File-Sharing Software On State Election Servers Could Expose Them To Intruders (propublica.org) 125
An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.
The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security. "FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."
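The exposures named in the summary above (anonymous login, unencrypted credentials, operating-system details leaking from the server) can all be read off an FTP control-channel session that an administrator logs against their own server. The following is an added example, not code from ProPublica or from any commenter; the transcripts, the `C:`/`S:` log format and the finding names are constructed for illustration.

```python
import re

# Constructed control-channel transcripts (C: client, S: server); not from any real host.
WEAK = """\
S: 220 ExampleFTPd 1.2.3 Server (constructed banner) ready.
C: USER anonymous
S: 331 Anonymous login ok, send your e-mail address as password.
C: PASS audit@example.invalid
S: 230 Anonymous access granted.
C: SYST
S: 215 UNIX Type: L8
""".splitlines()

HARDENED = """\
S: 220 Service ready.
C: AUTH TLS
S: 234 AUTH TLS successful.
C: USER anonymous
S: 530 Anonymous access denied.
""".splitlines()

VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)*\b")
ANON_USERS = {"anonymous", "ftp"}


def audit_transcript(lines):
    """Return a sorted list of finding names for one FTP control session."""
    findings = set()
    tls = False           # True once the server accepts AUTH TLS (reply 234)
    last_cmd = ""         # verb of the most recent client command
    anon_attempt = False  # client offered an anonymous user name
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            last_cmd = verb.upper()
            if last_cmd == "USER":
                anon_attempt = arg.strip().lower() in ANON_USERS
            if last_cmd in ("USER", "PASS") and not tls:
                findings.add("cleartext-credentials")
            continue
        m = re.match(r"(\d{3})([ -])(.*)", text)
        if not m:
            continue  # continuation line of a multi-line reply
        code, rest = m.group(1), m.group(3)
        if code == "220" and last_cmd == "" and VERSION_RE.search(rest):
            findings.add("banner-discloses-version")   # greeting names a version
        elif code == "234" and last_cmd == "AUTH":
            tls = True                                  # channel upgraded to TLS
        elif code == "230" and anon_attempt:
            findings.add("anonymous-login-accepted")    # password-free access
        elif code == "215" and last_cmd == "SYST":
            findings.add("syst-discloses-os")           # OS type returned
    return sorted(findings)
```
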
FTP can be secure (Score:1, Informative)
The article talks about how ftp can be used to peek at the operating system but any worthwhile ftp blocks that sort of nonsense. No, ftp doesn't encrypt or sign data but neither does http and people love that protocol.
Ftp actually can be secure. See gss.
Re: FTP can be secure (Score:1)
Until you man in the middle attack it and read all the data or change the contents of the files being sent.
Just use sftp, it's standardised and secure
Re: (Score:2)
Or FTPS, you can create TLS channels over "modern" FTP.
Re: (Score:3)
All this is true, ftp *can* be done secure.
However, it's *much* easier to do rsync or sftp in so many ways that I could hardly see a reason to bother with ftp and trying to bolt on security through kerberos and/or tls.
Re: (Score:2)
Kerberos with SSH is also bolted on. Often it's easier to use an existing library or migrate existing infrastructure by simply checking a "secure" box. Windows until 2017 did not have native SSH support, many systems still rely on (virtualized) mainframes with complex programs in COBOL where you certainly won't find SSH. Anonymous SSH doesn't exist either.
FTP is also more robust than SSH when it comes to establishing and maintaining connections and allows for point-to-point (eg external connections) TLS whi
Re: (Score:1, Troll)
No, ftp doesn't encrypt or sign data but neither does http and people love that protocol.
Not for elections, you anontard! You seemed to have missed that this is a critical system that should NOT have ANY file sharing software on it at all.
How dense can you be?! What fool modded you up?!
Re: (Score:1)
These computers are not VOTING systems. These are the servers "used to report voting results" - most likely web servers. Who gives a flip if someone defaces a web page? It'll be fixed shortly, and the results won't change. At worst, you're talking about a minor delay in the public finding out the results.
For all your over-reaction, you seem to have failed to think through what the actual threats or risks are.
Re: (Score:2)
Yes.
But what other systems are these connected to behind the scenes? Can you move laterally from these servers and deeper into more sensitive parts of the voting system?
Idiot (Score:1)
It's not a voting machine, and it's not a critical system. It's a reporting machine that has to be publicly facing to give the public the election reports. In fact, putting FTP on it is a *good* idea to allow bulk transfer of data, as it's a much more appropriate protocol than HTTP for file transfer. Oh, and you idiots suggesting rsync or scp, the entire point is to allow the data to be available without a login. FTP does that, your favorite protocols don't.
Re: FTP can be secure (Score:2)
I think the article is misleading. They only imply this is a critical server to elections. They never actually said it. They said it was a server used for results. Well the state lottery websites are used for 'results' also. But try as you might, feel free to compromise the hell out of it if you want. You're never actually getting access to the real lottery servers where all the information is stored. Bi-weekly the winning numbers are manually entered into the public server.
They inte
Re: (Score:3)
Ftp actually can be secure.
Maybe it CAN be secure, but it isn't by default, and there are more secure protocols, such as scp, that make ftp unnecessary. There is no good reason to run it on any system, much less an election server.
Re: (Score:2)
The only sensible way to do this, if you really must have remote access to the voting machines, is to have the machines connect to a VPN in your secure data centre. Anything that requires the machines to accept connections is a bad idea, they should be connecting to your secure network and verifying with up to date certificates and encryption protocols.
Re: (Score:3)
Why would you want to make an old protocol secure, when there are other protocols out that solve the issues FTP has from the ground up. FTPS (as in SSL/TLS over FTP) is a band-aid at best. Why even bother with that, when you have SFTP which is designed from the ground up to be secure, can be configured to allow for RSA authentication from both ends, so a password never goes in the clear, can't be brute-forced, and goes over only one port.
With how easy it is to use SSH, why even bother with FTP these days?
FTP is for sales (Score:3)
100% of real-world FTP servers I've seen running in the last decade were set up on orders from Sales or Marketing departments. Those folks tend to have low technical ability, zero understanding of security, and far more political power than Dev or IT.
In fact, the presence of an FTP server on an important host tells us something about their organizational structure. It tells us there is at least one zero-tech-knowledge person in the org, whose mere whim carries more weight than the CTO's (or CSO's) total offi
Never heard of breaches in the tech news (Score:2)
FTP doesn't seem to be reported for getting compromised. Is that because it is mostly non-existent now?
Or is it like the Vice item, where they reported on a something, browser history sniffing, that would only occur for those that don't care about how much they lose.
Re: (Score:2)
FTP doesn't seem to be reported for getting compromised. Is that because it is mostly non-existent now? ...
Or maybe because people that don't know how to secure stuff, also don't know about FTP...
Re: (Score:2)
My guess is that you don't hear much because it is no longer on any default install package and why the hell would you install it when OpenSSH gives you scp which is secure and so much easier to use?
Even in Windows.
Also, most FTP install packages generally set it up so that it can only see one target directory that has nothing in it. You really have to go out of your way even with FTP to fsck yourself up.
Re: (Score:3)
It is just standard basic precautions, not a major attack vector.
The fear isn't so much related to that it might be compromised, but that it isn't encrypted and so everybody on your subnet can read the traffic, and if somebody p0wned your router they could also alter that traffic. And the router in question really might be a consumer wifi router!
Personally, I think election systems demand even stronger security than banks, but if we could at least get the security up to the level the local public library ha
Re: (Score:2)
FTP doesn't seem to be reported for getting compromised.
How can one compromise a protocol which is insecure by design? There’s not really anything secure there which needs to be broken - the transactions are already out in the open.
Re: (Score:2)
There have been privilege escalation attacks against FTP servers in the past.
Snooping on an ftp transaction should only give you the credentials for an unprivileged account. If you can escalate to Administrator privileges, then you can do anything.
Re: (Score:2)
There have been privilege escalation attacks against lots of protocols and the programs which implement them in the past...
FTP at least is a relatively simple protocol, how it works is well known as is how to harden it... I'm actually far more comfortable with a simple protocol like FTP that provides a clear demarcation between authenticated and unauthenticated, than something extremely complex like SMB running as a high privilege process on the host box.
Re: (Score:2)
I also recall back in the day a wave of vulnerabilities to escape the anonymous ftp folder and get other things...
Re: (Score:3)
A common configuration for FTP servers was that they support all logins, both privileged and unprivileged. That means you can simply run a password guesser at it until you find the login for a privileged account. Alternatively, you can snoop on the traffic until someone logs in, steal their credentials, and hope they have privileged access. A privilege escalation attack works too.
If you had the ability to snoop and modify the traffic, then a good approach would be to wait until the wait until election
Re: (Score:3)
So drop all the electronic bullshit and go back to pencil and paper and eyeballs. Make your mark on your bit of paper and afterwards, reps of those representatives seeking election, count the votes together, tabulate them and put them up on a board and phone that information to the state vote counting centres, who under public camera view put the numbers up and tabulate, keeping in mind those who originally counted them can see their numbers go up on the central board for the total count.
Elections should be
can the MPAA and RIAA's shut down the vote if (Score:4, Interesting)
can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?
Re: (Score:2)
can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?
I can't tell if that is serious or joking. Maybe it is -both-? ;-)
Re: (Score:2)
can the MPAA and RIAA's shut down the vote if say the hot new movies were to be hosted there?
You need new movies that are hot, to do this.
Re: (Score:2)
Only by the definition of the MPAA.
Re: (Score:2)
FTP use by State and local employees at that level wouldn't have dedicated infrastructure, so accessing it from the wifi provided by coffee shops and hotels would be totally expected.
So yes, you can be 100% certain that many involved routers are easily infiltrated.
If you found a sucker to take that sort of bet; switch to sales. You have a gift and don't need to take chances.
FTP you say? (Score:1)
Well surely this new internet evil "FTP" should be banned. We need to draft new legislation against this new insidious threat actor.
Re: (Score:2)
Building a wall around your router isn't going to help. You're going to need a wall and razor wire to be really effective. Maybe a few gun turrets.
How the internet works (Score:2)
These could also be reached from internet addresses based in any other country, because it's facing the internet and poorly secured.
Oh Good Lord (Score:4, Insightful)
Regardless of the presence of state actors wanting to interfere in our elections...
WHAT KIND OF MORON RUNS FTP ON AN ELECTIONS SERVER?
Re: Oh Good Lord (Score:2)
Only dumbasses win elections. Or so it seems.
Re: (Score:2)
Maybe not a moron. It is possible, and I do not know this to be the case, that someone could set that up so that certain groups inside the U.S. could have access that they shouldn't.
Re: (Score:1, Interesting)
The kind that welcomes foreign interference?
The kind that removes the only polling place in a town just because it has 60% Hispanic voters? The kind that will block your voter registration if your signature at age 60 looks at all different from your signature when you first registered to vote at 18? The kind that "loses" 60,000 vote-by-mail ballots from minority districts? The kind that tries to block half a state's population because they are Native Am
Re:Oh Good Lord (Score:5, Insightful)
I understand what you’re saying - and why - but I still ascribe to “never attribute to malice what can be adequately explained by incompetence”.
Re: (Score:2)
That presupposes that incompetence is substantially more common than malice - I'm not sure that holds in politics, where both seem nearly ubiquitous.
Re: (Score:3)
That presupposes that incompetence is substantially more common than malice - I'm not sure that holds in politics, where both seem nearly ubiquitous.
What about incompetent malice?
I assert that competence is rare everywhere -- including in politics -- and that this is the true basis of Hanlon's Razor. The reason you should never attribute to malice what can be adequately explained by stupidity (or incompetence) isn't so much that malice is rare [*], but that incompetence is so incredibly common. Nearly all attributions of malice implicitly assume competent malice, because the incompetently malicious generally screw up in some way, and it's this assump
Re: (Score:2)
[*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon.
I'm guessing you browse at +1 and just never see all the Anonymous Coward posts here.
Re: (Score:2)
[*] It's worth pointing out that malice is actually pretty rare, and that malice in its purest form -- malice for its own sake -- is extremely uncommon.
I'm guessing you browse at +1 and just never see all the Anonymous Coward posts here.
Trolling is boredom, not actual malice.
Re: (Score:2)
Incompetence is the correct answer. Their software sucks and is buggy. Installing updates and doing diagnostics on site is an expensive process, so the bosses demand it be made cheaper. They could do it properly, have the machine VPN back to their servers or something, but that requires infrastructure and administration... Cheapest option is just to enable FTP.
Security is an expense they don't need. If someone hacks their machines they can just play the victim and besides which failure isn't really a proble
Re: Oh Good Lord (Score:2)
"The kind that welcomes foreign interference?"
Or the kind that welcomes domestic interference. Or both!
Re: (Score:2)
The much more important question is, "What directories were exposed, and what was in them?"
If -- and I mean if -- it's only /pub, and there's nothing in /pub then what's to worry about?
Re: (Score:2)
Once upon a time, that would have been nearly excusable, as ftp as a common default was a thing, but locked down to uselessness. However it would be best practice to remove it.
For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp. Again this doesn't *have* to mean it is used poorly or can be attacked, but the presence certainly suggests that it is probably being used and it's almost certainly being used insecurely by someone. Someone mentioned theoretica
Re: (Score:2)
For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp.
You don't know government (or Big Business) very well. I wouldn't be surprised if that server is actually a 15 year old SCO server, not patched in 12 years, and the hardware out of support for 10 years.
Re: (Score:2)
For anything in the last decade or so, the presence of an ftp server indicates intentional set up of ftp.
You don't know government (or Big Business) very well. I wouldn't be surprised if that server is actually a 15 year old SCO server, not patched in 12 years, and the hardware out of support for 10 years.
In which case it almost certainly has a raft of well-known vulnerabilities which can be exploited to break out of the locked-down configuration.
Re: (Score:2)
My uncle's invoice management system was written to run on a SCO server and has been running for 20+ years. Yes on a Pentium II processor! He's not concerned about it because the server is not even connected to the network. All connected via serial WYSE terminals. For giggles I've made a ghost image of the server and got it running as a VM but unfortunately the way the special serial cards are designed it won't work as a VM. The TCP/IP stack can't be installed on the version of the server he has now du
Re: (Score:3)
The much more important question is, "What directories were exposed, and what was in them?"
If -- and I mean if -- it's only /pub, and there's nothing in /pub then what's to worry about?
Vulnerabilities in the FTP server and, far more likely, misconfigurations that mean that /pub isn't the only thing exposed. If a system is badly misconfigured enough to have an FTP server enabled by accident, what are the odds that it's configured correctly and patched up?
Re: (Score:1)
Regardless of the presence of state actors wanting to interfere in our elections...
WHAT KIND OF MORON RUNS FTP ON AN ELECTIONS SERVER?
Well... You could ask Brian Kemp, Georgia's Secretary of State and the Republican gubernatorial candidate in Georgia. He's overseeing his own election.
He and his office just (two days before the election), without citing any evidence, just opened an investigation [nytimes.com] (and other sources) into Georgia Democrats over an alleged ‘hack’. Maybe it was an FTP hack.
Re: (Score:1)
Plausible deniability. Manipulation of a secure system would leave very few possible suspects.
Re: Oh Good Lord (Score:2)
If you leave your front door hanging wide open, there's very little chance a burglar will try to climb in the window.
Re: (Score:2)
While I do have to wonder why anyone would run an FTP server on a server being used for Elections (what EXACTLY is an election server?), what has been described is not necessarily a problem.
A properly configured FTP server used to be how the Internet shared files, long before WWW became as abused as it is today. Anonymous login is/was a feature that is/was routinely used.
Assuming a secure and intelligent setup and purpose for the FTP server, sharing data is not necessarily an issue.
Perhaps I should read the
Re: Intruders, oh my! (Score:2)
Rumor has it that AWS us-east-1, at least, is protected by a SAM battery (among other things, no doubt).
Pure FUDD (Score:1)
This article is so much FUDD that it disgusts me.
Yes, the servers that allow people to register and post the election results are connected to the Internet and they should have FTP so the public can get election data.
The missing part is that the tabulation servers and equipment are air gapped and on their own separate system, as well as the state database that maintains registration. Can you hack the site and change the results? Yes, you can change the html export from the tabulation system to say whatever y
Is it really necessary (Score:1)
This the kind of razorsharp technical analysis we' (Score:2)
Yea, there's this thing called the Internet, it's like a network of computers that can connect to other computers o
Oblig XKCD (Score:3)
there is nothing wrong with ftp (Score:2)
there is nothing wrong with ftp, as long as it is used in the correct way.
FTP still has uses. (Score:2)
I still use FTP for file transfer. It's simple to set up and has many good features, it's extremely handy for transferring multiple and large files. I mean what else are you going to use? HTTP? Good luck trying to transfer that 500GB file without restarting the transfer when you are losing the connection every once in a while. FTP has restarts and retries and I don't see how you are going to get that with HTTP. FTP isn't insecure by default, it's just as secure as any other protocol.