Unsecurity Podcast

With Evan on vacation, Brad is joined by Ryan for another episode. This week, Brad and Ryan discuss voting machine security and election device security given the Super Tuesday elections held last week—as well as the 2016 debacle.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: All right, Welcome back. This is episode 70 of the Unsecurity podcast. I’m your host this week Brad Nigh, Today is March 9th and Evan is taking a well deserved vacation. So joining me this afternoon is Ryan RC. I’m gonna try to figure out how many times I can say your name wrong before you get mad, just interrupt me

[00:00:42] Ryan Cloutier: when somebody’s gonna start up twitter survey on this bread. I’ve gotten a lot of feedback about the last name issues. Uh, what’s the deal? So yes, I’m glad to be here with you and you’re absolutely right. Evan does need that vacation. Probably more than most.

[00:00:58] Brad Nigh: Yes. So we are recording in the afternoon. You are in Dallas now

[00:01:05] Ryan Cloutier: I’m in Austin. Austin texas. Our conference that were attending the Dallas Department of Information resources Information Security Forum um, is still ongoing. So I know there’s been a lot of talk of the coronavirus and uh, south by southwest was canceled here in Austin. So what that means for us is the price of the hotel room did not go down. But the availability of dining options went

[00:01:32] Brad Nigh: up. It looked like the positive outlook. So before we really did again. Um, let’s recap last week. You know what, what were you up to last week.

[00:01:43] Ryan Cloutier: Well, last week we were recovering from our essay. Um That was quite the, quite the adventure. Um making some progress on s to school working with a lot of districts last week. Um You know, we kind of crossed that barrier of, is this an issue? Do we need to do something? And so um last week and even this week, given that it’s only, you know, monday, um already feel that a lot of calls about insurance and about school shutdowns, The big talk last week was around what happens if we have to close our district because of this, this current coronavirus situation. So, been putting a lot of time and thought into that and helping manage some crisis plans. Um that was, you know, pretty full week for me just doing that because they’re, you know, our different political opinions on the topic, There’s different regional considerations. Um So there is no blanket answer for anyone school, but it’s, it’s been interesting to kind of hear the different concerns that communities have about this and different approaches they take to manage it.

[00:02:46] Brad Nigh: Yeah, it was interesting, we just got emails today from the school district my kids are in and how they’re going to be handling it. And is pretty interesting because the, basically, fourth through 12th graders have ipads, uh there’s not going to be a significant disruption if they need to physically close the building. So that’s pretty cool to see, you know, that use of technology. Uh there.

[00:03:12] Ryan Cloutier: Yeah, I know. Um you know, it’s interesting you bring that up the friend of mine who works at a A supply house if you will uh they just shipped I think 10 million chromebooks to the west coast. Wow. Yeah. So it’s it’s a lot of schools are preparing for this. Um you know, it’s one challenge though that that came up last week that nobody really thought about was um not everybody has internet access. So what do we do for the students that don’t have internet access at home? And how are we going to provide learning options for them? Should we need to close the school down? And nobody really had a good answer yet.

[00:03:55] Brad Nigh: Yeah, they actually had a little survey for the K through three. that said if you don’t have the access, you know, fill this out and I guess they have some plans around. I didn’t click through it. I didn’t have a chance to but yeah, if it’s a that’s an interesting thing that, you know, maybe people don’t don’t think about because of how common it is. All right. So I figured you know right or uh gosh, we’ll just edit that part out. Uh thinking with Evan out Ryan and I were talking last week and you know, it’s hard to ignore. Uh super Tuesday. And so we’re gonna go and discuss election security. That that was something that we were both pretty interested in. And you know, we’re going to try to keep this as non political as possible. This is not a political podcast. So, but we want to talk about the, you know, the security aspect of it because this is a big deal regardless of, of where you fall. So, You know, this is not something new. We’ve read heard and read about the uh the 2016 elections. This is something that goes back even well beyond before that. So we’re gonna just gonna go and have a conversation about that. It’s all good Ryan,

[00:05:10] Ryan Cloutier: absolutely man. You know, I’m always happy to talk about this

[00:05:13] Brad Nigh: stuff. So we will get out some articles uh excited with Evan being on vacation, the show notes will be delayed, but we’ll make sure we get these out in some way, but put together and just read, you know, read some articles, the first one is on wired, it’s about DARPA’s voting machine at def cons uh hacker village. And it was really funny to read, I thought, you know, they’ve obviously identified the issue of needing a secure voting method. So they put together what they think could be the initial prototype of a secure voting machine and it, we didn’t do well.

[00:05:56] Ryan Cloutier: Well, you know, I think so, so, you know, it, you know, better than most if it’s connected, it’s hackable, right? And this idea that something is unhappy. Kable is, is not, it’s not soundly based in science. Um if it was built by a human, it can be broken by a human, right? I think they did an extraordinary job of making an attempt to make it very difficult to do so. Um but there is there is no such thing as unhappy kable. And so I think it’s more of a mindset shift away from creating this, this iron vault, if you will, this this proverbial fort Knox, that does not exist in the world of connected computing uh and go more for, you know, would it alert someone if it was being tampered with? You know, nobody seems to be taking the tampering angle to say, well, we know that buildings aren’t impervious to burglary. So what do we do we put in mechanisms that alert us to when someone’s tampering with the building or attempting to make entry? We don’t make this this assumption that the building cannot be broken into. Not even Fort Knox, do they make that assumption? Right. They’ve built this amazing secured facility and yet they still have surveillance cameras and uh you know, motion sensors and armed guards and all these additional protections, even though it’s a literal it’s literally Fort Knox, right? And we use that, you know, anecdotally to talk about when something’s really, really secure and even then they have to have that human element to watch. Um and so I think, you know, great attempt, but it’s just not, it’s not in line with reality. And I think that’s true for the majority of voting machines out in the market space. The other thing that came to light as I was reading through these articles is the inconsistency um across the States and even within the States themselves, there’s inconsistency as to the type of voting machine being used uh and and definitely state by state, the type of voting method, you know, some states have the full digital, some states have laid here in Minnesota, we have the paper ballot which is then run through a scantron Mhm. Um and you know, from my personal perspective, I feel like that’s a more trustworthy system because it’s a second factor right, there’s still a sheet of paper somewhere that if there was a recount, needed a manual recount could be performed where I get pretty gravely concerned, is in the States that don’t have a paper mechanism and rely solely on digital um input as their source of truth. Well, make it really hard to reconstruct

[00:08:52] Brad Nigh: right? Well, and given the fact that, you know, basically in the latest uh probably just hacker village, that voting village at Def con this is from uh you know, in October basically they were able to hack into all 100 voting machine types that were there, right? So you know, what do they have in place to show what happened and that’s the problem and yeah, I’m with you, the paper ballots to give you that hard trail if there was any sort of inconsistencies? The other thing that was interesting is I’m looking for my article right now is in uh yeah. Uh, oh, I can’t find it now. Uh, there was the are the The race in Pennsylvania a couple years ago. Oh, there it is. It was November of 19, the North Hampton county pennsylvania candidate for judge came up with 164 votes out of 55,000 cast, which is like not possible. They didn’t hand scan the ballots. Uh, and he showed up as the winner, but there was no disinformation, there, there was no evidence of hacking. So what happened? Right? It’s what’s technology, a bug could happen. So having those paper ballots really does provide that additional layer of assurance that there hasn’t been any kind of foul play in place.

[00:10:26] Ryan Cloutier: Exactly. And, you know, to that point, I mean, that’s part of this greater conversation, right? We can we can throw all kinds of security controls that the technology. But what’s the process. Right. And, and that’s, that seems to be wildly inconsistent. Uh, it reminds me. Um, and I’m gonna show my age a little bit here, it reminds me of the dispute in florida back in the old gore in the gore bush election, a hanging chad. Yes. Yes. Yes. Yes. Right. And that was a solely paper based system, right? And that led to a, to a debacle. And so that for me highlights that it’s, it’s not even so much a technology problem at that point, but it is a process, you know, how do you ensure the integrity of the vote? And that’s really, I think the core question is regardless of the method the vote is collected. How do you ensure the integrity? And so I think there are technological things. We can do multiple verifications back to my comment earlier about, you know, who gets alerted when something’s not? Right. Right. Whether that’s whether that’s a bug, whether that’s active tampering, you know, how do these election officials become aware that something is a miss because they might, you know, let’s let’s play out a scenario. You go to your local polling station and that that machines behaving incorrectly. You know, if they had a visibility and awareness to that, they may choose to temporarily suspend that that polling station. Yeah, they may choose to say, you know what, we can’t count this.

[00:12:05] Brad Nigh: Yeah, I’m not to some some other fail over

[00:12:09] Ryan Cloutier: solution. Yeah. Right. Exactly. And you know, and in Minnesota no problem. We’ve got paper so we can go back very quickly and very easily, um, and reconstruct those votes, but in those states that are dependent on a digital only system, I don’t, I don’t know how they would do that. I don’t know if it’s if it’s using a technology like worm, Right? Is it, you know, maybe using a Riedel or a, you know, single way. Right. Um, is that a method, is it, you know, shipping it off to two or three off box, um, servers for integrity checks. Well, maybe a hardware key or something.

[00:12:52] Brad Nigh: Yeah, but part of the problem is, and you know, we want to keep it simple, right? We start getting too complex and now we’ve added a lot of issues in there. So, you know, I think those are good ideas and they’re not, you know, necessarily, I, I don’t know, there’s a lot to unpack. Right. I think some of the bigger issues is regardless of what you want to do, there’s no, like, I think you went across it, there’s no standards. Right. The current testing standards are from 2005 for the federal testing for elections. I don’t know about you, but I’m pretty sure things have changed just a bit in the last 15 years.

[00:13:34] Ryan Cloutier: Just a smidge. Just, I mean, you know,

[00:13:36] Brad Nigh: um, you know, there’s no federal federally mandated security standard at this point for voting machine manufacturers. They, they literally connect to the internet and have open USB. So until I think you hit some of those more basic things, all the rest of it’s kind of a moot point, you know, we need to have some sort of a standard across now, how the states actually do it. That’s fine. But

[00:14:05] Ryan Cloutier: to have 20

[00:14:07] Brad Nigh: different types or 100 different types that are not standardized is just asking for trouble.

[00:14:13] Ryan Cloutier: You’re absolutely right. And you know, I find it a little bit surprising because if we look to the gaming industry, Okay. Another machine that is highly regulated. Well, let’s think about gaming machines. There are some standards around that, you know, um you don’t just get to make a gaming machine and then install it in a casino. There’s a whole process behind that. There’s there’s uh, you know, verification, random spot checks, etcetera. Obviously a casino machine is going to be in use uh more than one day every four years. Right. Um, but I suppose the voting machines, you know, you’ve got your locals as well, but but even still their utilization is less, but they’ve got processed for that. And I wonder if maybe that’s a place to almost borrow from and say, well, you have really stringent standards around the manufacturer of gaming machines. You have really stringent standards around the manufacturer of automotive computers.

[00:15:13] Brad Nigh: Yeah,

[00:15:13] Ryan Cloutier: yeah. Take a more stringent and I don’t even know. I mean, I love the idea that, you know, there would be some kind of federal mandate, but at the same time we’ve seen where that doesn’t always work as intended. And I almost wonder if this isn’t something for esso or I triple E, you know, create a standard for checking for any machine that you expect to have infallible integrity of the data. Yeah.

[00:15:45] Brad Nigh: Well, I mean, even even if they followed some bait, like even if it wasn’t very prescriptive, right, just having updated guidelines that state you can’t connect to the internet. It can’t have open USB right. Some of these basic things would be uh you know, a good start at a minimum.

[00:16:04] Ryan Cloutier: And Yeah. And lock the lock. I saw a video on Youtube. The person was doing a security test on the voting machine and they gained access to the internal simply by pushing the button on the side of the machine and the panel drop down. And then they had full access direct to the to the hard drive to the motherboard, giving all the components were right there um you know, easily accessible within the voting booth itself, within the privacy of the voting booth. So I think, you know, maybe maybe maybe it’s a low tech option, some some tamper tape.

[00:16:39] Brad Nigh: Right. Well, so, uh I found an article from dark reading uh dot com. It was on uh February seven of this year. Five measures to harden election technology. Uh it was the part two of a and I really thought that they nailed five steps. Here’s what we can do to increase the security. And and I thought they did a good job. Um So we’ll go through those real quick. The first one was used single purpose systems. Well, that seems a little obvious, I think, but it’s not right. You’ve got this is what it’s for is for elections and secure device management and that’s it. It should be locked down. So that, that’s all it can do?

[00:17:24] Ryan Cloutier: Yeah, I I agree. I mean, that’s what we do with ATMs.

[00:17:28] Brad Nigh: Right? That’s a really good analogy.

[00:17:33] Ryan Cloutier: You know, and I think if we can, if we can do it with a with an automated teller, I would suspect those very same manufacturers would be able to assist in helping create a secure voting machine. So I completely agree with that. I think limit scope and limit purpose. I mean, that’s what we teach people all the time. Right? You and I work with customers all the time and we say, hey, maybe the server that doesn’t need email access shouldn’t have email access turned on. So I don’t think this is unfortunately, it’s not a new concept, but it might be new to those in the election world who traditionally don’t necessarily deal with security or any real it issue.

[00:18:13] Brad Nigh: So you mean you shouldn’t just install the software and and leave it at default can figs?

[00:18:18] Ryan Cloutier: I mean, you can,

[00:18:21] Brad Nigh: That leads to that 100% hack raid at def con um, yep good.

[00:18:30] Ryan Cloutier: Oh no, yeah, that you hit the nail on the head with that one. It’s, you

[00:18:33] Brad Nigh: know,

[00:18:34] Ryan Cloutier: taking some of these fundamentals when we talk about that so much on this podcast because it is so important. It’s fundamentals fundamentals fundamentals. Um, and I think, you know, it This shouldn’t be as complicated as it seems to be to the point you made earlier, why are there 100 versions out there for something that is paramount to our to our governmental structure? Like I get that I’ve got 100 options a chapstick or I’ve got 100 options of pogo stick. Right? I get that. That makes sense to me when it I don’t, you know, when it comes to national defense, when it comes to those systems that we rely on to keep, you know, our governmental process honest. I don’t know. 100 seems like a like a pretty wide swath um that could allow for error. And maybe it’s more stringent, you know, follow a model similar to the D. O. D. You know, there’s not 100 vendors of a particular um system control technology. Right? Or or F. A. I mean, let’s let’s even go a little bit more consumer side to something we touch every day, you know, think about all those air traffic control systems. Yes, fairly limited in scope and very stringent in order to be able to create one or medical devices for that matter, right? You can’t just make a pacemaker,

[00:19:59] Brad Nigh: right? You have to go through a process. Yeah, I agree. It is a little surprising uh That it when I read that the testing standards haven’t been updated since 2005, it’s like, wow, why not? Um so measure number to build in defense and depth. I mean we preach that all the time. It’s like it’s fundamentals don’t have a single point of failure.

[00:20:27] Ryan Cloutier: Well, and and yeah, I mean, the challenge. So, back to that complexity, right? You don’t want to have that single point of failure, but given the nature and type of the polling system, right. Uh My local polling station, for me personally, is a is a auditorium of the church, so they don’t really have a lot of robust infrastructure, if you will um to kind of support that. And I’m I don’t know if the voting machines live there, you’re around a lot cabinet or not, but you know, that’s uh

[00:21:05] Brad Nigh: yeah, I don’t know, I think,

[00:21:07] Ryan Cloutier: I don’t know how they would do that.

[00:21:08] Brad Nigh: I think you could do some stuff around, you know, there’s one level of of access to cast the vote, but then a separate level to actually see a database or be able to access the data of what was voted. Right? So yeah, you’ve got a user level just keep it simple that as the voter comes in, they push their who they’re voting for and it registers it. But then if you were to actually try to get into that system, it’s a separate level, you know, different accounts, different security to actually be able to access it.

[00:21:43] Ryan Cloutier: Are you suggesting that we do something like multi factor authentication? I

[00:21:49] Brad Nigh: mean, probably wouldn’t be a bad idea. I could see how that would be really difficult for, you know, potentially to to uh implement across that many devices, but there’s got there’s got to be something. Right.

[00:22:02] Ryan Cloutier: Well, I think, yeah, I think actually you really touched on the core of it different user types, you know, you the standard use of operation really should be a one way type of interaction. And once that right, you know, once that right happens, it shouldn’t in theory. Right. Just like the paper ballot, it shouldn’t be allowed to be modified. And I’m guessing that, you know, a fair amount of these databases behind the scenes are not set up um to, you know, enforce that that that probably, you know, I would venture to guess and I haven’t personally, you know, penn tested any of this stuff, but I would venture to guess there’s probably not even fundamental logging turned on to indicate, you know, which machine registered. What data entry at what point in time.

[00:22:52] Brad Nigh: Yeah. And who accessed and did what? I couldn’t say from what I’ve seen it that a lot of them don’t have that. Um And that that leads to number three of limiting privileges. We already kind of touched on it, but like don’t don’t give people access they don’t need. Right. Right. Not hard.

[00:23:13] Ryan Cloutier: Yeah. You definitely want to limit that. It’s um, you know, but also keep in mind too. I’m I’m guessing that, you know, uh I know for at least for my polling station, right. These are these are not paid people. They’re volunteers. Ah, they do this once every couple of years at most. Um, and my my guess is they probably don’t get a lot of training around, you know, how to, how to look for suspicious behavior, how to, you know, uh, interact with the system safely.

[00:23:48] Brad Nigh: Yeah. So I think part of that, that’s why I think that that you count on volunteers to do this. And these are people, you know, it’s an election is typically once a year with presidential every four obviously. Right. So build in the system, those privileges so that they have confidence to know or I don’t if it’s up and running we’re safe, we’re good. Right. It don’t, they don’t need to worry about who did they log in as and what would happen if they accidentally did something wrong, you know, make that as foolproof as possible by building that security into the back end.

[00:24:24] Ryan Cloutier: Yeah, I I agree. And you know, while it might sound hard, it’s really, it’s not now, it’s different set across, you know, 100 plus

[00:24:35] Brad Nigh: manufacturers,

[00:24:38] Ryan Cloutier: you know, implementing, who knows how many flavors and variants of, of, you know, code bases and databases and you know, etcetera, etcetera. Um, but as a, as a high level I think it’s absolutely something that could be done. Um, I know in the example I referred to earlier in this, youtube video. I mean the assumption was that anyone that had physical access to the innards household had admin level permission. Well if physical assets can be gained by pushing on the button that opens the panel, You know that that kind of stuff too. I think that’s that’s you know when we talk about building, you know the defense and depth and talk about limiting privilege, let’s let’s not let the simple simple stuff get past us. Let’s make sure that that device is physically secured as much as it can be against tampering both both physically and digitally because you know, well yes, these machines can be if they’re connected to the internet access. There’s also that that physical risk that a bad actor you know could manipulate an offline machine as well. Yeah, I think that you know as we think about you know, how do we secure these devices in between the elections? Um You know I think I think there’s there’s lots of room to improve I guess. So if any voting machine vendors are listening, you know, feel free to give us a call, we’ll gladly throw some ideas at you.

[00:26:13] Brad Nigh: Yeah. Yeah, no kidding. Um So measure for on this one was usually use multiple counting systems and cross checks. So the example they gave was uh the person goes into the voting machine, they punch in there who they’re gonna vote for? It spits out a paper ballot with a like a scan on it. Um And then we go to italian system where that Code is scanned. So in this case you have three different uh points of data to look at. So you have what was the physical ballot, what did it look like that they took, what did the voting machine record? And then what is the italian machine or system showing? So now you know you as a voter you vote who you’re going to vote for, You verify it on the paper slip and then submit it for scanning. You have three places that you can now validate that information and that’s not really a difficult implementation. It’s pretty straight forward and simple. Obviously there’s a lot behind the scenes that goes on but uh to me it makes sense. Keep it simple.

[00:27:21] Ryan Cloutier: Well and we already have those systems in place today about a prescription, think about financial transactions right there are checks and balances, right? Just you know, I um prescriptions come to mind. Um we have multiple checks and balances around prescription issuance especially these days, right? We maybe didn’t do so hot a couple of years ago and then a lot of people got a lot of pills out of these pill mills. Um but then we we really, you know, turn the screws on that and it didn’t take very long to implement these these prescription checks where there is now a state authority who you go to Walgreens and you know, not to pick up Walgreens, Walgreens CVS and insert favorite pharmacy here but they have to submit to the state board what they’ve been issuing as well as the doctors have to submit to the state board what they’ve been prescribing uh so that they can kind of keep a check on that night. So I can’t imagine um you know it sounds complicated but again it’s these are problems that have been solved multiple times for multiple industries. And I think we would we would benefit if we would start to leverage some of those existing methods instead of trying to reinvent the wheel.

[00:28:36] Brad Nigh: Well that’s uh that’s exactly what I was going to say is it seems like there’s a lot of exactly that trying to reinvent the wheel rather than using lessons learned from existing systems right? We’ve got you know ATMs and the pharmacy and all these things that take part of what would be needed. They are already out there and proven now are they flawless? No but why wouldn’t you start with something that has a track record instead of trying to build something from scratch?

[00:29:08] Ryan Cloutier: Well and it goes it goes back to that. I think there’s so many people in the game that it’s almost a. Yeah it is it’s the cash grab and it’s and what’s the incentive right? Um You know I know that you’ve been working a lot on C. M. M. C. Um Because the same problem existed if you will where the Department of Defense had all these different vendors doing all these different things different ways and they said no enough is enough. We need we need to at least know where they are in the spectrum. And I think the same is true. I mean the idea that I can just create my own voting machine and then take it to market shocks me.

[00:29:51] Brad Nigh: Right. Yeah it is a little surprising and yeah I I can’t talk anyway um what you what we’ve seen is is really it’s pretty mind blowing. But um so the last measure they mentioned is layered security measures for election devices. So this goes to your comment around uh you know needing some sort of Tampere tape right? How do you layer to prevent tampering to to prevent rogue software? Um Yeah he’s it’s not foolproof right? But if you can have some sort of physical protection in place that makes the hacking so much harder.

[00:30:35] Ryan Cloutier: Just you know I go back to uh you know years ago I had a alarm on my computer panel and my my home pc as you opened the side panel without disabling the alarm through the password protected bios. It would make a screaming sound. It was a six cent pizzo uh speaker And a six cent switch. So I think you know there’s a lot of room to improve with very little in the means of of you know heavy financial burden on these vendors write a simple a simple audible tamper alarm that somebody opens the side panel could do wonders for reducing the risk. You know, you still have that whole internet factor but I think you and I are are in pretty strong agreeance that during the voting process I don’t know that internet connections something that should be on an active. I think there there are more secure ways to bundle and ship that data for tabulation than than a real time wide open connection to the internet.

[00:31:46] Brad Nigh: Well yeah and and that’s where you’re going to hit the that functionality argument of people saying well wait a minute, how come we have to wait for results right? Kind of a used to

[00:31:59] Ryan Cloutier: yeah convenience and impatience. I want CNN to tell me who won before we’ve actually counted the votes right

[00:32:06] Brad Nigh: Well and you know but you know there’s gonna be a huge amount of pushback from that and regardless of if we if we know that’s not good security practice but the reality is who’s going to end up winning that.

[00:32:19] Ryan Cloutier: You know, maybe here’s where we learn a lesson from the DMV because nothing ever seems to happen fast there. I’m still waiting. I think I’m a month number three now waiting for my new I. D. Which is supposedly going to show up in three more months. No fun.

[00:32:36] Brad Nigh: Yeah I don’t think people you know would would be very happy waiting three months to hear the results But there’s got to be a happy medium between the two.

[00:32:47] Ryan Cloutier: Well and I think too, that, uh, at least anecdotally in the conversations that I’ve had with folks about this, both technical and nontechnical, I think given the last election cycle and all the concern about the integrity of the vote, if you would, uh, I heard a lot of people say, look, this is, we’ve got to do something about this. I think, I think there is a willingness on behalf of the average voter to adopt that change right to maybe, you know, they don’t obviously want to wait days for results, they don’t want to be overly inconvenienced. But I think there is an understanding that if we needed to put an extra step in for um security and to ensure the integrity of their vote. Most people that I’ve interacted and spoke with him have been okay with that idea. They didn’t see it as a big burden to them as much as they said. No, I I really would like to be able to trust the election.

[00:33:45] Brad Nigh: Yeah, well, and I think so, going to one of the other articles here that will put is from the Washington post, um, cybersecurity 202 voting machines, how to secure option or actually vulnerable to hacking what kind of sucks is, Well, I think this is where having the lack of standards and the lack of, you know, any formal testing is going to be the issue. Um, the ballot marking devices. So that’s the where you go in and put your vote and it spits out the paper ballot, that’s really is seems to be the, to me, probably the best way to do it. It’s kind of the best of both worlds. The issue is The machines like in Pennsylvania where they went crazy into the wrong winner and had like 144 votes out of 55,000. You don’t have any standards, you’re not having any testing, uh, without that baseline, without those requirements, even the best design or intentions are, what is it any good? Right? What’s the point?

[00:34:55] Ryan Cloutier: Well, yeah, and again, it’s, it’s, and you’ll hear, you’ve heard me talk about this many times in our race to adopt convenience, we’ve kind of stepped over common sense and you know, to have the ability to create this machine again, without a standard, just doesn’t, doesn’t seem like it was well thought through that somebody went, oh, this will make our lives as counters easier. Let’s implement that. It didn’t change. If anything had added a step to the voter right now, I gotta go from my little ballot box over to the machine granted it’s not terribly inconvenient, but it’s an added step for the voter. Um, but they just, they just kind of adopted this tech and now they’ve spent these hundreds and hundreds of millions of dollars on all this. And now they stand around going, well, what did we do? So I do think paper versus uh, you know, digital only for me just seems inherently dangerous and it makes it almost impossible to reconstruct uh, what the truth is, should, should something happen to that system and then, you know, hey, let’s not forget blue screen still happen.

[00:36:05] Brad Nigh: Right. Well, and I think the technology on this one is for the B M D. S as they call them. It shows the value there, right? If the machine, if the digital recording piece goes crazy, for whatever reason, you do have that paper, that physical ballot to fall back on and they were able to do it. So I think it’s a good proof of concept that it’s got those checks and balances to ensure that the correct outcome is, is ultimately got, you know, arrived at. But again, without having any sort of standard to build against or without having, you know, secure requirements. What are we really what’s the value there? So I think again, kind of goes back to, yeah, let’s, we need some sort of a standard out there across the industry to for these people to be held accountable to from as a, the vendors, manufacturers

[00:37:06] Ryan Cloutier: 100% agree. I mean, you know, we were talking about this watch Washington post article and the image in this article shows the voting machine and then it shows the standard issue off the shelf hp printer.

[00:37:18] Brad Nigh: Well, okay, so there’s, it’s not perfect,

[00:37:22] Ryan Cloutier: right? But, but I think, well, but to that point, if there was a standard for testing then you would say, okay, we’re going to use a commercial, we’re going to use, you know commercial off the shelf printer. But it’s got to pass this level of rigor right? Or you know, we have to it has to be at least patched within, you know, x amount of weeks of the voting cycle or something. I mean and the reason it caught my eyes because I just got done working with the district on getting their hp printers out of the environment because they had a lot of legacy printers that were affected by those critical vulnerabilities.

[00:38:00] Brad Nigh: Yeah, you definitely couldn’t would not want any sort of network connectivity on that uh on that printer. The nice thing is with that setup though, you know, you don’t need network connectivity for the actual voting process. Right? So you go up to the machine, hit the touch screen, it prints out your paper, there’s no requirement for network connectivity so it does eliminate a lot of that um which is good now whether or not they actually do it or not is a different story. Yeah, it’s tough to tell from that picture how many chords are going up and down and what’s actually attached.

[00:38:39] Ryan Cloutier: Right, But still, I think, you know, you hit the key point though, it’s back to what we were saying earlier. Right single single purpose use isolation, You know, don’t just because it can do 50 other things may be that stuff should be shut off. Right. I mean, think about your standard firewalls that we run into so many times. I run to the fanciest next gen firewall with very little rules actually set up and configured.

[00:39:05] Brad Nigh: Well, what’s so just to kind of throw a wrench into this, what’s interesting is you’ve got, you know, like Oregon uh for sure. I know does their elections by mail? Right. That’s a totally different a set of, you know, concerns. Uh and but it goes to there’s no real standard out there that that shows that to follow everybody’s on their own.

[00:39:32] Ryan Cloutier: Yeah, it does seem to be um I think of it akin to the privacy law challenge we have. Right? And maybe maybe this is, you know, maybe this starts to become a singular topic, right? Maybe it’s about how do you ensure the data integrity of systems like voting D. M. V. You know, some of these these critical systems that we rely on um for our society to function that are, you know owned and operated by the by the governments that we put into power. How do we set those standards and say, look, this is the minimum testing required for software that handles sensitive data that potentially has an impact on our society from a governmental perspective. Right. Because we we sure done that for other areas. Right. We’ve we’ve definitely addressed testing standards in the medical industry and of course, none of this is infallible, right? There’s all, there’s always stuff that slips through the cracks, but we at least made an effort. And, and in the election space, I don’t, I don’t see us making a lot of effort around the election voting technologies. I see a lot of that energy being spent on the voter. Um, we won’t, we won’t unpack that any further because that starts to get into that political territory. But, you know, that, yeah. And just as a citizen, you know, put my security guy had on the shelf for a second, just as a citizen and as a voter, I I just don’t know that they’re doing enough. And, and so, um, I know myself, I’ll be, you know, trying to find out, you know, who, who are the committee is responsible for this type of stuff, even within our own state. And, and do they have the necessary resources. So, kind of a call to action for our, for our listeners, if you will, you know, your security professionals and you’re doing this, um, reach out to your local entities and see if there’s a way to get involved. I know EMC SAC has done an extensive amount of work, um, trying to protect the elections, right? And there’s a lot of information sharing going on within that organization about some of the challenges. Um, but they’re not in a position to make policy, they’re not in a position to set standard if you will. Um, but you know, maybe maybe it’s time for us as the professionals in this industry to, to step up and start to offer our services and our help.

[00:41:51] Brad Nigh: Yeah. Yeah. It’ll be interesting. Um, yeah, it’ll be interesting to see what happens. I’m, I’m hoping that it doesn’t take a, you know, crisis as it were to force action. Uh, you know, we don’t, we don’t want to get to that point.

[00:42:09] Ryan Cloutier: Well, one question I got asked last week that I thought was really interesting. Somebody had asked me, well, how is voting going to work if if this whole coronavirus things

[00:42:17] Brad Nigh: happening?

[00:42:19] Ryan Cloutier: Well, right. If people, you know, and do people know how to vote by mail?

[00:42:25] Brad Nigh: Yeah, I know, you know, here in Minnesota, they made the absentee voting a lot easier. Like I needed to do that the one year because I traveled and was not going to be here. It was super simple. It was not nearly that easy in other states that I’ve lived in to do that and make it difficult. Well, what’s the benefit there? So again, I think that goes back to everybody runs things their own way. And when you do that, you start getting into complexity and that’s the enemy of good security. So let’s try and keep it simple and do the basics and the fundamentals. Alright. Anything else on that rain?

[00:43:07] Ryan Cloutier: No, it’s just been great.

[00:43:08] Brad Nigh: We could probably go for a lot longer, but you know, I don’t know how long people want to hear us talking about it. So we will move on to some news here. I actually do want to talk about these and spend a little time on it because um the first one was threat post and I thought kind of not surprising but kind of amusing given our topic today trump and Sanders of the top brands for cybercriminals. Not at all surprising, but what they’re seeing is the spam is coming up uh For using those two as the front runners now.

[00:43:44] Ryan Cloutier: Well, it, it follows, you know, I’m not surprised, right? It follows the scammers. M O right. They generally they’re scams are going to fit the narrative of the day, Right? So we saw this with, you know, obviously the closer we get to the election, the more that they’re going to be leveraging that um and and doing, you know, trying to scam people, um same thing with this whole outbreak situation or whatever, whatever it is. Um we’ve seen a huge increase in that, the closer we get to april, we’re going to see those tax scams pop up even harder. So yeah, I totally see this being um being a technique they’re using,

[00:44:27] Brad Nigh: it was interesting to me to see uh so in the article, they have some graphs and of the what they called it, that unsolicited commercial email Trump was 68% and then the Democrats were broken out Sanders was at eight Biden five Warren 5 Digits seven Bloomberg for right. So kind of where

[00:44:49] Ryan Cloutier: you can pronounce his name, right? But you can’t do mine. I just, I’m

[00:44:52] Brad Nigh: doing, I’m

[00:44:54] Ryan Cloutier: just doing

[00:44:55] Brad Nigh: it to you as for fun at this point to be completely honest. That’s pretty funny. Uh you know, Klobuchar at three there you go through the last one in there. But it was kind of interesting to me to see, You know, where they’re in the polls really did a line kind of with what the percentages were. Uh and the data was from January 9 to February 29. So uh you know, that was pretty interesting that that the pope more polarized than they are and being the democrats have more running right now that it was split up, but it would seem to be fairly even with what you would expect from based on polling data.

[00:45:32] Ryan Cloutier: Yeah, I’m looking at the second graphic here with the suspicious domains registered and Trump accounted for 51%. So yeah, I think and because you know, this year is especially charged if that’s the way to phrase it. Um I think people are more susceptible to clicking because they’re already in a in a fevered state. Like one of the things that I think the scammers are having great success with this is that it is, it is a more emotional and very personal type of topic. And so I think they’re they’re really exploiting the fact that people are in a lowered sense of risk because they’re in a heightened sense of a state of emotion when it comes to this particular topic. And I think the scammers are using that to their advantage

[00:46:24] Brad Nigh: like that lack of situational awareness right? You kind of get let your emotions run and in this highly charged environment like what he did what click

[00:46:36] Ryan Cloutier: download Exactly. Exactly yep.

[00:46:39] Brad Nigh: So that’s one threat post. I thought that was pretty interesting and and uh it was a pretty good write up of of what they were seeing. Um Another article from info security magazine dot com was The Trading Crypto Fund Data Breach. The 266,000 passwords stolen um resulted in the publication of the user names and passwords online that just came out March 5th. So that’s pretty recent. Um It’s I mean so you’ve got a crypto Investment index fund that is now compromised And what did they get? What it you know that’s not good because there’s not any sort of assurances your F. D. I. C. Insured for your crypto fund.

[00:47:30] Ryan Cloutier: Yeah well it’s um I’m just looking through this here. You know it’s you know 90 says that 90% of the login and password pairs were unique and had not been found in leaks before. And I’m actually not surprised by that statistic given that on average those that are consumers of cryptocurrencies generally tend to be a little bit more tech savvy and so um but I would also venture to guess that a fair amount of those are also valid for their bank account.

[00:48:08] Brad Nigh: Yeah. Yeah. And you know what’s interesting again and this goes back to kind of that lack of regulation. So this is out of uh operating out of malta, there’s no regulatory requirements, they’re not reporting anything. Uh So what exactly happened, nobody knows how much money was was impacted. Nobody really knows yet. I’m guessing there’s going to be a lot of really unhappy people out of this.

[00:48:35] Ryan Cloutier: Yeah. So this will be an interesting one to watch how it kind of unfolds. Um Especially given the nature of Cryptocurrency. Right? Just to your point, there’s there’s no insurance behind this, you know? No F. D. I. C. Uh Most governments refused to even acknowledge it as a legitimate form of currency at this point. Um Yeah I I don’t know what I can tell you is that I see this as the beginning of a trend um that I think you’re going to see more attacks against. So as as they try to legitimise if you will or commercialize maybe is a better word, the Cryptocurrency you’re going to you’re going to see more attacks against those index funds. You’re going to see I think more attacks against the miners themselves. You know an attempt to try to get into. Yeah some of the ledgers.

[00:49:30] Brad Nigh: Yeah I would agree. I mean the whole purpose of the that cybercrime is to make money. Where’s the money? Well let’s attack that they can get in and drain everyone’s Bitcoin and be gone. It’s a lot easier way to make money than ransom wearing and hoping someone pays

[00:49:48] Ryan Cloutier: for sure and we know thankfully and um one day I think we’ll get ahead of it. But thankfully as a rule of thumb criminals generally take the path of least resistance right? They’re not they’re not going to work hard if they don’t have to.

[00:50:03] Brad Nigh: Yeah agreed. Alright so last article this was uh this was just a interesting one that kind of like face palm or whatever reading it but off of naked security from cell phones. Cathay pacific airlines was fined overcooked sloppiness database for over four years. So the UK I. Ceo and information commissioner’s office find Cathy pacific Around £500,000. About $650,000. Uh for failing to secure the information. Um Apparently you know it was not the one time security fail, it was at risk for over four years. They identified in March of 2018 that its database had been hit by a brute force attack and then um They found out as a result of that that they had the Attackers had access from October of 2014 through May of 2018. Um Which is crazy.

[00:51:10] Ryan Cloutier: I don’t I

[00:51:11] Brad Nigh: don’t know. Yeah

[00:51:12] Ryan Cloutier: that’s just negligence. I mean if you if you had if you had a if you knew you had a brute force attack and didn’t take the necessary mitigation measures to investigate to re mediate that. I mean I don’t know about you but that if when I’m looking for indicators of compromise, well

[00:51:32] Brad Nigh: I guess that’s the bigger thing is how did they not identify the brute force attack? I mean I mean that’s a basic logging alerting things you would look for into a database is you

[00:51:46] Ryan Cloutier: know a certain number of fails. It is and I think that the quote here um in the article uh when they when they were talking to the I. C. O. They called it a catalogue of errors right? It wasn’t just one, it was one plus two plus three plus four and so on and so forth. Um And that that stuff unfortunately is happening a lot of places like we really start to look deep into the true root cause of of any of these breaches. Generally we’re going to find that it wasn’t a singular thing. It was it was a technical flaw combined with a process blah, combined with with the human flaw, right? And that and that it took the it took the multiple flaws to exist in order for it to be successful and I think that’s what we’re seeing here and so you know I’m actually glad to a certain degree that there was some type of penalty involved because you know four years is an extensive amount of time um especially for an organization that knew that it had highly sought after information. It’s not like these are uh yeah this is not recipes right? Granted. You know you really do want my wife’s chicken soup recipe but it’s not yeah this is this is this is you know people’s travel itineraries. This is you know credit card numbers and personal, you know in driver’s license numbers and you know, I think all the things you you know hand over when you when you register for a flight. So

[00:53:25] Brad Nigh: yeah, it’ll be interesting. Um To see their claiming only 403 expired credit card numbers and 27 credit card numbers that didn’t have a CVV attached. I’d be interested to see what the pc I counsel ends up doing to them because they don’t they don’t like that

[00:53:44] Ryan Cloutier: well and I think this might end up being like some of the other breaches where the initial number was reported significantly lower. And then as the as the excitement around that breach kind of died out in the news cycle then then it was like, oh actually it was way more than we said the first time around. Yeah and part of that could be because they are continuing their investigation. But you know I think there’s a little bit of a, we don’t want to say how bad it is until we have to say how bad it is. So if we have if we have to do a disclosure, let’s go with the conservative number.

[00:54:18] Brad Nigh: Yeah, only the confirmed. Yeah.

[00:54:21] Ryan Cloutier: Right. And then we’ll do a quiet press release six months later. It’s like actually it was a couple 100,000. Well,

[00:54:27] Brad Nigh: And if you look, I mean in the article it says it was 9.4 million people worldwide. 111,000 from the UK. So that £500,000 uh, fine was based on 111,000 people. But that’s a lot. And some of the basics that they identified, they weren’t backups that weren’t password protected, unpatched internet facing servers. Os is that we’re out of support and then inadequate anti virus protection, which to me, you know, without knowing exactly what it is means. They probably just didn’t have it.

[00:55:01] Ryan Cloutier: Right. And, and I think in 2020 it’s safe to say that that that is negligence. Mm. Yeah. You know, it We, you know, if you are responsible for a computing system in 2020, your systems administrator, your security professional, you’re truly responsible for the health care and feeding of said system. You can’t tell me you don’t know you need anti malware, antivirus, you can’t tell me that you don’t know that you need to restrict network

[00:55:32] Brad Nigh: traffic for

[00:55:34] Ryan Cloutier: for, you know, internet explosive devices and just I struggle to.

[00:55:39] Brad Nigh: Right. When did that?

[00:55:42] Ryan Cloutier: You know? Yeah. Well there was this little operating system called Windows XP. Right. Well,

[00:55:49] Brad Nigh: Apparently they probably had some of that or some 2000 threes or something.

[00:55:54] Ryan Cloutier: But you know, I think the old days of, well, we couldn’t do it. We couldn’t get to it. It wasn’t, you know, a lot. All the old excuses. We used to hear about why the legacy of gear hadn’t been properly protected. I really believe that we’re entering a time when the average consumer knows better. And, and he’s saying no, that’s, that’s completely unacceptable. So maybe some more more, you know, things like this where there’s, you know, actual consequence. Although I will say half a million dollars to an airline probably is not actual consequence. Um, yeah. You know, Yeah,

[00:56:37] Brad Nigh: I know. I’m with you. It’s tough. Um, yeah. Uh, at some point, somebody, yeah, there’s gonna have to be something more, but baby steps, I guess get going.

[00:56:51] Ryan Cloutier: Something’s better than nothing.

[00:56:53] Brad Nigh: Yeah, at least they, they were found to have these issues and the, the actual report, which there is a link to it. It’s pretty well written. So it’s clear that they were not doing what needed to be done. So we’ll see what happens with that. Uh, moving forward. All right. Well that is it episode 70 is a wrap. Thank you to our listeners keep the questions and feedback coming, send them to us by email at Unsecurity@protonmail.com. If you’re the social type socialize with with us on twitter, I’m @BradNigh Evan is @EvanFrancen and Ryan, you are

[00:57:28] Ryan Cloutier: @cloutiersec.

[00:57:31] Brad Nigh: You got C L O U T I E R S E C. I know how to spell it.

[00:57:36] Ryan Cloutier: Uh Just call me cola That’s what

[00:57:40] Brad Nigh: I know. I’m a certain

[00:57:41] Ryan Cloutier: yeah,

[00:57:42] Brad Nigh: that’s that’s what we’ll have to do. Uh lastly be sure to follow @StudioSecurity and @FRSecure for more goodies. That is it. Talk to you again next week. And with Evan nicely refreshed. Thank you for listening to this episode of the Unsecurity podcast.