Thousands of voting machine vendor employees' work emails and plaintext passwords appear in freely available third-party data breach dumps reviewed by CSO, raising questions about the security of voting machines and the integrity of past election results.
While breached sites, like LinkedIn after the 2012 breach, force users to change their passwords, a significant number of people reuse passwords on other platforms, making third-party data breaches a gold mine for criminals and spies.
For many years voting machine vendors have claimed that voting machines were air gapped — not connected to the internet — and were thus unhackable. Kim Zetter debunked that idea in The New York Times in February.
[...] CSO found five voting machine vendors in the third-party data breaches we reviewed, including more than two thousand credentials for the defunct Diebold, now owned by Dominion Voting.
[...] The breached credentials include key members of management, engineering, and operations teams for these companies. One case of password reuse over the last ten years would have been enough for an attacker to gain a foothold in a voting machine vendor's network and potentially compromise the integrity of voting machines — and election results.
Source: CSO
Related Stories
The project Protect Democracy is suing the state of South Carolina because its insecure, unreliable voting systems are effectively denying people the right to vote. The project has filed a 45-page lawsuit pointing out the inherent lack of security and inauditability of these systems and concludes that "by failing to provide S.C. voters with a system that can record their votes reliably," South Carolinians have been deprived of their constitutional right to vote. Late last year, Def Con 25's Voting Village reported on the ongoing, egregious, and fraudulent state of electronic voting in the US, a situation which has been getting steadily worse since at least 2000. The elephant in the room is that these machines are built from the ground up on Microsoft products, which is protected with a cult-like vigor standing in the way of rolling back to the only known secure method, hand counted paper ballots.
Bruce Schneier is an advisor to Protect Democracy
Earlier on SN:
Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States (2018)
Want to Hack a Voting Machine? Hack the Voting Machine Vendor First (2018)
Georgia Election Server Wiped after Lawsuit Filed (2017)
It Took DEF CON Hackers Minutes to Pwn These US Voting Machines (2017)
Russian Hackers [sic] Penetrated US Electoral Systems and Tried to Delete Voter Registration Data (2017)
5 Ways to Improve Voting Security in the U.S. (2016)
FBI Says Foreign Hackers Penetrated State Election Systems (2016)
and so on ...
(Score: 2) by frojack on Wednesday April 04 2018, @08:03AM (2 children)
The New York Times article proves nothing, and it never makes the claim that Voting machines are Not Air gapped, and certainly does not debunk that claim. It a mish-mash of confused reporting, speculating that election tampering happens when random people come into possession of a Stingray and somehow intercept telephone transmissions of data over cellular modems.
Fake news.
Gaining a password to an email account does not give anyone access to a voting machine. It doesn't even give access to the software of a voting machine.
The whole article is juvinile, and tracking down who CSO actually is amounts to an exercise in futility. Even Bloomberg doesn't know who these clowns are.
Come on AC, pick your sources more carefully. I rather suspect a planted story here.
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by takyon on Wednesday April 04 2018, @08:14AM
CSO's parent company is the Chinese-owned, American-based International Data Group [wikipedia.org] (IDG), which operates CIO, Computerworld, CSO, Macworld, Network World, PC Advisor, PC World, InfoWorld, ITworld, JavaWorld, TechWorld, and LinuxWorld.
Actual reporting from CSO looks like a happy accident.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by el_oscuro on Thursday April 05 2018, @02:22AM
You might want to read https://www.theregister.co.uk/2017/09/11/virginia_to_scrap_touchscreen_voting_machines/ [theregister.co.uk]
SoylentNews is Bacon! [nueskes.com]
(Score: 2) by maxwell demon on Wednesday April 04 2018, @09:27AM
Wait, the voting machines are now owned by Dominion [wikia.com] voting?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Funny) by DannyB on Wednesday April 04 2018, @02:42PM
Voting machines should be built only by big secure companies.
I propose that precincts should only purchase voting machine equipment built by Facebook.
Why is it that when I hold a stick, everyone begins to look like a pinata?
(Score: 1, Funny) by Anonymous Coward on Wednesday April 04 2018, @04:34PM
Is it possible to elect a voting machine to congress, then control how it votes via the internet?