States' county government websites that provide vital information on local elections present an easy target for adversaries looking to interfere with the upcoming midterms, a new study shows.
McAfee recently inspected the security measures employed by county government websites in 20 critical swing states and found a majority of them lacking basic controls for protecting voters from misinformation campaigns.
One of the biggest concerns is the high percentage of county websites using top-level domains such as .com, .net, and .us in their Web address rather than a government-validated .gov domain. Because anyone can buy a .com or a .net domain without having to go through the vetting process associated with a .gov domain, adversaries have an opening to set up spoofed county websites to spread disinformation, McAfee said.
A high percentage of the county websites that the security vendor surveyed also did not enforce the use of Secure Sockets Layer (SSL) certificates, leaving users visiting these sites vulnerable to data theft and redirection to spurious sites.
The lack of consistency in website naming and in the use of SSL certificates on county government sites poses a much more realistic threat to the integrity of the election process than attacks on physical voting machines, McAfee CTO Steve Grobman said in a blog this week.
Often, county election sites are the first place voters go to for information on eligibility requirements, voting schedules, registration deadlines, voting locations and hours. "A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," he said. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels."
For example, an attacker could easily set up a fraudulent county election website and use a bulk email campaign to direct voters to the site. The spoofed site could be used to convey false information on when and where to vote, the hours for voting, eligibility requirements, and other information.
In recent months, highly detailed voter registration data has become easily available to anyone who wants it—sometimes for free. So an adversary intent on mischief would have little trouble targeting voters by specific regions for such misinformation campaigns, Grobman said.
Because few county sites use the .gov domain, voters would have a hard time distinguishing cleverly spoofed sites from the real ones. By focusing on key states and congressional districts, a well-crafted campaign could impact close races by reducing voter turnout in districts with a strong correlation to liberal and conservative voting patterns, Grobman said.
"If a malicious actor were to stand up bogus county sites a couple days before an election and then distribute misinformation emails to hundreds of thousands of citizens, it could be possible to disrupt the voting process," Grobman told Dark Reading. "Local governments simply would not have the capacity or the time to counter and correct the confusion before polling stations close at the end of election day."
Minnesota and Texas have the largest percentage of non-.gov county government sites. A startling 95.5% of county sites in Minnesota and 95% in Texas do not use a .gov domain. Other states with similarly high percentages were Michigan, New Hampshire, Mississippi, and Ohio. Arizona has the largest number of .gov websites, but even there, more than one-third of county websites use .com, .net, and other top-level domains.
West Virginia, Texas, and Montana topped the list of states with the greatest number of county governments not using SSL. Over 90% of the county websites in each of these states lacked SSL, meaning attackers would have a relatively trivial task redirecting site visitors to rogue locations.
Poorly secured county websites give attackers a much more realistic opportunity to try to influence the outcome of elections than attacks targeting voting machines. Much of the concern about election tampering has focused on the actual voting machines and tallying systems. But the reality is that it is much harder for attackers to have a wide impact even if they managed to breach a voting system, Grobman said.
"Given elections are in two weeks, there is not enough time to switch over all the websites to .gov," Grobman notes. "Something easy local governments could do for the midterms would be to inform voters that under no circumstance will their local jurisdictions email them about a change in polling locations."
The best strategy for voters to minimize risk, according to Grobman, is for them to rely on state election and voter registration websites because more of them use .gov domains and SSL. Using these state government sites to find and navigate to a county site is a safer option than using a search engine, Grobman noted.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.