Elections and Voting Summit Joseph Kiniry: Technical Tradeoffs


Last January I attended the annual Elections and Voting Summit. I was most interested in a presentation by Joseph Kiniry on Technical Tradeoffs. It is a relatively brief presentation, with some important deep ideas: online voting convenience vs. risks, transparent systems vs. proprietary rights, etc.

New South Wales wails: Researchers find flaws in Internet voting system


New South Wales, Australia is holding an election with a significant number of online votes. Researchers point out several concerns:

  • Votes could have been easily changed with nobody the wiser.
  • The touted user verification has its own flaws.
  • The system was taken down to fix (correct) the ballot.
  • The source code is not disclosed, so there is no means to assess its vulnerabilities.

Read the summary report and the researchers' response to the response/criticisms from New South Wales officials <read>

As the summary concludes, this is not the first time flaws and risks have been exposed in Internet voting schemes:

The vulnerability to the FREAK attack [name for the particular attack mechanism demonstrated] illustrates once again why Internet Voting is hard to do securely. The system has been in development for years, but FREAK was announced only a couple of weeks before the election. Perhaps there wasn’t time to thoroughly retest the iVote system for exposure. We can bet that there are one or more major HTTPS vulnerabilities waiting to be discovered (and perhaps already known to sophisticated attackers). Verification is a vital safeguard against such unknown problems, but at best it detects problems rather than preventing them.

To election security researchers, these problems aren’t surprising. We’ve already seen dire security problems with Internet voting in Estonia and Washington, D.C. Securing Internet voting requires solving some of the hardest problems in computer security, and even the smallest mistakes can undermine the integrity of the election result. That’s why most experts agree that Internet voting cannot be adequately secured with current technology.

WNPR Where We Live: Inside Cyber Security


Yesterday, Where We Live, with John Dankoski, was a discussion of Cyber Security for consumers and business. Listen to the program here <podcast>

At about 17:49 into the show, I called in and reminded John Dankoski of the Secretary of the State’s Symposium on Online Voting that he moderated just over three years ago. The Symposium was intended for legislators. Only three actually attended.

To little avail, the legislature twice passed Internet voting for military and overseas voters – every time a business, government agency, or the Military is hacked it gets less and less believable that Internet voting is safe for democracy, less and less believable that the State or all of our 169 towns can defend Internet voting from attackers.

In response to my comment, Professor Bryan Ford of Yale, gave a very thorough summary of the potential risks of Internet voting.

The whole show is a great summary of the wide range of risks to consumers and the challenges to our infrastructure, specifically utilities.

General Assembly ready to protect everything Internet. Except voting?


Hartford Courant article yesterday: Drones, Privacy: Legislative Issues Reflect Changing Times <read>

The coming legislative session is likely to be dominated by the usual fights over taxes and spending. But lawmakers are also poised to ponder other issues that reflect changes in the social fabric propelled by technology.

From protecting student privacy from firms seeking to access a burgeoning trove of educational data to regulating smartphone – based car services such as Uber to a bold future of drones and driverless cars, the General Assembly could be asked to craft public policy on concepts that scarcely existed a few years ago…

Rep. Vin Candelora, the deputy leader of the House Republican caucus, said that in many ways these are the issues that define our times. “I really think issues are as big as the budget. One is dealing with our fiscal health but these are dealing with the health of our society,” he said.

“The big theme here is data collection. What are people’s rights to privacy? Once information gets out on the Internet, it can never be taken back,”

In 2013 the Legislature unanimously passed Internet voting for the second time. It was vetoed the first time, for good reason, by Governor Malloy, yet signed inexplicably the second time. It would force the Secretary of the State and 169 towns individually to do what the State, the U.S. Government (including the Military), retailers, and big banks, not to mention Sony, have failed to do: defy science and secure the Internet. <read our past stories on Internet voting here>

Time to ask your legislator: “If Internet banking attacks annually cost banks billions, and Sony cannot protect its email from North Korea, how can you expect our town registrars to protect Internet voting? Who will pay for an election debacle?”

Some related good news:

Congress, in spite of gridlock, takes the time to repeal a 2002 law calling for Internet voting experiments. Isn’t it time for the General Assembly to follow suit?

Last week the National Defense Authorization Act contained a small provision appreciated by voting integrity advocates, repealing a mandate for a demonstration project for Internet voting:

FY 15 NDAA Bill Text (RULES COMMITTEE PRINT 113–58 HOUSE AMENDMENT TO THE TEXT OF S. 1847)  (now Act):

“SEC. 593. REPEAL OF ELECTRONIC VOTING DEMONSTRATION PROJECT.

Section 1604 of the National Defense Authorization Act for Fiscal Year 2002 (Public Law 107–107; 52 U.S.C. 20301 note) is repealed.”

Joint Explanatory Statement (JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2015, which accompanies the Act):

Repeal of electronic voting demonstration project (sec. 593)

The Senate committee-reported bill contained a provision (sec. 1076) that would repeal section 1604 of the National Defense Authorization Act for Fiscal Year 2002 (Public Law 107-107) that requires the Secretary of Defense to carry out an electronic voting demonstration project. The House bill contained no similar provision. The agreement includes this provision.

Advocates have long worked to have the act repealed and to get the FVAP to reveal results of a study of Internet voting. As we posted last September: What is FVAP hiding? Whom if anyone are they assisting?

Hopefully, it won’t take 12 years for Connecticut to understand the risks of Internet voting and repeal its risky 2013 law.

Will it take a Pearl Harbor or 9/11 for Internet security (and voting integrity)?


To err is human,  to react without thinking is to compound the err

A thoughtful post at the NY Times, that deserves a better title: Hacked vs. Hackers: Game On <read>

The problem, Mr. Kocher and security experts reason, is a lack of liability and urgency. The Internet is still largely held together with Band-Aid fixes. Computer security is not well regulated, even as enormous amounts of private, medical and financial data and the nation’s computerized critical infrastructure — oil pipelines, railroad tracks, water treatment facilities and the power grid — move online.

After a year of record-setting hacking incidents, companies and consumers are finally learning how to defend themselves and are altering how they approach computer security.

If a stunning number of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits and a cutback in air travel, and the airlines’ stock prices would most likely plummet. That has not been true for hacking attacks, which surged 62 percent last year, according to the security company Symantec. As for long-term consequences, Home Depot, which suffered the worst security breach of any retailer in history this year, has seen its stock float to a high point.

In a speech two years ago, Leon E. Panetta, the former defense secretary, predicted it would take a “cyber-Pearl Harbor” — a crippling attack that would cause physical destruction and loss of life — to wake up the nation to the vulnerabilities in its computer systems.

No such attack has occurred. Nonetheless, at every level, there has been an awakening that the threats are real and growing worse, and that the prevailing “patch and pray” approach to computer security simply will not do.

I agree that the problem is huge.  We should hope that it does not take an attack like Pearl Harbor or 9/11 to change things. How would World War II have gone without Pearl Harbor – I suspect not much different. I am not a historian. I was not alive then, but overall our reaction to Pearl Harbor was on balance justified, appropriate, and successful.  I do not think that 9/11 worked out that way, our wars “of choice” in Iraq and Afghanistan have yet to be successful, have been arguably unjustified and inappropriate as well. They certainly have been costly with no end in sight. When it comes to security, again the Patriot Act was a knee-jerk reaction, with every wishlist item of the security state fulfilled. It is questionable that the fortune and liberties we have sacrificed have been worth it or that all in all we are safer.

The goal should be to solve a problem of huge risk, without requiring a catastrophe, without attacking others, spending what is necessary and moving on.

That has happened once that I know of. It was called Y2K, a disaster avoided, a significant yet limited expense. Y2K was real; those warning about it in the late 1980’s were ignored for many years. The ultimate risk was overblown by the media, then when all went well we had years of pooh-poohing the risk as overblown. For the record, I was a Y2K contractor for a bit over two years for three companies – I did small jobs that needed to be accomplished, where I was uniquely qualified. There were excesses. In fact, I helped save a client from a wasteful proposal. Yet overall we solved and prevented a problem that could have been avoided at a lower cost if more leaders had listened to those who warned us early. Even now, occasionally someone in a discussion will complain about “all the money computer programmers took home working on Y2K”, as if that caused our deficit. Yet it is worth it to me to know that a real problem was avoided, despite the occasional uninformed criticism.

Yet as this article points out, we have already paid a huge, largely unrecognized price for Internet vulnerability:

The Wake-Up Call
A bleak recap: In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. And in just the last week Sony Pictures Entertainment had to take computer systems offline because of an aggressive attack on its network.

The impact on consumers has been vast. Last year, over 552 million people had their identities stolen, according to Symantec, and nearly 25,000 Americans had sensitive health information compromised — every day — according to the Department of Health and Human Services. Over half of Americans, including President Obama, had to have their credit cards replaced at least once because of a breach, according to the Ponemon Group, an independent research organization.

But the value of those stolen credit cards, which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of United States corporations, universities and research groups by hackers in China — so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked.

And this year, American companies learned it was not just Beijing they were up against. Thanks to revelations by the former intelligence agency contractor Edward J. Snowden, companies worry about protecting their networks from their own government. If the tech sector cannot persuade foreign customers that their data is safe from the National Security Agency, the tech industry analysis firm Forrester Research predicts that America’s cloud computing industry stands to lose $180 billion — a quarter of its current revenue — over the next two years to competitors abroad.

Finally, let us also not forget the twin risks of doing nothing and doing too much of the wrong thing, apply as Connecticut tackles our voting system which may have had a wake up call this November, but nothing like Pearl Harbor or 9/11. On 9/11, I had a temporary pass to enter the World Trade Center and had friends that worked there – what happened in Hartford on November 4th, and the Courant not getting all the results that night was no 9/11.

Cyber Risk to Power – Is not just electricity and gas


Utility Regulator Arthur House writes on cyber risks and precautions for utilities in a Hartford Courant Op-ed: Cyber Defense Requires National Coordination <read>

It does not take an overactive imagination to picture the fallout from a cyber attack on an American public utility. The consequences of knocking out the generation and/or distribution of electricity, water, natural gas or communications could ripple so far and wide, it could be considered an act of war. No wonder that some call the efforts that nations, individuals and groups make to “test” our systems and conduct intrusions “battlefield preparations.”

Our intelligence community and the Federal Energy Regulatory Commission are rightly concerned about cyber threats to our public utilities. As with air travel and financial services, the relatively open United States is vulnerable to an array of dangers involving computer management.

Intrusions are increasing in frequency and sophistication and reported in the media. Perpetrators include those with ties to countries that have little commitment to, or even disdain for, cyber security. Individuals and groups can be particularly dangerous, because they do not fear the consequences that might befall a nation.

There is a gap between those at the federal level who are actively engaged against cyber threats and those in states who oversee public utilities and are trying to understand and develop approaches to the problem…

Using federal expertise and experience, the regulators and the utilities can jointly establish cyber security standards — covering modernizing management practices, vetting personnel, establishing cultures of security, implementing software defenses, ensuring physical security and participating in trade association cyber defense programs

We wrote a letter to the editor, posted online and slightly modified by the Courant, still containing one of our typos: Cyber Risks To Voting As Well <read>

Arthur House’s July 21 op-ed, “Cyber Attacks Require National Coordination,” articulates the cyber risks to our power utilities, as should be expected from a former director of communications for the director of national intelligence.

Yet, voters and the legislature should be concerned beyond physical power. Cyber risks are just as threatening to political power — the power to vote and to choose our government.

Twice the Connecticut legislature has unanimously passed Internet voting. For good reasons the governor vetoed it in 2012, yet inexplicably signed it in 2013. Many computer scientists and security experts oppose Internet voting because it cannot be made safe. Internet voting has been discredited by a Department of Defense study, security experts from the Department of Homeland Security, and the National Institute of Standards and Technology. Thoughtful leaders of all persuasions oppose Internet voting, including Secretary of the State Denise Merrill and former Federal Elections Commission member Hans von Spakovsky of the Heritage Foundation.

Mr. House’s central point is that, without federal expertise and assistance, cyber security is beyond the capabilities of state government and utilities. It follows that Internet voting cannot be accomplished safely by the state and each of our 169 municipalities.

Meanwhile, in Utah, they plan wider adoption of Internet voting. The only advantage over Connecticut is that they recognize some of the risks and plan on studying them before they move forward: State committee studying feasibility of extending online voting to more Utahns <read>

Utah Director of Elections Mark Thomas said making online voting available more widely could be a challenge.

“The lieutenant governor wanted to look at if we were to expand that, what are some of the hurdles,” Thomas said. “It would be nice to have kind of a road map on where to go, what are the landmines we need to be aware of.”

The biggest issue, he said, is security.

“Security is going to be No. 1. Part of the reason security is such a big issue is because you have the issue of a secret ballot. If I cast my ballot online, it can’t be able to be traced back to me. That’s my constitutional protection,” Thomas said.

The hope is that the lieutenant governor’s iVote Advisory Committee that began meeting earlier this month will have identified a half-dozen or so issues associated with statewide online voting before the 2015 Legislature starts in January, he said.

At that point, the next step may be hiring security experts to tackle those issues, Thomas said.

“We certainly aren’t going to, by the end of the year, have this all figured out and put to bed,” he said. “There are some very complicated issues.”

Another member of the new committee, Salt Lake County Clerk Sherrie Swensen, also questions whether Utahns will be voting online anytime soon.

“I hope that sometime in the future it will be something that happens,” Swensen said. “I admire the lieutenant governor’s office for wanting to explore this and be progressive, but I think there’s a lot to overcome before we get to that point.”

Like Thomas, Swensen said she’s not sure how a system can both identify those voting online while maintaining the secrecy of their ballots. Election officials now keep the names of voters separate from their ballots.

“That’s a huge challenge,” Swensen said, along with an online system being hacked. “For all of the clever ways people figure out how to hack into various systems, I think that’s the biggest danger, if they could hack in and skew results.”

The longtime county clerk recalled the controversy over the switch in recent years to electronic voting machines that aren’t connected to the Internet. The public’s concern was eased by the paper trail created by the machines, Swensen said.

The paper records are audited each election and could be used to tabulate the results if the machines were to malfunction.

“We could recreate an entire election,” she said.

Carter Center: Study of Norway’s Internet Voting


A recent post brought the Carter Center’s report to our attention: Expert Study Mission Report, The Carter Center Internet Voting Pilot: Norway’s 2013 Parliamentary Elections. <.pdf> The Carter Center report is highly enlightening, covering Norway’s pilot, Internet voting in general, and the challenges of credible observation of elections.

Today we highlight Scott M. Fulton’s thoughtful post based on the report: Scytl e-voting exposes the dangers of automating a democracy <read>

The truth is, any forward progress we make toward better communication with one another, toward social awareness, toward even expanded conscience of the world around us, can only be accomplished by each of us individually. Technology can empower us to do that, or to do the precise opposite. It is neither to credit nor to blame.

But the corollary to that principle is this, and it is a caution I try to repeat as often as possible: Because technology has no inherent polarization toward progress, simply applying it to a problem does not solve it…

The process of voting in Norway, according to that [Carter Center] report, was not at all dissimilar to the way B-52 bombers were told to attack Moscow in the movie Dr. Strangelove:

In order to vote, a voter had to register their mobile phone with a centralized government register (one could do so online while the voting was underway). The voter should have also received a special card… delivered through the postal service, with personalized numeric return codes. These cards provided the voter a list of four-digit numbers corresponding to each party running for election. The four-digit numbers were randomly assigned for every voter so that, for example, any two voters who wanted to cast their vote for Labour would unlikely have the same return codes associated to the Labour party.

The Carter Center charted the conceptual model of the technology involved:

Imagine your local school board election being charted by a process model this complex. Consider the degree to which people who are already disenchanted by the whole concept of contributing their 1/10,000 of a preference, will simply avoid the process altogether. Maybe this fact alone is what makes it so attractive to people in the election business.

As someone who has regularly sat next to security engineers, I look at a chart like this and see a gold mine of potential exploits–handoffs, air-gaps, SMS as the communications medium. Perhaps Scytl’s system is lock-tight today, but the very fact of its complexity, coupled with its wide-ranging impact on the public, makes it an automatic target. How long before such a system is cracked once, someplace in the world? And when that happens, how many other elections’ veracity will be called into question? How many Bush v. Gore cases will this nation withstand?

The Carter Center report goes into further details that add to the understanding of the complexity of the system. Thinking about each part, it is easy to speculate on the risks of attack, especially attacks by insiders – public employees, personnel from the system vendor, and various network support contractors. Add to that the near impossibility of independent verification of every possible critical point, along with the impossibility of public trust in any such complex and technically sophisticated evaluation.
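The return-code mechanism quoted above (a per-voter, randomly assigned four-digit code for each party, printed on a mailed card and echoed back after the vote is recorded) is easier to reason about in code. The following simulation is an added example, not code from the Carter Center, Scytl or the Norwegian pilot; the party list, the voter names, the `ElectionServer` class and the “vote arrives altered” scenario are all constructed here for illustration. It shows what the check can and cannot do: a vote that reaches the server altered produces a code the voter does not recognize, two voters who choose the same party hold different codes, but the wrongly recorded vote is still stored. Detection, not prevention, as the FREAK passage earlier on this page put it.

```python
"""Simulation of the per-voter return-code check used in Norway's 2013 Internet
voting pilot. Added example; not Carter Center, Scytl or Norwegian pilot code."""
import random
import secrets
from dataclasses import dataclass

# Constructed party list; the real ballot had more parties, and the real codes
# arrived on a card sent through the post.
PARTIES = ["Labour", "Conservative", "Centre", "Green"]


@dataclass(frozen=True)
class ReturnCodeCard:
    """The mailed card: one 4-digit code per party, drawn afresh for this voter."""
    voter_id: str
    codes: dict  # party name -> "NNNN"


def issue_card(voter_id, parties=PARTIES, rng=None):
    """Assign every party a random 4-digit code that is distinct within the card."""
    rng = rng or secrets.SystemRandom()
    codes = {}
    for party in parties:
        code = f"{rng.randrange(10_000):04d}"
        while code in codes.values():  # re-draw on a within-card collision
            code = f"{rng.randrange(10_000):04d}"
        codes[party] = code
    return ReturnCodeCard(voter_id, codes)


class ElectionServer:
    """Hypothetical server: holds every voter's code table and the recorded vote."""

    def __init__(self, cards):
        self.cards = {card.voter_id: card for card in cards}
        self.recorded = {}

    def cast(self, voter_id, party):
        """Record the vote as received and return the code for what was recorded
        (sent to the voter's registered phone by SMS in the pilot)."""
        self.recorded[voter_id] = party
        return self.cards[voter_id].codes[party]


def voter_verifies(card, intended_party, code_received):
    """The voter's check: does the returned code match the intended party's code?"""
    return card.codes[intended_party] == code_received


def run_pilot_simulation(seed=None):
    """An honest vote, then a vote that arrives altered; returns what each check shows."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    alice = issue_card("alice", rng=rng)
    bob = issue_card("bob", rng=rng)
    server = ElectionServer([alice, bob])

    # Honest path: the recorded vote is the intended one, so the codes match.
    honest = voter_verifies(alice, "Labour", server.cast("alice", "Labour"))

    # Constructed failure: Bob intends Labour but the choice reaching the server
    # is Green. Codes are distinct within a card, so the mismatch is certain,
    # but only if Bob actually compares the SMS against his card.
    received = server.cast("bob", "Green")
    detected = not voter_verifies(bob, "Labour", received)

    return {
        "honest_vote_verifies": honest,
        "altered_vote_detected": detected,
        "recorded_for_bob": server.recorded["bob"],  # the wrong vote is still stored
    }


def distinct_party_codes(n_voters, party, seed=0):
    """How many different codes n voters hold for the same party. Any two voters
    share a code with probability 1/10,000, so a code seen without the card
    does not reveal the party."""
    rng = random.Random(seed)
    cards = [issue_card(f"voter{i}", rng=rng) for i in range(n_voters)]
    return len({card.codes[party] for card in cards})


if __name__ == "__main__":
    print(run_pilot_simulation(seed=7))
    print(distinct_party_codes(200, "Labour"))
```

The simulation makes two of the report’s points concrete. The check depends entirely on a second channel (the postal card and the registered phone) that is separate from the computer used to vote, which is exactly the extra hand-off that Fulton’s “gold mine of potential exploits” remark is about. And `recorded_for_bob` stays `"Green"` after the mismatch: the voter learns something went wrong, but the system has no way to know which vote was intended, so the remedy is procedural (re-vote, dispute), not technical.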

Crumbling infrastructure – it’s not just highways and bridges anymore


The big news in Connecticut these days is Congress’s patched-up highway bill to continue patching up our highways, while Connecticut has the worst highway conditions in the nation. CTMirror: White House says CT roads and bridges deficient <read>

The White House issued an alarming report Monday that said 41 percent of Connecticut’s roads are in poor condition and more than 9,500 jobs in the state will be lost unless Congress acts quickly to replenish a fund that pays for a lion’s share of the state’s infrastructure construction and repair.

But we are also just as dependent on electricity and the Internet. A Washington Post editorial highlights the risks: Congress is overdue in dealing with the cybersecurity threat <read>

THE INTERNET security company Symantec revealed recently that a group of hackers known as Dragonfly infiltrated malware into legitimate software belonging to three manufacturers of industrial control systems — the stuff that controls factories and power grids. In one case, the contaminated control software was downloaded 250 times by unsuspecting users before the compromise was discovered.

This kind of cyberattack is not new, but it is audacious and dangerous. One of the first such assaults was the Stuxnet campaign, which had sabotage as its primary goal, against the Iranian nuclear program. By contrast, Dragonfly was a multi-pronged infiltrator, aimed at cyber-espionage and gaining long-term access to computers, with sabotage as a future option, perhaps flicking off the electrical power to a city or shutting down a factory. Dragonfly probably was state-sponsored from somewhere in Eastern Europe…

A torrent of cyberattacks — disruption, espionage, theft — is costing U.S. business and government billions of dollars. This is reality, not science fiction. In March, Chinese hackers broke into the U.S. government agency that houses the personal information of all federal employees.

For several years, it has been clear to many in government and the private sector that the nation needs to vastly improve protection of its private networks and that only government has the sophisticated tools to do that. But Congress has balked at legislation that would ease the necessary cooperation….

State sponsored – is that some kind of official conspiracy theory to spend gobs of money on another threat beyond terrorism? Of course that could be the result even if the threat is real. But we don’t have to believe the Government – we could read proof from the Snowden documents: Hacking Online Polls and Other Ways British Spies Seek to Control the Internet <read>

The secretive British spy agency GCHQ has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, “amplif[y]” sanctioned messages on YouTube, and censor video content judged to be “extremist.” The capabilities, detailed in documents provided by NSA whistleblower Edward Snowden, even include an old standby for pre-adolescent prank callers everywhere: A way to connect two unsuspecting phone users together in a call.

The tools were created by GCHQ’s Joint Threat Research Intelligence Group (JTRIG), and constitute some of the most startling methods of propaganda and internet deception contained within the Snowden archive. Previously disclosed documents have detailed JTRIG’s use of “fake victim blog posts,” “false flag operations,” “honey traps” and psychological manipulation to target online activists, monitor visitors to WikiLeaks, and spy on YouTube and Facebook users. [Hi English spy guys, welcome back to CTVotersCount]

Prime Minister David Cameron has justified as an “emergency” to “help keep us safe,” a newly released top-secret GCHQ document called “JTRIG Tools and Techniques” provides a comprehensive, birds-eye view of just how underhanded and invasive this unit’s operations are. The document..is designed to notify other GCHQ units of JTRIG’s “weaponised capability” when it comes to the dark internet arts, and serves as a sort of hacker’s buffet for wreaking online havoc.

Yes, nothing to worry about, just our friends the British, and probably our friend Israel is even farther along; everybody does it… ask Germany about their friend in North America. What chance is there that the Russians and Chinese are up to the same things, along with all sorts of non-government friends and non-friends as well? And of course nobody inside the U.S. Government itself would have any interest in influencing election outcomes, would they?

Internet voting, that is probably as safe and trustworthy as Facebook.

Ethical Hackers 2, Internet Voting 0


In the fall of 2010 Washington D.C. ran a brief open test of the Internet voting system it was proposing for use in that year’s November election. It was quickly hacked by a team of graduate students from the University of Michigan, led by Professor Alex Halderman. <summary and video>

Two days ago an international team of investigators including Professor Halderman and graduate students demonstrated attacks and articulated weaknesses in the Estonian voting system used by 20% to 25% of voters in their national elections. Information is all available at https://estoniaevoting.org/

The video summary is a great way to understand what they did.

What we found alarmed us. There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers that could alter votes or leave election outcomes in dispute. We have confirmed these attacks in our lab — they are real threats. We are urgently recommending that Estonia discontinue use of the system.

They easily demonstrated attacks on the election servers and on personal computers used for voting. They found additional means of attack that they could have demonstrated. While they applauded Estonia’s efforts at transparency, they found it both insufficient and that it exposed server passwords on the Internet during the voting period.

CyberDissonance? State concern of Biblical Proportions

In Connecticut, apparently, electricity is critical, but when it comes to elections the message is “What, Us Worry?”


New report from the Public Utilities Regulatory Authority highlights the risks of the power grid to cyber attack: Cyber Security and Connecticut’s Public Utilities <read>

There is a profound distance in perspective between the consumer of electricity, natural gas and water, who sees consumption as a normal, secure part of life, and the U.S. Intelligence Community, which sees threats to such consumption. The latter witnesses sophisticated, daily probes and penetrations of U.S. institutions, including not only corporate information technology networks but also regional electric distribution networks and private utilities. In the August 16, 2013 New York Times, reporter Matthew L. Wald noted that both government and private experts describe the U.S. electric grid as “the glass jaw of American industry.” Such experts fear that a successful strike by an adversary “could black out vast areas of the continent for weeks; interrupt supplies of water, gasoline, diesel fuel and fresh food; shut down communications; and create disruptions of a scale that was only hinted at by Hurricane Sandy and the attacks of September 11.”…

Efforts to hack into public utilities are significant, and by many reports, growing both in volume and sophistication. Public utility regulators and state authorities would be derelict to ignore what national security personnel call ongoing “battlefield preparation”…

The stark fact is that the United States is vulnerable; probes are active, dangerous and widespread. This national pregnability pertains directly to Connecticut. There is no option but to acknowledge this reality and resolve to resist, defend and take countermeasures to ensure operational security in our public utilities.

The report mentions the NIST (National Institute of Standards and Technology) Cybersecurity Framework and concerns within Homeland Security.

For the third year in a row, the Legislature is considering legislation that would enable Internet voting, ignoring the concerns of our Secretary of the State, the Department of Defense, and experts from NIST and Homeland Security. In 2012 Governor Malloy was concerned and vetoed the bill based on security concerns, yet in 2013 he signed a similar bill. Now the Legislature is considering a bill to eliminate our constitutional right to a secret vote. You could say the State’s concern with electoral attack is of Biblical proportions, i.e. criticizing utilities while not noticing the XP in our own systems.

*****Update 04/28*******

As we were saying, CT State computers and municipal computers running XP could be vulnerable. In fact, all computers running Microsoft Internet Explorer are vulnerable. For the latest bug, XP computers may never be “safe(*)” again. Washington Post: Hackers targeting newly discovered flaw in Internet Explorer <read>

This is the first major security disaster for users who still run Microsoft XP, the 12-year-old operating system that Microsoft discontinued support for earlier this month. The short-term solutions do not work with the old operating system, and no patches will be released to fix it.

Many federal agencies still use XP despite repeated advance warnings from Microsoft that impending discontinuance of support would leave their computers vulnerable.

About 10 percent of government computers still run XP, including thousands of computers on classified military and diplomatic networks

* Remember: all computers and browsers are vulnerable to bugs and traps as yet undiscovered by the good guys.