FTP -- the "file transfer protocol" -- is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it's alarming that it's running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.
The FBI has warned that "criminal actors" use FTP in targeting US voting systems. The Wisconsin Elections Commission and DHS have reported hacker attacks on Wisconsin voting machines in the 2016 elections.
ProPublica portscanned the voting information systems in Kentucky and Wisconsin, which are connected to the fucking internet, and found FTP services being advertised by servers on the machines.
Kentucky's voting information systems did not require a password to access their FTP servers.
As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.
Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said.
“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.”
File-Sharing Software on State Election Servers Could Expose Them to Intruders [Jack Gillum and Jeff Kao/ProPublica]