佐治亞投票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？

恆智德

呢兩日佐治亞連續有兩個郡發現漏計超過2500張選票，又咁啱得咁巧兩度都係當撈侵大幅領先（一度57%，一度65%），一共追返成千三張選票差距；又咁啱得咁巧兩度都係因爲scan完嘅選票無上傳

https://xsden.info/topic/1232/ga-佐治亞-發現超過2600張選票漏計-其中六成半投畀當撈侵
https://xsden.info/topic/1236/佐治亞又計漏2700幾張選票-當撈侵又追返四百幾票

其實佐治亞個投票系統早於2016年就爆出有重大安全漏洞，更有選舉監察組向2017年提起訴訟，不過調查進展緩慢，州政府更加遮遮掩掩甚至涉嫌毀滅證據。下面詳細梳理下呢單case。

• 安全專家揭露重大安全漏洞：https://xsden.info/post/10574
• 州政府遮遮掩掩，欲蓋彌彰：https://xsden.info/post/10579

恆智德

重大安全漏洞

網絡安全專家Logan Lamb嘅證詞（宣誓書）

• 2016年8月，發現 elections.kennesaw.edu （隸屬KSU，儲存選舉數據）有安全漏洞：内容管理系統Drupal兩年之後仍未更新，儘管相關補丁2014年9月就已經發佈；軟件公司聲明話如果補丁發佈之後7個鐘無更新，就可以認爲個server已受侵害

in August 2016 I discovered serious vulnerabilities affecting elections.kennesaw.edu. The website was misconfigured so that it leaked confidential election data and the version of its content management system, Drupal, was out of date and vulnerable to a well-known exploit called drupageddon. An announcement from the Drupal security team on October 29, 2014 details how severe this vulnerability is, stating that if a vulnerable Drupal server was not updated within 7 hours of the announcement it should be assumed compromised.

• 直到2017年3月2日收到第二次警告，KSU先將以上網站撤除；3月6日FBI將server存檔

The server running elections.kennesaw.edu was taken offline on March 2nd, 2017 after KSU was notified a second time the server was still leaking sensitive election data. A forensic image of this server was created on March 6th, 2017 by the FBI.

• 遲至2019年12月先收到FBI份存檔，初步檢查之後發現四個問題：

1. 有證據顯示個server2014年12月已經被hack過
2. server log淨係去到2016年11月10日，之後就唔見（大選兩日之後）
3. 部分同選舉相關嘅文件於2017年3月2日已被刪除（網站撤除及FBI存檔之前）
4. 投票機上邊嘅BallotStation系統（而家佐治亞個版本係4.5.2!）極有可能被hacker利用，之前嘅版本4.3.15已被踢爆有類似漏洞（安裝文件包含DES key明文F2654hD4，呢條key一早就街知巷聞，用來破解投票機應該輕而易舉 ）

點解呢個server咁重要？

• 佐治亞選舉由Kennesaw State University下屬選舉系統中心（Center for Elections Systems，CSE）提供技術支持，而CES就係用 elections.kennesaw.edu 做主要server
• 呢個server儲存嘅重要資料有：BallotStation系統安裝文件，會裝落投票機度；佐治亞選民登記冊，包含可辨認嘅個人信息（personally identifiable information）；佐治亞各種選舉嘅管理軟件下面嘅數據庫
• 雖然個server已經向2017年被撤除，不過上面儲存嘅各種文件可能仲用緊，特別係各種投票機上面

恆智德

@恆智德 喺 佐治亞計票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

個server2014年12月已經被hack過

2014年12月2日，即係軟件公司發佈補丁三個月之後，個server仲未更新，有人創建咗用戶“shellshock” （shellshock本身就係安全漏洞嘅名 ，利用呢個漏洞可以操控成個server），之後出現以下活動

• 12/2/2014 10:45 – the user mpearso9 is modified using the Webmin console
• 12/2/2014 10:47 - shellshock user created using Webmin console
• 12/2/2014 10:49 - /home/shellshock/.bash_history last modified
• 12/2/2014 11:02 - /home/shellshock/shellsh0ck file is deleted
• 12/2/2014 11:06 - bash patched to version 4.2+dfsg-0.1+deb7u3 to prevent shellshock
• 12/2/2014 11:40 - shellshock user disabled using Webmin console

表面睇來，就係有人用shellshock嘅用戶名幫手補返個安全漏洞shellshock
不過修改之後嘅日誌文件.bash_history就得log out一條記錄，令人懷疑呢個人仲做過其他事，唔想俾人知
另外，hacker一般會幫手補返安全漏洞，唔俾其他人利用
當然，都唔排除係CES員工用呢種咁複雜嘅方法補返個窿

恆智德

@恆智德 喺 佐治亞計票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

投票機上邊嘅BallotStation系統（而家佐治亞個版本係4.5.2!）極有可能被hacker利用，之前嘅版本4.3.15已被踢爆有類似漏洞（安裝文件包含DES key明文F2654hD4，呢條key一早就街知巷聞，用來破解投票機應該輕而易舉 ）

2016年9月有人向IEEE Journal "Computer"屌鳩個系統
Coda in the Key of F2654hD4

• 每部投票機都係用同一條key，古羅馬時期都唔會咁做
• DES key得56位，用窮舉就可以破解，70年代中期開始就漸漸唔興

呢句直綫抽擊個投票機公司：

The Diebold debacle is fascinating chronicle of corporate irresponsibility, hubris, incompetence, political chicanery, and power politics.

唔爭在抽埋成個投票機行業 ：

Diebold's story is a shining example of the voting machine industry's heritage of stupidity and arrogance and the public's tolerance of proprietary electronics and software that have never been adequately tested by impartial, legitimate domain experts.

恆智德

@恆智德
@XsDenGuard 點睇呢一個鐘之内嘅活動？同埋shellshock呢個bug

XDen

@恆智德 就睇呢幾條log似係玩嘢，工作人員玩呢啲文字遊戲會麻煩到其他人

恆智德

州政府遮遮掩掩，欲蓋彌彰

2017年7月3日，有佐治亞選民聯同Colorado選舉監察組CGG（Coalition for Good Governance）向佐治亞Fulton County法院提告，要求推翻上月第六選區嘅選舉結果，並取締佐治亞州現有投票系統（159頁起訴書）
理由係呢個投票系統一直都有安全隱患，甚至無投票紙check返投票結果，而且從2016年開始可能就已受侵害

https://electionlawblog.org/?p=93549
A group of Georgia voters and a Colorado-based watchdog organization filed a lawsuit late Monday asking a judge to overturn the results of last month’s 6th Congressional District special election and scrap the state’s voting system.

The complaint, filed in Fulton County Superior Court, alleges that state and local election officials ignored warnings for months that Georgia’s centralized election system — already known for potential security flaws and lacking a paper trail to verify results — had been compromised and left unprotected from intruders since at least last summer.

四日之後，KSU嘅選舉系統中心就將上文講嘅server（elections.kennesaw.edu）清理一空

October 27, 2017 APNewsBreak: Georgia election server wiped after suit filed
The server’s data was destroyed July 7 by technicians at the Center for Elections Systems at Kennesaw State University, which runs the state’s election system. The data wipe was revealed in an email sent last week from an assistant state attorney general to plaintiffs in the case that was later obtained by the AP. More emails obtained in a public records request confirmed the wipe.

KSU傳媒辦公室足足一日都拒絕評論，之後先話清理係標準程序 ，同時都唔肯透露邊個落命令清理

After declining comment for more than 24 hours, Kennesaw State’s media office issued a statement late Thursday attributing the server wiping to “standard operating procedure.” It did not respond to the AP’s question on who ordered the action.

而當時州務卿Brian Kemp（共和黨人，直接負責選舉事務）嘅發言人就話，唔關我事，我乜都唔知，全部都係選舉中心嘅錯

The Kennesaw elections center answers to Georgia’s secretary of state, Brian Kemp, a Republican running for governor in 2018 and the suit’s main defendant. His spokeswoman issued a statement Thursday saying his office had neither involvement nor advanced warning of the decision. It blamed “the undeniable ineptitude” at the Kennesaw State elections center.

恆智德

@XsDenGuard 有patch唔裝，就係fix一個單丁bug，又改過log，正常員工會唔會咁玩？

XDen

@恆智德 清log係hacker基本嘢...

恆智德

@恆智德 喺 佐治亞投票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

直到2017年3月2日收到第二次警告，KSU先將以上網站撤除

原來Logan Lamb2016年就已經警告過KSU，呢個安全漏洞真係成個隕石坑咁大
個server任睇任上（Google都有收錄，識耖就肯定耖到），包括選民登記冊同大選日中央選舉伺服器嘅密碼
Lamb哥話自己都down咗15G，不過已經銷毀

June 16, 2017 AP Georgia official discounts threat of exposed voter records
Lamb discovered the security hole as he did a search of the website of the Center for Election Systems at Kennesaw State, which manages voting statewide. There, he found a directory open to the internet that contained not just the state voter database, but PDF files with instructions and passwords used by poll workers to sign into a central server used on Election Day. Lamb said he downloaded 15 gigabytes of data, which he later destroyed.

The directory of files “was already indexed by Google,” Lamb said in an interview — meaning that anyone could have found it with the right search.

“I don’t know if the vote could have been rigged, but compromising that server would have served as a great pivot point and malware could have been planted easily,” he added.

恆智德

@恆智德 喺 佐治亞投票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

Logan Lamb2016年就已經警告過KSU

Lamb哥通知咗CES嘅執事，執事叫Lamb哥咪出聲

NOV 14, 2017 https://www.wabe.org/two-georgia-election-servers-timeline/
Lamb notified Merle King, the executive director of the KSU Center for Elections Systems, where a server (elections.kennesaw.edu) was housed that contained the information Lamb accessed. King pressed Lamb not to talk to anyone about what he’d found.

點知個問題一直無處理到，直到17年2月又有人發現呢個漏洞，第二次通知CES先有人做嘢

Information security specialist Christopher Grayson accesses the server at the Center for Elections Systems and finds the same information discovered in August by Lamb is still available.

March 2017

1st: Grayson contacts a friend, Andy Green, who teaches IT security at KSU. Green discovers the vulnerability for himself and contacts KSU’s Chief Information Security Officer, Stephen Gay. Gay alerts the Center for Elections Systems of an “alleged data breach” on the server (elections.kennesaw.edu). The KSU information security office seizes the server.

仲有人通報FBI，過兩日KSU就局住交server

3rd: KSU turns the server (elections.kennesaw.edu) over to the FBI, which has recently opened an investigation into the breach.

恆智德

@恆智德 喺 佐治亞投票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

呢個安全漏洞真係成個隕石坑咁大

KSU呢間乜L野鷄學校，執柒咗算
連郵件都可以google到，上邊清空server銷毀數據嘅指令都係咁耖到

A 180-page collection of Kennesaw State emails, obtained Friday by the Coalition for Good Governments via an open records search, details the destruction of the data on all three servers and a partial and ultimately ineffective effort by Kennesaw State systems engineers to fix the main server’s security hole.

恆智德

@恆智德

恆智德

@恆智德 喺 佐治亞投票系統原來有重大安全漏洞？州政府仲要遮遮掩掩？ 入面講：

A 180-page collection of Kennesaw State emails, obtained Friday by the Coalition for Good Governments via an open records search

@XsDenGuard 真係有大學乜嘢安全措施都無？

XDen

@恆智德 年久失修啩，其實唔少政府都係

恆智德

@XsDenGuard 即係無錢，請唔起安全專家？
不過大學郵件服務唔係一般請大公司做咩？

XDen

@恆智德 似係個admin失誤，比如話push嗮啲logs上github之類

恆智德

@XsDenGuard 都唔排除有人通水
17年2月有人再次發現安全漏洞之後通知CES，三月三CES就收到FBI通知交server

舊使用者

推，我分享上覺醒者聯盟，想補充：

• 5 個搖擺州，包括佐治亞州喺大選日晚同時停止點票，趕走監票嘅人，更加有大量民煮党員拎咗幾十個喼入去，開始點100%俾敗登嘅票，仲要每張scan 20次
• 爆水喉做藉口，但一滴水都冇漏
• 木版釘住玻璃窗，唔俾人睇
• 有人拍片，唔駛40秒，唔駛密碼，唔駛咩技術，篤幾粒制，輕鬆有盜票機superuser access
• 證據多到寫2000 頁都寫唔完