STE WILLIAMS

Font of pwnage: Crims poison well with crypto-jacking code, trickles into PDF editor app

Crooks mounted a crypto-mining scam after hacking into a supplier of an unnamed PDF editor software vendor.

Microsoft has reported that as-yet-unidentified hackers compromised some font packages installed by a PDF editor app. The hack was used to push two types of crypto-currency mining app, the cybercrime du jour.

Redmond’s security response team got wind of the attack after following up alerts generated by Windows Defender ATP, the commercial version of the Windows Defender antivirus.

Subsequent investigations revealed that miscreants broke into the cloud-based infrastructure of a supplier that provides font packages, in the form of MSI files, to the app maker and others. Six additional app vendors may have been at risk of being redirected to download installation packages from the attacker’s server. None but the PDF app maker are confirmed as victims.

It seems that the unnamed PDF package was targeted for attack as part of a money-making racket. The app vendor itself was not compromised, rather its partner was pwned before poison was poured into the software mix further upstream.

Hackers created a copy of the partner’s cloud-based servers before pushing a tainted MSI file download, hidden among unassuming files.

Anatomy of a supply chain attack against PDF editor vendor [image source: Microsoft blog post]

“The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation,” Microsoft explained. “All the MSI files were clean and digitally signed by the same legitimate company – except for the one malicious file.

“The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin-mining code.

“Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server.”

Tricksy, but let’s not start thinking the caper was the work of ninja black hats.

“This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources,” Microsoft added.

Asian users of the PDF editor app ended up downloading a tainted font package that bundled crypto-mining code, which hijacked resources on infected PCs to mine Monero, as per many other crypto mining scams.

The whole exercise is a fine example of a supply chain attack, which was also used to spread the NotPetya ransomware last year. The same tactic was also recently used to serve up spyware disguised as the CCleaner utility in a more subtle cyber-espionage operation.

In the case in point, a PDF editor app loaded with a doctored font was installed with admin privileges, which goes some way towards explaining why the app maker might have been targeted in the first place.

Microsoft reckons the compromise lasted between January and March 2018, and affected only a small number of users, strongly suggesting a fringe developer was targeted.

Redmond concluded: “While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetising malware campaigns.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/27/pdf_editor_supply_chain/

Every Week Is Shark Week in Cyberspace

Your data, identities, and credentials are cyber chum. Here’s how to protect yourself from the feeding frenzy.

Your odds of being attacked by a shark are zero if you never venture into the ocean, and that is far lower than your odds of being hacked even if you never go online. After all, you could still become a victim of identity theft without ever wading into Internet waters.

The point is this: Fear the cyber shark far more than the great white, tiger, or bull shark, whose majesty was celebrated this week during the Discovery Channel’s Shark Week, as it has every year since 1987.

So, what can Shark Week teach us about cybersecurity? Here are four areas to focus on in honor of Shark Week.

1. Assume the Role of a Lifeguard
An organization’s ocean is the Internet. Some of it equates to shallow waters such as internal networks, but much of it is deep and uncharted via the cloud. No matter the depth of the water, you still need to assess the risks of venturing into potentially perilous territory. A CISO is a company’s lifeguard, which means being aware of, adapting to, taking precautions against, and assuming control of the threats that attackers present. With threats always evolving, it’s imperative to keep improving your organizational lifeguarding skills.

2. Guard Against Phishing Attacks and Save the Whales
Phishing attacks — and, specifically, mobile phishing attacks — continue to rise. In fact, the SANS 2017 Threat Landscape Survey reported that phishing remains the most significant threat to organizations, with 74% of cyberattacks beginning when a user clicked on a malicious attachment or link contained in an email.

Spearphishing attacks are also increasing, rising to 50% in the last quarter of 2017. This technique has been used to devastating, well-documented effect over the past few years. Spearphishing takes the form of an email that appears to be from the recipient’s friend or colleague. The email encourages the recipient to click on what are in reality malicious links or attachments or persuades that person to reply with sensitive professional or personal information. These attacks are difficult to identify on the surface because they combine the most common attributes of successful social engineering.

Social engineering tactics are also heavily leveraged in an even more insidious method of phishing known as pretexting, business email compromise (BEC), or “whaling” attacks. These attacks create the believable pretext of a fabricated persona in which the victim — most often a C-level executive — develops a false sense of trust in the hacker. Once the relationship has been established, money-transfer fraud and/or outright data theft quickly follows.

Prevention measures for all phishing, spearphishing, and whaling attacks are widely known and essentially the same. Yet despite anti-phishing methods such as reporting suspicious emails and routinely changing passwords, attacks are still increasing. Modern authentication techniques can be great tools for preventing the repercussions of stolen credentials. Performing security audits and providing user education and training are also solid prevention methods.

3. Safeguard Your Waters with Modern Authentication Methods
Many threats are false positives; the dorsal fin of a friendly, curious dolphin can look like the dorsal fin of a shark that’s circling the waters. Similarly, an access attempt might not look suspicious until it’s too late. With 80% of breaches being caused by valid yet stolen or misused credentials, it is imperative to validate every access attempt — ensuring that the good guys get in (without hindering user experience and productivity) while keeping the bad guys out. Today’s available solutions add intelligence and analytics to authentication methods. These risk-based solutions, available from many vendors, focus on the user’s profile and tendencies. They can include techniques such as geographic analysis, device recognition, and IP address-based threat services.

4. Continually Assess Your Environments
Threats are everywhere, in the water and online. They’re usually hidden. They sometimes don’t appear until it’s too late. But that shouldn’t keep humans from swimming in the ocean or conducting activity online, especially in the age of digital transformation. Safety counts, and precautions matter.

During Shark Week, we witnessed humans taking shelter in shark cages and avoiding seal-populated areas and shark-infested waters. As organizations continue to engage in Internet activities, remember to follow identity and security best practices, keep your senses alert for phishing emails and have a remediation and response plan when an attack does occur.


As Senior VP of Identity Strategy at SecureAuth and Core Security, Robert Block is responsible for executing strategic vision of preventing the misuse of stolen credentials. Block has over 19 years of IT experience — of which 15 years have been focused on identity and …

Article source: https://www.darkreading.com/endpoint/every-week-is-shark-week-in-cyberspace-/a/d-id/1332413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Fancy Bear’ Targets Democratic Sen. Claire McCaskill

Russian hackers have their sights on McCaskill and her staff as they gear up for her 2018 re-election campaign.

Fancy Bear, a cyber espionage group believed to operate out of the Russian military agency GRU, has reportedly targeted Senator Claire McCaskill and her staff as they prepare for her 2018 reelection campaign.

This makes McCaskill, a Missouri Democrat, the first named target of Russia’s 2018 election meddling, according to a report by The Daily Beast. Many consider her vulnerable given her past criticism of Russia; she has repeatedly accused the Kremlin of “cyber warfare against our democracy” and referred to Russian President Vladimir Putin as a “thug” and a “bully.”

Attackers hit McCaskill’s campaign with a variant of the password-stealing tactic Fancy Bear used against John Podesta in 2016, the report said. Senate staffers received fake notification emails instructing them to change their Microsoft Exchange passwords. If they clicked, targets were sent to a page disguised to belong to the US Senate’s Active Directory Federation Services login. Each phishing email was tailored to its recipient’s email address.

Microsoft first reported three hacking attempts on the midterm elections late last week. Experts earlier this year detected a fake Microsoft domain had been registered as a landing page for attacks against midterm candidates, though they didn’t identify them at the time.

McCaskill released a statement that said the cyberattack was unsuccessful.

Read more details here.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/fancy-bear-targets-democratic-sen-claire-mccaskill/d/d-id/1332412?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Well, well, well. Crime does pay: Ransomware creeps let off with community service

Two men who masterminded various Coinvault ransomware infections will carry out 240 hours of community service as punishment for screwing over 1,200 computers and banking around €10,000 (£9k, $12k) in profit.

The sentence was handed down by a court in Rotterdam, in the Netherlands, where it was ruled brothers Melvin and Dennis van den B. had earned leniency based on their cooperation with police, lack of a criminal record, and young ages at the time they were collared in 2015. Melvin was 22 and Dennis 18 at the time of their arrest.

Prosecutors had asked they receive a year in prison in addition to the 240 hours of community service.

Coinvault surfaced in 2014 as a high-profile file-scrambling malware. The software encrypted victims’ documents, and demanded they pay a ransom of one Bitcoin (worth a few hundred Euros at the time) to restore access to their data.

While the pair was only charged with infecting 1,259 machines, researchers have estimated that the actual number of PCs hit with the malware was more like 14,000, with victims in more than 20 countries.

It was claimed in court that about 100 people coughed up the ransom demands before antivirus makers were able to develop a decryption tool to unscramble hostage files. The malware would only be eradicated fully in 2015 when the brothers were arrested and the full decryption keys were recovered.

Interestingly, it was the pair’s Dutch nationality that brought them down. Researchers were able to pinpoint the locality of the authors to the Netherlands after finding snippets of the code containing “flawless Dutch phrases” that are usually only bandied about by native speakers of the notoriously difficult language.

Kaspersky Lab, who helped lead the investigation and eventual takedown of Coinvault, said that, despite the lenient sentence, the ultimate takeaway from the three-year ordeal should be that, in the end, extortionists get caught.

“Cybercrime doesn’t pay,” said Kaspersky Lab researcher Jornt van der Wiel. “If you become a victim of criminal or ransomware activity, keep your files and report the incident to the police. Never pay the ransom and be confident that not only will the decryption tool appear, but also that justice will triumph in regards to the criminals.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/27/ransomware_coinvault_community_service/

How to (slowly) steal secrets over the network from chip security holes: NetSpectre summoned

Computer security researchers have devised a way to exploit the speculative-execution design flaws in modern processor chips over a network connection – a possibility that sounds rather more serious but may be something less than that.

Until now, Spectre attacks have required malicious code to be running on a vulnerable machine to potentially extract passwords, keys, and other secrets, from the memory of other software on the computer.

Now, here comes NetSpectre: a technique for potentially extracting private information from another device on the network without requiring any exploit code on the target box, albeit exfiltrating it rather slowly. There are potentially billions of computers, gadgets, and gizmos at some degree of risk.

Establishing a network connection to a service running exploitable snippets of code should, in theory, be enough to very slowly discern the contents of application memory remotely. This requires precise timing and constant measurement, so noisy network environments, such as the internet, will hamper exploitation to some extent.

That’s the first stage. The next step is to pull out interesting data rather than grab temporary variables and other inconsequential stuff lying around in a program’s memory – a step that is non-trivial.

“We show that Spectre attacks do not require local code execution but can also be mounted remotely,” said Michael Schwarz, one of the NetSpectre researchers, in an email to The Register. “Moreover, with the new covert channel, we show that Spectre does not necessarily require the cache to leak values.”

The major catch, described in a paper titled NetSpectre: Read Arbitrary Memory over Network, is that this side-channel attack only leaks 15 bits per hour, or 60 bits an hour via an AVX-based covert channel, which means it could take days to find and gather privileged information such as an encryption key or authentication token.

High-value targets

Schwarz reckons this data leakage is something people should worry about, although he admitted that the speed at which it can be conducted is a limiting factor.

“Luckily, the speed is quite limited, which makes this attack mainly interesting for targeted attacks on high-value targets,” he said. “If the system is fully patched against Spectre, including the new gadget variants we show in the paper, the attack should be prevented. However, we are still at the beginning of understanding how Spectre gadgets can look like, so this is not a problem that is trivial to solve.”

Spectre attacks manipulate the branch prediction mechanisms used in modern CPUs’ speculative execution engines to force the target process to access memory in a way that leaks privileged information. Today’s processors rely on speculative execution to run software at high speed, predicting where the flow of the program will go ahead and priming themselves with code and data in anticipation. It is possible to discern the contents of memory that is otherwise out of sight by manipulating and observing the effects of this predictive execution.


For a remote Spectre attack, the targeted device must include code that performs an operation such as reading through an array in a loop with a bounds check on each iteration. The exploit abuses design decisions within the processor microarchitecture to induce speculative execution, and discern the content of memory as a result. The paper, written by Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, and Stefan Mangard of Austria’s Graz University of Technology, calls these code fragments “Spectre gadgets.”

“Similar to a local Spectre attack, our remote attack requires the presence of a Spectre gadget in the code of the target,” the paper explained. “We show that systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing to read arbitrary memory over the network. The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.”

The attack involves sending multiple network packets at the target with a value that’s always in bounds, thereby training the branch predictor to predict the comparison as true.

Don’t cross the (bit) streams

For example, given this code running on a vulnerable device:

if (x < bitstream_length)
  if (bitstream[x])
    flag = true;

…a miscreant can attempt to use the bitstream[x] access to extract a bit from the software’s private memory. “The attacker sends a packet where x is out of bounds, such that bitstream[x] is a secret bit in the target’s memory,” the paper explained.

The branch predictor then assumes the bounds check is true and the memory access is speculatively executed.

Intel, informed by the researchers of their findings earlier this year, doesn’t appear to be terribly alarmed. Essentially, if you’ve updated your code and applications to mitigate previous Spectre exploits, you should be safe from NetSpectre.

“NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate,” a spokesperson told The Register in an emailed statement.

Intel said it has updated its white paper, Analyzing Potential Bounds Check Bypass Vulnerabilities, to incorporate information related to the findings and thanked the researchers for reporting their research.
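As an added illustration (not code from the paper, from Intel or from The Register), the gadget quoted above is shown next to two hardened forms of the kind the mitigation guidance describes: a serialising barrier between the bounds check and the dependent load, and branchless index masking that keeps a mispredicted check from ever forming an out-of-bounds address. The sample memory layout, the `bitstream` bound of 8 and all function names are constructed for this example; `all_forms_agree()` confirms that the three versions commit identical results, since the fixes change only what can happen transiently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory: an 8-bit public bitstream followed by bytes the
 * gadget must never expose, standing in for the "secret bit in the target's
 * memory" that an out-of-bounds x would reach. */
#define BITSTREAM_LEN 8
static const uint8_t g_memory[16] = {
    1, 0, 1, 1, 0, 0, 1, 0,   /* bitstream[0..7]: legitimately readable */
    1, 1, 1, 1, 1, 1, 1, 1    /* bytes past the bound: treated as secret */
};
static const uint8_t *bitstream = g_memory;
static size_t bitstream_length = BITSTREAM_LEN;

/* The gadget as quoted in the article. Architecturally it never reads past
 * the bound, but the load bitstream[x] may execute speculatively before the
 * comparison retires, and that transient access is what the side channel
 * observes. */
bool gadget_unmitigated(size_t x)
{
    bool flag = false;
    if (x < bitstream_length)
        if (bitstream[x])
            flag = true;
    return flag;
}

/* Hardened form 1: a serialising barrier between the bounds check and the
 * dependent load (lfence on x86, the kind of "speculation stopping barrier"
 * Intel's statement refers to). Other targets would use their own barrier;
 * the fallback here is only a compiler barrier, not a hardware one. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

bool gadget_with_barrier(size_t x)
{
    bool flag = false;
    if (x < bitstream_length) {
        speculation_barrier();
        if (bitstream[x])
            flag = true;
    }
    return flag;
}

/* Hardened form 2: branchless index masking, in the spirit of the Linux
 * kernel's array_index_nospec(). Returns all-ones when idx < len and zero
 * otherwise, computed without a branch, so a mispredicted bounds check
 * cannot turn x into an out-of-bounds address. Assumes len <= SIZE_MAX/2 and
 * an arithmetic right shift of signed values (true of gcc and clang). */
static inline size_t index_mask(size_t idx, size_t len)
{
    intptr_t word = (intptr_t)(idx | (len - idx - 1)); /* top bit set iff idx >= len */
    return (size_t)(~word >> (sizeof(size_t) * 8 - 1));
}

bool gadget_with_mask(size_t x)
{
    bool flag = false;
    if (x < bitstream_length) {
        x &= index_mask(x, bitstream_length); /* out-of-range x becomes 0 */
        if (bitstream[x])
            flag = true;
    }
    return flag;
}

/* Architectural behaviour must be identical in all three forms: the fixes
 * change only what can happen transiently, never the committed result. */
bool all_forms_agree(void)
{
    for (size_t x = 0; x < sizeof(g_memory) + 4; x++) {
        bool a = gadget_unmitigated(x);
        bool b = gadget_with_barrier(x);
        bool c = gadget_with_mask(x);
        if (a != b || a != c)
            return false;
        if (x >= bitstream_length && a)   /* no form may report past the bound */
            return false;
    }
    return true;
}

int main(void)
{
    printf("forms agree: %s\n", all_forms_agree() ? "yes" : "no");
    printf("mask(3,8)=%zx mask(8,8)=%zx\n", index_mask(3, 8), index_mask(8, 8));
    return all_forms_agree() ? 0 : 1;
}
```

The masking form is usually preferred in portable code because it does not depend on the compiler keeping a fence in the right place and costs no serialisation; the barrier form is the direct reading of the vendor guidance. Either way, the committed result for an out-of-bounds `x` is `false`, and the point of the fix is that the same holds for the transient path.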

Red Hat says it has been working with the researchers and plans to publish details about the impact on its products, if any, in a blog post on Friday. “We have not identified any viable userspace Spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack,” said Jon Masters, chief Arm architect and computer microarchitecture lead at Red Hat, via Twitter.

So far, as with the other Spectre and Meltdown variants and sub-variants, no malware is exploiting these flaws in the wild, that we know of. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/26/netspectre_network_leak/

Boffins: Mixed-signal silicon can SCREAM your secrets to all

Side-channel radio attacks just got a whole lot worse: a group of researchers from Eurecom’s Software and Systems Security Group has extracted crypto keys from the noise generated by ordinary communications chips.

Unlike more esoteric side-channels, which often need physical access to a target machine or some kind of malware implant, this leak comes from radio devices working as intended by the maker. If an SoC packs analogue and digital operations on the same die, the CPU’s operations inevitably leak to the radio transmitter, and can be traced from a distance.

As Tom Hayes of Eurecom wrote to El Reg in an email: “This type of leak is carried by the device’s intended radio signal, and thus broadcast over a potentially longer distance” [than previous side-channel attacks].


“In our work we have demonstrated over-the-air extraction of AES keys from a consumer-grade bluetooth device over a distance of 10 meters”, Hayes continued.

The paper describing their work, “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers”, explains that the physical mechanism involved is very simple. “Leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna”, because “mixed-signal chips include both digital circuits and analog circuits on the same silicon die in close physical proximity,” the paper says.

That crosstalk between CPU and radio allowed the group to recover the AES-128 key from tinyAES from 10 metres away, and – using a correlation attack – they claimed to grab the AES-128 key in mbedTLS at a distance of one meter. Ouch.

To demonstrate that this isn’t vendor-specific (for example, the result of bad design), the researchers tested the nRF52832, a Bluetooth low-energy chip from Nordic Semiconductor; and a Qualcomm Atheros AR9271, a Wi-Fi USB dongle.

As the spectrograph below shows, the ten rounds of an AES-128 negotiation are easy to identify in the “noise” coming from the Bluetooth LE chip:

Radio trace of an AES-128 negotiation

The ten rounds of AES-128 setup are clearly visible in this radio trace. Image: Eurecom, “Screaming Channels”

Because the digital noise is picked up and amplified by the radio circuits, it can travel a useful distance. The researchers achieved key recovery over 10 metres in an anechoic chamber, but they note that with more development, others could improve on their results.

With a trace captured and cleaned up, the researchers wrote, pre-existing key-recovery tools like ChipWhisperer (https://newae.com/tools/chipwhisperer/) recovered the AES encryption keys with only small modifications.

The group has published its paper here, and its code is available at GitHub.

The paper will be presented at BlackHat in August, and at the ACM’s Conference on Computer and Communications Security in October.

The team included Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes and Aurélien Francillon, all from Eurecom. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/27/screaming_channels_attack/

Oh no, what a rough blow: Cosco at a lossco over ransomware tossco

International shipping giant Cosco says it is recovering from an apparent ransomware infection on its American computer network.

The biz said late Wednesday that its freight shipping operations will not be impacted, but phone and email systems were down in the US, Canada, and in some of the corp’s offices in Panama, Peru and elsewhere in South America. Cosco identified the issues as a “network breakdown” that had prompted staff to cut off email and VoIP connections between the Americas offices and other regions of its business.

Cosco said that all of its shipping fleets would continue to operate as normal as it scrubs and restores its computers, and that its customer-facing websites and tracking services were not compromised.

“We have started contingency plans, such as transfer of operations and conducting operation via remote access, to ensure continuous service in the Americas,” Cosco said on Thursday.

“During the network failure period, there could be delays in service response in the Americas, and we are expecting your kind understanding.”


According to Cosco’s FAQ page [PDF] on the matter, the contingency plan includes re-routing some US and Canada shipping requests through available systems in the Peru and Panama offices, and in other cases, the company has been forced to run shipping requests through Yahoo! and Hotmail email addresses.

While Cosco did not say what the cause of the network disruption was, a report from maritime news specialists Lloyds List cited company emails in placing the blame on a ransomware infection that had been spotted on its US systems, prompting the decision to cut off contact with other regions. The report notes that networks outside of the US are in fact functioning as normal and that employees have been advised not to open suspicious emails.

Shipping and logistics site JOC.com reported that despite the outage, shipments from Cosco are being processed, although things are moving slower than normal, according to the companies that unload Cosco containers at various ports in North and South America. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/26/cosco_ransomware_attack/

CoinVault Authors Sentenced to Community Service

Ransomware first began targeting victims in 2014.

The two brothers responsible for the CoinVault ransomware were sentenced today to 240 hours of community service, the Dutch court announced.

It has been nearly three years since the pair was arrested for CoinVault, which began targeting victims in 2014 by encrypting data on machines and demanding cryptocurrency ransom. It briefly stopped in November 2014, when a sample was detected by Kaspersky Lab, but then resumed in April 2015, when a new sample was discovered.

In the time it was active, CoinVault spread to more than 14,000 Windows machines in 20 countries, primarily the Netherlands, the US, the UK, Germany, and France. The brothers behind the attack were accused of breaking into computers, making other people’s work inaccessible, and extorting 1,295 people. Researchers at Kaspersky Lab believe more users were infected because they recorded at least 14,000 keys when they released their final decryption tool.

Read more about the trial here.


Article source: https://www.darkreading.com/threat-intelligence/coinvault-authors-sentenced-to-community-service/d/d-id/1332398?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tenable Prices IPO, Raises $250 Million

The past year has been one of significant growth for the cybersecurity firm, which is trading under the NASDAQ symbol TENB.

Tenable Holdings today announced the initial public offering (IPO) terms for Tenable Network Security, which has raised about $250 million and is pricing 10.9 million shares at $23 per share.

The company jumped 40% in its first day on the market, with shares opening at $33 and boosting Tenable’s market value past $3 billion. The stock price was $31.29 per share at the time of publishing.

Tenable, based in Columbia, Md., was founded in 2002 to help companies detect security threats. Since building vulnerability assessment tool Nessus 10 years ago, the company has built and released Tenable.io, a “Cyber Exposure” platform designed to give security teams visibility into activity across their attack surface of endpoints, cloud, and IoT devices. The company is led by chairman and CEO Amit Yoran, former president of RSA and founding director of US-CERT.

In the 16 years since its founding, Tenable has grown to amass more than 24,000 customers in 160 countries. Clients include 53% of the Fortune 500 and 29% of the Global 2000, in addition to nine of the 10 largest US financial institutions, the company reports.

The past year marked a significant year of growth for Tenable, which ended 2017 with record billings exceeding $250 million, marking over 45% growth for the fiscal year. This also signified the seventh consecutive quarter of more than 40% year-over-year billings growth for the firm.

Toward the end of last year, the security firm teamed with Siemens on managed security services for critical infrastructure networks. The ICS/SCADA vendor announced plans to incorporate Tenable’s vulnerability detection and management system into a new managed security service for critical infrastructure providers.

Hints of an IPO first appeared late last month, when Tenable filed a registration statement on Form S-1 with the US Securities and Exchange Commission. At the time, it announced shares would be traded under the NASDAQ symbol TENB, the symbol it continues to use today.

Tenable is one of several cybersecurity firms that have announced, or are rumored to announce, IPOs this year. Endpoint security company Carbon Black went public in early April, with plans to raise $100 million. Cloud security software provider Zscaler, the first major tech IPO of 2018, priced its stock in March at $16 per share.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/tenable-prices-ipo-raises-$250-million/d/d-id/1332399?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Steps Toward Safer Elections

Here’s some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.

Image Source: Shutterstock via Artist_R

It’s time to think of securing elections the same way we think about securing our businesses and government agencies. Election systems, like all other entities today, are open to cyberattack. So election and government officials have to learn from their corporate counterparts and put a plan in place to achieve a successful election.

“What I’ve been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked,” says Noah Praetz, director of elections in the Cook County Clerk’s Office in Illinois. In an April 16 email sent out to his election colleagues in Illinois, Praetz outlined some best practices and options for local elections officials.

“What we need more than anything are professional security people, boots on the ground who can help institute best practices,” Praetz says.

The federal Election Assistance Commission made available $380 million earlier this year for states to improve and modernize their election systems. But Praetz cautions that EAC only allocated funding for this year under the Help America Vote Act of 2002. He says much more is needed over successive years to deliver what’s needed to the nation’s 8,800 election districts.

While it’s unclear whether more financial help will be authorized beyond this year, the Department of Homeland Security has been more open in the past several weeks about the need for increased election security leading up to November’s Congressional elections.

In testimony earlier this week before the House Committee on Oversight and Government Reform, undersecretary Christopher C. Krebs told lawmakers that DHS has prioritized voluntary cybersecurity assistance for election infrastructure similar to what’s provided to numerous other sectors that have been designated as critical infrastructure, such as the financial sector, defense industry, and electric utilities. DHS designated election infrastructure a critical subsector in January 2017. 

Krebs said DHS has been working with the EAC and other state and local partners to strengthen the security of election systems nationwide, noting in his testimony that DHS will continue to offer a broad range of services, such as cybersecurity hygiene scans, risk and vulnerability assessments, and incident response assistance.

The EAC money has served as a good start, but there are thousands of election districts across the country that are lucky to have one IT support person, let alone a $250,000-a-year threat hunter with a CISSP or other important security credentials. While DHS and other groups are available to help, there’s insufficient support for a much stronger national effort.

A comment from Maria Benson, communications director of the National Association of Secretaries of State, gives some insight into how difficult it would be to forge a national effort. When asked what the status was in Washington of developing a national set of guidelines for election security, Benson replied: “I do not have an opinion, nor does the association. Each state has the authority to decide how to run elections in a secure, fair manner.”

In contrast, Harri Hursti, participant in the Voting Machine Hacking Village at DEFCON last year, and Cecile Shea, non-resident senior fellow for global security and diplomacy at the Chicago Council on Global Affairs, say there should be a much stronger effort at the federal level. Both Hursti and Shea say national guidelines can be developed in a way that offers states technology options, but still gives local districts control and the ability to do what suits them best.

For now, a group of Democratic Senators last month introduced the Protecting American Votes and Elections Act, legislation headed up by Sen. Ron Wyden (D-Ore.) that would require states to produce paper trails and mandatory audits. If passed into law, the bill would authorize $10 million to study, test, and develop accessible paper ballot voting, verification, casting mechanisms and devices, and voting best practices. The bill has only Democratic sponsors and no support from Republicans.

That’s why Dark Reading took some time and talked to numerous state, local, and industry officials to develop a feature that outlines some proactive steps governments (and private citizens) can take to make their elections this November more secure.

We talked to the following sources: Noah Praetz, director of elections, Cook County, Ill., Dr. Eman El-Sheik, director of the Center for Cybersecurity, West Florida University, Harri Hursti, a leader in the DEFCON election hacking effort, and Cecile Shea of the Chicago Council on Global Affairs. We also reached out and compiled valuable information via email with Harvard University’s Belfer Center for Science and International Affairs, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the Brennan Center for Justice, and Sen. Wyden’s office in Washington, D.C.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/vulnerabilities---threats/8-steps-toward-safer-elections/d/d-id/1332400?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple