ahcitycouncil
 
G7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdfG7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdf
Energy for One World
 
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
odmqk
 
CBO's Immigration Projections - Presentation
CBO's Immigration Projections - PresentationCBO's Immigration Projections - Presentation
CBO's Immigration Projections - Presentation
Congressional Budget Office
 
Antyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemesAntyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemes
narinav14
 
Item # 10 -- Historical Presv. Districts
Item # 10 -- Historical Presv. DistrictsItem # 10 -- Historical Presv. Districts
Item # 10 -- Historical Presv. Districts
ahcitycouncil
 
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
afsebu
 
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
teeaszt
 
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRISTTRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
Cheong Man Keong
 
ColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomicsColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomics
JuanFelipeHerrera4
 
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
3woawyyl
 
IEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- StatisticsIEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- Statistics
Energy for One World
 
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
9d5c8i83
 
Item #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code AmendmentItem #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code Amendment
ahcitycouncil
 
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
ahcitycouncil
 
2024: The FAR - Federal Acquisition Regulations, Part 42
2024: The FAR - Federal Acquisition Regulations, Part 422024: The FAR - Federal Acquisition Regulations, Part 42
2024: The FAR - Federal Acquisition Regulations, Part 42
JSchaus & Associates
 
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
ii2sh2v
 
2024: The FAR - Federal Acquisition Regulations, Part 40
2024: The FAR - Federal Acquisition Regulations, Part 402024: The FAR - Federal Acquisition Regulations, Part 40
2024: The FAR - Federal Acquisition Regulations, Part 40
JSchaus & Associates
 
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
dj1cx4ex
 
G7 Apulia Leaders Communique, 14th June 2024
G7 Apulia Leaders Communique, 14th June 2024G7 Apulia Leaders Communique, 14th June 2024
G7 Apulia Leaders Communique, 14th June 2024
Energy for One World
 

Recently uploaded (20)

PPT Item # 4 - 434 College Blvd. (sign. review)
PPT Item # 4 - 434 College Blvd. (sign. review)PPT Item # 4 - 434 College Blvd. (sign. review)
PPT Item # 4 - 434 College Blvd. (sign. review)
 
G7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdfG7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdf
 
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
 
CBO's Immigration Projections - Presentation
CBO's Immigration Projections - PresentationCBO's Immigration Projections - Presentation
CBO's Immigration Projections - Presentation
 
Antyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemesAntyodaya saral portal haryana govt schemes
Antyodaya saral portal haryana govt schemes
 
Item # 10 -- Historical Presv. Districts
Item # 10 -- Historical Presv. DistrictsItem # 10 -- Historical Presv. Districts
Item # 10 -- Historical Presv. Districts
 
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
 
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证)阿德莱德大学毕业证如何办理
 
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRISTTRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
 
ColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomicsColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomics
 
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
在线办理(英国UEA毕业证书)东英格利亚大学毕业证成绩单一模一样
 
IEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- StatisticsIEA World Energy Investment June 2024- Statistics
IEA World Energy Investment June 2024- Statistics
 
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
在线办理美国乔治华盛顿大学毕业证(gwu毕业证书)学历学位证书原版一模一样
 
Item #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code AmendmentItem #s 8&9 -- Demolition Code Amendment
Item #s 8&9 -- Demolition Code Amendment
 
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
PPT Item # 5 - 318 Tuxedo Ave. (sign. review)
 
2024: The FAR - Federal Acquisition Regulations, Part 42
2024: The FAR - Federal Acquisition Regulations, Part 422024: The FAR - Federal Acquisition Regulations, Part 42
2024: The FAR - Federal Acquisition Regulations, Part 42
 
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
原版制作(Hope毕业证书)利物浦霍普大学毕业证文凭证书一模一样
 
2024: The FAR - Federal Acquisition Regulations, Part 40
2024: The FAR - Federal Acquisition Regulations, Part 402024: The FAR - Federal Acquisition Regulations, Part 40
2024: The FAR - Federal Acquisition Regulations, Part 40
 
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
在线办理(西班牙UPV毕业证书)瓦伦西亚理工大学毕业证毕业完成信一模一样
 
G7 Apulia Leaders Communique, 14th June 2024
G7 Apulia Leaders Communique, 14th June 2024G7 Apulia Leaders Communique, 14th June 2024
G7 Apulia Leaders Communique, 14th June 2024
 

Voting Systems - ISSA Chicago Presentation 2020

  • 1.
  • 2. All Your Votes Are Belong To… ES&S, Dominion, and Hart… Chris Roberts Chris@hillbillyhitsquad.com Sidragon1 (LinkedIn and Twitter)
  • 3.
  • 6. Disclaimer… The guy giving this presentation doesn’t have skin in this game… • I don’t care if a Democrat, Republican, or John McAfee gets in… • I’d rather you didn’t vote in the Constitution folks. • This is your country… • We gave it back to you • It started out promising. • It’s not looking so good... • However, with Brexit back home, I really can’t say too much! • What I DO care about is a fair fight… – And you don’t have the mechanism in place for that.
  • 7. If you were looking for a feel-good pep talk… This isn’t going to be it You have been warned
  • 10. "The integrity of our elections is directly tied to the machines we vote on — the products that you make," they wrote. "Despite shouldering such a massive responsibility there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price." (2019) Four senators… For once, something we agree on…
  • 13. We’re Spending More And More! Add 5-10% for 2020
  • 16. Not Even Close… The global average mean time to identify a data breach is 197 days. The mean time to recover from a data breach is around 70 days. 76% of organizations were targeted by a phishing attack in the past 12 months. 75% companies say a data breach has caused a material disruption to business processes. The global average cost of a breach is around $4m. We are losing an average of 22.5 million records a DAY. Statistically you now have a 33% chance of being breached in the next 24 months. USA is still the most popular target, 57% of breaches, 97% of the data in last 24 months.
  • 17. Globally Top 30 breaches account for almost DOUBLE the Earths population… Congratulations to us… At least we’re thorough in losing everyone data… TWICE!
  • 18. EVEN in failure we manage to make a profit?!? Ransomware services, for when the blinky shit fails
  • 19.
  • 20. But I’ve Got Cyber?!?
  • 21. Adversaries Perspective… Not only do I have a bigger toolbox than you do, I also have time, patience, and the element of surprise on my side. You MUST be right ALL the time… I only need to get lucky once.
  • 22.
  • 23. Invite Only CTF, Jan 2020 • Task: – Compromise the Win10 platform and escape from the Virtual Machine • Action: – The team attempted BOTH objectives – Completed BOTH objectives – It took 68 seconds to do both • Result: – Win10 payout $25k – Virtual machine payout $75k – Split between team (different countries) – Most went to charities
  • 24.
  • 25. Defenders Current Status It’s not pretty…less tools, the technologies don’t readily coexist and we’re spending ½ the time justifying what we DO do. We also have policies, procedures and controls….all with less resources.
  • 26.
  • 27. But My Vendors Told Me I’d Be Secure…
  • 29.
  • 30. Going To Need More Tasers…
  • 32.
  • 33. It’s not IF, it’s WHEN you’ll be breached…
  • 34. Narcissistic Reality • Companies are no longer led by solving problems, they’re led by marketing messages. • We charge down the latest buzzwords, fads, and breaches like a pack of rabid hyenas. • We confuse clients with an increasing array of acronyms, product names and rarely simplify the message. • Our companies no longer focus on protecting their charges, simply making more profit. • Build, grow, get acquired and move on is NOT a sustainable view for any established enterprise. • We hide behind FUD, hoodies, faceless attackers, while peppering our clients with AI, ML, Blockchain, and other empty promises. • The evolution of InfoSec to Cyber has NOT been done for the right reasons… • AS an attacker, and adversary YOU have created the perfect conditions for ME to succeed.
  • 35.
  • 36. The State Of Voting…
  • 37. We’re going to skip past the fact that the 2018’s midterms were a mess, we’ll ignore some of the stuff so far this year, and assume that you already have a background IN the voting systems themselves…
  • 38. Let’s Jump In With Passwords…
  • 39. Your Vote’s Protected! • By systems with passwords such as: – 1111 – 1234 – Admin – ESS – EVEREST – password – Vogue – (no password)
  • 42. When the FAIL is so strong, one facepalm is not enough…
  • 43. Hacking Skills NOT Required… Search for: ElectionCentralMenuPassword
  • 44. Try Searching For: • Instruction manuals • Passwords • Configuration settings • Local/Regional/State installation discussions • Images/pictures/booth configurations • Manufacturers patents • Suppliers instructions/device installs • Support forums, tickets, help areas • Software code forums • Etc.
  • 45. It’s OK! The Software Will Protect Us...
  • 46. Microsoft ended mainstream support for Windows 8.1 on January 9, 2018
  • 47. “The ES&S system is extraordinarily complex, consisting of nearly 670,000 lines of source code written in twelve programming languages for five different hardware platforms.” “The type of discovered security bugs strongly suggests that ES&S did not perform an adequate level of code analysis.” “Using another tool, hundreds of potentially exploitable software bugs were immediately exposed.” (Thanks, Micah Sherr, PhD)
  • 50. Other Findings… • Malicious software running on machines can steal votes with little risk of detection. • Malicious software can modify records, audit logs, and counters kept by the machine. • Forensics will find nothing amiss. • Anyone with physical access to a machine can install malicious software. (<60 seconds) • Anyone who has access to memory cards used in the machine can also install software. • Poll workers and others often have long periods of unsupervised access to machines. • Several targeted machine are susceptible to specific voting-machine viruses • Malicious activity is easy to undertake during normal election activity. • Remediation? – Some of the issue can be eliminated by improving software, – Others cannot be rectified without full hardware replacements. – Significant changes to procedures would be needed to ensure security.
  • 52.
  • 53.
  • 55. When a Regular Facepalm Just Isn’t Enough The Presidential Facepalm
  • 56. ES&S “Answers For Every Election Challenge” “These companies’ litigiousness creates a barrier to competition that becomes a barrier to improving our elections.” Louisiana campaign finance records show that an ES&S lobbyist in Baton Rouge has donated $13,250 to Edwards’ campaigns since 2014. Thanks: Jessica Huseman
  • 57. ES&S Corruption Doc ...and another 39 pages
  • 58. Note: Even though this points out ES&S’s flaws (only a few of them.) The others (Dominion and Hart) also fail most levels of scrutiny…and shouldn’t be sitting there congratulating themselves… You’re ALL as bad as each other, and that’s part of the problem.
  • 59. We don’t need anyone to “hack” our elections… We’re fully capable of cocking it up on our own! In Summary:
  • 60. So, Where DOES That Leave Us?
  • 61. Nobody’s Got The Full Picture… This is the general population… Happy, relaxed and blissfully unaware…
  • 62.
  • 64. August 2019, Las Vegas… 1. Commercially-Available Voting System Hardware Remains Vulnerable to Attack 2. There is an Urgent Need for Paper Ballots and Risk-Limiting Audits 3. New Ballot Marking Device (BMD) Products are Vulnerable 4. Infrastructure and Supply Chain Issues Continue to Pose Significant Security Risks PLEASE , take the time to download AND read the voting village report from DEF CON 27
  • 65. Thank you, from ALL of us!
  • 66. So We Have A Clue, But We’re Still Screwed?
  • 67. Blame Someone, That Always Works…
  • 68. Who To Blame? Theoretical and empirical research on the effect of foreign electoral intervention has been thin on the ground and weak until recently… Since 2011 several studies have been conducted. One study indicated that the country intervening in most foreign elections is: • The United States with 81 interventions • Russia (including the former Soviet Union) with 36 interventions The estimates put interference from 1946 to 2000 at an average of once in every nine competitive elections. (Most being through covert actions, BUT, on average able to shift the voting share by about 3%...)
  • 69. Why Are We In Such A Mess?
  • 70.
  • 71.
  • 73. Communication Math • It takes 1 minute to convince you to hand me your email… • It takes 1 free offer to get your phone number… • It takes 1 time to get you to click an email… • It takes 1 connection with your Bluetooth or wireless… • It takes 1 guess to work out you re-use your passwords… • It takes 1 minute with your unattended electronics… • It takes 1 connection on your social media networks… YET… • It takes 7-20 times to get through to you about awareness… Therefore adversaries continue to win. Change the engagement model
  • 74. 2019-2020 Passwords… • 123456 (Still No1…) • 123456789 (Moved UP from 3rd place last year) • qwerty (Moved UP from 9th place last year) • password (Fallen from 2nd place…) • 1234567 (Too depressed to carry on…) • 12345678 • 12345 • Iloveyou (I actually hate you at this point) • 111111 (Congressman’s favorite…) • 1111 (Voting machine favorite!) • 123123 Seriously, we’re talking AI, bioengineering, nanotechnology, and putting people on Mars, and yet this is STILL front and center?!?
  • 75.
  • 76. “…any civilization that had so far lost its head as to need to include a set of detailed instructions for use in a package of toothpicks, was no longer a civilization in which I could live and stay sane.” Douglas Adams, you are missed.
  • 77. Or, TRY to protect…
  • 78. Just ONE Attack Vector… • Last 4 years, around 1,500 healthcare companies have been hit with ransomware. • The 172 individual attacks from 2016 to 2019 affected 6.6 million patients. • The overwhelming majority of organizations affected were: – Hospitals or clinics at 74% – Elderly care providers accounted for 7% – Dental (5%) – Medical testing (2%) – Health insurance, government health and medical supplies, all at 1% • Researchers calculated the overall cost of the attacks at $157 million.
  • 79. When We Get It WRONG… People DIE
  • 81. So, NO, despite what the vendors say Artificial Intelligence is NOT going to save us
  • 82. What DO We Do About It?
  • 83. How About We JUST Talk? Communication: Exchange ideas with each other… Cooperation: Independent goals, with an aim to share data Coordination: ALL rowing in same direction for once… Collaboration: The whole is greater than the sum of its parts
  • 84.
  • 85. TALK in a language OTHERS understand
  • 89. We’ve forgotten the people, Ignored the process, and skipped straight to technology… CHANGE the equation…
  • 92. There’s more, but hopefully you get the idea
  • 94. All Of Us… • Irrespective of your background. • Irrespective of your race, creed, color, faith, or eye color. • Absolutely irrespective of your orientation! • Change takes ALL of us. – This isn’t securities problem, it isn’t the researcher's fault, we need to stop blaming the hackers. – This isn’t the C-Suites blame to carry, nor is it the user's issue to solve. Developers need to be out of the firing line as does EVERYONE in the business. • We ALL take some of the responsibility, therefore we ALL have to solve it…together!
  • 97. “We may have all come on different ships, but we’re in the same boat now” Martin Luther King, Jr. 97
  • 98. I will fail We will succeed

Editor's Notes

  1. Welcome to 2020 SnowFroc!
  2. Oh let me SHOW you how many ways I may attack you….
  3. It’s NOT pretty…it hasn’t been for a while, competing priorities OT vs. IT vs. IR…..it’s a mess and it’s not getting any easier. I WANT our customers to talk about this too….(Scott/Shannon/Josh chime in and give us your perspectives and opinions…)
  4. Taser the vendor….simple as that. NO absolutes NO guarantees NO BS
  5. Here’s a partial survey of what happened: In South Carolina, machines were changing votes—a “calibration issue,” an election official told The State. “In Georgia,” The Washington Post reported, “voters waited more than four hours to vote at an elementary school in suburban Atlanta, where some voting machines were not working at the start of the day.” (Problems were reported elsewhere in the state, too.) The Detroit Free Press reported: Michigan voters are being turned away from the polls, or left waiting in seemingly interminable lines, in various metro Detroit locations so far on Election Day. Rex Nagy, a voter in Redford Township, said that his polling place at Pierce Middle School was relying on just one voting machine that he was told had not been tested before Tuesday morning. Everything was at a standstill while around 100 people waited for it to get fixed. From 7:50 a.m. to 9:30 a.m., Nagy saw about half the line leave to go to work, he said. Although Redford Township said the issue was resolved in around a half-hour, Nagy noted the line was still backed up. According to USA Today, malfunctioning voting machines caused long lines at several precincts in Indiana. Technical glitches were among the factors causing hours-long lines in Maricopa Country, Arizona. In Hamilton County, Ohio, “voting machines unexpectedly rejected ballots that had not been completely filled out” in “Blue Ash, Colerain Township, Hyde Park, Walnut Hills, downtown Cincinnati, Monfort Heights and other locations,” according to the Cincinnati Enquirer. And the Cleveland Plain Dealer reported that “a computer glitch at Geauga County polling places caused the system to mark some Election Day voters as having already voted by absentee ballot.” “Across New York City,” the AP noted, “reports of broken ballot scanners surfaced at several polling places. Turnout was so heavy at one packed precinct on Manhattan’s Upper West Side that the line to scan ballots stretched around a junior high school gym. Poll workers there told voters that two of the roughly half-dozen scanners were malfunctioning.” According to Politico, “Glitchy paperless voting machines are affecting an untold number of early voting ballots in Texas and Georgia, raising the specter that two of the most closely watched races could be marred by questions about whether the vote count is accurate.”
  6. https://security.cs.georgetown.edu/~msherr/papers/wv-voting-testimony.pdf
  7. https://www.propublica.org/article/the-market-for-voting-machines-is-broken-this-company-has-thrived-in-it
  8. Several US companies, and nobody’s good at being HONEST….
  9. Which leads to this…..everyone’s blissfully unaware until we get our ASSES handed to us….
  10. There ARE some folks who CARE and who want to make a difference!!
  11. There ARE some folks who CARE and who want to make a difference!!
  12. Quick to blame others, rarely do WE look in the mirror…. WE prefer to argue, to use lobbyist and to simply ignore the fact WE are to blame…
  13. So, I guess WE have to go look in the mirror …..
  14. Remember our childhood….
  15. Healthcare, Critical Infrastructure….think what would happen if ransomware hit some of the COVID-19 labs? OR if someone decided to NOW let lose another version of
  16. REMEMBER the voting village…..
  17. People Process THEN Technology
  18. We’re ALL in this together…thanks Charles Schulz!
  19. FAE, Fundamental Attribution Error, welcome to the end of days. Stop blaming the Russians UNTIL YOU REALLY KNOW! START Looking in the mirror