Florida Hack 1st Election Cyberattack to Hit US, Say Pros
Something didn't seem right when hundreds of requests for absentee ballots started streaming into the online election system for Miami-Dade County last year. As it happens, officials were witnessing the first documented attack on online voting in the U.S., a potential threat warned about since government entities starting digitizing the voting process. The attempt was thwarted, but officials are now looking at adding more authentication measures.
03/19/13 2:57 PM PT
Florida has again made election-related headlines -- this time for an attempted hacking of online election systems during voting last August in Miami-Dade County. It is the first certified case of an online election attack in the U.S., according to NBC News.
Fraudulent requests for about 2,500 absentee ballots were sent to the election system from various IP addresses, but they were detected by system software and rejected by election workers.
"We should assume more sophisticated attacks against online voting are going to happen sooner rather than later," Tim "TK" Keanini, chief research officer at nCircle, told TechNewsWorld.
"The insecurity of the (online voting) systems is such that there would be a significant incentive for the dishonest to try to force these systems at this time," added Randy Abrams, a research director at NSS Labs.
What Happened in Miami-Dade
Online requests from more than 2,500 real voters who had not applied for absentee ballots streamed into the Miami-Dade elections website over a period of two and a half weeks.
The requests apparently targeted Democratic voters in a congressional district and Republican voters in two Florida House districts. Requests were sent twice for about 500 voters, and three times for seven voters. Florida voters are reportedly allowed to submit two ballot requests per election.
Elections staff are reported to have discovered the requests were fake when they called several of the voters who apparently requested the ballots. It took them several tries to block the 15 IP addresses sending the requests, because the hackers kept switching to different IP addresses.
Three IP addresses apparently originated in the U.S., and the rest had been registered in India and the UK. However, the election IT staff had not provided the U.S. addresses to prosecutors.
The state attorney's office reportedly closed its investigation in January without naming a suspect. It was later revealed in a Miami Herald report in February that the office did not receive the U.S. IP addresses. At least two of those IP addresses are reportedly in Miami. As of February, the state attorney's office was investigating the domestic IP addresses.
A grand jury investigating the issue has apparently made 23 recommendations, one of which is that voters requesting absentee ballots have to log in and enter a password.
As of February, both Miami-Dade County and the vendor supplying it the election software had not made any changes, arguing that the perpetrators had been caught, proving existing procedures worked, the Herald said.
With a Little Bit of Luck
"The fact that election workers who are not security experts by any means were smart enough to reject these requests tells us that this attack was not at all sophisticated," Keanini said. "Attackers are very good at learning from their mistakes and improving their methods."
It's possible that there have been other attempts to hijack the online voting process here in the U.S., Abrams told TechNewsWorld. "In some cases, the triggers may be spotted, but the observer may have priorities that preclude reporting suspicious behavior."
Can Online Voting Systems Be Secured?
Currently, our online electoral systems "are not ready for primetime," W. Hord Tipton, executive director of ISC2, which maintains and administers the Certified Information Systems Security Professional (CISSP) certification exam, told TechNewsWorld.
"I think there should be at least some measures in place much like U.S. federal systems are required to go through before they can even be put online," Tipton said. Such systems have to go through the accreditation and authorization process, and must have controls, risk and vulnerability assessments, security plans drawn up, "and a whole number of other things."
They must have a point person in the department or agency concerned who has to certify the systems are ready and explain those risks to accrediting officials, he added.