Dark Reading is part of the Informa Tech Division of Informa PLC

9/19/2016
06:00 PM

Russia, Others Indeed Could Hack The Vote

DHS official 'confident' in electoral system security, but offers security assistance to localities and urges vigilance.

With less than 50 days until Americans cast their votes for a new President on Election Day, once-distant worries about hackers disrupting the voting process are becoming a heightened concern.

While security experts say they don't expect a massive breach or large-scale disruption on Election Day, they say the possibility exists that hackers could attack voting systems this year given the recent high-profile activity of Russian government-supported hacker groups, as well as the volatile political climate in this contentious Presidential race. But the underlying problem that could leave Election Day at risk is really nothing new: the well-known security flaws in various electronic voting systems used nationwide.

The US Department of Homeland Security has reached out to state and local election officials and offered assistance in helping them better secure voting systems amid the very public breaches of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), and voter registration systems in Arizona and Illinois.

DHS administrator Jeh Johnson attempted to balance calm with vigilance in a statement he issued on Friday: "We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balances built in," Johnson said. "Nevertheless, we must face the reality that cyber intrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant."

Johnson said DHS is offering localities vulnerability and risk assessments of their voting systems, including Internet-facing ones, along with a best practices guide for securing voter registration databases and protecting election systems from threats such as ransomware. He also urged states and election officials to use the Multi-State Information Sharing and Analysis Center (MS-ISAC) to share and receive threat intel.

Dmitri Alperovitch, co-founder and CTO at CrowdStrike, which identified Russian nation-state groups as the culprits behind the DNC and DCCC breaches, says the nation-state attackers could well target voting systems this election year, too.

"We absolutely see that as a potential threat. This is something we are very concerned about, a disruption to the election," Alperovitch says. The recent breaches of state voter registration systems could just be the beginning, he notes.

"There is certainly significant potential for more damage," he says.

Arizona's registration system reportedly was infected with malware, and Illinois' had some 200,000 voters' data stolen this summer. While no source of the attacks has been named publicly, security experts say it's possible that the Russian state actors were looking to alter voter registration data in an attempt to disrupt voting by preventing citizens from voting or sabotaging their voter identity information. Or they were merely testing the security of those systems for further attacks.

Researchers at ThreatConnect recently found a new clue that points to Russia as the possible source of the attacks and circumstantially indicates possible nation-state actors.

E-voting system security has been in the spotlight for some time now. Security expert Bruce Schneier says some states and precincts are more vulnerable than others. The distributed and diverse nature of the nation's voting systems does provide some general security cover, since there's not just one brand of machine to target, but at the same time those systems are vulnerable, according to Schneier. "A localized hack can have huge implications," he says.

The key is a paper trail for votes, he says. Optical-scanning of paper votes is the "gold standard of voting, but most [precincts] don't have it," Schneier says.

According to a new Institute for Critical Infrastructure Technology (ICIT) report, just 60% of states require paper trails of their voting systems, and 70% of all 9,000 US voting precincts use e-voting.

"We don't have a [national] bureaucracy for voting," Schneier notes. Voting systems and machines are administered by volunteers or non-technical people, he says, every couple of years. "That makes it harder to make usability and security correct."

Not Just Russia

It's not just Russian state hackers who could wreak some havoc on the election, either. "I don't think we should limit the conversation to Russia," says James Scott, senior fellow with ICIT. China also has a stake in the outcome of the US election, he says, as do hacktivists unhappy that Bernie Sanders isn't the Democratic nominee or even radicalized extremists, for example.

Scott argues it's also easy for one nation-state group to mimic another's behavior as cover. "Most of APT 28 and APT 29's exploit kits and malware are readily available on the deep Web. Reproducing" their MO is easy, he says, of the infamous nation-state Russian attack teams.

The bottom line, he says, is there are plenty of attack groups who would want to mess with the US election. "I think we have to" expect it, he says.

Scott co-authored ICIT's new report published today called "Hacking Elections is Easy! Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning," which outlines the weak spots in various electronic voting systems and processes and also includes screenshots of voter registration found for sale in the Deep Web.

He contends that even paper-based trails are no protection from hacks. "At the end of the day, paper is being scanned onto a machine" that has some network connectivity, he says. Many systems also rely on insertable media, which also could be compromised, he says.

Voting system manufacturers could be targeted in an attack, or a malicious insider there could poison a software update, for example, he says. "All of these machines operate off black-box technology, with proprietary programs nobody gets access to so you can't audit or pen-test it," he says.

A compromised update could be malicious code that calculates vote values higher for one candidate over another, for instance, he says.

Other security experts echo Scott's warnings of supply chain compromise.

"A lot of components go in these DREs [direct recording electronic systems], without a remote connection," says Levi Gundert, vice president of intelligence & strategy at Recorded Future. That would mean possible tampering or compromise of voting systems at the hardware level, for example, he notes.

Silent Breach?

Meantime, experts warn we don't really know if voting systems have previously been hacked. "We were just as exploitable before" as we are now, ICIT's Scott says. "Someone hacked this key region in this state [for example] … are we going to know?"

It takes an average of six months for most companies to detect a data breach, and 90 days for organizations who are closely watching their network infrastructure. "The voting window is shorter than that, so we wouldn't pick it up until the President is already elected," says James Carder, CISO of LogRhythm. "That's unnerving to me."

And even if it turns out there is no hack of voting systems, the threat of one could hang over this year's election, Schneier says.

"It's not just hacking; it's the appearance of hacking," Schneier says. "If the loser is not convinced [he or she] lost fairly, you're going to have a problem with the election." 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
