Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2018
01:55 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail

8 Steps Toward Safer Elections

Here's some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.
2 of 10

1. Get familiar with the evolving threat landscape
People who work at government agencies and election commissions are aware of hacking and phishing, but they don't always have security experts on board who can keep them up-to-date with evolving threats. The threats change every day and election officials don't always have the staff to have an experienced security expert or threat hunter. Start by seeking out the latest threat information at organizations such as the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
Image Source: Africa Studio, via Shutterstock

1. Get familiar with the evolving threat landscape

People who work at government agencies and election commissions are aware of hacking and phishing, but they dont always have security experts on board who can keep them up-to-date with evolving threats. The threats change every day and election officials dont always have the staff to have an experienced security expert or threat hunter. Start by seeking out the latest threat information at organizations such as the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

Image Source: Africa Studio, via Shutterstock

2 of 10
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
BanduraCSO
50%
50%
BanduraCSO,
User Rank: Author
8/14/2018 | 6:58:04 AM
Threat Intelligence
This article hits on a number of important points.  Part of this is basic cyber hygiene practices and it's not clear to me why the election networks themselves should be connected to the public Internet.  Threat intelligence and information sharing are very important.  We are seeing TI and info sharing become more important in guidelines like NIST Cyber Security Framework.  As the article points out a lack of skilled security staff is a challenge.  There is a newer technology called a Threat Intelligence Gateway (TIG) that gives you access to significant amounts of threat intelligence, enables you to integrate ISAC and other TI sources, and allows you to make use of TI to protect your network.  The cool thing about the TIG is that it enables organizations to access and act with enterprise grade TI without needing an army of security analysts.
rcash
50%
50%
rcash,
User Rank: Strategist
8/2/2018 | 12:00:30 PM
Illinois and election integrity are mutually exclusive terms
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk's Office in Illinois

When 130% more people vote in Cook county than are actually alive one could be preplexed with priorities.
  • Secure voter registration and validate the roles
  • Secure integrity with auditable chain of custody
  • Secure and isolate voting machines from tampering, verifiably.
  • TRAIN the poll personnel on best practices and validate their skills! 
  • Bring in accounting oversight at every step.

These are a few of my favorite things.
orderhangtrungquoc1221
50%
50%
orderhangtrungquoc1221,
User Rank: Apprentice
8/2/2018 | 9:48:47 AM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
tks for share
szurier210
50%
50%
szurier210,
User Rank: Moderator
7/30/2018 | 3:32:06 PM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Thanks very much Robert for your long comments. I don't have the answer but my expansive hope was that this story would generate some good discussion and sharing of ideas. I just think given the current state of politics in Washington a solution won't come from Washington. Average citizens, state and local governments and security people who know how to solve at least the technical issues need to be more vocal. 
bobfrank
100%
0%
bobfrank,
User Rank: Apprentice
7/27/2018 | 7:10:47 PM
Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Outstanding article! Unfortunately, it is just the latest in hundreds of valid articles about U.S. failures to provide trustworthy elections.  Just do web searches on "election fraud" and "elections integrity" to see some of them. 

This is a much more complex issue than the typical "voter fraud" component focused on just the voter registration elements.  Even if a 100% accurate voter registration system was implemented where only valid U.S. Citizens could register, that element would miss the most urgent need for end-to-end audit trails, chain-of-custody records and appropriate background checks on those allowed access to voting machines and within the ballot processing system.

In Nevada, our citizens task force composed of professionals has worked for almost a decade trying to stimulate interest in "Trustworthy Elections" by all levels of government and by both political parties. Check out my profile for my past expertise.

We have demonstrated that "Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!"

But, so far, we have been unable to get leading government officials to make any significant improvements.  And, detected government failures and suspected fraud is never prosecuted by District Attorneys because they are prohibited from investigating the evidence.

Conduct a web search on "NevadansCAN elections integrity some voting machines allow remote access" to find some of our exhaustive research, documentation and Nevada court hearing records up through the Nevada  Supreme Court on this vital issue. 

We have tried often to amend Nevada statutes to require independent audits of the systems components before, during and after elections (proposed to be done by accredited members of the Association of Certified Fraud Examiners), but leaders of both political parties at all levels have refused to cooperate.  Imaginie if our society refused to have such certified fraud examiner reviews of banking records and government secrets! How could we trust the financial institutions?

Find some of our legislative video testimony by searching on YouTube with the words "elections integrity robert frank"

We have twice contested elections in state courts the results of the Nevada Elections System by following statutes and appealed one particularly improper ruling at the district level to the Nevada Supreme Court and been summarily dismissed. 

The President's and Vice President's federal commission on elections integrity was sabotaged and had to be terminated because of opposition by both parties.  The Federal Elections Commission and Elections Assistance Commission refuse to ensure that at least the federal elections are conducted on trustworthy systems and are independently audited by unconflicted fraud examiners. 

Does anyone have a viable way to "fix" this problem of untrustworthy election systems?  We have exhausted our list of possible ideas for action.  

Robert Frank, Chair, NevadansCAN.com, Las Vegas, Nevada
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-8087
PUBLISHED: 2019-10-22
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via via unspecified vectors.
CVE-2019-10079
PUBLISHED: 2019-10-22
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
CVE-2019-12147
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the...
CVE-2019-12148
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin ...
CVE-2019-12290
PUBLISHED: 2019-10-22
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusi...