FTP -- the "file transfer protocol" -- is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it's alarming that it's running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.
The FBI has warned that "criminal actors" use FTP in targeting US voting systems. The Wisconsin Elections Commission and DHS have reported hacker attacks on Wisconsin voting machines in the 2016 elections.
ProPublica port-scanned the voting information systems in Kentucky and Wisconsin, which are connected to the fucking internet, and found FTP services being advertised by servers on the machines.
Kentucky's voting information systems did not require a password to access their FTP servers.
As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.
Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said.
“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.”
File-Sharing Software on State Election Servers Could Expose Them to Intruders [Jack Gillum and Jeff Kao/ProPublica]