Security on the network that will host the Interstate Crosscheck Program this year is markedly improved from that of its previous host, according to a top security firm, and soon the Department of Homeland Security will lend its own expertise to hardening the network as part of its review of state election systems.
Nevertheless, experts warn that the bolstered security may do little to fend off targeted cyberattacks. After weeks of testimony, Kansas lawmakers, both Republicans and Democrats, are even less convinced that Secretary of State Kris Kobach’s office is equipped to keep sensitive voter data from as many as 27 states out of malicious hackers’ hands.
Fewer still are enthused about the prospect of the state being held financially liable should any of those records be compromised—again.
The Crosscheck program, which rolls out at the start of each year and strives to identify possible double voter registrations, previously relied on a server maintained by the Arkansas Secretary of State’s office to send and receive sensitive voter data from more than two dozen states participating in the program. The records passed from Arkansas to Kobach’s office where the records were cross-checked for potential double voters. The results of Crosscheck’s analysis (the methodology of which has been disputed by academic research) were then transmitted back to Arkansas to be collected by participating states.
This year, however, the program will be housed entirely under Kobach’s roof, where staff are scrambled to harden the office’s network security even as the usual mid-January deadline for submitting voter data has already come and gone. The upgrades follow reports by Gizmodo and ProPublica in November 2017 that detailed critical vulnerabilities in the Arkansas government’s network, as well as a number of security incidents exposing sensitive voter information—including partial Social Security numbers. (Despite Crosscheck’s new urgency with regard to security, Kobach has been dismissive of Gizmodo and ProPublica’s findings in his public statements.)
Researchers at the Boston-based security firm Netragard concluded this week that the Kansas Secretary of State’s office was “far better protected” than its counterpart in Arkansas. But that assessment came with a number of caveats warning about the potential for yet another security misstep.
As with most government domains, Kobach’s office is assigned its own IP range and has its own network and infrastructure and, based on recent changes observable through publicly available information, its security appears to have been recently hardened. However, the rest of the Kansas government’s IT infrastructure is considerably less secure. And while Kobach’s network (sos.ks.gov) is better managed, many other networks associated with the ks.gov domain are, experts said, “significantly exposed.”
Ultimately, the researchers found that infiltration of the larger Kansas government, by even a modestly proficient hacker, would be all but guaranteed.
Essentially, Crosscheck’s ability to keep sensitive voter data from falling into the hands of novice hackers is inextricably tied to the architecture of its host (i.e., the State of Kansas). A single unsecured connection between the Secretary of State’s network and the other networks hosted by the state may pose an imminent threat to Crosscheck, Netragard found.
“Kobach’s office is likely at increased risk due to what appears to be extreme vulnerability in other ks.gov networks,” said Adriel Desautels, Netragard’s founder and CEO. “If an attacker were to breach one of the other ks.gov networks then they’d likely be able to leverage that access to breach the Kansas Secretary of State’s office via the exploitation of existing trust relationships.”
As just one example, at the time of writing, Kansas was hosting two printers that both appear accessible by virtually anyone online. Neither is protected by a password. Even a seemingly innocuous device, such as a printer, can serve as an entry point for a hacker dead set on infiltrating a network.
“One of our recent penetration testing engagements leveraged a printer that did not have any administrative password set,” Desautels said of Netragard’s work testing one of its clients’ security. “We were able to use information that we extracted from the printer to eventually compromise the entire corporate domain.”
While declining to provide specifics, Kansas Director of Elections Bryan Caskey told Gizmodo on Wednesday that an “additional layer of security” exists between the Secretary of State’s office and every other state agency.
“The state has their own firewall and their stuff and then we have another layer on top of that,” he said. “We only allow traffic between ourselves and other state agencies for very specific purposes.” The ongoing security review will be examining the way in which data is transmitted between the agency’s office and others, he added.
Despite offering better security than its Arkansas counterpart, the Kansas Secretary of State’s office “does not adhere to industry best practices based on what we could see in publicly available information,” Desautels said. At least not at present. For example, Netragard was able to identify what it believed to be VPN services using single-factor authentication rather than two-factor authentication. This means that if an attacker were able to get login credentials, they would likely be able to access the network without detection. How would an attacker get access to credentials to begin with?
“We do it on every single realistic threat engagement we have,” Desautels explained. “There are multiple avenues of attack here, none of which are particularly complex. The best path would be social engineering.” That may include convincing someone at the Kansas office to surrender their credentials, because they believe the person with whom they are speaking is a boss, colleague, or authorized IT professional; phishing them with a fake form designed to capture usernames and passwords; or else just infecting them with some undetected malware delivered via email or a myriad of other ways. (Netragard once compromised a client by mailing an employee a “free” USB mouse loaded with malware.)
From the outside, it’s difficult to say precisely how secure Kobach’s network currently is. Without permission, Netragard can only conduct what’s called “passive reconnaissance” on the network—meaning their research relies on services like Censys, DomainTools, Google, basic DNS enumeration, and the normal browsing of public-facing web pages. That is to say, while the researchers had high confidence a breach was achievable, their findings are limited to publicly available information. Scanning or testing the network any further without permission would be illegal.
And that’s important because the limitations of Netragard’s previous analysis were dismissed by Kobach in testimony two weeks ago before the Kansas House Elections Committee. “I did read the article that suggested, ‘Oh, this would be easy, anyone could hack it,’” he told the legislators, referring to Gizmodo’s November 9th article, which detailed security flaws in the Arkansas government’s network. “Well, they haven’t,” he boasted. “They didn’t succeed in hacking it.”
In reality, Netragard attempted no such hack, which is unnecessary to perform a surface-level security analysis; in fact, doing so would have been a felony.
In testimony on Monday before the Kansas House Government, Technology, and Security Committee, Caskey made a number of questionable claims about the security of the Crosscheck program, all of which called into question his comprehension of the issue at hand. But as he told Gizmodo by phone, “I’m not an IT expert.”
The first was in response to a question from Kansas Rep. Pam Curtis, who inquired about the steps taken following Gizmodo’s disclosure of vulnerabilities on the Arkansas network, which previously hosted Crosscheck data for roughly two months every year. Caskey responded, in part: “We asked Arkansas to do a complete scan to see if any unauthorized access had taken place. None had taken place.” (Emphasis ours.)
To be clear: There is no “scan” that can detect a data breach after it has occurred with any real degree of confidence.
“If they did a vulnerability scan, there’s no chance in hell that they would detect a breach,” Desautels said. “When you’re ‘scanning’ for vulnerabilities, you’re looking for ways to breach systems; you’re not looking for evidence that systems have already been breached.” If a hacker does breach a system but fails to leave open any obvious ports or backdoors, a “scan” is essentially worthless.
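An added illustration of the distinction Desautels draws, written for this edit and not taken from the article, Netragard, or either state: a vulnerability scan inspects the server's present state, while answering "was there unauthorized access?" requires replaying retained access logs against what is expected. The FTP log lines, IP addresses, account name, and allow-list below are all constructed for the example.

```python
import re

# Constructed snapshot of what a scan observes: the server's *current* state.
# A hardened server yields a clean scan even if it was breached last month.
SCAN_SNAPSHOT = {"port": 21, "anonymous_login": False, "tls_required": True}

# Constructed vsftpd-style access log (hypothetical account and addresses).
ACCESS_LOG = """\
Tue Jan 9 02:14:07 2018 [pid 412] [crosscheck_ks] OK LOGIN: Client "203.0.113.40"
Tue Jan 9 02:15:10 2018 [pid 412] [crosscheck_ks] OK DOWNLOAD: Client "203.0.113.40", "/data/KS_2018.csv", 2048 bytes, 10.2Kbyte/sec
Thu Jan 11 23:41:33 2018 [pid 517] [crosscheck_ks] OK LOGIN: Client "198.51.100.7"
Thu Jan 11 23:42:01 2018 [pid 517] [crosscheck_ks] OK DOWNLOAD: Client "198.51.100.7", "/data/KS_2018.csv", 2048 bytes, 9.8Kbyte/sec
"""

# Hypothetical allow-list: each state's account is expected only from that
# agency's known egress address.
ALLOWED_SOURCES = {"crosscheck_ks": {"203.0.113.40"}}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK (?P<action>LOGIN|DOWNLOAD): Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def scan_findings(snapshot):
    """What a vulnerability scan reports: weaknesses present *now*.
    Nothing in the result speaks to whether access already occurred."""
    findings = []
    if snapshot["anonymous_login"]:
        findings.append("anonymous FTP login enabled")
    if not snapshot["tls_required"]:
        findings.append("credentials sent in cleartext")
    return findings


def review_access_log(log, allowed):
    """Breach review: replay retained logs and flag successful logins and
    downloads from a source the account is not expected to use."""
    suspicious = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["ip"] not in allowed.get(m["user"], set()):
            suspicious.append((m["user"], m["ip"], m["action"], m["path"]))
    return suspicious
```

On the constructed data the scan comes back empty while the log review flags a login and a download of the voter file from an address the account never uses, which is exactly the evidence a scan cannot produce.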
“Maybe my word usage wasn’t as careful as it should have been in responding to a question,” Caskey said. “We were in contact with Arkansas officials and they were reviewing to see if any unauthorized access had taken place on the Arkansas FTP server, and I was told that it had not. So, the use of the word ‘scan’—I probably shouldn’t have used that word.”
As to whether Arkansas had hired actual forensics experts to review the server, Caskey said he could not say. The Arkansas Secretary of State’s office told Gizmodo in an email on Wednesday: “Thank you for reaching out, but we do not comment on issues of network security.”
Caskey’s other mistaken claim came as he repeatedly insisted to lawmakers that Crosscheck has never suffered a data breach. “Let me be clear,” he said, “we have never been breached. Ever. I want to say this again, and again, and again: The Interstate Crosscheck database has never been breached.”
Setting aside that years of Crosscheck data and passwords have been mistakenly exposed by human error—not hackers—the notion that the State of Kansas is equipped to detect a sophisticated breach seems, from a technical standpoint, unlikely.
Consider how many billion-dollar companies have been breached in the past two years alone—that we know about—and how many of those had sophisticated “breach-detection” tools deployed. (Hint: It was all of them.) Before its devastating breach last year, Equifax, a $6 billion company, had endorsed a product from the cybersecurity firm FireEye, boasting that its technology was protecting Equifax from targeted attacks and zero-day malware. Equifax was breached in mid-May. The breach was not discovered until July 29th. (The endorsement vanished from FireEye’s website soon after.)
“They don’t know,” Desautels said. “Just because a breach hasn’t been detected or reported, doesn’t mean it hasn’t happened. Arkansas? They wouldn’t know if they suffered a breach. If the way their network was set up offers any indication of how they manage their security, they wouldn’t know.”
Kansas Rep. Brett Parker, a Democrat who serves on the state’s House Elections Committee, told Gizmodo that the Secretary of State’s office has failed in its repeated attempts to convince lawmakers that Crosscheck is truly secure. “They say they’ve never been breached, but what they mean is that they’ve never detected a breach, and the difference between those two should be concerning to us,” he said.
A source with knowledge of lawmakers’ concerns told Gizmodo that Kansas Republicans have also voiced skepticism about Crosscheck’s security. In public hearings, Republicans have repeatedly pressed Kobach’s office to respond to concerns about the financial liability they fear the state could face in the aftermath of a future data breach.
Asked about his emphatic claim that Crosscheck had “never been breached,” Caskey relented in a phone call with Gizmodo: “I always preface that comment with the phrase ‘to the best of my knowledge,’ acknowledging that, tomorrow that fact may change. I’m well aware that what I know today may be different from what I know tomorrow.”
Caskey did not, however, preface his answers with any such remark while being questioned by Kansas legislators on Monday. “If I didn’t say that... I usually am very careful about making sure that I preface that statement because no one can operate in absolutes,” he told Gizmodo, adding: “I’m not trying to say something that’s not true. I’m just saying, based on what we know today, with the tools available today, it was a factual statement.”
Crosscheck’s 2018 rollout is already beset by fresh controversy: the leak of names, dates of birth, and partial Social Security numbers for nearly 1,000 Kansans. The data had been transmitted to Florida, whose government then unintentionally released it in response to an open records request. And the promise by the Kansas elections director that past mistakes will not be repeated seems starkly at odds with Kobach’s testimony at the Kansas statehouse two weeks ago: “First of all, I would note that I wouldn’t concede that there is a problem,” Kobach said.
Software engineer Brian McClendon, a former vice president at Google and Uber who is running to take over Kobach’s seat as a Democrat, told Gizmodo that, if elected, he wouldn’t hesitate to end the Crosscheck program. “To this day, I still don’t know exactly what they do internally with the data,” he said. “Nobody seems to know after the data jumps inside their firewall what they do with it to produce such terrible results on the outside.”
McClendon said he would replace the program with one offered by ERIC, the Electronic Registration Information Center, which currently has 23 participating states, only a handful fewer than Crosscheck. Its most recent additions are Missouri and Arizona, which joined the program in the past two months.
McClendon said he had already spoken to the staff at ERIC, which uses a matching algorithm developed by Jeff Jonas, chief scientist of the IBM Entity Analytics Group, “which interestingly was the algorithm that I had looked at pretty heavily when I was at Google because we had all kinds of matching challenges with our local business data,” he said.
“Anytime a company or a government takes possession of personal data they need to protect it,” McClendon added. “There are now laws in place that if a company loses control of personal data they need to report it immediately and they need to be responsible for it. Those laws are not good enough, but they’re something.”
State governments, he said, should be “in the exact same boat.”