Vulnerable to Hackers
Domain registrars for entire countries in 2018-19, letting hackers spy on and change emails and web results throughout the country. The registrars succumbed to phishing.
Phone calls for several years up to 2019
Security in 2019, through a contractor
4. Attacks rising in 2018
5. Encryption hacked by NSA and Germany 1960s-2018, first seen in 1995
6. Chinese hackers compromised most of the biggest providers of cloud computing in 2010-2017, including IBM, 224 systems at Hewlett Packard Enterprise, Computer Sciences Corp, Fujitsu, Tata Consultancy, NTT Data, and many other firms through them, including the US Navy's biggest shipbuilder (incl. nuclear submarines), Sabre reservations for thousands of hotels and hundreds of airlines (so they could surveil all traveling executives), Ericsson telecoms, and biotech firm Syngenta, which was then bought by the Chinese. Hacks continued to succeed even after they were noticed and defenses mounted. The hackers gathered hundreds of login credentials. Many hacked companies were not told, and those that were told denied they had lost anything.
7. Amazon, Apple, and almost 30 other companies probably had extra Chinese chips placed on servers 2015-2018, giving backdoor access to the Chinese. Reviewers say backdoors can be hidden better inside chips which are supposed to be there.
8. Electric grid air-gapped computers hacked in 2014, 2016-2018 (and US in 2019 Russian grid)
9. CIA air-gapped computers in 2017
10. NSA air-gapped computers in 2016, followup in 2017
11. CIA in 2011-15 had "A major concern... that the Russians were collecting information from a breach of computers not connected to the Internet... The CIA had already figured out how to perform similar operations themselves."
13. FBI in 2011-2016 radio encryption decrypted by Russia
14. DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018, GAO staff "were able to take control of [DOD weapons] systems relatively easily and operate largely undetected." Alarms went off so often the operators ignored them.
15. Securities and Exchange Commission in 2016
16. OPM security clearances in 2015 (details)
17. Mozilla in 2015
18. General Electric/Safran aircraft engine designs hacked by China 2010-2015
19. Boeing (jet fighters) in 2008-2014
20. 1,000 oil and gas companies in 84 countries, 2012-2014
21. Nuclear and other companies in 2006-2014
22. Google in 2010, 2014, so they pay bug bounties
23. Microsoft in 2000, 2013, and can be slow to protect customers
24. Military contractors in 2007-2010 and 2013
25. Symantec in 2012
26. State lotteries in 2005-2011 (CO, IA, KS, OK, WI; security director sentenced in 2017)
2016 all states' election systems were scanned for vulnerabilities by foreigners:
- "We can assume that the majority of states were probably a target... I want to make clear today on the record, it's likely that all 50 states were likely affected... Every organization is scanned a lot, sometimes thousands of times a day. What we were trying to differentiate between: we saw very concerning activity from known suspicious servers in this case... They were targeting to look for vulnerabilities... Probably tried all the states. These are the states we could see they were trying. That's right." ~US Department of Homeland Security Senate hearing at 41 minutes
- They attacked "in alphabetical order by state name... voter registration and election results sites... to identify and exploit SQL database vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no information on how many of those attempts were successful, aside from two
- On August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter registration systems and election-night reporting. "At least one of the employee accounts was likely compromised." Then on October 27 they used VR Systems credentials to send phishing emails to 122 local election officials. If a recipient opened it, it installed malware which opened a persistent back door into the computer. At least 10 computers were harmed (¶77b). The government has not said, and may not know, what the hackers did with their back door. Mueller's indictment of July 13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more than one election company (¶69). Two years after the election, the press revealed that VR Systems had a common practice of remotely accessing county election systems, to troubleshoot them, up to the day before the election.
- Also in 2016 hackers sent emails pretending to be from another election vendor, offering "election-related products and services." The same hackers sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider." NSA does not know what they accomplished with any of these attacks.
5. In August 2017 the biggest manufacturer of voting machines, Election Systems & Software, created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable... The worst-case scenario is that they could be completely infiltrated right now".
6. From August 2017 to March 2018 Georgia's election software was on the public web without passwords or encryption (pages 140-143, 153-163 of court filing, news).
7. In March 2018 the security site CSO found on the dark web over 100 emails of ES&S workers and smaller numbers at smaller voting machine companies. They also found passwords for the accounts, though the companies said these passwords did not meet their current standards, so they would have been changed. Nevertheless, with valid email addresses, attackers can spray password variations until they log in to at least one of the accounts and install malware. Hackers share tips on the dark web.
8. In July 2018 the FBI told Maryland officials that a local web hosting company they used for voter registration, candidacy, online ballot delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward" to tell the public (quote is at 6:54 in video). The FBI also told state officials in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).
9. In May 2019 the FBI told Florida officials that two counties' voter registration systems had been penetrated by Russia. The FBI could not say whether the Russians changed the files, and only revealed anything because the Mueller Report did. The counties were Washington and one other.
10. In 2016 Georgia, Indiana and Idaho said the US Dept. of Homeland Security tried to bypass firewalls in election systems without permission. Kentucky and West Virginia said DHS probes of their systems were not malicious.
11. Ukraine's 2014 election results were hacked, but officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and officials hand-compiled the counts, as noted at right.
- "Every piece of commercial software... has hundreds if not thousands of vulnerabilities, most of them undiscovered." Over 100,000 software vulnerabilities are publicly known (besides zero-days, which are not public). Many thousands have been found by each big web company, such as Oracle, Google, Microsoft, Cisco, IBM, Adobe, Qualcomm. Over a thousand companies pay bounties for bugs. Election companies are not immune. "The potential for high-tech catastrophe is embedded in the fabric of day-to-day life." Scanning ballots will let us recover.
- What the FBI said about hacking emails applies widely: "we don’t have direct evidence that the server was successfully hacked. We wouldn’t, though, expect to see that evidence from sophisticated adversaries, given the nature of the adversary and given the nature of the system."
- CIA chief of counterintelligence said in 2019, "the Russians are a professionally proficient adversary who have historically penetrated every American institution worth
- Wired says, "the average time between a malware infection and discovery of the attack is more than 200 days, a gap that has barely narrowed in recent years. 'We can’t operate with the mindset that everything has to be about keeping them out,' says Rich Barger, ThreatConnect’s chief intelligence officer. 'We have to operate knowing that they’re going to get inside sometimes. The question is, how do we limit their effectiveness and conduct secure business operations knowing they’re watching?' Accomplishing that means building networks that are designed to limit a hacker’s ability to maneuver and creating better ways to detect anomalous behavior by allegedly authorized users."
- Why don't these key industries filter all clickable links out of their incoming emails? Convenience? On average 4% of recipients open any particular phishing message, and 22% open at least one per year. At 4%, sending a phishing message to 30 recipients gives a 70% chance that someone will open it. Even at 1%, sending to 120 recipients gives a 70% chance that someone will open it. There is no reliable way to tell phishing emails from legitimate emails. When people think an email looks suspicious and send it for checking, 90% are "legitimate" (p.5 Phishing 2018), which means most people cannot tell them apart. Sending them for checking simply prevents access to the 90% which are legitimate, since checkers rarely send them back. At least staff in key industries who click on a test phishing email need all clickable links removed from future incoming emails.
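The 30-recipient and 120-recipient figures above follow from a simple model, worked out here as an added derivation that is not part of the original page. It assumes each recipient opens the message independently with the same per-message open rate $r$, so the only way nobody opens it is for all $n$ recipients to ignore it.

$$
P(\text{at least one of } n \text{ opens}) = 1 - (1 - r)^n
$$

$$
r = 0.04,\ n = 30:\quad 1 - 0.96^{30} \approx 1 - 0.294 = 0.706 \approx 70\%
$$

$$
r = 0.01,\ n = 120:\quad 1 - 0.99^{120} \approx 1 - 0.299 = 0.701 \approx 70\%
$$

Solving for the number of recipients a sender needs to reach a target probability $p$ of at least one open gives the general rule the page's two cases illustrate:

$$
n \;\ge\; \frac{\ln(1 - p)}{\ln(1 - r)}
\qquad\text{e.g. } p = 0.70:\quad
\frac{\ln 0.30}{\ln 0.96} \approx 29.5 \to 30,\qquad
\frac{\ln 0.30}{\ln 0.99} \approx 119.8 \to 120
$$

Because $n$ grows only logarithmically in the failure probability $1-p$, cutting the open rate from 4% to 1% buys a defender only a fourfold increase in the recipients needed, which is why the passage argues for removing the clickable links rather than relying on recipients to abstain.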
- Protect, Detect, Respond, Recover. We must strengthen all four.
7. The FDA recalls insecure medical devices. No one recalls insecure election machines.