A test voting card for a punch voting system. (Photo: Elizabeth Weise)
SAN FRANCISCO - Names, addresses, dates of birth and other information about Chicago’s 1.8 million registered voters were left exposed and publicly available online on an Amazon cloud-computing server for an unknown period of time, the Chicago Board of Election Commissions said.
The database file was discovered August 11 by a security researcher at Upguard, a company that evaluates cyber risk. The company alerted election officials in Chicago on August 12 and the file was taken down three hours later. The exposure was first made public on Thursday.
The database was overseen by Election Systems & Software, an Omaha, Neb.-based contractor that provides election equipment and software.
The voter data was a back-up file stored on Amazon’s AWS servers and included partial Social Security numbers, and in some cases, driver’s license and state ID numbers, Election Systems & Software said in a statement.
Amazon’s AWS cloud service provides online storage, but configuring the security settings for that service is up to the user and is not set by Amazon. The default for all of AWS’ cloud storage is to be secure, so someone within ES&S would have had to choose to configure it as public.
The incident is an example of the potential problems raised by an increasingly networked and connected voting system whose security systems have not necessarily kept up, especially at a time when Russia is known to be probing U.S. election systems.
It’s also the latest example of sensitive data left exposed on cloud computing servers, vulnerabilities that cybersecurity firm Upguard has been identifying. Similar configuration issues on Amazon cloud servers have left exposed Verizon, Dow Jones and Republican National Committee data.
“Every copy of data is a liability, and as it becomes easier, faster, and cheaper to transmit, store, and share data, these problems will get worse,” said Ben Johnson, chief technical officer at California-based Obsidian Security, and a Chicago voter.
Electronic Systems & Software is in the process of reviewing all procedures and protocols, including those of its vendors, to ensure all data and systems are secure and prevent similar situations from occurring, it said in a statement.
No ballot information or vote totals were included in the database files and the information was not connected to Chicago’s voting or tabulation systems, ES&S said.
“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server,” she said.
The database was discovered by Upguard’s director of strategy Jon Hendren. The company routinely scans for open and misconfigured files online and on AWS, the biggest provider of the cloud computing services.
The database also included encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable, said Hendren.
“It would take a nation state, but it could be done if you have sufficient computing power,” he said. “The worst-case scenario is that they could be completely infiltrated right now,” he said.
“If the passwords are weak, they could be cracked in hours or days. If they are credentials that ES&S employees use elsewhere (corporate VPN) without two-factor authentication, then the breach could be way more serious,” said Tony Adams of Secureworks, an Atlanta-based computer security firm.
The implications of the exposure are much broader than Chicago because Election Systems & Software is the largest vendor of voting systems in the United States, said Susan Greenhalgh, an election specialist with Verified Voting, a non-partisan election integrity non-profit.
“If the breach in Chicago is an indicator of ES&S’s security competence, it raises a lot of questions about their ability to keep both the voting systems they run and their own networks secure,” she said.
Russia is known to have probed at least 38 state voter databases prior to the 2016 election, federal officials have said. Because of that, the fact that the Chicago data was available to anyone with an Internet account, even if they had to poke around a bit to find it, represents a risk, Obsidian Security’s Johnson said.
“It’s hard to say malicious actors have found the data, but it is likely some were already hunting for it. Now, with more headlines and more examples of where to look, you can bet that malicious actors have already written the equivalent of search engines to more automatically find these hidden treasures of sensitive data,” Johnson said.