Say, remember back in 2020, when Chris Krebs told Congress (under oath) and America that "The 2020 election was the most secure in US history"? Those who have been active on the Chat for a while may recall that I posted several years ago that there was no way he could make any sort of informed conclusion at that point. Several states, including Georgia and Arizona, were still dealing with election issues and irregularities.
This was just weeks after the Solar Winds security breach made national news. Solar Winds was used by several government agencies, as well as Dominion election management system software. The FBI had just arrested a man in Arizona, Elliot Kerwin, who had compromised the voter registration system at least 9 times during the early voting period and on election day. Agents seized 3 computers, 8 hard drives, a bag of thumb drives similar to the ones used in Maricopa County to record votes, and Kerwin's car.
Turns out that Krebs was not only speaking without any facts behind him, but actually had knowledge to the contrary, based on information collected by CISA in the year leading up to the election. The CISA report, published in March of 2021, is now available here for your reading pleasure.
The highlights (from the executive summary of the attached report):
• 76% of Election Infrastructure entities for which CISA performed a Risk and Vulnerability Assessment (RVA) had spear phishing* weaknesses, which provide an entry point for adversaries to launch attacks;
• 48% of entities had a critical or high severity vulnerability on at least one internet accessible host, 4 providing potential attack vectors to adversaries;
• 39% of entities ran at least one risky service on an internet-accessible host, providing the opportunity for threat actors to attack otherwise legitimate services; and
• 34% of entities ran unsupported operating systems (OSs) on at least one internet accessible host, which exposes entities to compromise
The CISA report was not made available to the public voluntarily. It was obtained by journalist Yehuda Miller along with several other documents via FOIA requests. More will be released this week.
* Spear phishing (or Social Engineering) is a type of cyberattack that targets specific individuals or companies with personalized emails that appear legitimate. This type of scam was illustrated in detail in the HBO Documentary Kill Chain: The Cyber War on America's Elections.
This was just weeks after the Solar Winds security breach made national news. Solar Winds was used by several government agencies, as well as Dominion election management system software. The FBI had just arrested a man in Arizona, Elliot Kerwin, who had compromised the voter registration system at least 9 times during the early voting period and on election day. Agents seized 3 computers, 8 hard drives, a bag of thumb drives similar to the ones used in Maricopa County to record votes, and Kerwin's car.
Turns out that Krebs was not only speaking without any facts behind him, but actually had knowledge to the contrary, based on information collected by CISA in the year leading up to the election. The CISA report, published in March of 2021, is now available here for your reading pleasure.
The highlights (from the executive summary of the attached report):
• 76% of Election Infrastructure entities for which CISA performed a Risk and Vulnerability Assessment (RVA) had spear phishing* weaknesses, which provide an entry point for adversaries to launch attacks;
• 48% of entities had a critical or high severity vulnerability on at least one internet accessible host, 4 providing potential attack vectors to adversaries;
• 39% of entities ran at least one risky service on an internet-accessible host, providing the opportunity for threat actors to attack otherwise legitimate services; and
• 34% of entities ran unsupported operating systems (OSs) on at least one internet accessible host, which exposes entities to compromise
The CISA report was not made available to the public voluntarily. It was obtained by journalist Yehuda Miller along with several other documents via FOIA requests. More will be released this week.
* Spear phishing (or Social Engineering) is a type of cyberattack that targets specific individuals or companies with personalized emails that appear legitimate. This type of scam was illustrated in detail in the HBO Documentary Kill Chain: The Cyber War on America's Elections.
