Application Security

7/19/2018
05:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

70 US Election Jurisdictions Adopt Free Website Security Service

Hawaii, Idaho, North Carolina, and Rhode Island are among states now using gratis DDoS mitigation, firewall, and user access control service from Cloudflare.

Escalated concerns over the security of the 2018 midterm election in the wake of revelations of Russian cyberattacks on US election systems and vulnerabilities in voting machines have pressured many state, local, and municipal election agencies into doubling down on securing their websites.

Some 70 different election agencies across 19 states so far have signed up for a new, free Web security service called the Athenian Project, from Cloudflare with an assist from the Center for Democracy & Technology, which is helping with outreach to state boards of elections and municipalities. Cloudflare first announced the project in December.

Among the latest organizations to add the free security service are the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C. In all, 10 state government websites have adopted it.

Matthew Prince, CEO of Cloudflare, which secured the websites of Donald Trump's and Bernie Sanders' campaigns during the 2016 presidential election, says the Athenian Project is a "full enterprise-class service" with all the features Cloudflare sells to big organizations, which pay millions of dollars a year for its service. That includes DDoS mitigation, firewall, site access management, and load balancing, and it's a service offered in perpetuity – not just for the election season.

"There's a full firewall service that sits in front of the apps and prevents SQL injection, credential-stuffing, cross-site request forgery, and dictionary attacks against login access," Prince explains. "The service can also take legacy applications and apply MFA [multifactor authentication] even if the underlying [app] doesn't support [that]," he says.

Project Athenian is a website security service only: It doesn't secure electronic voting machines, for example. "It's for services on the Net," such as public-facing voter registration websites and election information sites, as well as internal sites.

The goal of the free service is to help shore up security in local election systems. "Local election officials are way undersourced and don't have much budget, but they are responsible for really providing the infrastructure of US democracy," Prince says.

The state of Idaho is one of the most recent adopters of the free service. Its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site – which includes voter registration – both use the Cloudflare service.

Chad Houck, Deputy Secretary of State for Idaho, says the state's main security concerns for the sites are distributed denial-of-service (DDoS) attacks, which could hamper site availability, and website defacements. The state got the service online three weeks prior to its May primary elections and immediately started tracking attack attempts on the sites. "We were seeing a baseline of 250 blocked domains a day," he says.

Then just three days prior to primary election day, Idaho's state legislative services and state judicial services websites – which don't use the Project Athenian service – were hit with major website defacements. "A bad actor had written a 'manifesto' in Italian" on the home pages, Houck says. "We immediately went and dove into our systems to see if anything had been compromised, and the first thing we looked at was the dashboard from Cloudflare: In a 24-hour period, it had blocked 27,000 domain requests." 

The high-profile primary in Idaho was likely a foreshadowing of what the state will face in the general election: Houck says he's definitely expecting an increase in attack attempts this fall.

Tip of the Iceberg
So far, the US hasn't had the intensity or volume of cyberattacks on its election systems that other nations have suffered, Prince says. "We help protect candidates and elections in many parts of the world, and 2016 was relatively modest" in the US, he says.

But Prince expects an uptick in attacks and threats to US election systems – not just Russian hackers, but other hackers around the world as well as from within the US. His team spotted attackers during the special election in Alabama earlier this year – where the Athenian Project service was in use – attempting to knock offline some election websites.

The main threats to US election systems, experts say, are disabling or sabotaging voter registration systems. Prince says the most likely goal of attacks will be to disrupt or undermine the process. "We've seen attacks on voter registration systems or spam to grab information to undermine voter rolls," he says.

Information on polling-place locations is a target as well, he notes, as well as servers from counties that collect votes and send them to the official secretary of state office. "It's more about undermining the space in the democratic process itself," Prince says. "You don't have to change the results to undermine the US political process: Just make people doubt the process has integrity."

Cloudflare's free service can only protect sites from incoming attacks: If a server already is compromised with malware, for instance, that's another issue. "If there's command-and-control traffic going through those systems, [however], we can often see that," Prince says.

He says he hopes other security companies will also offer free security tools and services to election agencies – malware scanning and risk assessment would be helpful, for instance. "It would be terrific if a coalition of technology and security vendors would offer their time and services and expertise to ensure that these systems are protected," Prince says.

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.