Georgia Scrambles To Patch Massive Vulnerabilities In Its Voter Registration System After Insisting It Was Totally Secure
from the so-about-that-voting-system... dept
Yesterday we had a rather incredible story about Georgia's Secretary of State, Brian Kemp, who, despite the conflict of interest, is both running for Governor and in charge of making sure Georgia's elections are fair. Over the weekend, Kemp had made a highly questionable claim that his opponents in the Democratic Party of Georgia had attempted to hack the voter registration system, and he was opening an investigation. As we noted, what appears to have actually happened was that an independent security researcher had discovered massive, stunning, gaping security flaws in Georgia's voter registration system that would potentially allow anyone to access anyone else's information and even modify it. That's an especially big deal in Georgia, where the very same Secretary of State Brian Kemp had pushed for laws that meant that if any of your ID information was different from what was in the voter system, you didn't get to vote.
Incredibly, despite multiple security experts pointing out some fairly basic flaws, Kemp's office insisted the site was secure. According to press secretary Candice Broce:
“We can also confirm that no personal data was breached and our system remains secure.”
Elsewhere the Secretary of State's Office insisted there were no problems with the site. However, as ProPublica is now reporting, late Sunday night, after it had insisted there was nothing wrong, it appeared that someone behind the scenes was scrambling to patch the vulnerabilities:
ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.
ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.
ProPublica’s attempt to take the next step — to poke around the concealed files and the innards of the operating system — was blocked by software fixes made that evening.
The same Candice Broce who had insisted that there was absolutely nothing wrong with the site then made two obviously bullshit claims to ProPublica. First, that the setup that allowed users to see exactly where files were stored was standard practice, and second, that so was making last-minute changes to a voter registration website two days before an election:
Broce said the ability to see where files were stored was “common” across many websites, and she said it was not an inherent vulnerability. She did not deny that the website’s code was rewritten and would not say whether changes were made as a result of the possible security holes.
“We make changes to our website all the time,” Broce said. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.” By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.
Of course, as anyone who has done any serious website building in the last 10 to 15 years knows well, that is not at all standard practice. But, let's see the quote from an expert anyway:
Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. “It’s definitely not best practice,” he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.
Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.
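The flaw ProPublica describes above, a site whose error responses reveal where files sit on the server, and Hall's point that such visibility is "definitely not best practice", are easier to see with a concrete handler. The following is an added example written for this post; it is not code from Georgia's My Voter Page, ProPublica, or the Secretary of State's office, and the storage path, voter IDs and records in it are constructed placeholders. It shows a lookup handler that echoes the raw exception (and with it the file-system location) to the client, a hardened version that keeps the detail in the server log and returns only an opaque reference, and a small checker a site owner can run over their own responses to confirm no absolute paths leak before, not two days before, an election.

```python
"""Path-disclosure check for web error responses (added example, not the site's code)."""
import hashlib
import logging
import re

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("myvoter")

# Constructed storage location and records: placeholders, not the real site's layout.
RECORD_DIR = "/var/www/myvoter/data"
RECORDS = {"GA-0001": {"name": "Constructed Voter", "precinct": "12A"}}

# Absolute POSIX paths under common system/web roots, or Windows drive paths.
PATH_RE = re.compile(
    r"(?<![\w.])(?:[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+"
    r"|/(?:var|etc|usr|home|opt|srv|tmp|inetpub)/(?:[\w.-]+/)*[\w.-]+)"
)


def find_path_disclosures(body: str) -> list[str]:
    """Return the distinct server paths found in a response body, in order of appearance."""
    seen, found = set(), []
    for match in PATH_RE.finditer(body):
        path = match.group(0)
        if path not in seen:
            seen.add(path)
            found.append(path)
    return found


def load_record(voter_id: str) -> dict:
    """Simulates a file-backed lookup whose exception text names the missing file."""
    if voter_id not in RECORDS:
        raise FileNotFoundError(f"No such file: {RECORD_DIR}/{voter_id}.json")
    return RECORDS[voter_id]


def verbose_lookup(voter_id: str) -> dict:
    """Anti-pattern: the exception text, including the file location, reaches the client."""
    try:
        return {"status": 200, "body": load_record(voter_id)}
    except FileNotFoundError as exc:
        return {"status": 500, "body": f"Internal error: {exc}"}


def hardened_lookup(voter_id: str) -> dict:
    """Detail stays in the server log; the client gets a generic message and a reference id."""
    try:
        return {"status": 200, "body": load_record(voter_id)}
    except FileNotFoundError as exc:
        # The reference lets support correlate a user report with the log line
        # without exposing anything about the file system.
        ref = hashlib.sha256(f"{voter_id}:{exc}".encode()).hexdigest()[:12]
        log.error("lookup failed ref=%s detail=%s", ref, exc)
        return {"status": 500, "body": f"An error occurred. Reference: {ref}"}


if __name__ == "__main__":
    for handler in (verbose_lookup, hardened_lookup):
        resp = handler("GA-9999")  # constructed id that is not in RECORDS
        leaks = find_path_disclosures(str(resp["body"]))
        print(f"{handler.__name__}: status={resp['status']} leaked_paths={leaks}")
```

Run against a real site, `find_path_disclosures` would be applied to the bodies of responses to a few deliberately malformed requests against your own deployment (unknown record, bad parameter type, oversized input) as part of a release check; any non-empty result means an error path is still echoing server internals and should be routed through the hardened pattern instead.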
Basically, it appears that Kemp and the Secretary of State's office are betting on voters in Georgia being totally ignorant. Meanwhile, this is the same office that just a couple months ago made the following bold statement:
“There has never been a breach in the Secretary of State’s office. We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted. Georgia has secure, accessible, and fair elections because Kemp has leveraged private sector solutions for robust cyber security, well before any of those options were offered by the federal government.”
I don't care what side of the partisan divide you fall on, but Kemp's actions in failing to protect the system, overseeing the voting in his own election, then attacking the messenger for pointing out his own vulnerability, denying the vulnerability, and then scrambling to fix the vulnerability at the last minute without telling anyone, should disqualify him from running a Burger King, let alone being Governor of the state of Georgia.
Filed Under: brian kemp, computer security, election, georgia, voter registration, vulnerability