Dark Reading is part of the Informa Tech Division of Informa PLC


7/19/2018
05:30 PM

70 US Election Jurisdictions Adopt Free Website Security Service

Hawaii, Idaho, North Carolina, and Rhode Island are among states now using gratis DDoS mitigation, firewall, and user access control service from Cloudflare.

Escalated concerns over the security of the 2018 midterm election in the wake of revelations of Russian cyberattacks on US election systems and vulnerabilities in voting machines have pressured many state, local, and municipal election agencies into doubling down on securing their websites.

Some 70 different election agencies across 19 states so far have signed up for a new, free Web security service called the Athenian Project, from Cloudflare with an assist from the Center for Democracy & Technology, which is helping with outreach to state boards of elections and municipalities. Cloudflare first announced the project in December.

Among the latest organizations to add the free security service are the San Francisco Board of Elections; the State Boards of Elections in Hawaii, Idaho, North Carolina, and Rhode Island; and that of Pickens County, S.C. In all, 10 state government websites have adopted it.

Matthew Prince, CEO of Cloudflare, which secured the websites of Donald Trump's and Bernie Sanders' campaigns during the 2016 presidential election, says the Athenian Project is a "full enterprise-class service" with all the features Cloudflare sells to big organizations, which pay millions of dollars a year for its service. That includes DDoS mitigation, firewall, site access management, and load balancing, and it's a service offered in perpetuity – not just for the election season.

"There's a full firewall service that sits in front of the apps and prevents SQL injection, credential-stuffing, cross-site request forgery, and dictionary attacks against login access," Prince explains. "The service can also take legacy applications and apply MFA [multifactor authentication] even if the underlying [app] doesn't support [that]," he says.

The Athenian Project is a website security service only: It doesn't secure electronic voting machines, for example. "It's for services on the Net," such as public-facing voter registration websites and election information sites, as well as internal sites.

The goal of the free service is to help shore up security in local election systems. "Local election officials are way undersourced and don't have much budget, but they are responsible for really providing the infrastructure of US democracy," Prince says.

The state of Idaho is one of the most recent adopters of the free service. Its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site – which includes voter registration – both use the Cloudflare service.

Chad Houck, Deputy Secretary of State for Idaho, says the state's main security concerns for the sites are distributed denial-of-service (DDoS) attacks, which could hamper site availability, and website defacements. The state got the service online three weeks prior to its May primary elections and immediately started tracking attack attempts on the sites. "We were seeing a baseline of 250 blocked domains a day," he says.

Then just three days prior to primary election day, Idaho's state legislative services and state judicial services websites – which don't use the Athenian Project service – were hit with major website defacements. "A bad actor had written a 'manifesto' in Italian" on the home pages, Houck says. "We immediately went and dove into our systems to see if anything had been compromised, and the first thing we looked at was the dashboard from Cloudflare: In a 24-hour period, it had blocked 27,000 domain requests."

The high-profile primary in Idaho was likely a foreshadowing of what the state will face in the general election: Houck says he's definitely expecting an increase in attack attempts this fall.

Tip of the Iceberg
So far, the US hasn't had the intensity or volume of cyberattacks on its election systems that other nations have suffered, Prince says. "We help protect candidates and elections in many parts of the world, and 2016 was relatively modest" in the US, he says.

But Prince expects an uptick in attacks and threats to US election systems – not just from Russian hackers, but from other hackers around the world as well as from within the US. During the special election in Alabama earlier this year – where the Athenian Project service was in use – his team spotted attackers attempting to knock some election websites offline.

The main threats to US election systems, experts say, are disabling or sabotaging voter registration systems. Prince says the most likely goal of attacks will be to disrupt or undermine the process. "We've seen attacks on voter registration systems or spam to grab information to undermine voter rolls," he says.

Information on polling-place locations is a target as well, he notes, as are servers from counties that collect votes and send them to the official secretary of state office. "It's more about undermining the space in the democratic process itself," Prince says. "You don't have to change the results to undermine the US political process: Just make people doubt the process has integrity."

Cloudflare's free service can only protect sites from incoming attacks: If a server already is compromised with malware, for instance, that's another issue. "If there's command-and-control traffic going through those systems, [however], we can often see that," Prince says.

He says he hopes other security companies will also offer free security tools and services to election agencies – malware scanning and risk assessment would be helpful, for instance. "It would be terrific if a coalition of technology and security vendors would offer their time and services and expertise to ensure that these systems are protected," Prince says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
