The controversy erupted after Georgia Secretary of State Brian Kemp sent and publicly released a letter addressed to DHS Secretary Jeh Johnson. In it, Kemp made a series of statements so vague in their technical detail that it’s impossible to conclude any kind of hacking or breach—at least as those terms are used by security professionals—took place.
“On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall,” Kemp wrote. “I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall.”
Kemp continued:
The private-sector security provider that monitors the agency’s firewall detected a large unblocked scan event on November 15 at 8:43 AM. The event was an IP address (18.104.22.168) attempting to scan certain aspects of the Georgia Secretary of State’s infrastructure. The attempt to breach our system was unsuccessful.
At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network. Moreover, your Department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created.
As you may know, the Georgia Secretary of State’s office maintains the statewide voter registration database containing the personal information of over 6.5 million Georgians. In addition, we hold the information for over 800,000 corporate entities and over 500,000 licensed or registered professionals.
As Georgia’s Secretary of State, I take cyber security very seriously. That is why I have contracted with a global leader in monitored security services to provide immediate responses to these types of threats. This firm analyzes more than 180 billion events a day globally across a 5,000+ customer base which includes many Fortune 500 companies. Clearly, this type of resource and service is necessary to protect Georgians’ data against the type of event that occurred on November 15.
The letter uses some scary language, including an “attempt to penetrate” and “breach” the agency’s firewall and system plus “security event.” However, nowhere does it say what gives rise to such claims. The phrases “large unblocked scan event” and “attempting to scan certain aspects of the Georgia Secretary of State’s infrastructure” are vague to the point of being almost meaningless. Many security professionals on social media are interpreting them to mean a computer with an IP address belonging to the DHS sent a request to one or more Internet ports on a Georgia Secretary of State network to see if they provided some sort of response.
Such scans allow someone to know if network ports reserved for e-mail, Web traffic, and all sorts of other Internet services are responding to queries from outside services. Security professionals and blackhat hackers alike use such scans all the time to identify vulnerable networks. For instance, in the weeks following the 2014 discovery of the Heartbleed vulnerability—arguably one of the most severe security bugs ever to hit the Internet—it was network scans that allowed the public to learn that huge swaths of the Internet remained vulnerable and to identify the 300,000 specific sites that had yet to install a patch.
It was the same sort of scan in 2013 that identified more than 81 million IP addresses that were exposing a networking feature known as Universal Plug and Play to the Internet at large. The setting, which was in violation of guidelines that say UPnP isn’t supposed to communicate with devices that are outside a local network, put them at risk of being remotely hijacked by people halfway around the world. The discovery was only possible by performing a scan on every routable IPv4 address about once a week over a six-month period.
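To show what a monitoring service’s “scan event” actually looks like from the defender’s side, here is an added example (not code from the article, Kemp’s office, or its security vendor) that groups firewall log lines by source address and flags any source that touched many distinct ports within a short window, while counting how many of those probes the firewall let through. The log format and all addresses are constructed for illustration.

```python
"""Spot port-scan events in firewall logs, grouped by source address."""
from collections import defaultdict

# Constructed sample log, one connection attempt per line:
# "<epoch> <ACTION> src=<ip> dst=<ip> dport=<port>". 203.0.113.5 probes
# eight ports in four seconds (a scan); 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
1479199380 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=21
1479199380 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=22
1479199381 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=25
1479199381 BLOCK src=203.0.113.5 dst=192.0.2.10 dport=80
1479199382 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=110
1479199382 BLOCK src=203.0.113.5 dst=192.0.2.10 dport=143
1479199383 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
1479199383 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=3389
1479199390 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
1479199450 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
"""

def parse_line(line):
    """Return (timestamp, action, source IP, destination port)."""
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts), action, kv["src"], int(kv["dport"])

def find_scans(log_text, window=60, min_ports=5):
    """Return {src: summary} for each source that touched at least
    `min_ports` distinct ports within `window` seconds. An ALLOWed probe
    means the firewall passed it; it is not evidence of exploitation."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, action, src, dport = parse_line(line)
            by_src[src].append((ts, action, dport))
    scans = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            ports = {dport for _, _, dport in in_win}
            if len(ports) >= min_ports:
                scans[src] = {
                    "ports": len(ports),
                    "allowed": sum(a == "ALLOW" for _, a, _ in in_win),
                    "blocked": sum(a == "BLOCK" for _, a, _ in in_win),
                }
                break  # first qualifying window is enough per source
    return scans
```

Run `find_scans(SAMPLE_LOG)` to get one entry for 203.0.113.5 (8 ports, 6 allowed, 2 blocked) and nothing for the ordinary client; the output records which ports were probed and whether the firewall policy passed the probes, which is all a “scan event” by itself establishes.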
As a security researcher and CEO of penetration testing firm Errata Security, Rob Graham regularly scans the entire Internet for insights about vulnerabilities.
“I get these letters all the time,” he told Ars, referring to the type of letter Kemp sent.
While some people argue the practice is unethical or even illegal, Graham has never been sued or prosecuted for it, and Ars isn’t aware of any practicing attorneys who say such scans are unlawful. (Graham does agree to stop scanning IP addresses upon request by the owners of those addresses.)
Playing devil’s advocate
In fairness, there’s no way to be certain Kemp’s letter is complaining of a network scan. The references to penetration testing and attempts to breach the agency’s system and to penetrate or breach its firewall raise the possibility of something that went beyond passive scans. If, for example, the DHS computer attempted to exploit a SQL injection vulnerability that divulged protected data or accounts, such a move could very well run afoul of criminal hacking statutes. Trying to exploit specific vulnerabilities in the agency’s firewall might also be unlawful. Meanwhile, the phrase “large unblocked scan event” is so technically clumsy that security practitioners say it could mean just about anything.
The problem with Kemp’s letter is that readers have no way of knowing what gave rise to his exceptional claims. Yet despite the vagueness, the Internet is now awash with reports that the DHS tried and failed to hack Georgia’s Secretary of State office, an event that if true, would amount to an extremely serious offense. Georgia Secretary of State officials didn’t respond to Ars’ request for an interview. In the absence of crucial details left out of Thursday’s letter, there’s little that’s odd or concerning about the reported November 15 complaint, and there’s certainly no evidence of an attempted breach by the DHS at this time.