{"id":301,"date":"2017-06-26T14:53:07","date_gmt":"2017-06-26T14:53:07","guid":{"rendered":"http:\/\/securitycurve.com\/?p=301"},"modified":"2017-06-26T14:53:07","modified_gmt":"2017-06-26T14:53:07","slug":"election-stuff-3-new-things","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=301","title":{"rendered":"Election Stuff: 3 new things"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/06\/6df09c2bac88d6b08cb1b73917e9b1cc.jpg\"><img class=\"alignright size-medium wp-image-271\" src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/06\/6df09c2bac88d6b08cb1b73917e9b1cc-300x208.jpg\" alt=\"\" width=\"300\" height=\"208\" \/><\/a>So I&#8217;ve <a href=\"https:\/\/securitycurve.com\/to-fix-cyberwarfare-check-your-politics-at-the-door\/\">commented on this before<\/a>, but it seemed like a good time to recap. As you know, we&#8217;re starting to get more information about the (ahem) &#8220;situation&#8221; that transpired in the 2016 US presidential election. As of now, we know that:<\/p>\n<ul>\n<li>Voting machine manufacturers were targeted and compromised<\/li>\n<li>21 states were targeted for systematic attack during the election process<\/li>\n<li>Voter registration records were compromised and leaked in at least one jurisdiction (Illinois)<\/li>\n<\/ul>\n<p>There&#8217;s a lot of speculation about other stuff, but those are the things that at this point are indisputable. 
I have three things to say about that.<\/p>\n<h2>#1 Politics still influencing coverage<\/h2>\n<p>My ire got raised this morning because I happened to notice that the <a href=\"https:\/\/www.reuters.com\/article\/us-usa-girlscouts-idUSKBN19C29G\">Girl Scout merit badge for cybersecurity<\/a> got 3x the coverage in the trade press compared to the analysis of the new details about the election attack. I know because I counted the items in my Feedly &#8211; not scientific, but the best I can do with a half hour before the workday starts. For reference, the original post embedded a Google Trends chart comparing search interest in &#8220;girl scouts cybersecurity&#8221; and &#8220;russia election tampering&#8221; over the past seven days.<\/p>\n<p>Now, I&#8217;m all about the Girl Scout badge (seriously, go go Girl Scouts &#8212; this is an awesome thing you&#8217;re doing), but&#8230; priorities. We need to cover this. Because, like I said before, this isn&#8217;t the last time it&#8217;ll happen. In fact, now is our opportunity to study it before it gets more subtle and attackers hone their tradecraft so it&#8217;s more efficient next time around. 
Get over the politics and let&#8217;s discuss how to prevent this next time.<\/p>\n<p>In my first post on this (linked above), I outlined why it isn&#8217;t in anybody&#8217;s interest to give in to the temptation not to cover this in the trade press because it&#8217;s too &#8220;politically loaded.&#8221; It isn&#8217;t &#8211; or at least it shouldn&#8217;t be. Here we have ongoing cyberwarfare between nation states. Covering it like it&#8217;s something else &#8211; or not covering it at all &#8211; detracts from our ability, as people interested in security and the scientific process, to analyze and discuss what occurred. It&#8217;s not &#8220;meddling&#8221; (this isn&#8217;t old Mr. McGillicuddy in a mask scaring tourists away from the abandoned mine). It&#8217;s also not tampering, fiddling, coaxing, diddling or gently massaging. Call it what it is: &#8220;warfare&#8221; &#8211; slap a cyber in front of it if you must (cyberwarfare). But either way, let&#8217;s talk about it so it doesn&#8217;t happen again.<\/p>\n<h2>#2 There&#8217;s malware<\/h2>\n<p>So there was a hesitancy on the part of folks testifying from the law enforcement community to comment on whether or not malware was installed in election systems, because it&#8217;s an ongoing investigation.<\/p>\n<p>Here&#8217;s the deal: there&#8217;s malware. If Russia got into election systems (which we know they did because Illinois) and they had sufficient access to exfiltrate data &#8212; which again we know they did &#8212; there&#8217;s absolutely malware on there. In fact, if they didn&#8217;t install malware, I&#8217;m taking away their &#8220;intelligent adversary&#8221; merit badge right now.<\/p>\n<p>Installing the back-door rootkit is &#8220;bad-guy shenanigans&#8221; 101. 
I get it that people don&#8217;t want to confirm it or whatever, but let me save you some time, because of course they did. So, please go fix that.<\/p>\n<h2>#3 The threat model is wrong<\/h2>\n<p>The last thing that strikes me is that the threat model we have around protecting the election process in the first place is wrong. It has to be. It&#8217;s decentralized &#8211; every state has its own voting methodology and every individual precinct has the responsibility to protect its voting records at the municipal level.<\/p>\n<p>Is this a good idea? Let&#8217;s frame it this way: say you have a thousand small businesses &#8211; like your local grocers, car dealerships, &#8220;mom and pop&#8221; antique stores, etc. Is it reasonable to assume that <strong>all of them<\/strong> will maintain sufficient defenses to protect against a nation state? Not just any nation state, mind you, but arguably the second or third best in the world at this kind of attack? I&#8217;m going with no. You could probably protect one or two given ridiculous levels of investment, but all of them? Even if it were at the state level, you&#8217;d be hard pressed, because the bad guy has to find just one way in and you have 50 environments to defend.<\/p>\n<p>From an economics point of view alone, centralization has to be the way to go. Or come up with something that is designed to be distributed in the first place and self-enforces integrity. Like, oh I don&#8217;t know, maybe some kind of distributed Merkle tree with a corresponding proof-of-stake algorithm, and use that to tally votes? Hmm. I wonder where we&#8217;d find such a system. Nah, that&#8217;s probably too &#8220;SciFi&#8221; to realistically implement. &lt;\/sarcasm&gt;<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[35,46,102],"class_list":["post-301","post","type-post","status-publish","format-standard","hentry","category-security","tag-cyberwar","tag-elections","tag-russia"]}