
7/19/2018
05:30 PM

70 US Election Jurisdictions Adopt Free Website Security Service

Hawaii, Idaho, North Carolina, and Rhode Island are among states now using gratis DDoS mitigation, firewall, and user access control service from Cloudflare.

Escalated concerns over the security of the 2018 midterm election in the wake of revelations of Russian cyberattacks on US election systems and vulnerabilities in voting machines have pressured many state, local, and municipal election agencies into doubling down on securing their websites.

Some 70 different election agencies across 19 states so far have signed up for a new, free Web security service called the Athenian Project, from Cloudflare with an assist from the Center for Democracy & Technology, which is helping with outreach to state boards of elections and municipalities. Cloudflare first announced the project in December.

Among the latest organizations to add the free security service are the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C. In all, 10 state government websites have adopted it.

Matthew Prince, CEO of Cloudflare, which secured the websites of Donald Trump's and Bernie Sanders' campaigns during the 2016 presidential election, says the Athenian Project is a "full enterprise-class service" with all the features Cloudflare sells to big organizations, which pay millions of dollars a year for its service. That includes DDoS mitigation, firewall, site access management, and load balancing, and it's a service offered in perpetuity – not just for the election season.

"There's a full firewall service that sits in front of the apps and prevents SQL injection, credential-stuffing, cross-site request forgery, and dictionary attacks against login access," Prince explains. "The service can also take legacy applications and apply MFA [multifactor authentication] even if the underlying [app] doesn't support [that]," he says.

Project Athenian is a website security service only: It doesn't secure electronic voting machines, for example. "It's for services on the Net," such as public-facing voter registration websites and election information sites, as well as internal sites.

The goal of the free service is to help shore up security in local election systems. "Local election officials are way undersourced and don't have much budget, but they are responsible for really providing the infrastructure of US democracy," Prince says.

The state of Idaho is one of the most recent adopters of the free service. Its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site – which includes voter registration – both use the Cloudflare service.

Chad Houck, Deputy Secretary of State for Idaho, says the state's main security concerns for the sites are distributed denial-of-service (DDoS) attacks, which could hamper site availability, and website defacements. The state got the service online three weeks prior to its May primary elections and immediately started tracking attack attempts on the sites. "We were seeing a baseline of 250 blocked domains a day," he says.

Then just three days prior to primary election day, Idaho's state legislative services and state judicial services websites – which don't use the Project Athenian service – were hit with major website defacements. "A bad actor had written a 'manifesto' in Italian" on the home pages, Houck says. "We immediately went and dove into our systems to see if anything had been compromised, and the first thing we looked at was the dashboard from Cloudflare: In a 24-hour period, it had blocked 27,000 domain requests." 

The high-profile primary in Idaho was likely a foreshadowing of what the state will face in the general election: Houck says he's definitely expecting an increase in attack attempts this fall.

Tip of the Iceberg
So far, the US hasn't had the intensity or volume of cyberattacks on its election systems that other nations have suffered, Prince says. "We help protect candidates and elections in many parts of the world, and 2016 was relatively modest" in the US, he says.

But Prince expects an uptick in attacks and threats to US election systems – not just from Russian hackers, but from other hackers around the world as well as from within the US. His team spotted attackers during the special election in Alabama earlier this year – where the Athenian Project service was in use – attempting to knock some election websites offline.

The main threats to US election systems, experts say, are disabling or sabotaging voter registration systems. Prince says the most likely goal of attacks will be to disrupt or undermine the process. "We've seen attacks on voter registration systems or spam to grab information to undermine voter rolls," he says.

Information on polling-place locations is also a target, he notes, as are servers from counties that collect votes and send them to the official secretary of state office. "It's more about undermining the space in the democratic process itself," Prince says. "You don't have to change the results to undermine the US political process: Just make people doubt the process has integrity."

Cloudflare's free service can only protect sites from incoming attacks: If a server already is compromised with malware, for instance, that's another issue. "If there's command-and-control traffic going through those systems, [however], we can often see that," Prince says.

He says he hopes other security companies will also offer free security tools and services to election agencies – malware scanning and risk assessment would be helpful, for instance. "It would be terrific if a coalition of technology and security vendors would offer their time and services and expertise to ensure that these systems are protected," Prince says.

 

 

 


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
