Security News for the Week Ending February 7, 2020
Iran Expands Oil & Gas Attacks to Electric as Well
According to researchers, Iran-linked APT33 has expanded its set of targets. Initially they were going after the global oil and gas industry, but now they have added the electric grid to the mix. Right now, they say, the goal is reconnaissance – gathering information to use later. They are also trying to establish a foothold inside the infrastructure to use at a time of their choosing. Source: Threatpost
In the Wake of the Iowa Caucus Voting Mess – Are We More Secure Now Than 2016?
Clearly the Iowa voting software issue does not instill confidence in the election process. Was that a Russian hack? No, I don’t think so. Just software quickly thrown together with not much planning. Apparently, they only paid $63,000 for it. Given how important it was, it seems like a LOT more testing was needed. That did not happen.
But more concerning is this week’s McAfee report. They say that 84% of county websites did not have a .gov domain name. This is important because there is more verification done on those domains.
In addition, 46% of county web sites were not encrypted – with Texas being the worst with less than 25% of their county web sites being encrypted.
If we are not taking basic security measures like these, why would anyone think that they are doing a better job at protecting your vote? Source: Help Net Security
GAO Says That CISA is Behind on Election Security Plans
The GAO says that DHS’s CISA is behind on its plans for election security. CISA became responsible for election security when elections were declared critical infrastructure in 2017.
Unfortunately, CISA’s budget is less than JP Morgan Chase’s security budget. Given the lack of funding, this is not a surprise.
Given the challenges with tech (non-hacking related) at the Iowa Caucuses, this is not a good sign.
The House has passed a number of bills to fund election security but the Senate has not taken up any of them and none of them have been submitted to the White House. More than likely, this is due to partisan politics. However, if there are problems during this election, voters are likely not going to be happy.
The GAO listed three recommendations for CISA:
- Urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure for the upcoming elections.
- Ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections.
- Document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency’s 2020 planning.
Source: CNBC
Experts Say the Software Used at Iowa Caucuses Looks Like a Student’s Class Project
Multiple Android app development experts and cybersecurity pros who talked about the app that the IDP tried to use to report the caucus results said it had a quality similar to what a college student might turn in for a programming class.
The software was based on React Native, a cross-platform app development framework released as open source by Facebook. That in itself is not a problem.
One expert said that the developers took an off-the-shelf skeleton project and added some stuff to it. One expert said that it was clearly done by someone who had just read a tutorial on how to do it. Another expert said the app looks like it was “hastily thrown together”.
It also appears that user training was inadequate. The development team only started gathering requirements 6 months ago. Homeland Security had offered to test the security of the app, but the Iowa party officials declined.
The IDP says that this app was not supposed to be the final arbiter of results but only a way to get quick, unofficial numbers. The caucuses all collected their data on paper and were supposed to transfer the results to the app. Source: Motherboard
Sources also say that the version of the app planned to be used in Nevada (plans which have been cancelled) also had errors. Source: Motherboard