Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10/25/2018 05:30 PM
County Election Websites Can Be Easily Spoofed to Spread Misinformation

Majority of county sites in 20 key swing states have non-.gov domains and don't enforce use of SSL, McAfee researchers found.

States' county government websites that provide vital information on local elections present an easy target for adversaries looking to interfere with the upcoming midterms, a new study shows.

McAfee recently inspected the security measures employed by county government websites in 20 critical swing states and found a majority of them lacking basic controls for protecting voters from misinformation campaigns.

One of the biggest concerns is the high percentage of county websites using top-level domains such as .com, .net, and .us in their Web address rather than a government validated .gov domain. Because anyone can buy a .com or a .net domain without having to go through the vetting process associated with a .gov domain, adversaries have an opening to set up spoofed county websites to spread disinformation, McAfee said.

A high percentage of the county websites the security vendor surveyed also did not enforce encrypted connections via Secure Sockets Layer (SSL) certificates, leaving visitors to these sites vulnerable to data theft and to redirection to spurious sites.

The lack of consistency in website naming and in the use of SSL certificates on county government sites poses a much more realistic threat to the integrity of the election process than attacks on physical voting machines, McAfee CTO Steve Grobman said in a blog post this week.

Often, county election sites are the first place voters go to for information on eligibility requirements, voting schedules, registration deadlines, voting locations and hours. "A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," he said. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels."

For example, an attacker could easily set up a fraudulent county election website and use a bulk email campaign to direct voters to the site. The spoofed site could be used to convey false information on when and where to vote, the hours for voting, eligibility requirements, and other information.

In recent months, highly detailed voter registration data has become easily available to anyone who wants it—sometimes for free. So an adversary intent on mischief would have little trouble targeting voters in specific regions with such misinformation campaigns, Grobman said.

Because few county sites use the .gov domain, voters would have a hard time distinguishing cleverly spoofed sites from the real ones. By focusing on key states and congressional districts, a well-crafted campaign could affect close races by reducing voter turnout in districts with a strong correlation to liberal or conservative voting patterns, Grobman said.

"If a malicious actor were to stand up bogus county sites a couple days before an election and then distribute misinformation emails to hundreds of thousands of citizens, it could be possible to disrupt the voting process," Grobman told Dark Reading. "Local governments simply would not have the capacity or the time to counter and correct the confusion before polling stations close at the end of election day."

.Gov Gap
Minnesota and Texas have the largest percentages of non-.gov county government sites. A startling 95.5% of county sites in Minnesota and 95% in Texas do not use a .gov domain. Other states with similarly high percentages were Michigan, New Hampshire, Mississippi, and Ohio. Arizona has the highest number of .gov websites, but even there, more than one-third of county websites use .com, .net, and other top-level domains.

West Virginia, Texas, and Montana topped the list of states with the greatest number of county governments not using SSL. Over 90% of the county websites in each of these states lacked SSL, meaning attackers would have a relatively trivial task redirecting site visitors to rogue locations.
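The two controls the survey measured, whether a county site sits under a vetted .gov domain and whether plain-HTTP visitors are forced onto HTTPS, are straightforward to audit across an inventory of sites. The following Python is an added example, not McAfee's survey tooling or anything published with the article; the hostnames and HTTP responses are constructed placeholders, and the network fetch is left out so the classification logic runs offline. It distinguishes a site that merely redirects to HTTPS from one that also sends HSTS, since only the latter protects a returning visitor's first request from being intercepted.

```python
"""Offline audit of the two controls discussed above: .gov domain use and
HTTPS enforcement. Added example; responses are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# .gov is the only vetted top-level domain the article names.
GOV_TLDS = ("gov",)


@dataclass
class HttpProbe:
    """Constructed summary of what a plain-HTTP request to a hostname returned:
    status code, Location header (if any) and the Strict-Transport-Security
    header observed on the HTTPS side (if any)."""
    status: int
    location: Optional[str] = None
    hsts: Optional[str] = None


def uses_gov_domain(hostname: str) -> bool:
    """True if the hostname's final label is a vetted .gov TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-1] in GOV_TLDS


def https_enforced(hostname: str, probe: HttpProbe) -> str:
    """Classify how firmly a site moves visitors onto HTTPS.
    'enforced'  : HTTP redirects to HTTPS on the same host and HSTS is set
    'redirects' : HTTP redirects to HTTPS but without HSTS (first visit is plaintext)
    'none'      : HTTP serves content directly, or redirects somewhere else
    """
    if probe.status in (301, 302, 307, 308) and probe.location:
        target = urlparse(probe.location)
        same_host = target.hostname is not None and target.hostname.lower() == hostname.lower()
        if target.scheme == "https" and same_host:
            has_hsts = bool(probe.hsts) and "max-age" in probe.hsts.lower()
            return "enforced" if has_hsts else "redirects"
    return "none"


def audit(sites):
    """sites: iterable of (hostname, HttpProbe). Returns per-site findings and a
    summary with the two percentages the survey reported per state."""
    findings = [
        {"host": host, "gov_domain": uses_gov_domain(host), "https": https_enforced(host, probe)}
        for host, probe in sites
    ]
    total = len(findings)
    non_gov = sum(not f["gov_domain"] for f in findings)
    no_https = sum(f["https"] == "none" for f in findings)
    summary = {
        "total": total,
        "pct_non_gov": round(100 * non_gov / total, 1) if total else 0.0,
        "pct_no_https": round(100 * no_https / total, 1) if total else 0.0,
    }
    return findings, summary


# Constructed inventory; hostnames are placeholders, not real county sites.
SAMPLE_SITES = [
    ("sample-county.mn.gov", HttpProbe(301, "https://sample-county.mn.gov/", "max-age=31536000")),
    ("votesample.com", HttpProbe(200)),                                   # content over plain HTTP
    ("samplecounty.us", HttpProbe(302, "https://samplecounty.us/")),      # redirect, no HSTS
    ("sample-county.net", HttpProbe(301, "http://www.sample-county.net/")),  # redirect stays on HTTP
]

if __name__ == "__main__":
    results, totals = audit(SAMPLE_SITES)
    for f in results:
        print(f"{f['host']:24} gov={str(f['gov_domain']):5} https={f['https']}")
    print(totals)
```

Running the module over the constructed inventory reports 75% of the sample on non-.gov domains and 50% with no HTTPS enforcement at all; against a real inventory, the `HttpProbe` values would come from an HTTP client rather than be typed in.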

Poorly secured county websites give attackers a much more realistic opportunity to try to influence the outcome of elections than attacks targeting voting machines. Much of the concern about election tampering has focused on the actual voting machines and tallying systems. But the reality is that it is much harder for attackers to have a wide impact even if they managed to breach a voting system, Grobman said.

"Given elections are in two weeks, there is not enough time to switch over all the websites to .gov," Grobman notes. "Something easy local governments could do for the midterms would be to inform voters that under no circumstance will their local jurisdictions email them about a change in polling locations."

The best strategy for voters to minimize risk, according to Grobman, is for them to rely on state election and voter registration websites because more of them use .gov domains and SSL. Using these state government sites to find and navigate to a county site is a safer option than using a search engine, Grobman noted.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
