Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/30/2016
12:30 PM
Eitan Bremler
Eitan Bremler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

6 Ways To Hack An Election

Threats to our electoral process can come from outside the country or nefarious insiders. Our country needs to be better prepared.

After Russian state security personnel were accused of hacking the Democratic National Committee, the possibility of outsiders manipulating the American political process became a reality. With the reliance on computers to collect votes, report results, communicate campaign strategies, and coordinate voter registration activities, the electoral process has new vulnerabilities. In addition, rogue countries aren’t the only threats; insiders are also capable of manipulating election results. Here are six ways that elections can be hacked.

1. Hacking Into Electronic Voting Machines

Cybersecurity firms such as Symantec and CrowdStrike have confirmed that hacking a voting machine is fairly simple, costing about $15 online and requiring basic to intermediate skills, according to an Inqusitr article. About 25% of America’s votes are cast using electronic voting machines. Five states—Georgia, Delaware, Louisiana, South Carolina, and New Jersey—use machines that don’t provide a paper trail for verification if results are inaccurate, according to the same Inquisitr article. CBS News found that 40% of states with paper trails never audited their results.

2. Hacking Voter Registration Databases

Malicious insiders or outsiders can delete voter registration forms to prevent people from voting, or they can switch a piece of information used for verification of a voter’s identity. If any information is inaccurate at the voting booth, including address or phone number, then the person isn’t eligible to vote. Many voters across the country, including in New York and California, reported that their registrations were changed without their permission. Kelly Tolman Curtis shared this post about how her voter registration status changed three times online in the span of just a few days.

3. Leaking Sensitive Voter Data

Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) mandate the strict protection of sensitive personal financial information. But none of these standards apply to voter sensitive information, including addresses, telephone numbers, and credit card information used for donations.

Since December, hundreds of millions of voters in the U.S., the Philippines, Turkey, and Mexico have had their data left unprotected on the web. In some instances, malicious hackers are suspected of pilfering the data for criminal purposes.

Fifty-five million registered voters were at risk by the Philippines data breach alone, according to security firm Trend Micro, potentially surpassing the Office of Personnel Management data breach, which affected 20 million people.

4. Hacking Into Email Servers

Since hackers broke into the DNC’s servers several months ago, revealing embarrassing details about the committee’s inner workings, email servers are known to be potential targets. If email servers of political candidates and their committee members are hacked, there could be a whole lot of mudslinging by publicizing private information discovered in hijacked emails. In addition, emails could be used to share voter registration information and other sensitive data. Hackers could also take over email accounts of candidates and send inaccurate or embarrassing communications.

5. Shutting Down The Voting System Or Election Agencies

In addition to the vulnerabilities of individual voting machines, the whole network of communications between more than 8,000 jurisdictions of varying size and authority could be hacked. Hackers could use a distributed denial-of-service (DDoS) attack to disable back-end servers in order to deny access to voters, and to interfere with the reporting of election results. Similarly, so they could also launch DDoS attacks against local, state, and federal election agencies to disrupt activities to increase voter participation, including last-minute phone calls and coordinating rides to the voting booths.

6. Committing Insider Fraud

Although the thought of rogue nations taking over and influencing election results has received huge headlines, there is always the threat that someone closer to home can do the tampering. The New York City Board of Elections suspended an official without pay amid allegations that at least 120,000 names were purged from voter rolls in Brooklyn before the presidential primaries.  

After cyber attacks on financial institutions, policies and technologies were implemented to minimize the risks, including regulations for control of personal data such as PCI DSS. Government leaders at the local, state, and federal level, who are responsible for the electoral process, must consider doing the same. But this won’t be easy because there is no single national body that regulates the security or even the execution of what happens on Election Day; it’s a process that’s managed by each individual body. This has to change, and one organization needs to take responsibility for the integrity of the elections. If we are willing to go to war to make the world safe for democracy, how far are we willing to go to protect democracy at home?

Related Content:

Eitan Bremler is responsible for overall global marketing and product management activities of Safe-T, including product strategy and roadmap, product marketing, positioning, go-to-market and corporate marketing. Mr. Bremler brings to Safe-T more than 15 years of experience ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
eitanbr
50%
50%
eitanbr,
User Rank: Author
10/9/2016 | 3:34:19 AM
Re: Cyber security
At Safe-T we actually developed a solution which allows accessing external facing apps (Web, SMTP, etc) without the need to deploy a VPN or even open any ports within the firewall.

We call it RSAccess, its a new type of application access solution.
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/7/2016 | 10:24:05 AM
Cyber security
It is great that congressional probe has been carried out and issues of such stature must be discussed with higher based authorities. It is also important for users to encrypt their data and also deploy vpn server, purevpn, to access the web freely. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:30:16 PM
Re: Akash Tripathi
I agree. However "there is no single national body that regulates the security or even the execution of what happens on Election Day ...", this is actually news to me. Current federal goverment should be responsible on this.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:15:24 PM
Nice list
 

This is a good list, hopefully election board will keep these in mind and take required measures. Last think we want to hear is that election system is hacked and we need to repeat it.
akashtripathi8
50%
50%
akashtripathi8,
User Rank: Apprentice
8/31/2016 | 11:27:17 AM
Akash Tripathi
This blog will clearly highlight all the details
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.