The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

GOP operatives' troubling trend of copying election systems


Welcome to The Cybersecurity 202! Hope everyone has come back healthy from Def Con and Black Hat. I expect to see you next year at “Hacker Summer Camp.” 

Below: Journalists and lawyers accuse the CIA of spying on them as they visited Julian Assange, and Signal says it was affected in a breach of Twilio.

Making copies of election tech poses risks to the whole system

Donald Trump-allied attorneys directed a team of computer experts to copy sensitive data from Georgia election systems, part of a broader trend of assorted GOP efforts to copy such data, The Post reported Monday.

Election authorities told me these copies pose a security risk and could be used to build false narratives about the integrity of the vote.

First, the key section of the story from Emma Brown, Jon Swaine, Aaron C. Davis and Amy Gardner:

“Attorney Sidney Powell sent the team to Michigan to copy a rural county’s election data and later helped arrange for them to do the same in the Detroit area, according to the records. A Trump campaign attorney engaged the team to travel to Nevada. And the day after the Jan. 6 attack on the Capitol the team was in southern Georgia, copying data from a Dominion voting system in rural Coffee County.”

Copies or images of vote tabulators, hard drives, software and voting data have also been at the center of controversies in Mesa County, Colo.; Maricopa County, Ariz.; and Antrim County, Mich.

Copying can help breach the chain of custody

Outsiders accessing such equipment is just the start of what’s problematic about the copying trend, election specialists say. It’s one of the reasons Maricopa County concluded it needed to stop using the machines that the Cyber Ninjas examined as part of a bungled partisan “audit.”

In Michigan and Colorado, “chain of custody — which is both a good idea, standard practice and required by law, that you don’t just give anyone access to the voting machines — that was likely breached,” David Becker, executive director of the Center for Election Innovation & Research, told me. 

My colleagues Patrick Marley and Tom Hamburger have more on this in a story that ran over the weekend.

Copying can make hacking easier

The copies of Dominion voting software in several locations would include “object code,” the compiled, machine-executable form of the underlying source code, said University of Michigan computer scientist J. Alex Halderman. Such code is mostly straightforward to reverse-engineer.

“The format is a speed bump for someone wanting to understand or exploit the system, not a real roadblock,” Halderman told me.

Halderman said election security is too often a game of “security by obscurity,” one where everything is kept secret until suddenly “the cat’s out of the bag” with, say, imaged voting systems making their way into the broader public. That creates a period of heightened vulnerability, he said, where the bad guys have the edge over good guys who have to spend a lot of time working to patch flaws.

Said Susan Greenhalgh, senior adviser on election security at Free Speech For People: “It democratizes the ability for anybody to get a hold of the software and try to game out attacks on it to exploit its vulnerabilities.”

There are limits to what people can do with the copies, however. As my colleagues reported Monday, “Both Dominion and independent experts have said that, even with the release of copies of election equipment, there are many safeguards in place to prevent attempts to alter results. Accuracy testing ahead of an election and post-election audits that include the hand-counting of ballots are among the measures intended to detect any such activity.”

Copying can be used for false claims

The saying about “knowing just enough to be dangerous” applies here. Someone with some basic understanding about computer security might look at the copies and “draw conclusions not supported by evidence they see,” Trevor Timmons, chief information officer for Colorado’s Department of State, told me.

Copies could also fuel another kind of false narrative, one that’s not so inadvertent — sort of like how “deep fakes” take real images and make new phony versions of them. “It opens the door to people making false claims about compromises, having taken over systems and modifying things because they’ve got some details on how those systems work,” Timmons said. 

Copying highlights other dangers

In Colorado, a grand jury indicted Mesa County Clerk Tina Peters over allegations that she made copies of sensitive systems. It’s a little like the urban legend horror story about “the call is coming from inside the house.”

“This is just one expression of the threat posed by insiders,” Timmons said.

The keys

Lawyers, journalists sue U.S. government for alleged spying amid Assange visits

Two lawyers and two journalists — all Americans — are accusing a Spanish security firm that was hired to protect Ecuador’s London embassy of secretly spying on them for the CIA when they visited WikiLeaks founder Julian Assange, Newsweek’s Shaun Waterman reports. Assange faces potential extradition to the United States on charges of violating the Espionage Act.

The lawsuit, filed in federal court, names the CIA, its former director Mike Pompeo, Spanish security firm Undercover Global and its founder, David Morales Guillen, as defendants.

The lawsuit argues that Undercover Global secretly began working for the CIA in 2017. The firm violated the plaintiffs’ privacy when it “seized, dismantled, imaged, photographed and digitized the computers, laptops, mobile phones, recording devices and other electronics brought into the Embassy by the plaintiffs,” the suit argues.

Morales Guillen told Newsweek the allegations in the lawsuit are “totally false,” and that he has “had nothing to do with the CIA or any exercise in spying on Mr. Assange.” The CIA declined to comment to Newsweek. A spokesperson for Pompeo’s political action committee didn’t respond to the outlet’s request for comment.

Signal says it was targeted in Twilio breach

The encrypted messaging service says it will notify around 1,900 users whose phone numbers or SMS verification codes were exposed when hackers gained access to systems at Twilio, the communications provider that sends Signal’s verification texts and that lets firms automate their messages, TechCrunch’s Carly Page reports. Twilio says around 125 of its clients had data that was accessed by the hackers.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” Signal said. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”

Such an attack could allow the hackers to re-register a victim’s phone number to a device they control and receive that number’s future messages and calls there. But it wouldn’t have given them access to data like messaging histories, which are stored only on the user’s own devices.

Dutch authorities arrest suspected developer behind sanctioned crypto mixer

The Netherlands’ Fiscal Information and Investigation Service announced last week that the 29-year-old man it arrested is “suspected of involvement in concealing criminal financial flows and facilitating money laundering,” and that “multiple arrests are not ruled out,” the Verge’s James Vincent reports. The arrest came days after U.S. authorities sanctioned Tornado Cash, a popular cryptocurrency anonymization service that North Korean hackers used to launder hundreds of millions of dollars’ worth of stolen cryptocurrency.

“The arrest in Amsterdam marks an escalation in global authorities’ crackdown against Tornado Cash and other crypto mixers,” Vincent writes. “Such services operate by pooling together contributors’ funds and then redistributing them, making it harder for law enforcement to track the digital breadcrumbs that accompany cryptocurrency transactions.” The sanctions drew praise in cybersecurity circles, but cryptocurrency industry-aligned groups criticized them.

Law enforcement and U.S. regulators have looked closely at cryptocurrency mixers for years:

  • Larry Harmon, an Ohio man behind the cryptocurrency mixer Helix, last year pleaded guilty to conspiring to launder money. He admitted to offering money laundering services in partnership with online marketplaces that sell illegal drugs and other contraband, the Wall Street Journal reported at the time. Harmon was charged in 2020, and the Financial Crimes Enforcement Network levied a $60 million penalty against him that same year.
  • In May, the Treasury Department sanctioned another mixer, called Blender, which officials said was also used by North Korean hackers.

Global cyberspace

Head of Ukraine’s cybersecurity says Russia has committed ‘cyber war crimes’ (Motherboard)

Microsoft disrupts Russian hackers' operation on NATO targets (Bleeping Computer)

Securing the ballot

Hacker conference DEF CON bans pro-Trump outlet OAN (Motherboard)

Cyber insecurity

Zoom’s latest update on Mac includes a fix for a dangerous security flaw (The Verge)

Secure log off

Thanks for reading. See you tomorrow.