Voting machine vendor firewall config, passwords posted on public support forum

"This is gold" for a nation-state attacker that wanted to hack an election.

Election 2016 teaser - Electronic voting security

A sysadmin at a leading voting machine vendor posted a firewall configuration file, including passwords, into a public Cisco support forum in 2011, opening the company up to possible attack. 

The config files expose a wealth of information useful to an attacker, including domain name, hostname, and ASA version number. While there is no evidence that the voting machine vendor was compromised, this accidental leakage of information is "juicy intelligence," Dan Tentler, founder and CEO of Phobos Group, an attack simulation security company, tells CSO.

"If you have a crack team of cat burglar types and they're all going to break into a building, this firewall configuration file is the equivalent of finding the floor plan of the building they are planning to break into," Tentler says.

Compromising the software supply chain of a voting machine vendor would be a years-long undertaking, requiring careful planning and long-term persistence in the company's network. It remains unclear if this "floor plan" was ever used by an attacker as the voting machine vendor has not answered that question with forensic certainty.

One of the ASA devices appears to be a firewall on the company's development and testing network ("devtestnet"). An attacker who used this intelligence to compromise the voting machine vendor's network could have used factory backdoors ("remote access software") to hack voting machines. They could have implanted subtle firmware backdoors or engaged in spearphishing attacks against local election officials.

A nation-state attacker could also have copied the voting machine source code and used it to look for security flaws. "The voting machine vendors...are certainly on the radar of powerful attackers, including nation-state adversaries," Alex Halderman, a professor of computer science at the University of Michigan, and an expert of voting machine security, tells CSO. "The networks they are using for developing, testing, and debugging election system software are likely to be probed by attackers who would want to weaken the security of our elections."

"If you can get into one of these vendors," he adds, "take the source code to the voting machines, that's of enormous advantage to someone who wants to attack them."

In the forum postings, which are still public at the time of this writing, the voting machine vendor employee asked for help configuring a Cisco ASA 5505 — a firewall appliance — and includes sensitive details about the company's internal network layout, as well as passwords (likely the default passwords), writing, "Here is my running config." 

Both encrypted passwords appearing in that forum post also appear in the Cisco ASA manual.

In one forum post, the employee asks for help:

I am trying to set up a DMZ with an inside VLAN to transfer SFTP (SSH) securely. I can't get the inside pc to connect to the SFTP (SSH) server. I have bought and activated the Security upgrade My DMZ server is [REDACTED BY CSO]. My PC trying to go from the inside to the DMZ is [REDACTED BY CSO].

The employee continues to ask for help, writing in another forum post, "I would like to tighten up the security on my Firewall. Can I remove my ‘any any’ statements in my access lists? Here's my config."

It's possible, of course, that the sysadmin changed the passwords before posting to the Cisco support forum, although the language used ("Here is my running config") suggests otherwise. It's also possible the passwords were changed afterwards.

Even if the passwords were never valid, this firewall config gives an attacker valuable intelligence. "This information is very useful for an attacker that is targeting this organization with a political goal in mind," Tentler says. "If Russia found this and was deciding to target this organization, this is gold."

CSO found what we believe to be the employee’s LinkedIn profile, which shows the employee no longer works for the company. Neither the voting machine vendor nor the former employee responded to our press enquiries.

"I hope that [the voting machine vendor] has implemented vastly better security training since 2011 in order to avoid further security leaks of this nature," Halderman says, "but nothing that I have seen would lead me to believe their security has improved to the level necessary to fend off nation-state adversaries."

Security Smart: 4 Common Password Myths ... Debunked!