Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/30/2016
12:30 PM
Eitan Bremler
Eitan Bremler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

6 Ways To Hack An Election

Threats to our electoral process can come from outside the country or nefarious insiders. Our country needs to be better prepared.

After Russian state security personnel were accused of hacking the Democratic National Committee, the possibility of outsiders manipulating the American political process became a reality. With the reliance on computers to collect votes, report results, communicate campaign strategies, and coordinate voter registration activities, the electoral process has new vulnerabilities. In addition, rogue countries aren’t the only threats; insiders are also capable of manipulating election results. Here are six ways that elections can be hacked.

1. Hacking Into Electronic Voting Machines

Cybersecurity firms such as Symantec and CrowdStrike have confirmed that hacking a voting machine is fairly simple, costing about $15 online and requiring basic to intermediate skills, according to an Inqusitr article. About 25% of America’s votes are cast using electronic voting machines. Five states—Georgia, Delaware, Louisiana, South Carolina, and New Jersey—use machines that don’t provide a paper trail for verification if results are inaccurate, according to the same Inquisitr article. CBS News found that 40% of states with paper trails never audited their results.

2. Hacking Voter Registration Databases

Malicious insiders or outsiders can delete voter registration forms to prevent people from voting, or they can switch a piece of information used for verification of a voter’s identity. If any information is inaccurate at the voting booth, including address or phone number, then the person isn’t eligible to vote. Many voters across the country, including in New York and California, reported that their registrations were changed without their permission. Kelly Tolman Curtis shared this post about how her voter registration status changed three times online in the span of just a few days.

3. Leaking Sensitive Voter Data

Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) mandate the strict protection of sensitive personal financial information. But none of these standards apply to voter sensitive information, including addresses, telephone numbers, and credit card information used for donations.

Since December, hundreds of millions of voters in the U.S., the Philippines, Turkey, and Mexico have had their data left unprotected on the web. In some instances, malicious hackers are suspected of pilfering the data for criminal purposes.

Fifty-five million registered voters were at risk by the Philippines data breach alone, according to security firm Trend Micro, potentially surpassing the Office of Personnel Management data breach, which affected 20 million people.

4. Hacking Into Email Servers

Since hackers broke into the DNC’s servers several months ago, revealing embarrassing details about the committee’s inner workings, email servers are known to be potential targets. If email servers of political candidates and their committee members are hacked, there could be a whole lot of mudslinging by publicizing private information discovered in hijacked emails. In addition, emails could be used to share voter registration information and other sensitive data. Hackers could also take over email accounts of candidates and send inaccurate or embarrassing communications.

5. Shutting Down The Voting System Or Election Agencies

In addition to the vulnerabilities of individual voting machines, the whole network of communications between more than 8,000 jurisdictions of varying size and authority could be hacked. Hackers could use a distributed denial-of-service (DDoS) attack to disable back-end servers in order to deny access to voters, and to interfere with the reporting of election results. Similarly, so they could also launch DDoS attacks against local, state, and federal election agencies to disrupt activities to increase voter participation, including last-minute phone calls and coordinating rides to the voting booths.

6. Committing Insider Fraud

Although the thought of rogue nations taking over and influencing election results has received huge headlines, there is always the threat that someone closer to home can do the tampering. The New York City Board of Elections suspended an official without pay amid allegations that at least 120,000 names were purged from voter rolls in Brooklyn before the presidential primaries.  

After cyber attacks on financial institutions, policies and technologies were implemented to minimize the risks, including regulations for control of personal data such as PCI DSS. Government leaders at the local, state, and federal level, who are responsible for the electoral process, must consider doing the same. But this won’t be easy because there is no single national body that regulates the security or even the execution of what happens on Election Day; it’s a process that’s managed by each individual body. This has to change, and one organization needs to take responsibility for the integrity of the elections. If we are willing to go to war to make the world safe for democracy, how far are we willing to go to protect democracy at home?

Related Content:

Eitan Bremler is responsible for overall global marketing and product management activities of Safe-T, including product strategy and roadmap, product marketing, positioning, go-to-market and corporate marketing. Mr. Bremler brings to Safe-T more than 15 years of experience ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
eitanbr
50%
50%
eitanbr,
User Rank: Author
10/9/2016 | 3:34:19 AM
Re: Cyber security
At Safe-T we actually developed a solution which allows accessing external facing apps (Web, SMTP, etc) without the need to deploy a VPN or even open any ports within the firewall.

We call it RSAccess, its a new type of application access solution.
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/7/2016 | 10:24:05 AM
Cyber security
It is great that congressional probe has been carried out and issues of such stature must be discussed with higher based authorities. It is also important for users to encrypt their data and also deploy vpn server, purevpn, to access the web freely. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:30:16 PM
Re: Akash Tripathi
I agree. However "there is no single national body that regulates the security or even the execution of what happens on Election Day ...", this is actually news to me. Current federal goverment should be responsible on this.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:15:24 PM
Nice list
 

This is a good list, hopefully election board will keep these in mind and take required measures. Last think we want to hear is that election system is hacked and we need to repeat it.
akashtripathi8
50%
50%
akashtripathi8,
User Rank: Apprentice
8/31/2016 | 11:27:17 AM
Akash Tripathi
This blog will clearly highlight all the details
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...