Endpoint
8/30/2016
12:30 PM
Eitan Bremler
Commentary

6 Ways To Hack An Election

Threats to our electoral process can come from outside the country or nefarious insiders. Our country needs to be better prepared.

After Russian state security personnel were accused of hacking the Democratic National Committee, the possibility of outsiders manipulating the American political process became a reality. With the reliance on computers to collect votes, report results, communicate campaign strategies, and coordinate voter registration activities, the electoral process has new vulnerabilities. In addition, rogue countries aren’t the only threats; insiders are also capable of manipulating election results. Here are six ways that elections can be hacked.

1. Hacking Into Electronic Voting Machines

Cybersecurity firms such as Symantec and CrowdStrike have confirmed that hacking a voting machine is fairly simple, costing about $15 online and requiring basic to intermediate skills, according to an Inquisitr article. About 25% of America’s votes are cast using electronic voting machines. Five states—Georgia, Delaware, Louisiana, South Carolina, and New Jersey—use machines that don’t provide a paper trail for verification if results are inaccurate, according to the same Inquisitr article. CBS News found that 40% of states with paper trails never audited their results.

2. Hacking Voter Registration Databases

Malicious insiders or outsiders can delete voter registration forms to prevent people from voting, or they can switch a piece of information used for verification of a voter’s identity. If any information is inaccurate at the voting booth, including address or phone number, then the person isn’t eligible to vote. Many voters across the country, including in New York and California, reported that their registrations were changed without their permission. Kelly Tolman Curtis shared this post about how her voter registration status changed three times online in the span of just a few days.

3. Leaking Sensitive Voter Data

Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) mandate the strict protection of sensitive personal financial information. But none of these standards apply to sensitive voter information, including addresses, telephone numbers, and credit card information used for donations.

Since December, hundreds of millions of voters in the U.S., the Philippines, Turkey, and Mexico have had their data left unprotected on the web. In some instances, malicious hackers are suspected of pilfering the data for criminal purposes.

Fifty-five million registered voters were put at risk by the Philippines data breach alone, according to security firm Trend Micro, potentially surpassing the Office of Personnel Management data breach, which affected 20 million people.

4. Hacking Into Email Servers

Since hackers broke into the DNC’s servers several months ago, revealing embarrassing details about the committee’s inner workings, email servers are known to be potential targets. If email servers of political candidates and their committee members are hacked, there could be a whole lot of mudslinging by publicizing private information discovered in hijacked emails. In addition, emails could be used to share voter registration information and other sensitive data. Hackers could also take over email accounts of candidates and send inaccurate or embarrassing communications.

5. Shutting Down The Voting System Or Election Agencies

In addition to the vulnerabilities of individual voting machines, the whole network of communications between more than 8,000 jurisdictions of varying size and authority could be hacked. Hackers could use a distributed denial-of-service (DDoS) attack to disable back-end servers in order to deny access to voters, and to interfere with the reporting of election results. Similarly, they could launch DDoS attacks against local, state, and federal election agencies to disrupt activities meant to increase voter participation, including last-minute phone calls and coordinating rides to the voting booths.

6. Committing Insider Fraud

Although the thought of rogue nations taking over and influencing election results has received huge headlines, there is always the threat that someone closer to home can do the tampering. The New York City Board of Elections suspended an official without pay amid allegations that at least 120,000 names were purged from voter rolls in Brooklyn before the presidential primaries.  

After cyber attacks on financial institutions, policies and technologies were implemented to minimize the risks, including regulations for control of personal data such as PCI DSS. Government leaders at the local, state, and federal level, who are responsible for the electoral process, must consider doing the same. But this won’t be easy because there is no single national body that regulates the security or even the execution of what happens on Election Day; it’s a process that’s managed by each individual body. This has to change, and one organization needs to take responsibility for the integrity of the elections. If we are willing to go to war to make the world safe for democracy, how far are we willing to go to protect democracy at home?


Eitan Bremler is responsible for overall global marketing and product management activities of Safe-T, including product strategy and roadmap, product marketing, positioning, go-to-market and corporate marketing. Mr. Bremler brings to Safe-T more than 15 years of experience ...
Comments
eitanbr,
User Rank: Author
10/9/2016 | 3:34:19 AM
Re: Cyber security
At Safe-T we actually developed a solution which allows accessing external facing apps (Web, SMTP, etc) without the need to deploy a VPN or even open any ports within the firewall.

We call it RSAccess; it's a new type of application access solution.
lorraine89,
User Rank: Ninja
10/7/2016 | 10:24:05 AM
Cyber security
It is great that a congressional probe has been carried out, and issues of such stature must be discussed with higher based authorities. It is also important for users to encrypt their data and also deploy a VPN server, PureVPN, to access the web freely.
Dr.T,
User Rank: Ninja
8/31/2016 | 12:30:16 PM
Re: Akash Tripathi
I agree. However, "there is no single national body that regulates the security or even the execution of what happens on Election Day ..." is actually news to me. The current federal government should be responsible for this.
Dr.T,
User Rank: Ninja
8/31/2016 | 12:15:24 PM
Nice list
 

This is a good list; hopefully the election board will keep these in mind and take required measures. The last thing we want to hear is that the election system is hacked and we need to repeat it.
akashtripathi8,
User Rank: Apprentice
8/31/2016 | 11:27:17 AM
Akash Tripathi
This blog will clearly highlight all the details