Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

10/18/2012
03:15 AM
50%
50%

Could Hackers Change Our Election Results?

Many of the same vulnerabilities exist in electronic voting systems as the last time we elected a president, and new ones abound that could put voter databases at risk and undermine civic confidence

As the rest of the nation's citizens sit on on pins and needles about who will win the presidential election -- Barack Obama or Mitt Romney -- information security pros are even more anxious in their wait to see whether this is the year that hackers find a way to subvert or disrupt the increasingly electronic-voting process. According to security experts, the situation is ripe for the bad guys to strike.

Hacktivist groups like Anonymous and LulzSec have perfected their crowdsourced attack methods, and nation-state hackers have more resources than ever to carry out complicated attacks. Meanwhile, voter databases are increasingly interconnected within complex and often insecure local and state IT infrastructure, while the electronic voting systems many states depend on are plagued with vulnerabilities that the security community has been warning citizens about for the better part of a decade.

"If big, Internet-based companies like Yahoo, LinkedIn, or Sony can fall to hackers, then, yeah, big government databases and local authorities who actually administer the election process can be hacked," says Stephen Cobb, security evangelist for ESET. "I'm somewhat surprised it hasn't happened yet."

First on some security experts' watch list is the potential for hacking online or networked voter databases. Some experts expressed worry that thieves could steal these databases for financial gain, but as Rob Rachwald, director of security strategy for Imperva, put it, "Most voter databases don't contain a whole lot of sensitive data; they typically contain your name and address, which isn't terribly private."

However, if bad actors were able to make changes in the database, that's where the real trouble would start. If attackers can gain access to these databases to switch addresses for the sake of disenfranchising certain select groups of voters who'd find themselves missing from precinct list on election day, or to institute wide-scale mail-in voter fraud, then they could still affect an election's outcome.

Such scenarios are hardly far-fetched or improbable, numerous experts warned. And with states like Washington and Maryland opening up data voter registration online, the potential threat surface only increases.

"Any system that is networked, especially to the Internet, is inherently vulnerable to attacks on its availability, and the confidentiality and integrity of its data," says Steve Santorelli, director of global outreach for the security research group Team Cymru.

[ Oracle's most impactful CPU of the year serves up fixes for flaws with 10.0 and 9.0 CVSS scores. See 3 Must-Fix Vulnerabilities Top Oracle CPU Patches. ]

In Washington's case, the state's co-director of elections, Shane Hamlin, told the New York Times in an investigative piece on the security of its voter database that the government's IT staff would be reviewing transaction logs for unusual activity. But depending on when improprieties were found, particularly after the fact, it could have extreme civic consequences. One of the biggest dangers of voting-related cybercrime is its undermining of voter confidence, says Dr. Hugh Thompson, program committee chairman for RSA Conference and a participant in the 2006 HBO documentary Hacking Democracy.

"Interestingly, the wrong person winning is not the worst thing that can happen," he says. "The real worst case is a hacker proving that the vote was compromised and ultimately undermining the entire voting process."

He warns to just look at the hanging chad controversies of the 2000 election as a barometer of how an e-voting issue could impact the economy and citizen confidence in government engagement.

"It would impact the stock market and erode confidence in the entire system, which is a real motivator for organizations that want to attack critical infrastructure," he says.

A long-time researcher into the vulnerability of electronic voting systems, Thompson is one of many who warn that the potential for hacks extend well beyond voter databases. He warns that many of the same vulnerabilities that existed back in 2006 still stand today, while hacking itself has greatly evolved.

"For the first time, technology is allowing groups of disgruntled people to become empowered. These groups are organized, collected, and collaborative, with a means to get their message and point across through attack tools, like DDoS, that were not possible in 2008," he says.

A check on the OSVDB shows listings for 218 vulnerabilities in various election voting systems, warns Space Rogue, threat intelligence manager for SpiderLabs at Trustwave, who says the flaws involve everything from weak encryption to poor authentication or even voter information leakage. It is critical to remember that these machines aren't that much different than other computer systems that require proper hardening.

"In fact, some even run on the same Windows software as your home PC. Therefore, common vulnerabilities like buffer overflows and SQL Injections can be used against voting machines just like nonvoting machines with the same results," he says.

In spite of these vulnerabilities, some security experts believe they are difficult to take advantage of. Leonid Shtilman is one of them. The CEO and co-founder of privilege management firm Viewfinity, Shtilman also helped develop one of the first touch-screen systems used for primary elections in Israel, and he says that he believes it is very difficult to manipulate the results of elections using these systems.

"For example, on most of these systems, information is stored in a database and is synced in multiple locations so it can be compared for missing, incomplete, or inconsistent data," Shtilman explained. "In my experience, it really requires a complicated large-scale operation to manipulate the data captured by electronic voting systems."

One of the biggest beefs that those critical of these systems' security is the fact that there are very few ways to publicly verify the security claims offered by those like Shtilman and e-voting system manufacturers.

"Proprietary designs are common in this field, and that means it's much harder for researchers to pull a machine and its software apart to check for vulnerabilities," Santorelli says. "Open-source software lends itself to exactly this kind of checking, but that's not the business model that e-voting companies favor."

What's more, security pros believe that local and state authorities are not held accountable for how they deploy the systems or their voter database infrastructure the way that many commercial or federal entities are through regulations such as PCI DSS or FISMA.

"Do we know how many people have access to voter information or which type of security product [the government authorities] have been using to verify that nothing has been done or changed inside the voter database? The simplest answer is we'd have no clue whatsoever," says David Maman, CTO of GreenSQL. "Just think about it. Today if you want to store credit card information, you have to comply with so many requirements, but not with voter information."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.