This was a big week with the US election drawing concerns about election security. Despite widespread worry about election interference from state-sponsored hackers, one trend we saw in the week’s election security news was a focus on internal threats.
On Tuesday, Politico reported that watchdog groups and online researchers were on high alert for any signs of people using social media to try to upend the midterm elections. Their biggest concerns were not the Russians but Americans, a growing force behind efforts on Facebook and Twitter to suppress turnout, confuse or anger voters, or otherwise spread false rumors that could tip tight races or shake faith in the results. According to the story, in many cases these homegrown American “trolls” are adopting the same tactics that Russian operatives used in 2016 to disrupt the U.S. presidential election.
As Bugcrowd Founder Casey Ellis wrote in a blog post on the news,
“The fact that five security professionals took a trivial amount of time to identify the ‘My Vote Page’ system within Georgia’s voting infrastructure was vulnerable is only part of the issue. The most troubling issue from my standpoint is exactly what Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy — that ‘Instead of holding the custodian of the data responsible for not protecting it, the people who find the flaw are attacked.’”
Similar news continued yesterday, with Motherboard reporting that an election security expert who had done risk assessments in several states starting in 2016 recently found a reference manual, created by California-based voting machine vendor Unisyn Voting Solutions for county election officials, that lists critical usernames and passwords for the vendor’s tabulation system. Additionally, the passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor’s name.
Outside of the election, this week The Register reported that once again, home routers have been targeted via a Universal Plug and Play (UPnP) vulnerability first discovered in 2013. The botnet included more than 100,000 home routers.
Meanwhile in the UK, Reuters and the BBC reported the Bank of England planned to test the financial sector’s ability to withstand a major cyber attack in a one-day exercise in partnership with the finance ministry and the Financial Conduct Authority. “The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole,” the BoE said in a statement.
At Bugcrowd, we’re always bolstered by this type of news. Identifying vulnerabilities early and often is the best way to help prevent a breach. As more companies and agencies adopt a stronger stance on security, we can hope to see a more secure internet in the future.
That’s all for this week. Have a great and safe weekend.
Happy Veterans Day, and to all those who have served, thank you.