I poked around on Serv-U's customer testimonials. Lots of US Military, White House, various healthcare providers, etc. And they include specifics on customers too. Almost a ready made hit list. Ouch.
The election infrastructure for much of the country has the security of Swiss cheese. And this isn't some new thing created from whole cloth by Trump supporters; people have been raising concern about this for years. Back when Obama was up for election, there were news articles about how election machines could potentially be tampered with to steal the election from Obama. When it was Trump vs Hillary, some were concerned the election would be stolen from Hillary, and when Trump was elected, insinuations and outright accusations were levied that Trump stole the election through, amongst other things, election machine tampering. And then in this most recent election cycle, we have the "Kraken", et al., which appears to have, in part, motivated the Capitol riot.
Regardless of what you think of the truth of the accusations, whether in this election cycle, prior ones, or future ones, the fact that the underlying (lack of) security lends a plausibility to such accusations is a problem unto itself. If elections have been or are tampered with by malicious agents, foreign or domestic, we do not have free and fair elections, and that's a Big Problem. If demagogues can easily stir up popular sentiment that the elections are not free and fair, that's also a Big Problem. It is the lack of election security that amplifies those problems into big ones.
Sure, we can go after entities that try to tamper with elections, and we would do well to educate ourselves to be able to spot demagoguery and misinformation. But we would also do quite well to go after the underlying problems that make the aforementioned problems worse.
The problem with electronic voting machines is that no matter how secure you make them, people find the narrative that they are insecure easily believable, regardless of whether the narrative is true or not in any particular case.
If you stick entirely to paper-based voting, you don't have that problem. Of course low-tech means of fraud still exist (stuffing ballot boxes, etc.), but there are low-tech means of preventing that: you allow each candidate/party to send poll observers to watch the counting process.
Yep, I changed my view on electronic voting for this reason.
Even if we create a perfect, provable, electronic voting system, a very small percentage of the public is going to be able to understand the proof and even fewer will be able to verify for themselves. Most people will have to rely on experts to tell them if it is secure or not.
For voting, we need most people to be able to both understand why it is secure and be able to verify for themselves that it is. Paper ballots provide that, electronic voting doesn’t.
There's always the issue of not being able to verify for oneself. We tend to trust video, but what if it's video of something tainted (or a straight up deepfake)?
If poll workers hand off ballots to separate counters, but publicly hired counters are diverted and provided with plausible decoys while poll workers actually hand off to secret actors who just capture and release video of the public counters... back to the Swiss cheese we go.
This is the key. Hacking a traditional X-in-the-box and count-in-public ballot at scale is impossible. Yes I could go to a neighbouring ward and claim I'm Joe Bloggs and vote as him. That will work until he turns up later and they tell him he's already voted.
Do that once or twice and it may avoid press coverage. Do it a lot and it's going to get coverage.
That's why the CISA had a huge emphasis on paper backups in the election. You can't hack a physical printout which the voter verifies themself before scanning.
Check out page 20 of this document [0] produced by Dominion. It clearly shows FTP being used to transfer tallied vote data from remote polling sites to central sites.
For early voting reports. Paper ballots are tallied for official results.
A vulnerability in the FTP software, which I don't believe you've provided any proof was actually exploited in the wild during the elections, makes 0 difference to official results.
With all of the controversy (real or imagined) surrounding the recent elections I think the company who makes the voting machines having an open exploit like this is a bad look.
No one is saying they were hacked this way, but it definitely can be used as fodder to bolster election fraud claims (real or imagined).
People that write such "deterrents" should dogfood their own stuff by replacing their door lock (or similar security measures - car keys, payment card PINs, etc) with such a disclaimer.
the serv-u thing looks like a misconfiguration to me. i'd be curious how many installs in the wild are actually vulnerable. i.e.
1) was there a previous install process that did set correct permissions for the access list tree?
2) did sites secure the access list tree themselves after install/security review?
the msmq thing isn't great, but any professionally managed site would be protecting/firewalling application level sockets anyhow.
not to say the bugs aren't real, they are, just wondering how much exposure they actually open up in the wild when combined with basic security hygiene.
My organisation uses Serv-U. The permissions in our ProgramData folder match the article (we've not applied the most recent Serv-U patch, which came out quite recently).
But as the article says, you need to be RDP'd to the server, which for us would be Administrators, who already have control over the server. Also we don't run the service as Local System, just as a regular service account with no admin rights.
So while this is a vulnerability it doesn't seem overly critical in our case. If you let non-privileged users RDP to your application servers and you're running as local system then sure, it's pretty bad.
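The two questions the thread keeps coming back to (did the installer leave the data tree writable by ordinary users, and does the service run as Local System) can be answered on a given host with a short audit. This is an added example, not code from the thread or from SolarWinds; the data path and the service-name filter are placeholders, since the thread does not name them.

```powershell
# Added example (not from the thread): audit a directory tree for ACEs that grant
# write-type rights to broad principals, then show what account the service runs as.
param(
    # Placeholder: replace with the real Serv-U data directory under ProgramData
    [string]$Root = 'C:\ProgramData\<Serv-U data folder>',
    # Placeholder: adjust to the actual service name on the host
    [string]$ServiceFilter = "Name LIKE 'Serv-U%'"
)

# Principals that should not hold write/modify rights on a service's configuration tree
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a low-privilege interactive user alter or replace files
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
             $R::WriteExtendedAttributes -bor $R::Delete -bor $R::ChangePermissions -bor
             $R::TakeOwnership -bor $R::Write -bor $R::Modify -bor $R::FullControl

function Get-WeakAce {
    param([string]$Path)
    # Include the root itself; Get-ChildItem alone would skip it
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a parent folder's ACL
            }
        }
    }
}

$weak = @(Get-WeakAce -Path $Root)
if ($weak.Count -gt 0) {
    $weak | Format-Table -AutoSize
    Write-Warning "$($weak.Count) ACEs grant write-type rights to broad principals under $Root"
} else {
    "No broad write-type ACEs found under $Root"
}

# Local System on a tree that non-admins can write to is the bad case the thread describes
Get-CimInstance Win32_Service -Filter $ServiceFilter | Select-Object Name, StartName, State
```

Findings with Inherited = True mean the fix belongs on the parent folder's ACL, not on the individual file.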
the name of the previous developer (rhinosoft) of the software appears in the directory tree, which would lead me to guess that maybe the original installer did set correct ACLs but when ported to the new post-acquisition solarwinds installer, that was maybe dropped. (just a guess)
i dunno how modern windows admin is done, but the last time i worked with it it was common for large sites to use deployment automation and do repackaging, even if it was less sophisticated than what you'd see in unixland.
Amateur hour