What has been done with the open and public internet? Edward Fowler says the information flow trove in Illinois addresses voter registrations and voter fraud
Fowler believes that there has been progress on basic data security. I found this using the open and public internet. And at the end of the day, this is critical infrastructure that was exposed.”
Fowler points out that while the exposed information would potentially make impacted individuals more susceptible to identity theft and other scams, it could also be abused to submit multiple absentee ballot requests or to conduct other suspicious activity that could call a voter’s legitimate vote into question and take time to reconcile. But he adds that the death certificates and other documentation contained in the trove reflect the work election officials do all over the country to manage voter registrations and ensure that everyone’s vote is accurately counted.
Illinois’s data breach notification law requires notification to the state within 45 days of an incident. A standard version of a county’s contract for technology services requires a contractor to notify the affected county within 15 minutes if a data breach occurs.
Information Security Alert to the Advancements in Electoral Control: The Case of Platinum Technology Resource, an Illinois-Based Election Management Service, and Fowler
On Friday, Platinum began to distribute a notification to impacted counties. Platinum said there is evidence that voter registration documents were scanned, but that the exposed databases don’t indicate a deeper compromise of its systems. “There was a thorough investigation executed. The findings support our ongoing belief there is no evidence of voter registration forms being leaked or stolen … We used this opportunity to deploy new and additional safeguards around voter registration documents.”
Fowler reported the unprotected databases to Platinum on July 18, but he says he didn’t receive a response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with the Illinois-based managed services provider Magenium, so he sent a disclosure to this company as well on July 19. Again, he says he did not receive a response, but shortly after the databases were secured, pulling them from public view. WIRED requested comment from Platinum and Magenium, but they did not reply.
According to Fowler, all of the counties seem to have a contract with Platinum Technology Resource, an Illinois-based election management service which provides voter registration software and other digital tools along with services like ballot printing. Many Illinois counties use Platinum Technology Resource for their election services, and it was confirmed to WIRED.
As state-backed hacking becomes more sophisticated and aggressive, the threats to critical infrastructure loom. But often, the biggest vulnerabilities come not from esoteric software issues, but from gaping errors that leave the safe door open and the crown jewels exposed. After years of efforts to shore up election security across the United States, state and local awareness about cybersecurity issues has improved significantly. But as this year’s US election quickly approaches, the findings reflect the reality that there are always more oversights to catch.
If it seems like there’s suddenly a whole lot more data breaches, you may be right. The popularity of infostealer is a reason for the apparent spike. These types of malicious software are increasingly being used by cybercriminals to scoop up as many login credentials and other sensitive data as possible. Criminal hacker forums allow for the sale of stolen data and the break-in of victims’ accounts that can include large corporations. It is a good reminder to allow multi-factorauthentication anywhere it is available.
Privacy, Security and Reporter-Swap: RayV Lite, Black Hat, Defcon, and Other News from WIRED
The history of confidential FBI informants is long and sordid—and ongoing. A WIRED investigation published this week revealed how one informant infiltrated far-right groups and turned over their secrets to the Feds—all while pushing hateful ideologies that helped inspire a new generation of violent extremists online.
Hacking computers with lasers has always been a rich person’s game—until now. Sam and Larry went to work releasing an open source laser hacking tool called RayV lite, which is a tiny fraction of the cost of traditional laser equipment for hardware hacking. The pair will be detailing the RayV Lite at the Black Hat security conference next week in Las Vegas. We’ll be on the ground for Black Hat and Defcon, which will be happening in Vegas next week, so check back for our full coverage starting on Tuesday.
But there is more, and it isn’t all. We did not cover all the privacy and security news in depth. Click the headlines to read the full stories. Stay safe out there.
Source: US Hands Over Russian Cybercriminals in WSJ Reporter Prisoner Swap
A US-US Prisoner Swap Settlement During a Wall Street Journal Reporter Break-up: Roman Seleznev, a Democrat, and a Texas Attorney General
In a historic prisoner swap between Russia and the US, two people were freed from Russian jails, including a Wall Street Journal reporter. The White House said a secret deal involved 24 prisoners including 16 who were moved from Russia to the west and eight who were moved from the west to Russia. NBC News reports this is likely the first time the US has released international hackers in a prisoner exchange.
Roman Seleznev is one of the two Russian hackers. Seleznev was sentenced in 2017 to 27 years in prison for racketeering convictions. According to the US Department of Justice, he installed malware on point-of-sale systems software that allowed him to steal millions of credit card numbers from more than 500 US businesses. In September 2023, Klyushin was sentenced to nine years in prison for what US prosecutors described as a “$93 million hack-to-trade conspiracy.”
Meta, the parent company of Facebook and Instagram, will pay $1.4 billion to settle a lawsuit brought by the Texas attorney general, whose office accused the social media behemoth of illegally capturing the biometric data of millions of Texans. The state sued Meta over a feature that used face recognition to suggest who to tag in photos and video uploaded to social networking site Facebook. Prosecutors say the feature, initially called Tag Suggestions, violated a Texas law that makes it illegal for companies to capture and profit from someone’s biometric identifiers without their consent. While Meta did not admit to any wrongdoing as part of the agreement, according to Texas attorney general Ken Paxton’s office, it’s the single largest privacy settlement ever obtained by a state.
Source: US Hands Over Russian Cybercriminals in WSJ Reporter Prisoner Swap
Microsoft Azure Outage Aware of a Distributed Denial-of-Service Attack on an E-commerce Site, As Confirmed by PCMag
The tech company revealed on Wednesday that a widespread Microsoft Azure outage that affected a range of services was caused by a cyberattack. An incident lasting approximately eight hours on Tuesday, affected a subset of customers around the world.
A distributed denial of service is a malicious attack on a target company by hackers that overloads its infrastructure with internet traffic. According to PCMag, two hacktivist groups have claimed responsibility. Microsoft plans on publishing a review of the incident.