I am beginning to think that America really doesn’t have any tech guys worth a damn. Oh sure, they make all sorts of 4K unboxing videos of a new iPhone and iPad, but those with mad skillz who go after Russian sonsofbitches and their GOP proxies as some kind of patriotic duty? Non-existent.
Which means we’re left with functionaries who have no clue how anything electronic works but are in charge of it because why not have the office secretary manage it as well? I mean, that person also does the website and is pretty good at setting up a listserv. Overqualified!
2 Likes
To recap / expand:
- FTP is not secure nor securable. The ONLY acceptable use for FTP (as opposed to FTPS or SFTP) past ~2000, and in a site where state-level bad actors have a vested interest, is as a read-only dump of data that is not at all critical and that NO processes depend on being reliable. Incoming AND outgoing data can be spoofed, easily by a state-level bad actor such as would be interested in manipulating elections data. Man-in-the-middle attacks are trivial.
- If the state had a solid multi-layer security mechanism for encrypting the data here in the FTP server, they should be eager to publish two or more “outer” layers to that mechanism. Security is best done in the open, where a community effort can highlight vulnerabilities so they are fixed, rather than well-funded efforts finding and then exploiting those vulnerabilities for profit.
- If the state had a multi-layer security mechanism for encrypting the data in the FTP server, a competent administrator would STILL insist on encryption-in-transit (SFTP or FTPS, as examples) as an additional layer.
- The fact that these states are claiming they have a solid multi-layer security effort into which their use of an FTP server fits naturally, without either explaining why they insist on FTP over a secure alternative or giving high-level details of how that security is obtained, is highly suspicious. Such an approach to security would disqualify any third-party vendor in my company, and we work with sensitive data that is nowhere near as interesting to state-level actors as elections data.
- Just as a nuance of this:
In addition, ProPublica found Maine’s FTP service on the same internet address as a state website that directs voters to their local polling places. But Kristen Schulze Muszynski, a spokeswoman for the Maine secretary of state, said the FTP service ran on a computer server separately from the lookup tool.
… it is possible that both the FTP and HTTP (local polling place lookup tool) servers are sitting behind a NAT firewall, which will look externally like a single internet address with both services running but internally routes to discrete servers (or clusters of servers). If we already trusted this department’s security, that would be sufficient; given that they are already running an insecure FTP service and are not giving visibility into any overall system which alleviates the FTP vulnerabilities, I am highly suspicious of this claim. Likely the two are on different servers, but without a strong and multi-layered firewall separating the two in a way which would stop a takeover of the FTP server’s OS from escalating to the HTTP server as well.
3 Likes
The FTP server in Wisconsin required a password. Kentucky’s didn’t.
The fact that some of these are prompting for a username/password is to me more distressing than the “wide open” ones. FTP usernames and passwords are sent in clear text. A state level attack will capture the entered username/password as Step 1 and then use that access to do whatever they want. Username/password in FTP is completely security theater when you are considering state-level bad actor attacks. It gives a false sense of security, which means that other defenses are less likely to be in place or rigorously followed.
If the username/password combination is shared with other systems (and 99% of the time it is) then congratulations; you’ve also given that state-level actor access to other related systems, through the front door.
While Kentucky’s wide-open FTP server is distressing, Wisconsin’s server that requires more of legitimate users without more than a bump in the road for a hacker is far worse.
4 Likes
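The two posts above make the same technical point: everything on an FTP control channel, including USER and PASS, is cleartext to anyone on the network path. The following is an added example, not code from either poster or from ProPublica. It reassembles a constructed (not captured) control-channel exchange the way a passive sniffer would and pulls out every login attempt, then adds the one check a defender can run against a real server's FEAT reply: whether it even advertises AUTH TLS (RFC 4217). The hostname, usernames and passwords are invented for illustration.

```python
"""
Added example (not from the thread): what a passive observer on the
network path sees of an FTP login, and a check for whether a server
offers TLS on the control channel at all. The "capture" is constructed.
"""

# Constructed control-channel exchange, both directions interleaved the
# way a sniffer that reassembles both sides of the TCP stream would see it.
CONSTRUCTED_CAPTURE = [
    ("S", b"220 ftp.example.invalid FTP server ready\r\n"),
    ("C", b"USER elections_upload\r\n"),
    ("S", b"331 Password required for elections_upload\r\n"),
    ("C", b"PASS Winter2017!\r\n"),
    ("S", b"230 User elections_upload logged in\r\n"),
    ("C", b"CWD /results/county\r\n"),
    ("S", b"250 CWD command successful\r\n"),
    ("C", b"USER auditor\r\n"),
    ("S", b"331 Password required for auditor\r\n"),
    ("C", b"PASS wrong\r\n"),
    ("S", b"530 Login incorrect\r\n"),
]


def extract_ftp_logins(capture):
    """Return (user, password, succeeded) for every login attempt.

    RFC 959 sends USER and PASS as plain ASCII; the server's 230 / 530
    reply tells the observer whether the pair actually works.
    """
    results = []
    pending_user = None
    pending_pass = None
    for direction, raw in capture:
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        if direction == "C":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                pending_user, pending_pass = arg, None
            elif cmd == "PASS":
                pending_pass = arg
        else:
            code = line[:3]
            if pending_user is not None and pending_pass is not None \
                    and code in ("230", "530"):
                results.append((pending_user, pending_pass, code == "230"))
                pending_user = pending_pass = None
    return results


def ftp_offers_tls(feat_reply: bytes) -> bool:
    """True if a FEAT reply (RFC 2389 format) lists AUTH TLS.

    Feature lines are indented by one space; the 211- / 211 framing
    lines are not and must not be matched.
    """
    for line in feat_reply.decode("ascii", errors="replace").splitlines():
        if not line.startswith(" "):
            continue
        words = line.split()
        if words and words[0].upper() == "AUTH" and \
                any(w.upper() == "TLS" for w in words[1:]):
            return True
    return False


# Constructed FEAT replies: one server that can do FTPS, one that cannot.
FEAT_WITH_TLS = b"211-Features:\r\n UTF8\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"
FEAT_PLAIN = b"211-Features:\r\n UTF8\r\n MDTM\r\n SIZE\r\n211 End\r\n"

if __name__ == "__main__":
    for user, password, ok in extract_ftp_logins(CONSTRUCTED_CAPTURE):
        print(f"{user!r} / {password!r} -> {'valid' if ok else 'rejected'}")
    print("AUTH TLS offered:", ftp_offers_tls(FEAT_WITH_TLS), ftp_offers_tls(FEAT_PLAIN))
```

The sniffer needs no exploit: it only reads. Note also that even a server that advertises AUTH TLS is no better than plain FTP unless it refuses logins that do not negotiate it, so the FEAT check tells you what is possible, not what is enforced.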
Don’t you worry. They’ve trained their employees to be on the lookout for people with AOL diskettes. They might be Ruskies.
3 Likes
“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered.”
Redacted: “We’ve even got this fella who stands by the door on election day, and if any malicious files get in, he pulls 'em out and throws them in the dumpster.”
2 Likes
Well, properly implemented, with strong ACLs, FTP is just fine to use.
However, most admins don’t know how to do it properly, and they should at LEAST be using SFTP (Secure File Transfer Protocol) in its place and require TFA (Two Factor Authentication) to log in to it.
But remember, most Government IT work is given to the lowest-bid contractor, and you get what you pay for.
2 Likes
You would normally expect the following:
- Red-yellow-green zones (pick your favorite colors). The red zone is usually where the systems that do work will reside. The green zone is wide open to the Internet. The yellow zone is also called the “DMZ”.
- The zones are separated by firewalls. “Firewall” is the term for a device (usually built out of router guts, these days you can buy one for your home network) that can filter network traffic. One of those firewalls (or the routers that are also part of the network) has both a proxy and something called NAT, or network address translation. External internet addresses are mapped to internal addresses; those internal addresses have no meaning outside the inner zones. You can’t ping random addresses hoping to hit someone.
- There are separate firewall rules for the green-yellow and yellow-red boundary. If I have an internal application and it wants to listen on HTTP, it doesn’t listen on port 80, the usual place that browsers look when you type http://www.whatever.com. It picks some off-the-wall port like 8080 or 9080 (these are common ones); nobody is listening on 8080 or 9080. In the DMZ is a proxy that maps from 80 to 8080. The firewall will pass port 8080 if it is coming from the proxy (which must authenticate itself using TLS, so that only the proxy can do so; an intruder in the DMZ can’t access port 8080 or whatever).
- The outside firewall will accept port 80 but only to connect to the proxy server.
- All of the systems in question have their own security.
This is how banks do it. (And they still screw up, although in a lot of cases it involves an inside job. I’m sure nobody in the Kentucky SoS office would participate in an inside job, now would they?)
Oh yes. If you do use an externally visible file transfer utility (these are typically secured beyond SFTP and the like, and the data itself is signed when it is encrypted), both its internal storage (the place where copies are kept) and the data when transmitted are encrypted. The same thing happens with any internal databases.
And you do NOT have shared userids and passwords, and you DO enforce reasonable password rules. (“mypassword0” won’t do, nor will anything that looks like a birthdate or a license plate number.) You also have a sacrosanct rule that says, “do not tell anyone else your password.” They are stored with one way encryption so nobody can find out what they are.
Oh yes, if employees work at home, their laptops will have a VPN client that has its own path into the network and that can’t get into network infrastructure or DMZs, even if the user is otherwise allowed to do so. These all use two-factor authentication, usually consisting of your password and one of those stupid little SecurID keys.
And for God’s sake, you have a separate audit trail! On voting machines, these are called paper ballots.
3 Likes
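The zoning the post above describes is easy to state and easy to get subtly wrong, so here is an added example (not the poster's code, and not any real firewall's syntax) of the two boundary policies as a first-match, default-deny evaluator. Host names (`proxy`, `app`, `ftp`), the address 203.0.113.7 and the ports are assumptions chosen for illustration. It models only address/port filtering at the two boundaries; the proxy authenticating itself to the application with TLS, which the post also mentions, happens at the application and is not shown here.

```python
"""
Added example (not from the thread): a minimal first-match, default-deny
model of the green (Internet) / yellow (DMZ) / red (internal) zoning.
All hosts, addresses and ports are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str    # "green", "yellow" or "red"
    src_host: str
    dst_zone: str
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str    # "*" matches any host in the source zone
    dst_zone: str
    dst_host: str    # "*" matches any host in the destination zone
    dst_port: int    # 0 matches any port
    action: str      # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone
                and self.src_host in ("*", f.src_host)
                and self.dst_zone == f.dst_zone
                and self.dst_host in ("*", f.dst_host)
                and self.dst_port in (0, f.dst_port))


# Outer (green->yellow) boundary: the Internet may reach only the proxy,
# and only on 80. Nothing else in the DMZ, including an FTP host that
# happens to live there, is reachable from outside.
OUTER_RULES = [
    Rule("green", "*", "yellow", "proxy", 80, "allow"),
]

# Inner (yellow->red) boundary: only the proxy may reach the application's
# off-port 8080. Any other DMZ host, compromised or not, is stopped here.
INNER_RULES = [
    Rule("yellow", "proxy", "red", "app", 8080, "allow"),
]


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; falling off the end means deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def crossing_allowed(flow: Flow) -> bool:
    """Decide a zone crossing. Green->red has no path at all (the Internet
    never talks to the inner zone directly), and any crossing we have no
    policy for is denied rather than allowed."""
    boundary = (flow.src_zone, flow.dst_zone)
    if boundary == ("green", "yellow"):
        return evaluate(OUTER_RULES, flow) == "allow"
    if boundary == ("yellow", "red"):
        return evaluate(INNER_RULES, flow) == "allow"
    return False


if __name__ == "__main__":
    # Constructed flows: a browser, an attacker probing the app directly,
    # the proxy doing its job, and a compromised DMZ FTP host pivoting.
    samples = [
        Flow("green", "203.0.113.7", "yellow", "proxy", 80),
        Flow("green", "203.0.113.7", "red", "app", 8080),
        Flow("yellow", "proxy", "red", "app", 8080),
        Flow("yellow", "ftp", "red", "app", 8080),
        Flow("green", "203.0.113.7", "yellow", "ftp", 21),
    ]
    for f in samples:
        print(f"{f.src_zone}:{f.src_host} -> {f.dst_zone}:{f.dst_host}:{f.dst_port}"
              f"  {'ALLOW' if crossing_allowed(f) else 'deny'}")
```

The design point is that the default sits at the end of every rule list and is deny, and that the inner boundary names the proxy as the only permitted source. A source-host match is a filter, not an authentication, which is why the post's extra step of having the proxy prove itself with TLS matters: an attacker who takes over the proxy host inherits its firewall allowance.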
… KY’s approach to security being, “Hacking is okay, if it’s Russians helping the GOP.”
1 Like