Let's Go Back To Hand-Delivery? ... No!

I always find it strange that the public sector tells companies that they should be more cyber-secure, when it is often government departments that have some of the weakest levels of security.

And so we see the Election Fraud Commission in the US demanding that voter data is sent through an insecure email channel. This could lead to a large-scale breach of data such as names, addresses, dates of birth, Social Security numbers, driver's license numbers, and several other things. Sending it over unprotected email leaves the data open to external snoopers and insiders, with a minimal level of encryption used.

The letter sent is in the form:

But the main problem arises on the second page:

We can see that the sender is given an option, without any guidance on the security of the communications. With the email method the data is sent to “ElectionIntegrityStaff @ovp.eop.gov,” with no additional protection. At the very least the sender should be using STARTTLS so that the message is encrypted in transit (and even that protects only the hop between mail servers, not the message once it is stored). With the SAFE site for FTP uploads there is improved security, as it uses encryption keys to create a tunnel.
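What "at least use STARTTLS" means in practice is that the sending client must refuse to fall back to plaintext, because smtplib (like most mail clients) will happily keep talking in the clear when the relay does not advertise the extension. The following is an added example, not code from the original post; the recipient address is the one quoted above (with the stray space removed), while the relay host name, the sender address, the message text and the OfflineRelay stand-in are constructed for this example.

```python
"""Added example, not code from the original post: a sender that refuses to hand
personal data to an SMTP relay unless the session is upgraded to TLS.
The recipient address is the one quoted in the post; the relay host name, the
sender, the message text and the OfflineRelay stand-in are constructed."""
import smtplib
import ssl
from email.message import EmailMessage

RECIPIENT = "ElectionIntegrityStaff@ovp.eop.gov"  # address quoted in the post
SMTP_HOST = "smtp.example.invalid"                 # placeholder relay (assumption)


class PlaintextRefused(RuntimeError):
    """The relay would only take the message in the clear, so it was not sent."""


def build_message(body: str = "constructed sample, no real voter data") -> EmailMessage:
    """Constructed sample message; the sender address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "records@state.example.invalid"
    msg["To"] = RECIPIENT
    msg["Subject"] = "Voter file transfer"
    msg.set_content(body)
    return msg


def send_only_over_tls(message: EmailMessage, host: str = SMTP_HOST,
                       smtp_factory=smtplib.SMTP) -> str:
    """Deliver `message` through `host`, but only after a verified STARTTLS upgrade.

    smtplib's default behaviour is to carry on in plaintext when the server does
    not advertise STARTTLS; this function raises instead. Even a successful
    upgrade only protects the hop to this relay, not the onward path to the
    recipient's mailbox."""
    with smtp_factory(host) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise PlaintextRefused(f"{host} does not advertise STARTTLS")
        # create_default_context() verifies the certificate chain and hostname,
        # which blocks a relay impersonating the real one.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        smtp.send_message(message)
    return "sent"


class OfflineRelay:
    """Stand-in for smtplib.SMTP so the policy can be exercised without a network."""
    offers_starttls = True

    def __init__(self, host: str):
        self.host, self.upgraded, self.delivered = host, False, []

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        return 250, b"offline relay"

    def has_extn(self, name: str) -> bool:
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context=None):
        self.upgraded = True

    def send_message(self, message: EmailMessage):
        if not self.upgraded:
            raise RuntimeError("plaintext delivery attempted")
        self.delivered.append(message["To"])


class PlaintextOnlyRelay(OfflineRelay):
    """A relay that never offers STARTTLS, like an unmanaged legacy server."""
    offers_starttls = False


if __name__ == "__main__":
    print(send_only_over_tls(build_message(), smtp_factory=OfflineRelay))
    try:
        send_only_over_tls(build_message(), smtp_factory=PlaintextOnlyRelay)
    except PlaintextRefused as err:
        print("refused:", err)
```

Swap `OfflineRelay` for the default `smtplib.SMTP` factory and a real host to use it against an actual relay; the policy decision (no STARTTLS, no delivery) is the same either way.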

The Computer says "No"

Many of the states have already declined the request, saying that it is illegal to release the information requested, or that it is a complete waste of money. In fact Delbert Hosemann, Mississippi's Republican Secretary of State, replied with:

Go jump in the Gulf of Mexico

Many, too, have responded asking how the data will be handled, in order that they can assess if it will be kept secure.

Trump, who set up the commission, has already made his views on Internet security known, and has been quoted as saying that internet security is all but impossible and that the best method of communication is:

delivery by hand via courier

Hacking Voters

On 7 Apr 2016, it was discovered that the records of 55 million Philippine voters had been leaked from the COMELEC (Philippines' Commission on Elections) website. It was suspected that the site had been hacked by Anonymous Philippines, and within days the data was posted by LulzSec Pilipinas.

In 2015, using Shodan, Chris Vickery found voter registration records for over 191 million US citizens in a database of over 300GB that could be accessed over the Internet without a password. Vickery, at the time, also found over 13 million customer records in the MacKeeper MongoDB database.

In 2016, Vickery then found that the records of over 93 million Mexican voters were exposed online because of a configuration error on a MongoDB database (where no password was required to access the data). The database included voter names, addresses, ID numbers, dates of birth, parents' names, and occupations.

And now ... 198 million

So, one of the largest data breaches around an election has exposed the records of over 198 million United States voters (more than 60% of the US population). It happened when a company named Deep Root Analytics put 198 million voter records on Amazon S3 storage without any restrictions on access. Deep Root Analytics was employed by the Republican National Committee and was paid nearly a million dollars between January 2015 and November 2016 to provide election analytics.

The data breach was uncovered by Chris Vickery (from UpGuard, who previously found over 191 million US voter records in 2015 and 93 million Mexican voter records), who found terabytes of files that did not need a password to access them.
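"Without any restrictions on access" on S3 comes down to three documents on the bucket: its policy, its ACL, and its Block Public Access settings. The following added example (not code from the original post, and nothing to do with Deep Root Analytics' own systems) runs the checks a defender would apply to those documents. The bucket name, account id and the policy/ACL/Block Public Access documents are constructed samples in the shapes boto3 returns; nothing here talks to AWS.

```python
"""Added example, not code from the original post: three checks over an S3
bucket's configuration to catch the "no restrictions on access" condition.
The bucket name, account id and the sample documents are constructed."""
from __future__ import annotations
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}
BLOCK_PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two ways a policy names everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json: str) -> list[str]:
    """Sids (or positional labels) of Allow statements whose principal is everyone.

    Statements carrying a Condition are still reported: a condition such as a
    VPC-endpoint restriction may narrow "*", but a human needs to confirm it."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            label = stmt.get("Sid", f"statement[{i}]")
            findings.append(label + (" (conditional)" if "Condition" in stmt else ""))
    return findings


def public_acl_grants(acl: dict) -> list[tuple[str, str]]:
    """(group, permission) pairs in a bucket ACL granted to the public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return hits


def missing_block_public_access(config: dict) -> list[str]:
    """Names of the four Block Public Access flags that are not switched on.

    With all four on, a public ACL or policy cannot take effect even if someone
    applies one later; that is the control that keeps files like these private."""
    return [flag for flag in BLOCK_PUBLIC_ACCESS_FLAGS if not config.get(flag, False)]


# Constructed sample documents, in the shapes boto3's get_bucket_policy,
# get_bucket_acl and get_public_access_block return.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-files/*"},
        {"Sid": "AnalystsOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/analysts"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-files/*"},
        {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-voter-files/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_BLOCK_PUBLIC_ACCESS = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}


def audit_bucket(policy_json: str, acl: dict, bpa: dict) -> dict:
    """Combine the three checks into one report for a bucket."""
    return {
        "public_statements": public_policy_statements(policy_json),
        "public_acl_grants": public_acl_grants(acl),
        "block_public_access_missing": missing_block_public_access(bpa),
    }


if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BLOCK_PUBLIC_ACCESS), indent=2))
```

On the constructed sample the report flags the `PublicRead` statement, the `AllUsers` READ grant, and the two Block Public Access flags that are off; a bucket that passes all three checks still needs its object-level ACLs reviewed, which this example does not cover.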

The details included first and last name, date of birth, phone number, home and mailing address, party affiliation, voter registration data, and ethnicity:

For FAX sake

As the world has moved on from faxes to email, it is always strange when you get asked for your fax number. So, in May 2015, it came as a shock that Northumbria Healthcare NHS Foundation Trust had mistakenly sent five faxes containing personal information on patients to a member of the public. They were meant to go to a social care team but ended up being sent to an incorrect number. The first breach had happened in March 2014, and new policies were applied. All of the pre-programmed numbers on the fax machine were changed, but that still didn't stop another four faxes being sent to the same person just two months later.

Conclusions

In the EU, with GDPR coming along, there is increased awareness of the handling of data, and government departments need to understand how they store, transmit and process it. One thing I know: Internet communications can be made almost infinitely more secure than courier post, but only if it is done properly.
