WND
Remote-access software found on popular v****g machines
Senator addresses security gap following discovery of pre-installed internet connection
Despite alleged Russian hacking of the 2016 p**********l e******n, no evidence has been produced showing Moscow’s hackers – or anyone else – being able to remotely access and change v**es on any of the 350,000 electronic v****g machines used in the U.S.
Americans have largely accepted that the machines are safe from hackers because they’ve repeatedly been told the devices are “air-gapped” – isolated from all unsecured networks, including the internet.
That is untrue, according to a New York Times Magazine investigation last month that described E******n Systems & Software, the largest manufacturer of v****g machines, selling hardware with e******n-management systems pre-installed with remote-access software. The company also is said to have encouraged past purchasers to install the software on machines that did not currently have it so ES&S technicians could do troubleshooting and maintenance without having to be onsite.
“The American public has been repeatedly assured that v****g machines are not connected to the internet, and thus, cannot be remotely c*********d by hackers,” Wyden wrote in the letter to ES&S.
“The default installation or subsequent use of remote-access software on sensitive e******n systems runs contrary to cybersecurity best practices and needlessly exposes our e******n infrastructure to cyberattacks.”
Wyden, a senior member of the Senate Intelligence Committee, questioned ES&S officials last year about the company’s cyber security practices, but it was less than forthcoming.
“ES&S did not answer Wyden’s questions about whether the company follows basic cybersecurity best practices,” a spokesman for the senator’s office told Gizmodo.
In his most recent questioning of ES&S, Wyden is addressing the issues raised in the New York Times Magazine report:
Has ES&S sold devices on which remote-access software was pre-installed?
Have ES&S officials or technical-support personnel recommended customers install remote-access software on v****g machines or other e******n systems that did not already have it?
In the last 24 hours, the company has issued a response that seems to deny any knowledge of pre- or post-installed remote-access software:
“E******n Systems and Software certifies our v****g systems to the Voluntary V****g System Standards (VVSG) adopted by the E******n Assistance Commission (EAC). The EAC VVSG does not allow for v****g systems to be tested or approved with any form of remote-access software. In fact, an e******n-management system that is approved and tested to the EAC standard is required to be hardened. The term hardened in this case means that the server is locked down from any use other than that which has been approved under the standard and that it cannot contain any software application, including remote access software, which is not part of the certified end to end configuration. ES&S always adheres to these guidelines and, as such, does not sell or distribute products with remote access software installed.”
What do YOU think? Are you concerned about the integrity of v****g machines?
Sound off in today’s WND poll.
But this denial fies in the face of evidence reported in last month’s report.
In 2011, the e******n board in Pennsylvania’s Venango County, had its system examined by a computer-science professor from Carnegie Mellon University following complaints by v**ers that their v**es were “flipped” from candidates they had selected on the screen to their opponents. While serious in terms of the v**e outcome, that problem proved to be a simple calibration error that could be easily fixed. But of greater alarm was the discovery of remote-access software installed on the county’s e******n-management computer. This computer is used to tally results and, in some cases, program v****g machines. In this case, the culprit was not a hacker but an approved contractor who was accessing the system from home. Still, the county had no knowledge such access was installed in the system they had purchased from ES&S or that it was possible to do so.
An ES&S contract with Michigan from 2006 describes how the company’s tech-support workers used remote-access software called pcAnywhere to access customer-e******n systems. That same year, ES&S technicians spent hours connected to a Pennsylvania county’s system trying to track down the reason for v**e discrepancies in a local race. According to an official for the county, the software had been pre-installed.
As now, ES&S denied any knowledge of such a breach of cybersecurity protocol. “None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our v****g systems have ever been sold with remote-access software.”
It’s a toss-up as to whether it’s worse that ES&S secretly installed the software or that it is unaware of how it came to be on systems that were sold.
Even without the installed access software, there are other areas of vulnerability.
Many counties have modems connected to their machines to t***smit results to their central e******n office. While e******n officials say such t***smissions are safe because the information is sent over phone lines and not the internet, the fact is that many of the modems are cellular, which use radio signals to send data to cell towers and routers that are part of the internet. It is theoretically possible to intercept and change the data being t***smitted.
Like the reporting you see here? Sign up for free news alerts from WND.com, America’s independent news network.
The E******n Assistance Commission, which oversees testing and certification of v****g machines, says modems aren’t a problem.
“The caution about not permitting network access does not apply to the use of modems on e******n night to t***smit unofficial polling place results to the central office,” the commission’s e******n guidelines state. “The technical expertise required to intercept and alter a telephone communication without detection is extremely complex. Therefore, it is unlikely that anyone will be able to intercept and alter these results without detection.”
But that does not address the problem of hackers using the connected modem and the pre-installed remote-access software to gain access to machines if they have the password or exploit some vulnerability. Indeed, trust in the e******n process can be undermined simply by the public never being certain the v**e results are true.
“The incorrect assertion that v****g machines or v****g systems can’t be hacked by remote attackers because they are ‘not connected to the internet’ is not just wrong, it’s damaging,” Susan Greenhalgh, a spokeswoman for the National E******n Defense Coalition, an e******ns integrity group, told New York Times Magazine.
“This oft-repeated myth instills a false sense of security that is inhibiting officials and lawmakers from urgently requiring that all v****g systems use paper b****ts and that all e******ns be robustly audited.”
Keep in mind that this is a New York Times magazine article. Perhaps some other source can validate it.
Go back to the paper b****t and monitor its t***sportation as the Fed monitors the people who do the v**e tally.
no propaganda please wrote:
WND
Remote-access software found on popular v****g machines
Senator addresses security gap following discovery of pre-installed internet connection
Despite alleged Russian hacking of the 2016 p**********l e******n, no evidence has been produced showing Moscow’s hackers – or anyone else – being able to remotely access and change v**es on any of the 350,000 electronic v****g machines used in the U.S.
Americans have largely accepted that the machines are safe from hackers because they’ve repeatedly been told the devices are “air-gapped” – isolated from all unsecured networks, including the internet.
That is untrue, according to a New York Times Magazine investigation last month that described E******n Systems & Software, the largest manufacturer of v****g machines, selling hardware with e******n-management systems pre-installed with remote-access software. The company also is said to have encouraged past purchasers to install the software on machines that did not currently have it so ES&S technicians could do troubleshooting and maintenance without having to be onsite.
“The American public has been repeatedly assured that v****g machines are not connected to the internet, and thus, cannot be remotely c*********d by hackers,” Wyden wrote in the letter to ES&S.
“The default installation or subsequent use of remote-access software on sensitive e******n systems runs contrary to cybersecurity best practices and needlessly exposes our e******n infrastructure to cyberattacks.”
Wyden, a senior member of the Senate Intelligence Committee, questioned ES&S officials last year about the company’s cyber security practices, but it was less than forthcoming.
“ES&S did not answer Wyden’s questions about whether the company follows basic cybersecurity best practices,” a spokesman for the senator’s office told Gizmodo.
In his most recent questioning of ES&S, Wyden is addressing the issues raised in the New York Times Magazine report:
Has ES&S sold devices on which remote-access software was pre-installed?
Have ES&S officials or technical-support personnel recommended customers install remote-access software on v****g machines or other e******n systems that did not already have it?
In the last 24 hours, the company has issued a response that seems to deny any knowledge of pre- or post-installed remote-access software:
“E******n Systems and Software certifies our v****g systems to the Voluntary V****g System Standards (VVSG) adopted by the E******n Assistance Commission (EAC). The EAC VVSG does not allow for v****g systems to be tested or approved with any form of remote-access software. In fact, an e******n-management system that is approved and tested to the EAC standard is required to be hardened. The term hardened in this case means that the server is locked down from any use other than that which has been approved under the standard and that it cannot contain any software application, including remote access software, which is not part of the certified end to end configuration. ES&S always adheres to these guidelines and, as such, does not sell or distribute products with remote access software installed.”
What do YOU think? Are you concerned about the integrity of v****g machines?
Sound off in today’s WND poll.
But this denial fies in the face of evidence reported in last month’s report.
In 2011, the e******n board in Pennsylvania’s Venango County, had its system examined by a computer-science professor from Carnegie Mellon University following complaints by v**ers that their v**es were “flipped” from candidates they had selected on the screen to their opponents. While serious in terms of the v**e outcome, that problem proved to be a simple calibration error that could be easily fixed. But of greater alarm was the discovery of remote-access software installed on the county’s e******n-management computer. This computer is used to tally results and, in some cases, program v****g machines. In this case, the culprit was not a hacker but an approved contractor who was accessing the system from home. Still, the county had no knowledge such access was installed in the system they had purchased from ES&S or that it was possible to do so.
An ES&S contract with Michigan from 2006 describes how the company’s tech-support workers used remote-access software called pcAnywhere to access customer-e******n systems. That same year, ES&S technicians spent hours connected to a Pennsylvania county’s system trying to track down the reason for v**e discrepancies in a local race. According to an official for the county, the software had been pre-installed.
As now, ES&S denied any knowledge of such a breach of cybersecurity protocol. “None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our v****g systems have ever been sold with remote-access software.”
It’s a toss-up as to whether it’s worse that ES&S secretly installed the software or that it is unaware of how it came to be on systems that were sold.
Even without the installed access software, there are other areas of vulnerability.
Many counties have modems connected to their machines to t***smit results to their central e******n office. While e******n officials say such t***smissions are safe because the information is sent over phone lines and not the internet, the fact is that many of the modems are cellular, which use radio signals to send data to cell towers and routers that are part of the internet. It is theoretically possible to intercept and change the data being t***smitted.
Like the reporting you see here? Sign up for free news alerts from WND.com, America’s independent news network.
The E******n Assistance Commission, which oversees testing and certification of v****g machines, says modems aren’t a problem.
“The caution about not permitting network access does not apply to the use of modems on e******n night to t***smit unofficial polling place results to the central office,” the commission’s e******n guidelines state. “The technical expertise required to intercept and alter a telephone communication without detection is extremely complex. Therefore, it is unlikely that anyone will be able to intercept and alter these results without detection.”
But that does not address the problem of hackers using the connected modem and the pre-installed remote-access software to gain access to machines if they have the password or exploit some vulnerability. Indeed, trust in the e******n process can be undermined simply by the public never being certain the v**e results are true.
“The incorrect assertion that v****g machines or v****g systems can’t be hacked by remote attackers because they are ‘not connected to the internet’ is not just wrong, it’s damaging,” Susan Greenhalgh, a spokeswoman for the National E******n Defense Coalition, an e******ns integrity group, told New York Times Magazine.
“This oft-repeated myth instills a false sense of security that is inhibiting officials and lawmakers from urgently requiring that all v****g systems use paper b****ts and that all e******ns be robustly audited.”
Keep in mind that this is a New York Times magazine article. Perhaps some other source can validate it.
WND br Remote-access software found on popular v**... (
show quote)
My b****t for 2016 included county and city races that weren't mine to v**e in. I reported this to our e******n folks................who claimed it couldn't happen. " Are you're calling me a liar?" I ask, " NO " she says, "I'm just telling you such an error is impossible". I've tried numerous times to follow up on this, and nothing. The point is, there is no evidence of actual v**e tampering...............because no State is willing to look for or report such an occurrence.
Electronic devices are only as accurate and/or fool proof, as the humans that build, program and maintain them. P***e, embarrassment, and good old "covering your ass", are good motivations to hide or ignore v**e tampering.
lpnmajor wrote:
My b****t for 2016 included county and city races that weren't mine to v**e in. I reported this to our e******n folks................who claimed it couldn't happen. " Are you're calling me a liar?" I ask, " NO " she says, "I'm just telling you such an error is impossible". I've tried numerous times to follow up on this, and nothing. The point is, there is no evidence of actual v**e tampering...............because no State is willing to look for or report such an occurrence.
Electronic devices are only as accurate and/or fool proof, as the humans that build, program and maintain them. P***e, embarrassment, and good old "covering your ass", are good motivations to hide or ignore v**e tampering.
My b****t for 2016 included county and city races ... (
show quote)
You are so right. Thank you for your comments
no propaganda please wrote:
WND
Remote-access software found on popular v****g machines
Senator addresses security gap following discovery of pre-installed internet connection
Despite alleged Russian hacking of the 2016 p**********l e******n, no evidence has been produced showing Moscow’s hackers – or anyone else – being able to remotely access and change v**es on any of the 350,000 electronic v****g machines used in the U.S.
Americans have largely accepted that the machines are safe from hackers because they’ve repeatedly been told the devices are “air-gapped” – isolated from all unsecured networks, including the internet.
That is untrue, according to a New York Times Magazine investigation last month that described E******n Systems & Software, the largest manufacturer of v****g machines, selling hardware with e******n-management systems pre-installed with remote-access software. The company also is said to have encouraged past purchasers to install the software on machines that did not currently have it so ES&S technicians could do troubleshooting and maintenance without having to be onsite.
“The American public has been repeatedly assured that v****g machines are not connected to the internet, and thus, cannot be remotely c*********d by hackers,” Wyden wrote in the letter to ES&S.
“The default installation or subsequent use of remote-access software on sensitive e******n systems runs contrary to cybersecurity best practices and needlessly exposes our e******n infrastructure to cyberattacks.”
Wyden, a senior member of the Senate Intelligence Committee, questioned ES&S officials last year about the company’s cyber security practices, but it was less than forthcoming.
“ES&S did not answer Wyden’s questions about whether the company follows basic cybersecurity best practices,” a spokesman for the senator’s office told Gizmodo.
In his most recent questioning of ES&S, Wyden is addressing the issues raised in the New York Times Magazine report:
Has ES&S sold devices on which remote-access software was pre-installed?
Have ES&S officials or technical-support personnel recommended customers install remote-access software on v****g machines or other e******n systems that did not already have it?
In the last 24 hours, the company has issued a response that seems to deny any knowledge of pre- or post-installed remote-access software:
“E******n Systems and Software certifies our v****g systems to the Voluntary V****g System Standards (VVSG) adopted by the E******n Assistance Commission (EAC). The EAC VVSG does not allow for v****g systems to be tested or approved with any form of remote-access software. In fact, an e******n-management system that is approved and tested to the EAC standard is required to be hardened. The term hardened in this case means that the server is locked down from any use other than that which has been approved under the standard and that it cannot contain any software application, including remote access software, which is not part of the certified end to end configuration. ES&S always adheres to these guidelines and, as such, does not sell or distribute products with remote access software installed.”
What do YOU think? Are you concerned about the integrity of v****g machines?
Sound off in today’s WND poll.
But this denial fies in the face of evidence reported in last month’s report.
In 2011, the e******n board in Pennsylvania’s Venango County, had its system examined by a computer-science professor from Carnegie Mellon University following complaints by v**ers that their v**es were “flipped” from candidates they had selected on the screen to their opponents. While serious in terms of the v**e outcome, that problem proved to be a simple calibration error that could be easily fixed. But of greater alarm was the discovery of remote-access software installed on the county’s e******n-management computer. This computer is used to tally results and, in some cases, program v****g machines. In this case, the culprit was not a hacker but an approved contractor who was accessing the system from home. Still, the county had no knowledge such access was installed in the system they had purchased from ES&S or that it was possible to do so.
An ES&S contract with Michigan from 2006 describes how the company’s tech-support workers used remote-access software called pcAnywhere to access customer-e******n systems. That same year, ES&S technicians spent hours connected to a Pennsylvania county’s system trying to track down the reason for v**e discrepancies in a local race. According to an official for the county, the software had been pre-installed.
As now, ES&S denied any knowledge of such a breach of cybersecurity protocol. “None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our v****g systems have ever been sold with remote-access software.”
It’s a toss-up as to whether it’s worse that ES&S secretly installed the software or that it is unaware of how it came to be on systems that were sold.
Even without the installed access software, there are other areas of vulnerability.
Many counties have modems connected to their machines to t***smit results to their central e******n office. While e******n officials say such t***smissions are safe because the information is sent over phone lines and not the internet, the fact is that many of the modems are cellular, which use radio signals to send data to cell towers and routers that are part of the internet. It is theoretically possible to intercept and change the data being t***smitted.
Like the reporting you see here? Sign up for free news alerts from WND.com, America’s independent news network.
The E******n Assistance Commission, which oversees testing and certification of v****g machines, says modems aren’t a problem.
“The caution about not permitting network access does not apply to the use of modems on e******n night to t***smit unofficial polling place results to the central office,” the commission’s e******n guidelines state. “The technical expertise required to intercept and alter a telephone communication without detection is extremely complex. Therefore, it is unlikely that anyone will be able to intercept and alter these results without detection.”
But that does not address the problem of hackers using the connected modem and the pre-installed remote-access software to gain access to machines if they have the password or exploit some vulnerability. Indeed, trust in the e******n process can be undermined simply by the public never being certain the v**e results are true.
“The incorrect assertion that v****g machines or v****g systems can’t be hacked by remote attackers because they are ‘not connected to the internet’ is not just wrong, it’s damaging,” Susan Greenhalgh, a spokeswoman for the National E******n Defense Coalition, an e******ns integrity group, told New York Times Magazine.
“This oft-repeated myth instills a false sense of security that is inhibiting officials and lawmakers from urgently requiring that all v****g systems use paper b****ts and that all e******ns be robustly audited.”
Keep in mind that this is a New York Times magazine article. Perhaps some other source can validate it.
WND br Remote-access software found on popular v**... (
show quote)
The Swamp has its fingers in every thing.
Its their World & we are there for their pleasure & amusement.
To do with us as they will.
SOME DAY WE WILL ALL AWAKE & DO SOMETHING ABOUT IT.
Perhaps it will be like my son who hearing me say some day.
Would question me: Sunday?
So may we all look forward to that Sunday.
What we should do. Paper b****ts may be either too confusing for liberals or they just aren't strong enough to push the hole all the way through.
currahee wrote:
Go back to the paper b****t and monitor its t***sportation as the Fed monitors the people who do the v**e tally.
She actually said that to someone she doesn't even know? You must have one hell of an even temper. I think we should go back to paper b****ts.
If they were good enough for the greatest generation, good enough for me.
lpnmajor wrote:
My b****t for 2016 included county and city races that weren't mine to v**e in. I reported this to our e******n folks................who claimed it couldn't happen. " Are you're calling me a liar?" I ask, " NO " she says, "I'm just telling you such an error is impossible". I've tried numerous times to follow up on this, and nothing. The point is, there is no evidence of actual v**e tampering...............because no State is willing to look for or report such an occurrence.
Electronic devices are only as accurate and/or fool proof, as the humans that build, program and maintain them. P***e, embarrassment, and good old "covering your ass", are good motivations to hide or ignore v**e tampering.
My b****t for 2016 included county and city races ... (
show quote)
If you want to reply, then
register here. Registration is free and your account is created instantly, so you can post right away.