10/25/2018
05:30 PM

County Election Websites Can Be Easily Spoofed to Spread Misinformation

Majority of county sites in 20 key swing states have non-.gov domains and don't enforce use of SSL, McAfee researchers found.

States' county government websites that provide vital information on local elections present an easy target for adversaries looking to interfere with the upcoming midterms, a new study shows.

McAfee recently inspected the security measures employed by county government websites in 20 critical swing states and found a majority of them lacking basic controls for protecting voters from misinformation campaigns.

One of the biggest concerns is the high percentage of county websites using top-level domains such as .com, .net, and .us in their Web address rather than a government validated .gov domain. Because anyone can buy a .com or a .net domain without having to go through the vetting process associated with a .gov domain, adversaries have an opening to set up spoofed county websites to spread disinformation, McAfee said.

A high percentage of the county websites that the security vendor surveyed also did not enforce the use of Secure Sockets Layer (SSL) certificates, leaving users visiting these sites vulnerable to data theft and redirection to spurious sites.

The lack of consistency in website naming and in the use of SSL certificates on county government sites poses a much more realistic threat to the integrity of the election process than attacks on physical voting machines, McAfee CTO Steve Grobman said in a blog this week.

Often, county election sites are the first place voters go to for information on eligibility requirements, voting schedules, registration deadlines, voting locations and hours. "A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," he said. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels."

For example, an attacker could easily set up a fraudulent county election website and use a bulk email campaign to direct voters to the site. The spoofed site could be used to convey false information on when and where to vote, the hours for voting, eligibility requirements, and other information.

In recent months, highly detailed voter registration data has become easily available to anyone who wants it, sometimes for free. So an adversary intent on mischief would have little trouble targeting voters in specific regions with such misinformation campaigns, Grobman said.

Because few county sites use the .gov domain, voters would have a hard time identifying cleverly spoofed sites from the real ones. By focusing on key states and congressional districts, a well-crafted campaign could impact close races by reducing voter turnout in districts with a strong correlation to liberal and conservative voting patterns, Grobman said.

"If a malicious actor were to stand up bogus county sites a couple days before an election and then distribute misinformation emails to hundreds of thousands of citizens, it could be possible to disrupt the voting process," Grobman told Dark Reading. "Local governments simply would not have the capacity or the time to counter and correct the confusion before polling stations close at the end of election day."

.Gov Gap
Minnesota and Texas have the largest percentage of non-.gov county government sites. A startling 95.5% of county sites in Minnesota and 95% in Texas do not use a .gov domain. Other states with similarly high percentages were Michigan, New Hampshire, Mississippi, and Ohio. Arizona has the most .gov websites, but even there, more than one-third of county websites use .com, .net, and other top-level domains.

West Virginia, Texas, and Montana topped the list of states with the greatest number of county governments not using SSL. Over 90% of the county websites in each of these states lacked SSL, meaning attackers would have a relatively trivial task redirecting site visitors to rogue locations.
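The two gaps the study measures, a non-.gov domain and plaintext HTTP that is never redirected to HTTPS, are mechanical enough to check from a list of site URLs. The script below is an added example, not code from the article or from McAfee's study: it classifies each site's domain, decides whether HTTPS is enforced from the response to a plaintext request (a redirect to an https:// URL, plus an HSTS header on the HTTPS response), and tallies the percentages the way the study reports them. The sample responses are constructed so the audit runs offline; `probe_live` shows how the same data could be gathered with the standard library and is an assumption about method, not McAfee's.

```python
"""Audit county election-site URLs for non-.gov domains and unenforced HTTPS.

Added example (not from the article or McAfee). Sample responses below are
constructed; probe_live() is one assumed way to collect real ones.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import http.client

REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class HttpProbe:
    """What a plaintext GET / to the site returned."""
    status: int
    location: Optional[str]   # Location header on the HTTP response, if any
    hsts: Optional[str]       # Strict-Transport-Security on the HTTPS response, if any


def is_gov_domain(url: str) -> bool:
    """True only when the registrable host is under the vetted .gov TLD."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # "county.gov.example.com" must NOT count: only the trailing label matters.
    return host.endswith(".gov")


def https_enforced(probe: HttpProbe) -> bool:
    """True when plaintext HTTP is redirected to an absolute https:// URL.

    A relative Location keeps the visitor on port 80, so it does not count.
    """
    if probe.status not in REDIRECT_CODES or not probe.location:
        return False
    return urlsplit(probe.location).scheme.lower() == "https"


def assess(url: str, probe: HttpProbe) -> dict:
    """Findings for one site, phrased as the risk each gap creates."""
    findings = []
    gov = is_gov_domain(url)
    enforced = https_enforced(probe)
    if not gov:
        findings.append("non-.gov domain: a look-alike can be registered without vetting")
    if not enforced:
        findings.append("HTTP not redirected to HTTPS: visitors can be intercepted or redirected")
    elif not probe.hsts:
        findings.append("no HSTS: the first visit still starts over plaintext")
    return {"url": url, "gov": gov, "https_enforced": enforced, "findings": findings}


# Constructed sample: three fictitious county sites with typical outcomes.
SAMPLE = {
    "http://www.examplecounty.gov/": HttpProbe(301, "https://www.examplecounty.gov/", "max-age=31536000"),
    "http://www.examplecounty.com/": HttpProbe(200, None, None),
    "http://votes.examplecounty.us/": HttpProbe(302, "https://votes.examplecounty.us/", None),
}


def summarize(sample=SAMPLE) -> dict:
    """Per-site findings plus the two percentages the study reports per state."""
    results = [assess(u, p) for u, p in sample.items()]
    n = len(results)
    return {
        "pct_non_gov": round(100 * sum(not r["gov"] for r in results) / n, 1),
        "pct_no_https": round(100 * sum(not r["https_enforced"] for r in results) / n, 1),
        "results": results,
    }


def probe_live(host: str, timeout: float = 5.0) -> HttpProbe:
    """Assumed collection method: GET / over HTTP, then read HSTS over HTTPS if redirected there."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    hsts = None
    if location and urlsplit(location).scheme.lower() == "https":
        sconn = http.client.HTTPSConnection(host, 443, timeout=timeout)
        sconn.request("GET", "/", headers={"Host": host})
        hsts = sconn.getresponse().getheader("Strict-Transport-Security")
    return HttpProbe(resp.status, location, hsts)


if __name__ == "__main__":
    report = summarize()
    print(f"non-.gov: {report['pct_non_gov']}%  HTTPS not enforced: {report['pct_no_https']}%")
    for r in report["results"]:
        print(r["url"], "->", "; ".join(r["findings"]) or "no findings")
```

Running it over the constructed sample reports two of three sites on non-.gov domains and one of three with no HTTPS enforcement; the .us site passes the redirect check but is flagged for the missing HSTS header, the state a visitor's very first connection depends on.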

Poorly secured county websites give attackers a much more realistic opportunity to try and influence the outcome of elections than attacks targeting voting machines. Much of the concern about election tampering has focused on the actual voting machines and tallying systems. But the reality is that it is much harder for attackers to have a wide impact even if they managed to breach a voting system, Grobman said.

"Given elections are in two weeks, there is not enough time to switch over all the websites to .gov," Grobman notes. "Something easy local governments could do for the midterms would be to inform voters that under no circumstance will their local jurisdictions email them about a change in polling locations."

The best strategy for voters to minimize risk, according to Grobman, is for them to rely on state election and voter registration websites because more of them use .gov domains and SSL. Using these state government sites to find and navigate to a county site is a safer option than using a search engine, Grobman noted.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
