KSU E-voting Breach More Serious Than Public Was Informed
(APN) ATLANTA — A recent interview with Logan Lamb, 29, the man who breached highly sensitive election data in Georgia, published by the Politico news service, reveals that the reported breach, involving the Kennesaw State University Center for Election Systems (KSU CES) website, is much more serious than the University previously stated.
The so-called “hacker” was Logan Lamb, an Internet security employee working for a private internet security firm in Georgia. He is a former cyber-security researcher with the federal government’s Oak Ridge National Laboratory in Tennessee.
In August 2016, after reports that Russian hackers were probing voter registration databases in dozens of states, Lamb decided to independently assess the security of the State of Georgia’s voting systems.
Lamb, while looking through a public KSU CES website, found folders of voting system files that could be accessed to hack an election.
Lamb found “a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot,” according to Politico.
There also appeared to be databases for the so-called GEMS servers (Global Election Management Systems), which are used to prepare paper and electronic ballots, tabulate votes, and produce summaries of vote totals, according to Politico.
He downloaded some fifteen gigabytes of data that included the voter registration database containing names, addresses, and Social Security numbers for 6.7 million voters.
Deja vu; this brings back memories of a similar, unrelated incident. In 2015, Secretary of State Brian Kemp’s office accidentally released over six million Georgia voters’ Social Security numbers, dates of birth, and driver’s license numbers to unauthorized individuals.
Lamb also noticed KSU was using an out-of-date version of the Drupal content management system with a major security flaw called “Drupageddon” that allows intruders to take control of a site that uses the software.
Lamb was concerned that hackers could potentially alter software files prior to the U.S. Presidential Election, depending on where those files were kept.
Lamb says he reported the information to Merle King, Executive Director of KSU CES, and thought the server would be fixed before the Presidential Election, but it wasn’t.
King pressed Lamb to not talk about the issue with anyone, especially the news media.
According to the Politico report, Lamb claims that King said to him: “It would be best if you were to drop this now,” adding, if Lamb did talk, “the people downtown, the politicians … would crush” Lamb.
King did not report the security breach to the SOS.
On March 01, 2017, Chris Grayson, a colleague of Mr. Lamb, found the same files Lamb had found and an unencrypted version of Drupal that was still vulnerable. Grayson contacted KSU.
Soon afterward, the information got out to the media and the March 01 breach became public knowledge. However, KSU did not make clear how serious the breach was, that the Center’s website was still vulnerable, or that there had been a previous known breach.
“KSU is working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems,” KSU stated at the time.
“Because this involves a pending criminal investigation KSU will have no further comment on this matter and any inquiries should be addressed to the US Attorney’s Office,” KSU stated at the time.
“There is an ongoing investigation and I don’t have any information. I would be glad to share what I’ve got but I don’t have any,” Bob Page with the U.S. Attorney’s office in Atlanta told APN at the time.
According to Politico, the Federal Bureau of Investigation (FBI) investigated the incident, determined that Lamb and Grayson had not committed a crime, and told them to delete the files they collected, which they did.
Previously, APN made an Open Records request to the Georgia Secretary of State’s office, requesting:
“Per the Georgia Open Records Act, Atlanta Progressive News hereby requests any and all reports produced by the Federal Bureau of Investigations in their investigation related to the breach of a server at Kennesaw State University on May 1, 2017; as well as any correspondence related to said reports, that are in the custody of Secretary of State Brian Kemp,” APN requested on May 27, 2017.
Kevin Rayburn, Assistant General Counsel for Kemp’s Elections Division, responded that there were no responsive documents, with the exception of a similar request by Garland Favorito, an E-voting critic and activist in Atlanta.
“They did not provide us with any written report of the investigation,” Candice Broce, press secretary for Kemp, told APN.
“During the investigation, we were on a need to know basis. We were made aware of them not finding wrongdoing,” Broce said, explaining why they provided no report to APN.
“We have been asked by U.S. Attorney and the FBI to send media inquiries their way,” Broce said.
Previously, APN sent a Freedom of Information Act request by email to Bob Page, Public Affairs Officer, who referred APN to a Justice Department website to complete a FOIA request form. APN will be filing the FOIA request form.
If an intruder altered the files to record votes incorrectly, officials may never know it, because there is no verifiable paper trail.
Georgia election officials have defended their security practices despite years of reports from computer security experts about significant security problems.
The most recent red flag was a letter from twenty computer experts from across the U.S. to Secretary Kemp, urging him to move immediately to verifiable elections and away from sixteen years of faith-based E-voting.
Last year, in 2016, the Department of Homeland Security offered to help secure state election systems after reports that Russia was trying to hack into the election.
Georgia was the only U.S. state to reject that offer. Pennsylvania had previously been reported to have rejected the offer, but in fact did accept federal assistance.
Russian military intelligence executed a cyber attack on at least one U.S. voting software supplier and sent spear-phishing emails to more than one hundred local election officials days before the November election, according to The Intercept news service, relying on information provided by Georgia whistleblower Reality Winner.
Russians executed cyber espionage operations against a U.S. company in August 2016 to obtain information on election-related software and hardware solutions.
They likely used the data to create a new email account and launch a voter-registration-themed spear-phishing campaign targeting U.S. local government organizations, according to an NSA document.
“Russian cyberattacks on the U.S. electoral system before the election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems… in a total of 39 states,” according to Bloomberg news. They tried to delete or alter voter data in one state.
Garland Favorito, VoterGa.org and many others have raised the issues of transparency, security and the need for a verifiable paper audit since 2002, but all these red-flag warnings have been ignored by the SOS.
Many computer experts agree that Georgia has the worst E-voting machines in the country.
Garland Favorito of VoterGA provided APN with a security assessment that was prepared by the KSU Information Security Office (UNITS) after the second breach.
As previously reported by APN, several plaintiffs filed an injunction seeking to prevent the U.S. Congressional Sixth District race between Jon Ossoff (D) and Karen Handel (R) from using the touch screen machines and to use paper ballots instead.
However, Fulton County Superior Court Judge Kimberly Esmond Adams ruled against the injunction and dismissed the case based on sovereign immunity.