5 comments

[ 6.9 ms ] story [ 28.3 ms ] thread
It seems almost a given that these election software companies will have an access configuration snafu that leaves them compromised in way similar to Capital One or Equifax. But the article makes the case that the software makers and county officials are confused as to the basic definition of "air gap" (among other things):

> “There’s nothing connected to the firewall that is exposed to the internet,” Gary Weber, vice president of software development and engineering for ES&S, told Motherboard. “Our [election-management system] is not pingable or addressable from the public internet.” This makes them invisible to bad actors or unauthorized users, he said.

> But Skoglund said this “misrepresents the facts.” Anyone who finds the firewall online also finds the election-management system connected to it.

> “It is not air-gapped. The EMS is connected to the internet but is behind a firewall,” Skoglund said. “The firewall configuration [that determines what can go in and out of the firewall]… is the only thing that segments the EMS from the internet.”

I mean, it may very well be that the firewall setup is secure (at least in theory). But to insist that it represents an air-gapped system, as if "air-gapped" was just a marketing buzzword with no actual meaning, is a whole other level of incompetence.

(of course, the quoted VP may actually be maliciously deceptive, but I'd argue that for all intents and purposes, the difference between malice and gross ignorance is relatively negligible when it comes down to the county official enduser)

For context, Kevin Skoglund is “an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security.”

The VP is speaking in layman’s terms to bolster the image of his company.

Even though the researchers are not allowed to probe beyond the firewall, others will not be subject to these constraints.

The federal govmt needs to step in to protect these systems as a matter of national security. Require the vendor to undergo third party security audits and not allow its use unless vulnerabilities are mitigated.

Why doesn’t coordinated or responsible disclosure apply to election systems?

> The researchers reported the firewall IP addresses in August 2018 to the national Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)—a 24-hour watch center funded by the Department of Homeland Security and operated by the Center for Internet Security, a nonprofit established to develop and promote best practices in cybersecurity. The EI-ISAC provides election officials with security threat information and warnings, and told the researchers they would pass the information to where it needed to go, but the researchers never got any follow-up from the EI-ISAC.

> A spokesperson for the group would not tell Motherboard if the information was disseminated to the affected counties, but the researchers did see some county systems disappear from the internet. The Department of Homeland Security, which has been working with states and counties since 2016 to secure their election infrastructures, also declined to speak with Motherboard about the researchers’ findings.

I can't believe this isn't getting more attention! Aren't the leaked NSA tools from 2017 designed to attack these exact Cisco firewalls?
Don't worry, they've got a firewall so hot that no hackers can get close enough to hack it.