Last week’s Disclosure regarding the North Carolina State Board of Elections’ 2018 Leak of Touchscreen Voting Machine Passwords just got a lot more confusing.
Well-regarded Cybersecurity Analyst Chris Vickery, happened upon the File full of Passwords used by Election Supervisors to Administer the State’s iVotronic Voting Machines, just before the 2018 election, while doing what he does for a living, rattling the Internet’s doorknobs to find Digital doors that should be Locked, but aren’t, and discretely Reporting those Unlocked Doors to their Owners, who should be, but usually aren’t, grateful for the favor.
In this case, Vickery explained, he found a Cloud Storage Directory, more precisely, an Amazon Web Services S3 ‘bucket’, belonging to the State Board of Elections, with Permissions Improperly Set to allow Anyone on the Internet to Read or Download the Sensitive Files stored there, including one containing iVotronic Administrative Passwords.
Vickery’s and the State Board’s Recitations of Events both agree that he Confidentially Reported the Problem to the Board in a timely fashion, before the 2018 Election, and appropriately avoided Disclosing it Publicly until the Board had been given ample time to Correct the Problem, about a year. But from there, the Two Parties’ explanations have now diverged widely.
In an Email, the State Board of Elections’ Public Information Officer, Pat Gannon, wrote:
The information in question includes encrypted iVotronic password data from Guilford County for the 2010 election.
That Data, according to State Board IT Staff, was Not posted to the State Board’s Public FTP site until October 22, 2012, nearly Two years after the Election. Importantly, the 2010 Passwords would have been Changed before the 2011 Municipal Primaries and again each subsequent Election, so there is no way they could have been used to affect any Election, even if Decrypted. Additionally, the Passwords in question were Unique to Guilford County and could not have been used to access iVotronics in any other County.
The First of Vickery’s Counter-Claims that the Password file itself was Not Encrypted, is easily Confirmed from the Redacted Screenshot he included in his Original Announcement, the Authenticity of which is Uncontested by the State Board.
The Second of Vickery’s Points, that the Passwords themselves were Not Encrypted, is more Difficult to Confirm, because he Redacted the Passwords in Conformance with the Ethical Standards of his Profession. He explained:
The redacted rectangles in my screenshot are longer than necessary, to prevent bad actors from attempting to guess at them. Any hashing algorithm that would have been feasibly used would have resulted in strings of, at bare minimum, at least 16 characters and more than likely 32(+) characters. Any 'encryption' that results in such short password representations [as the redacted ones] is not worth the time to implement or even develop. If [...] the relatively short passwords are the result of something like 1-to-1 character substitution (a Caesar Cipher type of thing), then it would be the weakest 'encryption' ever and not worth implementing.
Vickery is correct on all points here. Secure Hashing Algorithms like those routinely used to Safely Store Passwords on Internet-connected Computers produce nonsense Strings of Characters much Longer than the Screenshot’s Redactions could possibly Conceal. For example, if one was to hide the famed Podesta Password (P@ssw0rd) using the popular and secure SHA3-256 algorithm, the result would be: ac2d49c943655bc424a5686638db2952f3ebe3248f4381503d84ad942a4bc546.
In other words, Vickery appears to be Correct in asserting that the Very Short Redacted Passwords either are Not “encrypted,” or else are so poorly Encrypted as to be no more Secure than plaintext (unencrypted text) would be. The passwords are "random", but "encrypted", not likely.
It seems likely that State Board Spokesperson Gannon either Misunderstood or was Misinformed by his In-House IT Source regarding the Passwords’ Encryption. Board Spokesperson Gannon asserts that the Accidentally Revealed File was posted in 2012, according to State Board IT Staff”.
But Vickery’s Tweet informs us that the Zip File in the Open AWS S3 Bucket was dated 2016. At first, it would seem that this Disparity hardly matters if these were indeed 2010 Passwords expiring that year. But facts do matter, particularly in this era when ‘truth’ is so frequently so well lubricated that it becomes a slippery thing indeed.
Only one of these Two Dates can be a truth. If the reputed 2012 Date is in doubt, that leaves the claimed 2010 Date of the Passwords’ Validity, plus pretty much everything else the State asserts in this matter, open to question too. The First Rule of good Crisis Management is to get the Facts out, and get them Right, in order to Defend the Organization’s Credibility.
Vickery doesn’t have a dog in this fight. He has long since made his Name and established his Credibility in the Cybersecurity field frying much, much bigger fish than this small fry, with past finds like his discovery of a leaked Thompson Reuters Database of suspected Terrorists’ Identities, Leaked User Data from an HIV-Positive Dating App, a Leaked Database of Personal Information regarding 93 Million Mexican Citizens, and Leaks of Comprehensive TSA Security Plans and Screening Protocols for New York’s Stewart International Airport. Vickery was doing the State Board and the Citizens of North Carolina a favor when he Confidentially Reported this latest Security Flaw back in 2018. In return, he now been Rewarded by being accused, in the State Board’s Email of indulging in, Erroneous, Misleading, and Politically Charged Attacks on the State Board and its Employees.
But, the most Important Unanswered Question of all is how America’s Electoral Cybersecurity Watchdog, the Department of Homeland Security (DHS), Managed to Miss this. DHS provides State Governments, including North Carolina’s, with Election Cybersecurity Assessments. It’s not Unreasonable to feel that this affair doesn’t say much for the Depth, Breadth, and Quality of those Assessments. The Internet is awash with Tools to Search for Unguarded Data Stores, like shodan.io, which are widely used by both White-Hat Good Guys like Vickery and Black-Hat Bad Guys alike, but, apparently, Not by DHS.
Hopefully, the Silver Lining to this Incident’s Dark Cloud will prove to be the Shaming of DHS into upping it’s Game. Because if DHS isn’t at least as Good as Vickery at Finding the Chinks in our Electoral Armor, it sure as hell isn’t as good as Russia’s GRU.
Perhaps DHS and the North Carolina's State Board of Elections might even consider Enlisting Vickery’s Help, rather than Vilifying his Efforts.
NYC Wins When Everyone Can Vote! Michael H. Drucker
No comments:
Post a Comment