

📰 Investigation Finds 'Little Oversight' Over Crucial Supply Chain for US Election Software


News section: 📰 IT Security News
🔗 Source: news.slashdot.org

Politico reports U.S. states have no uniform way of policing the use of overseas subcontractors in election technology, "let alone to understand which individual software components make up a piece of code." For example, to replace New Hampshire's old voter registration database, state election officials "turned to one of the best — and only — choices on the market," Politico: "a small, Connecticut-based IT firm that was just getting into election software."

But last fall, as the new company, WSD Digital, raced to complete the project, New Hampshire officials made an unsettling discovery: The firm had offshored part of the work. That meant unknown coders outside the U.S. had access to the software that would determine which New Hampshirites would be welcome at the polls this November.

The revelation prompted the state to take a precaution that is rare among election officials: It hired a forensic firm to scour the technology for signs that hackers had hidden malware deep inside the coding supply chain. The probe unearthed some unwelcome surprises: software misconfigured to connect to servers in Russia ["probably by accident," they write later] and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter, according to a person familiar with the examination and granted anonymity because they were not authorized to speak about it...

New Hampshire officials say the scan revealed another issue: A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv. None of the findings amounted to evidence of wrongdoing, the officials said, and the company resolved the issues before the new database came into use ahead of the presidential vote this spring.

This was "a disaster averted," said the person familiar with the probe, citing the risk that hackers could have exploited the first two issues to surreptitiously edit the state's voter rolls, or use them and the presence of the Ukrainian national anthem to stoke election conspiracies. [Though WSD only maintains one other state's voter registration database — Vermont] the supply-chain scare in New Hampshire — which has not been reported before — underscores a broader vulnerability in the U.S. election system, POLITICO found during a six-month-long investigation: There is little oversight of the supply chain that produces crucial election software, leaving financially strapped state and county offices to do the best they can with scant resources and expertise.

The technology vendors who build software used on Election Day face razor-thin profit margins in a market that is unforgiving commercially and toxic politically. That provides little room for needed investments in security, POLITICO found. It also leaves states with minimal leverage over underperforming vendors, who provide them with everything from software to check in Americans at their polling stations to voting machines and election night reporting systems. Many states lack a uniform or rigorous system to verify what goes into software used on Election Day and whether it is secure.

The article also points out that many state and federal election officials "insist there has been significant progress" since 2016, with more regular state-federal communication. "The Cybersecurity and Infrastructure Security Agency, now the lead federal agency on election security, didn't even exist back then.

"Perhaps most importantly, more than 95% of U.S. voters now vote by hand or on machines that leave some type of paper trail, which officials can audit after Election Day."
