Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/30/2016
12:30 PM
Eitan Bremler
Eitan Bremler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

6 Ways To Hack An Election

Threats to our electoral process can come from outside the country or nefarious insiders. Our country needs to be better prepared.

After Russian state security personnel were accused of hacking the Democratic National Committee, the possibility of outsiders manipulating the American political process became a reality. With the reliance on computers to collect votes, report results, communicate campaign strategies, and coordinate voter registration activities, the electoral process has new vulnerabilities. In addition, rogue countries aren’t the only threats; insiders are also capable of manipulating election results. Here are six ways that elections can be hacked.

1. Hacking Into Electronic Voting Machines

Cybersecurity firms such as Symantec and CrowdStrike have confirmed that hacking a voting machine is fairly simple, costing about $15 online and requiring basic to intermediate skills, according to an Inqusitr article. About 25% of America’s votes are cast using electronic voting machines. Five states—Georgia, Delaware, Louisiana, South Carolina, and New Jersey—use machines that don’t provide a paper trail for verification if results are inaccurate, according to the same Inquisitr article. CBS News found that 40% of states with paper trails never audited their results.

2. Hacking Voter Registration Databases

Malicious insiders or outsiders can delete voter registration forms to prevent people from voting, or they can switch a piece of information used for verification of a voter’s identity. If any information is inaccurate at the voting booth, including address or phone number, then the person isn’t eligible to vote. Many voters across the country, including in New York and California, reported that their registrations were changed without their permission. Kelly Tolman Curtis shared this post about how her voter registration status changed three times online in the span of just a few days.

3. Leaking Sensitive Voter Data

Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) mandate the strict protection of sensitive personal financial information. But none of these standards apply to voter sensitive information, including addresses, telephone numbers, and credit card information used for donations.

Since December, hundreds of millions of voters in the U.S., the Philippines, Turkey, and Mexico have had their data left unprotected on the web. In some instances, malicious hackers are suspected of pilfering the data for criminal purposes.

Fifty-five million registered voters were at risk by the Philippines data breach alone, according to security firm Trend Micro, potentially surpassing the Office of Personnel Management data breach, which affected 20 million people.

4. Hacking Into Email Servers

Since hackers broke into the DNC’s servers several months ago, revealing embarrassing details about the committee’s inner workings, email servers are known to be potential targets. If email servers of political candidates and their committee members are hacked, there could be a whole lot of mudslinging by publicizing private information discovered in hijacked emails. In addition, emails could be used to share voter registration information and other sensitive data. Hackers could also take over email accounts of candidates and send inaccurate or embarrassing communications.

5. Shutting Down The Voting System Or Election Agencies

In addition to the vulnerabilities of individual voting machines, the whole network of communications between more than 8,000 jurisdictions of varying size and authority could be hacked. Hackers could use a distributed denial-of-service (DDoS) attack to disable back-end servers in order to deny access to voters, and to interfere with the reporting of election results. Similarly, so they could also launch DDoS attacks against local, state, and federal election agencies to disrupt activities to increase voter participation, including last-minute phone calls and coordinating rides to the voting booths.

6. Committing Insider Fraud

Although the thought of rogue nations taking over and influencing election results has received huge headlines, there is always the threat that someone closer to home can do the tampering. The New York City Board of Elections suspended an official without pay amid allegations that at least 120,000 names were purged from voter rolls in Brooklyn before the presidential primaries.  

After cyber attacks on financial institutions, policies and technologies were implemented to minimize the risks, including regulations for control of personal data such as PCI DSS. Government leaders at the local, state, and federal level, who are responsible for the electoral process, must consider doing the same. But this won’t be easy because there is no single national body that regulates the security or even the execution of what happens on Election Day; it’s a process that’s managed by each individual body. This has to change, and one organization needs to take responsibility for the integrity of the elections. If we are willing to go to war to make the world safe for democracy, how far are we willing to go to protect democracy at home?

Related Content:

Eitan Bremler is responsible for overall global marketing and product management activities of Safe-T, including product strategy and roadmap, product marketing, positioning, go-to-market and corporate marketing. Mr. Bremler brings to Safe-T more than 15 years of experience ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
akashtripathi8
50%
50%
akashtripathi8,
User Rank: Apprentice
8/31/2016 | 11:27:17 AM
Akash Tripathi
This blog will clearly highlight all the details
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:15:24 PM
Nice list
 

This is a good list, hopefully election board will keep these in mind and take required measures. Last think we want to hear is that election system is hacked and we need to repeat it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/31/2016 | 12:30:16 PM
Re: Akash Tripathi
I agree. However "there is no single national body that regulates the security or even the execution of what happens on Election Day ...", this is actually news to me. Current federal goverment should be responsible on this.
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/7/2016 | 10:24:05 AM
Cyber security
It is great that congressional probe has been carried out and issues of such stature must be discussed with higher based authorities. It is also important for users to encrypt their data and also deploy vpn server, purevpn, to access the web freely. 
eitanbr
50%
50%
eitanbr,
User Rank: Author
10/9/2016 | 3:34:19 AM
Re: Cyber security
At Safe-T we actually developed a solution which allows accessing external facing apps (Web, SMTP, etc) without the need to deploy a VPN or even open any ports within the firewall.

We call it RSAccess, its a new type of application access solution.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.