Ben Cotton’s team is auditing the IT-related practices and policies in the 2020 Election in Maricopa County. He shared some important items during his presentation last week that any good IT auditor would find.
We pointed out previously that the Maricopa County Board of Supervisors hired two election firms because they knew these firms would give them a clean bill of health.
But Ben Cotton and his team were selected by the Cyber Ninjas to address the IT work related to Maricopa County’s results in the 2020 Election. Investigator Cotton from CyFIR performed work that the previous auditors should have covered.
It’s a difficult task for these auditors because Maricopa County has been completely uncooperative, even with basic questions, referring auditors to lawyers. All of this lends more support to the view that the subjects under audit, the auditees, are guilty and doing everything they can to postpone the election.
Dominion has two full-time staff onsite servicing the Maricopa County election system. The current Dominion software was installed in August 2019. Since that date, there have been no antivirus updates, no operating system updates, and no security patches. Administrator accounts were also created on that date, each having the exact same password. These are actions of a ‘worst in class’ IT Department and it is a deliberate subterfuge of an election system. Common practice is to apply patches on a much more regular basis.
Below is a list of items addressed by Cotton during his presentation to the Arizona Senate last Thursday.
- Auditors have collected over 2,000 terabytes of data, the vast majority of which is video footage.
- What Maricopa County has told the public is often drastically different from its response to the legal subpoena.
- Maricopa didn’t use a forensically secure process to clone drives. Dates and times were altered by their cloning process.
- On March 11th, 2021, someone with Admin access to the election management system (EMS) ran a script that produced 37,646 queries looking for blank passwords. The system has only 8 user accounts. (see below)
- Windows Security Event Logs before February 5th, 2021 are missing.
- Every election Administrator account, no matter the user, has the same password.
- When the Dominion software was installed in August 2019, Administrative passwords were created, and they haven’t been changed since.
- The vulnerabilities that exist on the Maricopa election systems would let an average script kiddie gain access to these systems in less than 10 minutes.
- Maricopa’s election system uses iButton key fobs as the second step in logins. Maricopa and Dominion have refused to provide these fobs to auditors (see below).
- It’s become readily apparent there are severe cybersecurity problems with the way the election management system and network were maintained.
- We are seeing anonymous logins at the system level that do not follow the pattern of normal Windows behavior.
- After both sides agreed on a solution, Maricopa County then refused to release that router data.
- Maricopa can’t check the configuration of its own election system without relying on Dominion employees.
- The two EAC audits hired by Maricopa earlier in the year appear not to have addressed cybersecurity aspects, not even shared passwords.
- Not a single bit of data was changed on any device in the auditors’ possession. Use of a “write block” device prevented this. Images were made bit by bit, then an MD5 hash value was applied. There is no need to purchase new machines.
- There have been no antivirus updates, operating system updates, or security patches applied to the election system since August 2019, the date Dominion software was installed.
Maricopa repeatedly told the public the election system did not touch the internet but this was not true. If so, the system could not have commingled with other Maricopa County departments’ data. To prevent the release of router information, the Board of Supervisors and Sheriff then said election router data DID mingle with critical information from other county departments. By using EAC auditors, Maricopa told the public election machines were safe and secure. They now say those same auditors can’t be hired to test the same machines. This week they approved the purchase of new Dominion machines at $3 million.
The use of iButtons is unusual for PC logins, and is very old technology. These iButtons are typically used to verify a location or for access control. For instance, a security guard touches his iButton to various doors to verify he walked his patrol. In Maricopa County, after you log in as an election Admin, you must also use a preprogrammed iButton to obtain access to the Dominion election system. Maricopa County stated only Dominion staff have the Admin iButtons and both organizations have refused to help the auditors obtain them.