FBI Says Foreign Hackers Got Into Election Computers
from the well,-that's-just-great dept
We’ve written probably hundreds of stories on just what a dumb idea electronic voting systems are, highlighting how poorly implemented they are, and how easily hacked. And, yet, despite lots of security experts sounding the alarm over and over again, you still get election officials ridiculously declaring that their own systems are somehow hack proof.
And now, along comes the FBI to alert people that it’s discovered at least two state election computer systems have been hacked already, and both by foreign entities.
The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.
The report apparently noted that Arizona and Illinois were the two states whose systems were exploited — with both attacks coming from the same IP addresses. From the report, it does not look as if the hacks were specifically about modifying vote totals, but rather accessing voter registration data — but that’s still a pretty big concern.
In response, the Department of Homeland Security has apparently reached out to state election officials offering “help” in better securing their election systems. Doesn’t it seem a bit late for them to start securing their systems now? And, of course, it’s not like DHS is somehow a great at stopping hackers either. It wasn’t so long ago that a 16-year-old kid using the online handle “penis” was able to hack DHS’s computer systems.
Maybe, just maybe, people in charge of elections in America should have considered some of this, I dunno, two decades ago when people first raised the issues about vulnerabilities in election systems.
Filed Under: cybersecurity, dhs, e-voting, fbi, foreign hackers, hackers, homeland security, security
Comments on “FBI Says Foreign Hackers Got Into Election Computers”
Pretty misleading headline and lede. The weaknesses of electronic voting machines are real, and they deserve attention, but this story isn’t about electronic voting machines being hacked, it’s about *voter registration databases* being hacked.
While there is some overlap to the threat — after all, if you compromise the voter rolls, you can influence elections — it’s a different system, a different type of hack, and requires a completely different set of security fixes.
Re: Re:
“if you compromise the voter rolls,”
If? It’s pretty much a given at this point. They are not even subtle about it anymore.
Re: Re: Re:
But to be fair, most attempts of hacking the voter base are by legislative means like Jim Crow laws.
Re: Re: Re: Re:
… and
voter id laws
expunging of “old” registrations
closing or moving polling places in select neighborhoods at the last minute
paving operations in and around polling places in select neighborhoods
How are these not illegal attempts to disenfranchise voters?
And then there is gerrymandering
Re: Re: Re:2 Re:
These are all very real concerns, but they’re yet another separate issue from the one we’re talking about. Elected officials in this country manipulating the electoral system to stay in power is an important issue, but it’s a completely different one from the question of independent individuals or foreign governments manipulating the electoral system for their own ends. They’re related issues but they have different outcomes, and the strategies for dealing with them are different.
As for what I mean by “if”, don’t be dense. I was making a conditional statement. If premise, then result.
Re: Re: Re:3 Re:
And people here would never try to make it look as though the hack originated elsewhere.
Re: Re: Re:4 Re:
Of course it’s possible that this was a domestic attack executed through foreign proxies to make it appear foreign.
Absent any evidence of that, however, I’m not going to assume it’s the case.
Maybe they need
Maybe they need a way to secure the data so that if it is stolen, it is still protected. Oh wait…it already exists in the form of secure encryption without back doors.
Time for officials to whine harder instead of doing what should have been done years ago.
Re: Maybe they need
They just need to make it illegal
Paper Ballots
Paper ballots served the nation well for over 200 years.
How did the US manage to survive (flourish even) for 200 years without electronic voting machines and the Department of Homeland Stupidity?
Re: Paper Ballots
Just to repeat: this story has nothing to do with electronic voting machines. It is about voter registration data.
Re: Paper Ballots
Those big-ass machines aren’t futuristic enough for us anymore. Look at the election day coverage graphics the news channels sport. We need sleek obsolete electronic machines.
I don’t understand why everyone is so worked up about this. There’s only ever two candidates that could realistically win the election, so any hacker who made a different candidate win would be found out immediately. And in all honesty, if you just look at the decisions made when in office there’s been almost no real difference between those two candidates for the last several decades, so rigging it to swing a couple percent of the vote one way or the other will have almost no actual effect.
Re: Re:
Well…for one thing, there’s actually quite a lot of difference between the two major party candidates. I’m not saying either is better (full disclosure: I’m voting for Hillary solely to keep the nuclear football out of Trump’s hands and otherwise I am really not a fan) but don’t pretend it’s a meaningless choice.
That said, you must be a millennial. As someone slightly older (I’m 29) I remember the election in 2000 quite vividly. The presidential election was thought to be a gimmie by both republicans and democrats – neither side thought the other had a chance. In the end, the election was decided by less than 300 votes (and then unconstitutionally overturned by the US Supreme Court, but that’s another issue). There are 370 million Americans, and only 300 votes made a difference.
Bush’s margin of victory during his reelection was less than 2% too.
My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don’t discount that.
As someone who generally believes that technology can solve (almost) any problem, I have to agree with the poster above you: paper ballots should be the way. And none of those hole-punched things either. X’s in boxes all the way.
Re: Re: Re:
Man, nobody seems to be able to agree on what a Millennial actually is.
I’m 33 and I consider myself to be on the older end of the Millennial Generation, not the younger end of Gen X. At any rate I graduated high school right before the turn of the millennium, and faced the common Millennial problems of going to college to get a good job only to graduate into a market where it was a lot harder to find one than I’d been led to believe.
Re: Re: Re: Re:
Apparently millenials are those born from 1980-early 2000’s
Re: Re: Re:2 Re:
No, no. That’s the Pepsi Generation. 😉
Re: Re: Re:
My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don’t discount that.
It can make a HUGE difference….in who happens to sit in the big chair. But apart from a lot of talking, it’s been nearly impossible to differentiate Republican and Democratic administrations over the last 3-4 decades. The democrats move a little money into whatever social program is popular, but not enough to matter. The republicans move a little money into (usually) military applications, but not enough to matter. Occasionally one or the other will do something big, there will be a lot of yelling, but then the next administration leaves it as is.
Re: Re: Re: Re:
So, what you are claiming is that had Gore “won” the election in 2000 then we still would have invaded Iraq?
I don’t think there is a lot of data in support of your claim.
Re: Re: Re:2 Re:
You really think the President has that much power?
Cinderella could have been elected and she would have invaded Iraq.
Re: Re: Re:3 Re:
The power to declare war? Um, yes, that is in fact a power that the President has.
It’s possible that Gore would have invaded Iraq. It’s certain that Bush did. It’s also pretty clear that Bush and major figures within his administration had been pushing Clinton to invade Iraq for years and Clinton had largely resisted, preferring sanctions and strategic airstrikes to a full-scale invasion.
On the other hand, Bush did have congressional support for the invasion, and the later arguments by Democratic supporters like John Kerry and Hillary Clinton that they were misled and had no reason to doubt the Bush Administration’s case for war have been less than convincing.
Re: Re: Re:3 Re:
The only reason that Bush invaded Iraq was so that history would view him as a “war” president. He knowingly lied to start that war. Did so without the approval of the UN. Slaughtered 100,000 to 1,000,000 displaced 2-4 million. Disrupted the little balance that existed in the region. Is the progenitor of all the wars and slaughters going on there now.
Re: Re: Re:4 Re:
Well, that’s clearly not the only reason he invaded Iraq — he was, after all, already a war president by then.
The neocons who had Bush’s ear had been advising an invasion of Iraq for years, for a number of reasons. Saddam was a bad man (true) who had gassed his own people (true) and was hoarding chemical weapons (false) and working on nuclear weapons (false); if we took him out we would be able to spread stability and democracy throughout the region (really, really false).
There were other reasons besides that; people who say oil was the reason we went to war are grossly oversimplifying, but it was a factor. And Saddam attempted to assassinate Bush Sr, so I think there was an element of personal revenge involved. There were people who felt Bush Sr should have “finished the job” when we went in the first time, and also Cheney’s alleged “one percent doctrine” suggesting that even a one percent chance that a nation was a threat to us was reason enough to go to war.
Be careful attributing any one thing as “the only reason” for something. Especially something as complex as going to war.
Re: Re: Re:5 Re:
A one percent chance is a violation of the Geneva Conventions. And what could Iraq do to the US. If it had declared war on the US, Iraq would have been naught but green glass.
One must also remember that Hussein was a front man for the US until it became convenient to turn him into a monster. He may have gassed some of his people, but many of those attributed to him were from Iranian gas. Photos show clear evidence of asphyxiating gases (Iran’s specialty) as opposed to nerve agents which were Iraq’s favorite.
Where was the evidence of the massive burials of 250K people at a site? There were none. Note that there was no attempt to kill Bush41, not even the Pentagon included that in its justifications.
Re: Re: Re:6 Re:
You seem to be mistaking my description of the Bush Administration’s rationale for war for a defense of same. It isn’t. Cheney’s One Percent Doctrine is madness and he should be tried for war crimes.
Bush said “This is the man who once tried to kill my dad” in a speech. I think he believed it. That doesn’t mean I’m defending him; even if it were true it wouldn’t be a justification for the war, which, in case I haven’t made it clear, I think was a terrible decision based on lies.
Re: Re:
I’m as cynical about the two-party system as anybody (I’m about to vote Stein for the second election running), but you do remember that 2000 came down to 400 votes in Florida, yes? And while I will grant there were too many similarities between Bush and Gore for comfort, I think it is reasonable to conclude that a Gore presidency would have been different from the Bush Administration in some very important and fundamental ways.
There are a number of factors that led to the outcome we saw in 2000. People mostly tend to focus on Nader voters and the Supreme Court halting the recount. But another issue that helped determine the election was that a number of minority voters were incorrectly turned away from the polls, even though they were registered. Surely you can see how this fact is pertinent to the subject at hand: if a foreign power has access to voter registration records, that can swing an election.
And that’s just the presidency. There are lots of other elected offices, and ballot initiatives, in any given election. It’s true that elections can only be stolen if they’re close. But strategic manipulation of close elections could shape policy outcomes.
Or, if attackers were to simply go after the whole thing with a hatchet and tamper with elections in an obvious way, it could still achieve their goals: it would cause chaos, paralyze elections, and undermine the public’s trust in the democratic process. You could joke that these things have already happened, and you’d have a point, but it could get a lot worse than it already is. And if you don’t believe that, well, we are currently looking at a race between the two most unpopular major-party candidates in recorded history, and that’s without foreign interests attacking our voter rolls (let alone our electronic voting machines, which this story is not actually about but which are very vulnerable nonetheless).
Re: Re:
You clearly do not have even the slightest comprehension of how little vote manipulation is required to swing an election. Sit down, shut up, and try (as best you can) to learn from those who are superior to you.
Re: Re: Re:
Not helping.
Re: Re: Re:
flipping a single bit, 1 to a 0 or vice versa, can make a winner a loser or a loser a winner.
Re: Re: Re: Re:
I…really don’t think that’s how election machines work.
You’d need to flip at least a couple of hundred bits, in a close race.
Re: Re: Re:2 Re:
There are 10 types of people, those who understand binary and those who don’t.
Re: Re:
There may only be two candidates at the top of the tickets, but there are likely thousands of candidates who will have a great impact on the way our nation will run. From president to dog catcher.
Foreign IP adresses, not foreign entities
C’mon! The report said foreign IP adresses were linked, not foreign entities.
“The FBI warning in an Aug. 18 flash alert from the agency’s Cyber Division did not identify the intruders or the two states targeted. “
“The FBI bulletin listed eight separate IP addresses that were the sources of the two attacks and suggested that the attacks may have been linked, noting that one of the IP addresses was used in both intrusions. “
Re: Foreign IP adresses, not foreign entities
Because… ya know… I could never issue commands from a compromised machine in Russia. /s
Remember folks… an IP address is not a person or even a very good indication of a location of the user.
Russian hackers has more drama.
Frankly, they would be stupid not to exploit. Not only foreign governments. Security shoul be priority. Paper is harder to manipulate in secrecy.
Re: Re:
Once again: this article is about voter registration rolls.
Do you really believe that voter registration data should only be stored on paper?
Because I think that’s a reasonable requirement for ballots, but not for registrations.
Re: Re:
Paper is easier to manipulate than computers. But manipulating one piece of paper just gives you one vote.
Re: Re: Re:
Only if the computers in question are air-gapped. If they’re networked, they’re a lot easier to manipulate than paper, because you can manipulate them without being in the same room.
Re: Re: Re: Re:
Even air-gapping no longer works if the computers are within a room of each other. Google “cracking air gapped computers” for a large number of references as to how this is done.
Re: Re: Re:2 Re:
That’s true but misses the point. You can’t tamper with an air-gapped US voting machine from Russia.
Re: Re: Re:3 Re:
No, a machine can not be hijacked by airgapping from 6K miles away. But even the US “justice” system is starting to understand that an IP number is just that, and not the DNA of the individual performing the task, nor an identifier of where the machine doing the cracking is located. VPNs can make a computer in Australia look and act like it is coming from a lab in Moscow.
Re: Re: Re:4 Re:
That’s true, and it may yet turn out that these attacks actually came from Australia. I haven’t seen anybody produce any evidence to indicate that as yet, and so I’m not going to assume that it’s true.
I’ll grant that I haven’t seen any hard evidence that these attacks came from Russia, either, and that “the FBI says so” is not sufficient evidence to convince me.
However, there is good evidence to suggest that the DNC servers were compromised by Russian attackers; not just IP addresses but metadata and linguistic analysis. There is further evidence that Russia has attempted to tamper with elections in several European nations.
It is not a stretch to assume that these most recent attacks came from Russia. There is no conclusive evidence yet (at least, not that’s been released to the public), but it matches the pattern and is the most obvious conclusion based on what we know right now.
If somebody — ideally a reputable, independent security analyst — produces evidence that the attacks actually came from Australia, then I’ll believe they came from Australia.
At which point I will ask you what the fuck difference it makes to my point about air-gapping, because people in Australia can’t compromise air-gapped computers in America either.
Re: Re: Re:5 Re:
If you can air-gap a computer in the next room, then you can use that technique anywhere in the world.
Re: Re: Re:
Paper is easier to hack because aliens. Right…
Re: Re: Re: Re:
Paper can be filled out beforehand and then swapped with a little slight of hand… or simply misplaced. There’s all sorts of shenanigans that people played with paper ballots. They both have vectors for fraud, just mainly different ones.
Someone needs to get a Clue-by-4 and beat the entire government!
SECURITY! *WHACK!*
IS! *WHACK!*
AN! *WHACK!*
I.T.! *WHACK!*
PROBLEM! *WHACK!*
NO! *WHACK!*
LAW! *WHACK!*
WILL! *WHACK!*
MAKE! *WHACK!*
US! *WHACK!*
SECURE!! *WHACK!*
Re: Re:
Of course, there are laws that can make us less secure. Like good ol’ Section 1201.
Paranoid, tinfoil-hat, conspiracy theorists
Are you suggesting it did not happen?
Re: Paranoid, tinfoil-hat, conspiracy theorists
It is possible that the “foreign hackers” were, in fact, the FBI hacking into these databases in an attempt to convince someone to join their hacking plot so the FBI could then arrest them and show that they stopped the terrorists.
Re: Re: Paranoid, tinfoil-hat, conspiracy theorists
Agreed, but how did you get that from what was posted?
Clinton Foundation
They are probably funded by the Clinton Foundation.
HOW fun is this...
Anyone wonder about this..
MOST election info is the SAME as your drivers license..
You GIVE ACCESS, to the internet for DATA that isnt really needed on the NET..
why WOULD THE election SYSTEM GIVE Access to the NET for this?? WHY??
In Oregon…The WHOLE system is controlled and monitored by 1 REMOTE system.. AND wheN THAT REMOTE GOES down…nothing works..the WHOLE state, Police to workmens comp…ALL are not accessible..
Re: HOW fun is this...
That’s a good argument in favor of syncing a local copy of records data, but it’s not a good argument against keeping them online where they can be accessed by multiple branches and multiple agencies. If I go to the DMV in Mesa, it should have my information on file just like the one in Tempe.
There are multiple different locations that should have access to the voter roles, at the district, city, county, and state level. Keeping that information online and secured is reasonable. Having voting machines online is not reasonable. There is a fundamental difference between the two things and I really wish this article hadn’t conflated them.
Is that interfering with the FBI's own hacks?
I mean, the FBI are monitoring the voting registration systems at an access level where they see tampering? It’s not that they have been notified by the system adminitrators of such access but have found out themselves?
What is their end game?
Re: Is that interfering with the FBI's own hacks?
Another hanging chad situation.
OPEN SOURCE VS CLOSED SOURCE ELECTIONS
Of course… the only way that the DHS is going to be able to realize a truly secure electronic voting system, is if it moves to Free and Open Source Software, and Free and Open Source Hardware! The problem with our electronic voting systems is the same problem faced by Hillary in her use of her cellphone and Internet Server to communicate sensitive government information!… the software and hardware within these, are in the control of “private interests” that we have to trust will do the right thing!
.
Please!… no emails!
State Computers
I worked in cybersecurity at a state. The various agencies usually don’t share information (they can’t figure out cost sharing) and even within a single agency, they tend to keep things in separate systems.
Voter Registration Systems are often outsourced, and the vendors must submit to annual onsite third party audits. The normal issues are finding the money to fix the audit findings, and dealing with public perception.
Voting Systems are different than Voter Registration Systems. The information flow between them is strictly controlled. Having access to a VRS doesn’t necessarily mean you have access to add, modify, or delete data within it. There are integrity checks and backups.
Of all the information, the source of the attacks is the one I most trust. The FBI cannot reveal all its sources, but its cyber intelligence units are very good at identifying who is behind the hacks. For the states, they don’t need to know who is hacking. They need information on how and how to defend against those methods. That is what the FBI is offering the states.