Public Sector Cybersecurity Weekly Briefing 11-17-2017

The Next U.S. Election Hack Is a Matter of When, Not If
Americans need to view the entire electoral infrastructure as a critical asset — like a power grid or communications network — deserving of the same attention and resources. Officials must also consider non-cybersecurity, low-tech approaches such as ensuring that the voting process produces a clear, checkable paper trail that is kept for an extended period of time after the vote.


UK Spymasters Raise Suspicions Over Kaspersky Software’s Russia Links
British spymasters fear that anti-virus software given away for free by Barclays to more than 2m customers may be being used as an intelligence-gathering tool by the Russian government. […]
Intelligence officials worry that the widespread distribution of Kaspersky by Barclays in particular exposes at-risk individuals — such as employees of British government departments or members of the military — who are customers of the bank and have downloaded Kaspersky software to boost their home security.


WikiLeaks: CIA Impersonated Kaspersky Labs as a Cover for Its Malware Operations
WikiLeaks alleges that part of the CIA’s obfuscation methodology has it use faked digital certificates that are created by impersonating legitimate organizations “In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” the group wrote.


The Public is Not that Fussed About the Surveillance State: Confidence in the Intelligence Community and its Authorities
As we reported last week, public confidence in the intelligence community as a national security actor is relatively high in general—significantly higher than confidence in any other institution about which we poll, save the military. […] Only 32 percent of respondent suggest that the intelligence agencies have too much authority, while somewhat fewer (25 percent) contend it doesn’t have enough.


US Police, Military Bases Using Hackable Chinese Government-Owned Surveillance Cameras
According to the DHS, some cameras manufactured by Hikvision contained a security vulnerability that made the devices exploitable by hackers. The DHS flagged the flaw and assigned it the worst security rating available. […] Hikvision for its part has disputed any concerns over security issues with its products, noting that it follows the law in any country it does business in and took action to patch the flaws identified by the DHS.


Idaho Shared Voters’ Private Info with Kobach’s ‘Crosscheck’ System, Despite Cyber Vulnerabilities
Denney assured the public that other personal information collected on Idaho’s voter registration forms — a voter’s date of birth, driver’s license number and the last four digits of their Social Security number — is not releasable under Idaho’s public records law. Kobach, he said, could not have it. In fact, Denney had already given it to Kobach.


Lawmakers Grapple with Cyber-Sleuthing Technologies
Rep. John Lesch, DFL-St. Paul, a former St. Paul prosecutor, said that automated license plate readers and police body cameras threaten to widen social disparities. Both tend to be deployed in high-crime neighborhoods, he said, which tend to be poorer, more ethnically diverse areas. To Lesch, that suggests data on African-Americans and other minorities are captured in law enforcement databases at rates exceeding their proportion of Minnesota’s population. “That is a disparate impact—which the Supreme Court has stated is an issue—whether you intend to do it or not,” Lesch said.


Defense Department’s Vulnerability Disclosure Program Racks up 2,837 Security Flaws
Implemented just after the agency introduced its successful Hack the Pentagon bug bounty program, the initiative, spearheaded by the department’s Defense Digital team, has unearthed more than 100 vulnerabilities deemed critical and has attracted about 650 white hat hackers from more than 50 countries who have scoured the Defense Department’s public-facing websites for flaws. HackerOne said that, in addition to the United States, India, Russia, the U.K., France, Pakistan, Canada, the Philippines, Egypt and Australia are the top flaw-reporting countries to date.


Florida Governor’s Proposed Budget Would Formalize Cybersecurity Training
This year, at AST’s request, the governor proposes making recurring an annual expense of $220,000 to provide IT security training to the security managers across 35 state agencies. Previously, AST received the funding on a year-to-year basis, but as agency spokesperson Erin Choy pointed out, it has a “statutory responsibility” to train state agency information security personnel.


Are Voting Machine Hacks Overblown?
[A] closer examination reveals that the most direct form of “hacking an election,” breaking into voting machines and altering vote counts, is a good deal more difficult than the headlines suggest. For instance, while many outlets reported that conference attendees were able to penetrate all 30 machines, less reported was the fact that in the vast majority of cases, hackers needed to have extensive and direct physical access, including taking them apart, in order to find the vulnerabilities that allowed them to access voting software.


Colorado Implements Risk-Limiting Audit Process to Verify Election Results
The main thrust of the Risk-Limiting Audit Process is to require all jurisdictions to have a sound ballot accounting process and use a batch size of one ballot, which requires that a cast vote record (CVR) exist and be available and retrievable for each individual ballot, according to the State of Colorado Risk-Limiting Audit Final report.


House Committee Examining Personnel and Organizational Changes at HHS Cybersecurity Center 
“An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed. The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business,” Politico’s Darius Tahir reported.


Tennessee City Still Not Recovered from Ransomware Attack
The attack has essentially stopped the city from being able to conduct many of its usual functions as its IT department attempts to rebuild the database from backed up files.   The attack has locked city workers out of their email accounts, and residents are unable to make online payments, use payment cards to pay utility bills and court fines, or conduct any other business transaction.


How Can an Election be Hacked?
Amid the flurry, it’s easy to blur these conversations—especially because they all seem to feature Russia. But the election-hacking conversation desperately needs to be untangled. Whatever other revelations may come, it helps to remember that election hacking is really about three separate threats: hacking voters, hacking votes, and causing disruption or chaos.


Stay up to date on the Public Sector Information Security news that you need to know by signing up for our Public Sector Briefing Here.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.