
7/19/2018
05:30 PM

70 US Election Jurisdictions Adopt Free Website Security Service

Hawaii, Idaho, North Carolina, and Rhode Island are among states now using gratis DDoS mitigation, firewall, and user access control service from Cloudflare.

Escalated concerns over the security of the 2018 midterm election in the wake of revelations of Russian cyberattacks on US election systems and vulnerabilities in voting machines have pressured many state, local, and municipal election agencies into doubling down on securing their websites.

Some 70 different election agencies across 19 states so far have signed up for a new, free Web security service called the Athenian Project, from Cloudflare with an assist from the Center for Democracy & Technology, which is helping with outreach to state boards of elections and municipalities. Cloudflare first announced the project in December.

Among the latest organizations to add the free security service are the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C. In all, 10 state government websites have adopted it.

Matthew Prince, CEO of Cloudflare, which secured the websites of Donald Trump's and Bernie Sanders' campaigns during the 2016 presidential election, says the Athenian Project is a "full enterprise-class service" with all the features Cloudflare sells to big organizations, which pay millions of dollars a year for its service. That includes DDoS mitigation, firewall, site access management, and load balancing, and it's a service offered in perpetuity – not just for the election season.

"There's a full firewall service that sits in front of the apps and prevents SQL injection, credential-stuffing, cross-site request forgery, and dictionary attacks against login access," Prince explains. "The service can also take legacy applications and apply MFA [multifactor authentication] even if the underlying [app] doesn't support [that]," he says.

Project Athenian is a website security service only: It doesn't secure electronic voting machines, for example. "It's for services on the Net," such as public-facing voter registration websites and election information sites, as well as internal sites.

The goal of the free service is to help shore up security in local election systems. "Local election officials are way undersourced and don't have much budget, but they are responsible for really providing the infrastructure of US democracy," Prince says.

The state of Idaho is one of the most recent adopters of the free service. Its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site – which includes voter registration – both use the Cloudflare service.

Chad Houck, Deputy Secretary of State for Idaho, says the state's main security concerns for the sites are distributed denial-of-service (DDoS) attacks, which could hamper site availability, and website defacements. The state got the service online three weeks prior to its May primary elections and immediately started tracking attack attempts on the sites. "We were seeing a baseline of 250 blocked domains a day," he says.

Then just three days prior to primary election day, Idaho's state legislative services and state judicial services websites – which don't use the Project Athenian service – were hit with major website defacements. "A bad actor had written a 'manifesto' in Italian" on the home pages, Houck says. "We immediately went and dove into our systems to see if anything had been compromised, and the first thing we looked at was the dashboard from Cloudflare: In a 24-hour period, it had blocked 27,000 domain requests." 

The high-profile primary in Idaho was likely a foreshadowing of what the state will face in the general election: Houck says he's definitely expecting an increase in attack attempts this fall.

Tip of the Iceberg
So far, the US hasn't had the intensity or volume of cyberattacks on its election systems that other nations have suffered, Prince says. "We help protect candidates and elections in many parts of the world, and 2016 was relatively modest" in the US, he says.

But Prince expects an uptick in attacks and threats to US election systems – not just Russian hackers, but other hackers around the world as well as from within the US. His team spotted attackers during the special election in Alabama earlier this year – where the Athenian Project service was in use – attempting to knock offline some election websites.

The main threats to US election systems, experts say, are disabling or sabotaging voter registration systems. Prince says the most likely goal of attacks will be to disrupt or undermine the process. "We've seen attacks on voter registration systems or spam to grab information to undermine voter rolls," he says.

Information on polling-place locations is a target too, he notes, as are county servers that collect votes and send them to the official secretary of state office. "It's more about undermining the space in the democratic process itself," Prince says. "You don't have to change the results to undermine the US political process: Just make people doubt the process has integrity."

Cloudflare's free service can only protect sites from incoming attacks: If a server already is compromised with malware, for instance, that's another issue. "If there's command-and-control traffic going through those systems, [however], we can often see that," Prince says.

He says he hopes other security companies will also offer free security tools and services to election agencies – malware scanning and risk assessment would be helpful, for instance. "It would be terrific if a coalition of technology and security vendors would offer their time and services and expertise to ensure that these systems are protected," Prince says.

 

 

 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
