 Hi, Vody Village. My name is Forrest Senty. I'm the Director of Business and Government Affairs at the National Cybersecurity Center. I'm Caleb Gardner. I'm a fellow at the National Cybersecurity Center in Scroogeville. And we're going to be presenting you our Hack of Facts presentation today. For a little background to start, National Cybersecurity Center is a 501c3 center in Colorado Springs. A lot of our focus has to do with cyber innovation awareness and a lot of our projects have to do with tackle global problems, whether it comes in smart cities, elections, space. Some of our colleagues in the Space ISAC are presenting today in the Earthspace Village. We want to give them good congratulations and a shout out over there. But the big reason why we're here today ultimately is that we want to talk about the gap, the security gap, and specifically it has to do with policy in addition to different agencies and groups. A lot of people ask, why NCC? Why us? Why do we care about some of these issues? And the reality is that between the different groups that exist in the United States that are multi-agency, multi-party, multi-policy, you know, depending on where you come from, whether it's the election security ISAC, groups like Verified Voting, MIT, even places like EIC, CISA, CIS, all serve a specific segment. But our focus is on identifying gaps in critical infrastructure. And the presentation you're going to be hearing from us today is going to be talking about that gap. One gap we've identified specifically has to do with the population affecting the overseas voter, or UACAVA. This is specific to the Uniformed and Overseas Citizens Absentee Voting Act. Many of you here at the Voting Village are going to be no secret and surprise to you. You know what this means. You know how many people and, you know, kind of the different challenges these people face, whether they're voting from Afghanistan or Italy, or even from a remote jungle of the Amazon. So a lot of what we're focused on today is on this area. So one of the pieces I want to call out is specific to fax machines, like we mentioned earlier on. Under the current documentation of the move that was established in 2009, 31 states currently allow for ballot return via email and fax. This means that these 31 states have to provide a place for these people that are voting from overseas to provide a place from the sender ballot via fax or email. So knowing this information, and us seeing this different research that was coming out, we want to do a quick breakdown and see how many ballots were actually transmitted back in 2018. According to the EAC, roughly 29,000 ballots were sent. Now this is one of the category of others. So some of these in there could be mobile voting like from West Virginia or a web portal like in Colorado, Montana, Arizona or Michigan. But 29,000 ballots, although not statistically significant to the rest of the United States, still represents a population that is voting using this method. And this shows that election offices are still allowing for this method and pushing for it, even in some cases. Although it has been on the decline, it's important to know that security is still paramount for every single vote that comes out. So now I'll hand it over to Caleb and talk a little more about the research that we did specific to fax machines and election jurisdictions and kind of give you a little more of the issue. Thanks Forrest. So first off, we're going to reference you guys back to some presentations that probably made an impression on you when you first saw them. They were specifically focused on fax and printer faxes. So first off in DEF CON 26, we saw a lot of fax from checkpoint research. And that was a big sticking point for me. And we came back to that a lot as we went to do our own research in other counties and cities. So we'll move to the next slide. And what checkpoint research really showed us was that it was a possible to exploit printer fax, just with a publicly available fax number. No city or county that I looked for their fax number was not available every single time I can find it for the city quick or the county quick, and which is where you'd be submitting your vote for if you were one of the other voters. So using that phone number, checkpoint research was able to hack printer fax and actually they're also able to get to the network behind that print fax if there was on a flat network apology or no segmentation. So we'll talk about how they did that really fast. They discovered that in the T 30 protocol, we have access to both the data and headers and this enabled us to have full control of the JPEG file. So that's how we use JPEG over any other file type. And over the PST networks, the publicly switched telephone network, we are able to get to that printer fax, and use the priority JPEG parser base physically with that HP. But this is probably going to be the case for any of the big solutions if that's zero access that's HP if that's someone else, they're probably insubmitting their own JPEG parser and then using some sort of open source publicly known secure pressure. And since they did that themselves, they found a lot of CBEs in there they found a buffer overflow with parts and gauge teamers. And with that, they had a controllable stack based overflow they could do anything with it and they were able to get a great exploit, which they put on the network to the rest of the network. And so it was really great demonstration. What could you do with this a lot practically everything you have confidential attacks integrity attacks and availability tax you have a full CIA try add. You're seeing voter registration info, particularly if you're getting through to the network behind these print faxes, you're seeing ballots hopefully not but potentially, and you're able to maybe change those ballots. And that's something that we're going to look at in the future is if we can get into one of these print faxes, can we get to the ballots or can we get the incoming ballots and change them before they're stored. And also you have availability tax, you're potentially able to bring down entire city or counties infrastructure for receiving votes for that election, which would make a recount necessary which make a lot of bad things happen obviously we don't want to be saying. We did some research we did some confidential research with different cities and counties, and we have to keep that confidential we're under NDA, but we can generalize we can say what are rough takeaways we're seeing from two main different types of cities. First off, we have city a this is your medium to large size city, they probably have good infrastructure investment in it, they're probably able to actually hire talented professionals for security conscience, and they're able to enforce strict adherence to best practices for security. These are all great things that you're probably to see a pretty secure off that current facts implementation, we did when we were looking at these types of cities. City be, however, is the city that we talk about pretty much every time Defconn rolls around with voting billage that at once we're still running the DREs that we have shown vulnerabilities and every year, you know, it's obviously a urban system that they're still running, but they're not going to spend the money to fix it they're not going to spend any money to become security conscious to probably a really poor mismanaged IT department, and they probably don't have the patching policies or security posture. So looking at city a more in depth, the things that they have that makes them stand apart from other cities is that they have users segment networks. This keeps their print effects separate from their data servers that keeps them separate from their daily workstations. And it's even segmented on a very in depth level so every fire station and police station, there would be those three things the data servers at workstations and the print servers would all be different things in every single location. So it's an extremely segmented network that keeps you from getting to a lot of access through that one printer fax so basically city a knows that printer fax is a potential point of intrusion. They probably have good patching policies for the printers. Hopefully they have both a factor in general and also for the tax servers, and they're probably using fax or IP over PSTM fax t 38 over t 30 city be however doesn't have any of these things factory and flat nerve topology you exploit the print fax you exploit the network, and they have bad patching bad multi factor authentication implementation and bad security posture. So, if you're a city beat, you're thinking, Well, this is a apply me, you know, do I how can I know. Well, what our high level attack overview is specifically geared towards is what checkpoint research day and showing that specifically is HP Office Jet Pro 6830 on prayer. It wasn't the printer that had the vulnerability it was HP implementation the JPEG parser you remember. So, HP releases security bulletin and July 2018 talking about this providing patches. However, maybe not all city be saw that maybe the play that patch maybe they didn't think to apply patch or they're not even keeping in track with their water recycle machine. Yeah, these there was a things are not important to lots of states, and they're not going to look at security patches when they're available for them. So, I would recommend if you're a city be looking to see if you have an issue where did you buy it after 2418 did you apply a patch if you bought before and then it and you're using Christian, you're probably susceptible to attack right now. Nice has some things to say about it as well. This says that there's no widely used standard facts encryption. This information set by fax is that risk for the possible intersectional modification jurisdictions should carefully lay the risks that transmission over other alternatives. This is a big deal. And I think this is one of the biggest vulnerabilities that we're seeing in fax and the thing that we'd like to see change most in the future is the unencryption of it and we would like to see a default encryption method used on fax in the future to your T 38 making encryption standard rather than optional would probably be a great step in that direction. They also stress secure location of fax machines, because often with T 30 voting records or registration of though might be actually still stored on the machine as it comes through, unknown to the user. So physical access would allow access to all those. Yeah, T 38 teeth 30 will go over that we quickly if we haven't gone enough over already. So PSN. That's going to be 30, it's going to be unencrypted and it's not real time to 38 is the future that we're currently living in but we also need to see the future as far as encryption implementations. So we saw baby cells company and they have an AS implementation that's very useful for companies that are regulated and that are mandated to use potential accounts here networks along the way towards the delivery to the user. However, this AS implementation by baby cell isn't ensuring that you will have encrypted transport all the way across. So more stuff like that is what we need to see on a default level and the industry, and we're not seeing right now which is why we're talking about it and getting that on the on the record. So fact security versus public perception. The big issue we kind of based and push back from different cities and counties was that they say they only maybe the last facts about they received just 2012 minutes eight years ago so they don't think about it at all. So they don't see on a daily basis best themselves why do we need to secure this doesn't seem like a security risk. But the point is, is that zero about me to be cashed for to be a security risk. The fact of the matter is that having your publicly available city or county clerk number online and knowing and most sectors knowing that that's the phone number they need to have access to if they need to own that printer or print facts. And if you are not patched if you're on a potentially vulnerable solution. That's it, you're done that printer fact is done you potentially put yourself up for integrity tax the very least, confidentiality and availability. If you have bad network solutions. So we face a lot of pushback but we definitely need to acknowledge that that's the issue is the root of matters having a public way available. So let's talk about the security gap analysis is moved towards the future state. Well, what do we want to see, like we talked about we want to see encryption, we want to maybe even see facts no longer being a needed method for transmission. But the reality is that many industries still rely on facts medical is 70% of all medical transmissions. But maybe elections doesn't have to be one of those industries where facts is reality. So what are we going to do in the future as we continue to work on this with secure the vote. Well, we want to reconstruct the fax plate but we also want to demonstrate with the T 38 expert call and facts of IP, because a lot of what we're seeing from cities and counties. Well, we do do facts sometimes but it's all electronically. And sometimes for the city be yours county be scenarios IP just mean security to them over the internet mean security, maybe they have some sort of bias against phone lines but not p when that's not the case. And so we need to demonstrate that exploits various election officials around the around the country and show actions and secure and it can be changed and we need to make sure that this is your place to secure our votes and secure democracy. So we're going to continue to raise awareness about facts and security. So why now. Well, for one thing, COVID-19 has made this a very interesting age and potentially could drop voter turnout as people are cannot come up to physical voting locations. And maybe jurisdictions will look to things traditionally offered to cover and often that's the general public so facts the web portals and mobile voting. And we need to be very conscious when we look at adding facts to the general public, because that is adding a huge attack surface. And that's adding many, you know, the millions more votes that could potentially be cast by facts even though they, we probably won't see how many votes cast by facts the potential is the point and that potential millions of votes that could be changed or maliciously attacked is very juicy target for nation states maybe that are looking to influence it. So we need to keep that in mind as we potentially add facts and for more people. So if it does get added, we need to look at a very security minded as an emergency ballot return method, not as something that everybody should think about doing over anything election offices should probably secure the form security audits on their backs machines to make sure you know potentially if you were exactly what we've been talking about disease be printers that you bought after 2018 and it has a security patchplot all that good stuff. Because if it's not, that's the first step of the grass is fixing the situation. So short term recommendations. If you're a position of power, you need to talk to your IT department about these things that we've been talking about. Specifically, you have security posture like multi factor, you have that already strong across our IT department and you have that for your printer backs or you have a statement not never to apologize that will help you defend from these confidentiality and availability attacks that we've been talking about. And even the integrity attacks that will keep the current facts from exploiting the rest of your election member. And do you have a passion policy, you are even secure conscious about the network machines that you have in your office. If you don't have these things or you don't know, I would definitely recommend talking to your IT department about this and try to secure your network by this fall. And in the further future, we need to talk about how the 38 facts of IP using encrypted solution should be the standard default and whatever one is using especially in this election context. The real time vaccine for everyone so we're not storing on especially I've been on to the users on both voter records on the effects machines and the 30 having an encryption profile would also be great because a lot of people are still going to be stuck on legacy systems for various reasons. And having a question for that would be great as well. So, the medical industry has actually had a little bit of a comments to or eliminated facts and simply would do that 2020 for one of the main providers for fact solutions for medical companies. It hasn't happened yet, you know, it's been crazy time, but they're definitely looking at your effects. So can we maybe eventually follow the medical industry. It's a great question somewhere in the future. What's the point of all this with all of 2020 is craziness leading down to the end of 2020. Everything that's happened, this election is going to be a tantamount importance, obviously. So we cannot let this opportunity to further secure America's democracy going spoken. That's all that we're about here the voting villages, showing exploits showing vulnerabilities and saying, we are not securing democracy properly if we really care. And that's just one of those things, even though it's a few ballots, it's a few ballots and those few belts matter. So, at the same time, can we leverage you guys. Can we say, if you guys have facts machine if you're interested if you want to keep following this up. How about you have your facts machine. First about a hashtag hack facts, and we'll be able to see that and we'll be able to continue looking at that and showing that the officials as we go about the country for the next few years with security with security though. So that's what we have. I have been killed gardener by force I do, and we were the National Security Center, and that's a pack of bags. So, thanks guys.