by Kate Howard, Kentucky Center for Investigative Reporting
November 2, 2018
As recently as Monday, computer servers that powered Kentucky’s online voter registration and Wisconsin’s reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password.The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky’s was accessible from other Eastern European countries.
The service, known as FTP, provides public access to files — sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives.
Officials in both states said that voter-registration data has not been compromised and that their states’ infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica’s inquiries. Kentucky left its password-free service running and said ProPublica didn’t understand its approach to security.
The states’ reliance on FTP highlights the uneven security practices in online election systems just days before the midterm elections. In September, ProPublica reported that more than one-third of counties overseeing closely contested elections for congressional seats ran email systems that could make it easy for hackers to log in and steal potentially sensitive information.
Some states remain hampered by bureaucratic disagreements, or regard other needs as more pressing. If intruders were able to gain access to election-related server files, for instance, they could prevent people from registering to vote, compromise unofficial tallies or direct voters to the wrong polling place. Those actions could potentially sow chaos on Election Day and raise questions as to whether the vote was legitimate.
“FTP is a 40-year-old protocol that is insecure and not being retired quickly enough,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. “Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change.”
The mere presence of superfluous services on a public server, such as FTP, raises the risk of a hacker gaining access to sensitive configuration details about the server, Hall said. “Unnecessary services like FTP,” he said, can be used to cripple a server by bombarding it with traffic — known as a distributed denial of service attack — or allow hackers to break into other computers on the same network. Secure FTP services, or SFTP, which were introduced more recently, should be used instead, Hall said.
In March 2017, the FBI warned of “criminal actors” targeting FTP servers that allow access to anyone on the internet without a password. This year, the website DataBreaches.net said a security researcher discovered an FTP server was configured in a similar manner and accidentally exposed the details of more than 200,000 patients.
Using a list of internet addresses for websites run by each state’s election agency, ProPublica scanned them for open “ports,” or virtual doors, which allow any computer on the internet to access them. Those ports can reveal some of the software a server is running, such as a website or FTP.
The FTP server in Wisconsin required a password. Kentucky’s didn’t. In addition, ProPublica found Maine’s FTP service on the same internet address as a state website that directs voters to their local polling places. But Kristen Schulze Muszynski, a spokeswoman for the Maine secretary of state, said the FTP service ran on a computer server separately from the lookup tool. It “never jeopardized Maine’s election process, and at no time was voter data at risk of being manipulated,” she said.
Several other states appear to have open FTP ports that weren’t operating. In one of those states, West Virginia, Chief Information Officer David Tackett said FTP services are protected behind a firewall.
Cyberattacks on state election systems marred the 2016 campaign. For example, special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials say was very likely an attack on its voter registration database that exposed the personal details of thousands of people. A hacker’s ability to alter unofficial or early voting results was “a very real threat” ahead of the 2016 election, former Homeland Security Secretary Jeh Johnson testified in March before a Senate intelligence panel.
The Wisconsin Elections Commission revealed in September 2017 that the U.S. Department of Homeland Security notified it of an unsuccessful Russian hacking attempt the previous year that involved scanning for computer system vulnerabilities. Commission spokesman Reid Magney said the Russians did not scan the state’s “commercially-hosted agency websites,” including the commission’s site.
Major search engines like Google often prominently post voting results gathered automatically from state election commission sites. Magney said Wisconsin’s website ran an FTP service for years because the hosting provider, Cruiskeen Consulting, never turned it off. Cruiskeen is a mostly one-person operation that sometimes uses freelance consultants, according to its website.
Asked if Cruiskeen has ever alerted officials about suspicious activity or unauthorized access attempts, Magney said: “Cruiskeen does a lot of monitoring for unsuccessful login attempts and blocks them at the firewall. They also check the logs regularly for suspicious activity.” The same internet address previously hosted commercial websites like BoutiqueLiquidators.com.
Cruiskeen did not return phone calls or messages from ProPublica this week seeking comment. Magney said the owner is retiring soon, and the state plans to transfer the election-results website to a state-run computer system.
As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.
Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said.
“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.”
ProPublica’s Electionland project covers problems at the polls that prevent people from voting. If you experience or witness something on Election Day, let us know at https://www.propublica.org/electionland
Mike Tigas and Ken Schwencke contributed to this report.
For more coverage, read ProPublica’s previous reporting on elections.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.