7 Jun 2022
Let's talk about CISA FINALLY speaking up.
Now, CISA [the Cybersecurity and Infrastructure Security Agency] has released an advisory regarding Dominion [voting machines and software]. I believe that this was just to get out ahead of the Halderman Report [Dr. Alex Halderman is Professor of Computer Science and Engineering and Director of the Center for Computer Security and Society at the University of Michigan], so they focused on what he wrote a report on, and he is listed as the researcher. I do not believe that any of the current vendors would be any better, and it is negligent on the part of CISA to ONLY put out a CVE [Common Vulnerabilities and Exposures] about Dominion. But, that being said, let's look at a few things they found about Dominion:
CISA's advisory states: "The tested version of ImageCast X [Dominion Voting Systems ImageCast X is a voting device with a touchscreen display. It can be deployed as either a ballot marking device (without tabulation capabilities) or as a Direct Recording Electronic (DRE) device that] has a Terminal Emulator application [an app that opens a command-line shell on the device itself, outside the voting application's user interface; the advisory classes it as hidden functionality] which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code." The same advisory notes that exploiting these findings requires physical access to a device, access to the Election Management System, or the ability to modify files before they are loaded onto a device.
What the heck are they thinking, that this "could be leveraged by an attacker"? How about this is intentional functionality, and [anyone with access to the device, Dominion's own engineers included, can use the terminal emulator, so] the people paying for elections to go a certain way suddenly have them go a certain way, because the DOMINION ENGINEERS have access to this same terminal emulator that THEY PROGRAMMED IN THERE IN THE FIRST PLACE! What about using this terminal emulator to elevate privileges and, oh, say, dump the votes and write a new database containing the votes they are being paid to ensure are in place? Exactly how ridiculous is it that software used to count the votes for the leader of the free world has "Easter Eggs" in it? 🤦🏼♀️
CISA's advisory states: "The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code."
So, we have a device that can be rebooted into a different mode of operation [Android Safe Mode loads only the system's own apps, so the voting application and any kiosk lock-down wrapped around it are simply not running] than the one that was tested for security by any agency or lab, before counties are sometimes even FORCED to spend taxpayer dollars on this crappy software? How many business owners are reading this? Let me know your thoughts on purchasing software to run your business, only to find out that the machines could be booted into a different mode that would allow exfiltration of your company data, or insertion of data that could hurt your business by returning false reports.
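What closing that alternate boot path and that hidden shell looks like on a locked-down Android device, as an added example that is not Dominion's code and not from the CISA advisory: an app holding the Android device-owner role applies user restrictions and lock-task (kiosk) mode through the platform's DevicePolicyManager API. The package name example.kiosk, the AdminReceiver class, and the list of package names to hide are assumptions made for illustration; the API calls themselves are standard Android.

```java
// Added hardening example (illustrative, not Dominion's code). Assumes this app has
// been made the device owner (e.g. during provisioning or with
// `adb shell dpm set-device-owner <pkg>/.KioskHardening$AdminReceiver`).
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class KioskHardening {

    /** Hypothetical admin receiver; must also be declared in AndroidManifest.xml. */
    public static final class AdminReceiver extends DeviceAdminReceiver {}

    /** Assumed package name of the single application allowed to run. */
    private static final String KIOSK_PKG = "example.kiosk";

    /** Assumed package names of shell/terminal apps found on the image; constructed for the example. */
    private static final List<String> SHELL_PKGS =
            Arrays.asList("example.terminal", "example.adbshell");

    /**
     * Applies the policies and returns the list of controls that took effect.
     * Throws if the app is not device owner, because every call below would
     * otherwise either throw SecurityException or be silently ignored.
     */
    public static List<String> harden(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        List<String> applied = new ArrayList<>();

        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("device-owner role required");
        }

        // 1. Deny the alternate boot path: with this restriction the user cannot
        //    reboot into Safe Mode, where third-party apps (the kiosk lock included)
        //    are not loaded.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT);
        applied.add(UserManager.DISALLOW_SAFE_BOOT);

        // 2. Close the routes a shell or side-loaded package would arrive through.
        for (String r : new String[] {
                UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
                UserManager.DISALLOW_DEBUGGING_FEATURES,   // USB debugging / adb
                UserManager.DISALLOW_USB_FILE_TRANSFER,
                UserManager.DISALLOW_FACTORY_RESET }) {
            dpm.addUserRestriction(admin, r);
            applied.add(r);
        }

        // 3. Pin the device to one package. In lock-task mode the launcher, recents,
        //    notifications and status bar are unavailable, so nothing else on the
        //    image, a terminal emulator included, can be started from the screen.
        dpm.setLockTaskPackages(admin, new String[] {KIOSK_PKG});
        applied.add("lockTask:" + KIOSK_PKG);

        // 4. Hide packages that exist on the image but must never be launchable.
        //    setApplicationHidden returns false for packages that are not installed.
        for (String pkg : SHELL_PKGS) {
            if (dpm.setApplicationHidden(admin, pkg, true)) {
                applied.add("hidden:" + pkg);
            }
        }
        return applied;
    }

    /** Audit check: is the Safe Mode restriction actually in force on this device? */
    public static boolean safeBootBlocked(Context ctx) {
        UserManager um = ctx.getSystemService(UserManager.class);
        return um.hasUserRestriction(UserManager.DISALLOW_SAFE_BOOT);
    }
}
```

Two caveats a practitioner would add. These are OS-level policies enforced by the running system: they do nothing against someone with bootloader or physical flash access, and hiding a shell app is no substitute for removing it from the image. And `safeBootBlocked` is the check worth running on every fielded device, because a restriction that was never applied (or was cleared by a later provisioning step) fails silently.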
The fact that the mitigations section does not include a link to a reliable sledgehammer salesman and some good lawsuit attorneys is a failure on the part of CISA.