As recently as Monday, computer servers that powered Kentucky’s online voter registration and Wisconsin’s reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky’s was accessible from other Eastern European countries. The service, known as FTP, provides public access to files — sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states’ infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica’s inquiries. Kentucky left its password-free service running and said ProPublica didn’t understand its approach to security.
The states’ reliance on FTP highlights the uneven security practices in online election systems just days before the midterm elections. In September, ProPublica reported that more than one-third of counties overseeing closely contested elections for congressional seats ran email systems that could make it easy for hackers to log in and steal potentially sensitive information.
… “FTP is a 40-year-old protocol that is insecure and not being retired quickly enough,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. “Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change.”
The mere presence of superfluous services on a public server, such as FTP, raises the risk of a hacker gaining access to sensitive configuration details about the server, Hall said. “Unnecessary services like FTP,” he said, can be used to cripple a server by bombarding it with traffic — known as a distributed denial of service attack — or allow hackers to break into other computers on the same network. Secure FTP services, or SFTP, which were introduced more recently, should be used instead, Hall said.