Voting portal, you know, syndication that can be popped, and in you go as a customer to view or manipulate data. You know, all the different sites that can be popped as well. This is different from the web side of it. It's, you know, it doesn't take an actor with sophistication to run simple tools to manipulate the sites or try to force their way into the site to maintain access. I think that's a really important point you just made as well. It doesn't take a nation state to be successful doing this. Think about the resources a nation state that wants to manipulate it could bring to bear. It is not a high level of sophistication to compromise these systems. It goes down to getting into the website, brute force, SQL injection, getting into the network, stealing credentials, mapping the network, gaining intelligence. Yeah, I think this is Arizona, so this has already happened. Some learn from what's already worked, so they will mimic this breach. Next we move on to breaching state servers. Yeah, um, statewide, steal credentials, elevate privileges, move laterally throughout the network, try to find treasure troves of data, voter registration databases that you can exfiltrate, and exfiltrate in sizes that don't get detected or go undetected. Again, these websites, these servers don't have properly layered security, so, you know, if you get admin credentials, they don't have user behavior analytics to detect the abnormality in that user's behavior. They are going to get the credentials the same way they have for years now. The number one method of achieving that first stage of access has been spear phishing attacks. It's been that way for years. They are going to use what works. Identify key individuals in the state that are associated with the running of elections within that state, which is very easy to do through, you know, available OSINT, and, you know, phishing emails to them and see what you get in return.
Generally, you will be able to, you know, you get at least one hit out of however many you try. At that point, you can start to collect credentials and laterally move from there. Job offers always work in that one. Crafted PDFs, great jobs, for a better job. Take a look at this and we would love to talk to you about this. Take a look at the job announcement. They always open that announcement. LinkedIn is a starting point. LinkedIn always. Moving on to insider threat. We know there's malicious insiders, unintentional insiders. Talk a little bit about this vulnerability. It's a huge vulnerability. The unintentional is one we could fix. Most security people today will state the users are the problem and why we have a job. It's important for us to remember that. What we need is a large campaign for anybody that is part of an enterprise to be involved in and understand the dos and don'ts of cybersecurity. There's a lot of challenges in that space for us today. People don't know when that weaponized attachment comes in. It looks like a normal email they weren't expecting. They don't check on it. They don't know what they should and shouldn't do. Instead, they open it. It leads to compromise. Now you have a set of credentials to go out and utilize them to compromise an election database. They're a huge problem and one that's fixable. For some reason, we don't focus on bringing the users in, understanding what they should and shouldn't do, all the way down to our kids before they actually grow up to be part of a large enterprise. We simply don't do it and we should. The insider threat, the malicious insider, is very difficult to identify at this level because it's so inexpensive to hire somebody. In my county, 145 a day for Loudoun County, Virginia. 145 bucks a day you get paid for the election. Most counties have little background checks. They do little on that side at all. Most requirements were a high school diploma or GED to actually be an election official.
Think about that. No background checks. That's it. They just want to know you can take simple steps in the IT realm and have simple interpersonal communication skills to interact with others there. So, very, very easy, probably, for some nation state to come in and actually implant somebody inside that environment, getting more than 145 a day, I'm sure, to go in and try to compromise the systems and impact our elections. James, you and I were talking about infected state PCs. You want to kick off that? Yeah. So, state PCs can be infected any number of ways. It can be the contractor who comes in at night for janitorial services. Mostly these state level PCs have totally exposed towers to inject any type of malicious payload using a USB drive. Social engineering always works with spear phishing attacks at the state level. They lack cyber hygiene training. They will click on dancing kittens playing with baby puppies and toddlers. It's cute, you have to click. They will click, download a malicious payload. From there, it's funny because we were asked to put a sample exploit. I think a sample exploit, if we were targeting a PC at the state level, you would want solid functionality across the board. The malicious payload would have a RAT, additional droppers, key logger, screen grabber, camera and microphone capture tool, network mapper, lateral movement procedures, code injection mechanisms, social media spread and activation tool and USB infection capability. Also with self-deleting capability as well. All that stuff already exists. If you, you know, the malicious actor, you don't have to write that or code it, you can grab your own cracked version of Zeus or Poison Ivy, Infinity RAT, you name it. All those tools are just out there for you to slightly customize it, create a fake file and do all the things you just described. It's an easy step.
You know, today, in the dark web, it's a very robust economy, like if you run a large enterprise, you buy product and get maintenance and support. Go to the underground, buy tools, you can get maintenance support for the tools as well to compromise somebody's system or do a distributed denial of service attack against somebody's system. Think about that, if somebody went after one of the states and did a distributed denial of service against one of those databases online. It knocks it off in the middle of the election. The next thing we'll talk about is poison updates at the manufacturer level. I think we already covered that. Okay. Spreading malware to state election systems. Sure. A lot of these methods are interchangeable. You can use them for a local PC. But, it comes down to, for me, if I were the adversary coming in, I would poison the update. I would start at the manufacturer level and gain access to the state server, get access to the database, and the pact size, and have some type of malicious payload to bridge the air gap and have full functionality. I would also add a ransomware feature. It's something nobody is really talking about, whether it's the voter registration data or the final tabulation, total tally of the vote for that night. It would be interesting to ransom that. Again, all it is is a weaponization of encryption injected through normal channels. With all these different malware discussions, there's a lot of overlap. The response would be largely similar. At that level, you probably see a lot of the same sort of behavior: identify the target, do your recon on them, infect them via spear phish, or if you have physical access, then it's that much easier in terms of just plugging in a USB drive or dropping your payload any other way that is available to you. But, you know, outside of that, it's going to be mostly the same, utilizing the same sort of tools. I think that most of these systems are so easily compromised that, number one, they should have never been released.
There should have been a standard that they are held to, when it's not security through obscurity, as we like to say. Quite frankly, it's been proven time and time again to not work, and have a set of standards they are measured against with people actually doing the measuring that have a large component of cybersecurity expertise to ensure the systems can't be compromised. Today, we can stand up here and talk about the methods to compromise for hours because there are so many different vulnerabilities in the system. Everything is documented out there. You can get technical maintenance manuals for these things. Things that should be internal are all available on these machines that have been around since the early 2000s, mid-2000s. They are all still in use today. There are not a lot of brand-new machines undocumented or where it hasn't been leaked out there. Go to Black Box Voting or any number of sites that tend to collect this information and pull down whatever you want in terms of field service guides or firmware update manuals or codes to do the firmware updates, things you would assume would be internal and closely held secrets, but they are not. There's no obscurity on these things. I think you emphasized my point further, better than I did. Now that all the manuals are out there, some have been for quite some time, there is no obscurity. It shows security through obscurity never works. Great. The last one, if you have any additional comments, we talked about compromising state tabulators, any other comments on that? You know, a lot of the modern systems are running derivatives of Windows or a special build of Windows. They would behave like any other host in terms of how you would affect them or what you could affect them with. A lot of states or officials argue that because the systems are air gapped, you can't compromise them in that way. Oftentimes, you have to move data from those systems to, you know, connected systems to get the full results external.
That may be, you know, I have to move this USB drive or a Zip drive or, in some cases, a PC card to this connected system to get the results out. That could be a point of compromise. Same thing, which is the case with at least 10 manufacturers, if you have to move the data to a connected machine to get the results outward. You, as the user of these tabulators and the systems, are going to end up breaking the air gap at one point or the other. Perfect. We are going to close out the conversation by talking about the current climate we are living in, especially given the time frame around this upcoming election. So, media coverage has talked about the DNC hack, RNC hack, certain individuals talking about the possible integrity of the results. What is your take on who is behind some of these incidents? I think it's very clear that most of us in the community today feel it's the Russians. You know, they have been behind some of these compromises. So, whether you look at reports from my company, from CrowdStrike and many others, you know, it's clearly been linked back to the Russians manipulating the systems. It's important to, like, with a lot of these incidents, we are not always talking breaches or compromises of the voting systems and the voting machines that officials may tie to the process. In terms of leaked data, it's a sway of opinion as a result of the leaked data. Not necessarily a compromise. There's no reason to assume that wouldn't be part of it. You know, a lot of these things are still going on. When we comment on these things, they should be, you know, treated as ongoing. Time will still continue to reveal a lot about what's going on with the leaks, but it would also be safe to assume that they haven't just left the building, so to speak. I would urge people to understand that, you know, once the actors are in, they tend to hang around for a while and, you know, continue to pull what they want to pull.
Fascinating reports on APT28, APT29, Cozy Bear, Fancy Bear, whatever you want to call them. Good reads on the capabilities. I think we have to be careful with attribution with this sort of thing. When we say it's the Russians, where? What Russians? The APT nation state? APT mercenary? Cyber criminal gangs? They are looking to do something big? Could it be China? Their strategy has a smash and grab aspect to it for technology. To dwindle our democratic process. It coincides with the psychological warfare aspect of what they do. Also taking into consideration the access as a service, hacker for hire, that levels the playing field for cyber caliphate, self-radicalized insider threats. Cyber jihad, that sort of thing. Cyber self-radicalized wolves is a classification. Yeah. Yeah. I think the media does tend to paint an oversimplified picture of the groups. When you talk about, you know, a specific group like Russia, you know, they paint the image in your mind, or they try to infer the image in your mind, of a roomful of specific individuals that are part of this super hacker team that is known as Cozy Bear, Fancy Bear, whatever mammal it happens to be. It's not always that simple or cut and dried. Oftentimes you see people traversing different teams. There is a huge for-hire aspect, you know, whoever is behind some of these things or is controlling the resources behind the groups and incidents. They will find people to carry out what they need to have carried out and, you know, one day they might be part of team Fancy Bear. If enough money comes along for the next job, they may be team Cozy Bear, or on and on and on. You see the same dynamic with the Chinese groups as well. It's important to know that the picture of one specific group of, you know, state affiliated actors working together as a team, it's not always that simple. Certainly allows for a nation state to create a level of separation as well.
Yeah, Chinese PLA are known for discovering vulnerabilities, 0-days, things like that during the day. They take that and freelance at night. They go through English language handlers. I had something else on the Russian aspect. Oh, yeah. When you forensically decide what's happening with a breach of stealth and sophistication like we see out of Russia, once you define the forensic value of that breach, you see a lot of copycat breaches, copycat hacks. So, I think that's another thing nobody is talking about. The copy aspect. It's not enough to just say we think it's Cozy Bear or APT29. APT28, right? Yeah. Once you have defined from a forensic perspective the tool kits, the exploits, time stamps on the code, all these factors you can easily duplicate with some technical sophistication and capability. You are going to see a lot of mimicking of nation state and high level mercenary criminal gang activity. To expand, you are hinting at it. You also see deliberate, you know, masquerading in terms of a group and tool kits associated with another group, or infrastructure that is known to a specific group, to throw off analysts, throw off security, so it's attributed in the wrong way. That's a problem with the Chinese stuff in particular. You see a lot of, back in the Comment Crew APT1 days, all these other groups were using the same tools, same infrastructure. So the attacks would get wrongly attributed to Comment Crew when it may have been someone else. That same sort of thing extends to other regions, Russia included. They want it attributed to somebody else. Yeah. A lot of methods to do that. You look at the sophistication of the Russians or the willingness to throw as much funding at it as possible to promote the smash and grab aspect, and you look at these sophisticated attack vectors, the exploits capitalizing off 0-days. They are used to going into systems that are highly guarded, you know, look at Energetic Bear and, yeah, Energetic Bear and KeRanger.
Perfect example of poisoning the update. This is something that, these are highly sophisticated people and what they are able to do is go into highly protected areas. This isn't a state website with no layers of cybersecurity, no UBA, no encryption of data in transit and stationary. The election system is fair game. Think about that. Fair game. One thing, the people that should be protecting us, the people that should be the gatekeepers protecting the election process, the manufacturers with cybersecurity through the life cycle of the technology and the secretaries of state and the election officials, and they are doing nothing. They are not sophisticated enough to do anything. It's time to have a changing of the guard, I think. I wanted to add to that, it's interesting, your point there, so it was just in the press yesterday or the day before yesterday, I think it came from a deputy director at NSA. It's something all of us know, that attackers only bring out, you know, the tool set needed to achieve their objectives. They are not going to go out and bring out a bunch of zero-days they have, vulnerabilities with exploit code, and release it if they don't need to to accomplish what they can do. We are talking about this with sophisticated attacks taking place around the world. South Korea, the nuclear and hydroelectric plants. They took out ATMs a number of years ago and media companies with sophisticated attacks. That's the point we are trying to make. There's no sophistication required to hit these election systems. None. It's very, very simple to do. For us to say the systems can't be hacked is being very naive on our part. It's something we don't want; the election happens, so this gets tucked away for four more years. It needs action, funding, resourcing and a focus. On that note, we are less than 20 days away from a major election. Is there anything that can be realistically done between now and then, even if it's not going to address all the problems?
What can we do now and talk about doing for the 2018 and 2020 local and federal elections? First and foremost, protect the tabulator at the local and state level. Anything that comes in remotely close contact with the tabulation algorithm process, protect it. You know, then forensically analyze before the elections the black box technology that the manufacturers and the state level mutually support. Bring forensic people in to hammer the swing regions specifically of the swing states from a forensic perspective. The black box aspect, GEMS tabulation software, the election system as a whole. Physical security has to be way better, you know, realistic or not, the ideal situation would be people sort of in the know or people that are familiar with the different ways to compromise these systems should be available a