Server image mystery in Georgia election security case

July 3, 2019

By FRANK BAJAK

The case of whether hackers may have tampered with elections in Georgia has taken another strange turn.

Nearly two years ago, state lawyers in a closely watched election integrity lawsuit told the judge they intended to subpoena the FBI for the forensic image, or digital snapshot, the agency made of a crucial server before state election officials quietly wiped it clean. Election watchdogs want to examine the data to see if there might have been tampering, given that the server was left exposed by a gaping security hole for more than half a year.

A new email obtained by The Associated Press says state officials never did issue the subpoena, even though the judge had ordered that evidence be preserved, including from the FBI.

The FBI data is central to activists’ challenge to Georgia’s highly questioned, centrally administered elections system, which lacks an auditable paper trail and was run at the time by Gov. Brian Kemp, then Georgia’s secretary of state.

The plaintiffs contend Kemp’s handling of the wiped server is the most glaring example of mismanagement that could be hiding evidence of vote tampering. They have been fighting for access to the state’s black-box voting systems and to individual voting machines, many of which they say have also been altered in violation of court order.

Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.

MORE

WhatsApp flaw let spies take control with calls alone

whatsapp nsoMay 14, 2019

By FRANK BAJAK and RAPHAEL SATTER

Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of phones without any user interaction.

The Financial Times identified the hacking group as Israel’s NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

WhatsApp all but confirmed the identification, describing hackers as “a private company that has been known to work with governments to deliver spyware.” A spokesman for the Facebook subsidiary later said: “We’re certainly not refuting any of the coverage you’ve seen.”

WhatsApp has released a new version of the app containing a fix.

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle. The malware allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones and vacuuming up personal and location data. Encryption is worthless once a phone’s operating system has been violated.

Hackers are always looking for flaws in apps and operating systems that they can exploit to deliver spyware. State-run intelligence agencies including the U.S. National Security Agency invest tens of millions of dollars on it. Indeed, Google’s ProjectZero bug-hunting team scoured WhatsApp last year looking for vulnerabilities but did not find any. Instead, it was WhatsApp’s security team that found the flaw.

MORE

 

Microsoft offers software tools to secure elections

May 6, 2019

By FRANK BAJAK

Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast.

Two of the three top U.S elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems.

The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections.

CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.”

Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems.

Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash.

None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver.

MORE

 

How Facebook stands to profit from its ‘privacy’ push

March 8, 2019

By FRANK BAJAK

At first glance, Mark Zuckerberg’s new ”privacy-focused vision ” for Facebook looks like a transformative mission statement from a CEO under pressure to reverse years of battering over its surveillance practices and privacy failures.

But critics say the announcement obscures Facebook’s deeper motivations: To expand lucrative new commercial services, continue monopolizing the attention of users, develop new data sources to track people and frustrate regulators who might be eyeing a breakup of the social-media behemoth.

Facebook “wants to be the operating system of our lives,” said Siva Vaidhyanathan, director of media studies at the University of Virginia.

zuck hearing

Zuckerberg’s plan, outlined Wednesday, expands Facebook’s commitment to private messaging, in sharp contrast with his traditional focus on public sharing. Facebook would combine its instant-messaging services WhatsApp and Instagram Direct with its core Messenger app so that users of one could message people on the others, and would expand the use of encrypted messaging to keep outsiders — including Facebook — from reading the messages.

The plan also calls for using those messaging services to expand Facebook’s role in e-commerce and payments. A Facebook spokesperson later said it was too early to answer detailed questions about the company’s messaging plans.

Vaidhyanathan said Zuckerberg wants people to abandon competing, person-to-person forms of communication such as email, texting and Apple’s iMessage in order to “do everything through a Facebook product.” The end goal could be transform Facebook into a service like the Chinese app WeChat , which has 1.1 billion users and includes the world’s most popular person-to-person online payment system.

MORE

 

Ahead of court ruling, Census Bureau seeks citizenship data

March 7, 2019

By GARANCE BURKE and FRANK BAJAK

As the U.S. Supreme Court weighs whether the Trump administration can ask people if they are citizens on the 2020 Census, the Census Bureau is quietly seeking comprehensive information about the legal status of millions of immigrants.

Under a proposed plan, the Department of Homeland Security would provide the Census Bureau with a broad swath of personal data about noncitizens, including their immigration status, The Associated Press has learned. A pending agreement between the agencies has been in the works since at least January, the same month a federal judge in New York blocked the administration from adding the citizenship question to the 10-year survey.

On Wednesday, a federal judge in California also declared that adding the citizenship question to the Census was unconstitutional, saying the move “threatens the very foundation of our democratic system.”

The data that Homeland Security would share with Census officials would include noncitizens’ full names and addresses, birth dates and places, as well as Social Security numbers and highly sensitive alien registration numbers, according to a document signed by the Census Bureau and obtained by AP.

Such a data dump would be apparently unprecedented and give the Census Bureau a view of immigrants’ citizenship status that is even more precise than what can be gathered in door-to-door canvassing, according to bureau research.

Supreme Court Census

 

Experts: US anti-Huawei campaign likely exaggerated

February 28, 2019

By FRANK BAJAK

Since last year, the U.S. has waged a vigorous diplomatic offensive against the Chinese telecommunications giant Huawei, claiming that any nation deploying its gear in next-generation wireless networks is giving Beijing a conduit for espionage or worse.

But security experts say the U.S. government is likely exaggerating that threat. Not only is the U.S. case short on specifics, they say, it glosses over the fact that the Chinese don’t need secret access to Huawei routers to infiltrate global networks that already have notoriously poor security.

State-sponsored hackers have shown no preference for one manufacturer’s technology over another, these experts say. Kremlin-backed hackers, for instance, adroitly exploit internet routers and other networking equipment made by companies that are not Russian.

If the Chinese want to disrupt global networks, “they will do so regardless of the type of equipment you are using,” said Jan-Peter Kleinhans, a researcher at the Berlin think tank Neue Verantwortung Stiftung.

One of the most common U.S. fears — that Huawei might install software “backdoors” in its equipment that Chinese intelligence could use to tap into, eavesdrop on or interrupt data transmissions — strikes some experts as highly unlikely.

Priscilla Moriuchi, who retired from the National Security Agency in 2017 after running its Far East operations, does not believe the Huawei threat is overblown. But she called the odds of the company installing backdoors on behalf of Chinese intelligence “almost zero because of the chance that it would be discovered,” thus exposing Huawei’s complicity.

MORE

 

Georgia governor’s race roiled by election security charges

November 5, 2018

By BILL BARROW and FRANK BAJAK

ATLANTA (AP) — The bruising race for governor of Georgia has been roiled by unsupported, eleventh-hour allegations from Republican candidate Brian Kemp, who is also the state’s chief election official, that Democrats sought to hack the voter registration system.

His Democratic opponent, Stacey Abrams, said he is making a baseless accusation to deflect attention from an apparently severe security flaw in the system Kemp is responsible for overseeing.

Here’s a look at the dispute, how it unfolded and what’s at stake.

THE ALLEGATION

Kemp asked the FBI on Sunday to investigate the Democratic Party, accusing it of trying to hack the system he controls as secretary of state. He offered no evidence in support of his request for a probe of the opposition.

The FBI declined to comment.

Kemp leveled the allegation after an attorney for election-security advocates notified the FBI and Kemp’s office on Saturday that a private citizen alerted him to what appeared to be a major flaw in the database used to check in voters at the polls.

Independent computer scientists told The Associated Press that the flaw would enable anyone with access to an individual voter’s personal information to log on to Georgia’s MyVoter registration portal and alter or delete any voter’s record, potentially causing havoc.

MORE

US election integrity depends on security-challenged firms

October 29, 2018

By FRANK BAJAK

It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server.

Later, at a tense hearing , Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services.

The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data.

Election Vendors Image

The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security.

A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling.

The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.

In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.

“They cobble things together as well as they can,” University of Connecticut election-technology expert Alexander Schwartzman said of the industry leaders. Building truly secure systems would likely make them unprofitable, he said.

MORE

ICE shutters detention alternative for asylum-seekers

June 9, 2017

By FRANK BAJAK

HOUSTON (AP) — The Trump administration is shutting down the least restrictive alternative to detention available to asylum-seekers who have entered the U.S. illegally in what it calls a cost-cutting measure that will favor programs with higher deportation rates.

Immigration activists consider the move a callous insult to migrants fleeing traumatic violence and poverty — nearly all the program’s participants are Central American mothers and children — by a White House that has prioritized deportations that break up families over assimilating refugees.

“This is a clear attempt to punish mothers who are trying to save their children’s lives by seeking protection in the United States,” said Michelle Brane of the nonprofit Women’s Refugee Commission. “I think it’s crazy they are shutting down a program that is so incredibly successful.”

The overwhelming majority of asylum-seekers that U.S. Immigration and Customs Enforcement spares confinement at family detention centers — about 70,000 —have been placed in an intrusive “intensive supervision” program as they await court hearings on whether they can stay in the U.S.

GPS ankle monitors are strapped on three in seven. The wearers, mostly women, complain of bruises and public ostracism.

The Family Case Management Program that is being shuttered had 630 families enrolled as of April 19. Essentially a counseling service, it has operated in Chicago, Miami, New York, Los Angeles and Baltimore/Washington, D.C., since January 2016 and the contract was renewed in September for one year. Social workers help participants find lawyers, navigate the overburdened immigration court system, get housing and health care, and enroll the kids in school.

Women who previously would have been eligible can now expect to be put on ankle monitors, said Lilian Alba, program manager at the International Institute of Los Angeles, one of the community-based agencies running the program.

MORE

Mobile carriers cut off flow of location data to brokers

By FRANK BAJAK

Verizon, AT&T, Sprint and T-Mobile have pledged to stop providing information on U.S. phone owners’ locations to data brokers, stepping back from a business practice that has drawn criticism for endangering privacy.

The data has apparently allowed outside companies to pinpoint the location of wireless devices without their owners’ knowledge or consent. Verizon said that about 75 companies have been obtaining its customer data from two little-known California-based brokers that Verizon supplies directly — LocationSmart and Zumigo.

Verizon was the first major carrier to declare it would end sales of such data to brokers that then provide it to others. It did so in a June 15 letter to Sen. Ron Wyden, an Oregon Democrat who has been probing the phone location-tracking market. AT&T, T-Mobile and Sprint followed suit Tuesday after The Associated Press reported the Verizon move.

None of the carriers said they are getting out of the business of selling location data. The carriers together have more than 300 million U.S. subscribers

FULL ARTICLE