Hacking Elections Is Easy, Study Finds

It’s no longer a question whether hackers will influence the 2016 elections in the United States — only how much they’ll be able to sway them.

Leaked emails already have cost a Democratic Party chairperson her job, and the FBI last month issued a flash warning that foreign cyberadversaries had breached two state election databases.

Those two states — most likely Arizona and Illinois — aren’t alone in having their voter information compromised. Voter registration databases from all 50 states are being hawked on Deep Web marketplaces, an investigation by the Institute for Critical Infrastructure Technology has found.

Those databases could be used for all kinds of mischief, noted ICIT Senior Fellow James Scott, who collaborated with ICIT researcher Drew Spaniel on a study of voting system vulnerabilities.

For example, an attacker could sour a candidate’s supporters by sending bogus robocalls, supposedly originating from the candidate, at 3 a.m.

“An attacker could alter registration records on Election Day to delay and disrupt the election process and to spread disenfranchisement in the U.S. democratic process,” Scott told TechNewsWorld.

Dilapidated Black Boxes

Theft of voter registration records may be just the tip of the iceberg. U.S. voting systems are woefully vulnerable to hacker attacks, the ICIT maintained in the study released last week.

“Western democracy is held hostage to vulnerable code in black boxes on dilapidated bare bones PCs with virtually zero endpoint security, otherwise known as e-voting machines,” Scott and Spaniel wrote.

“Moreover, the systems are maintained and managed either by manufacturer personnel who obfuscate the insecurity of the systems or by local and state voting officials who are the very prototype of victims that repeatedly fall for spear phishing, ransomware and malware attacks and other easily avoidable cyber-attacks,” they continued.

“The problem in the sector is not merely a matter of lacking basic cyber hygiene, rather it is the sheer absence of the technical aptitude required to understand the cyber, physical and technical landscape available for exploit by the multitude of adversaries possessing a keen interest in manipulating the election process,” Scott and Spaniel added.

Safety in Fragmentation?

As vulnerable as U.S. voting systems are, it would be difficult for hackers to influence the outcome of an election, maintained Tellagraff CEO Mark Graff, a former CISO of Nasdaq and Lawrence Livermore Labs.

“It’s one thing to steal voter registration information from websites on the Internet, but it’s quite something else to modify that information on the sites,” he told TechNewsWorld.

There’s a difference between generating noise intended to undermine the credibility of the election and actually influencing the outcome, Graff pointed out.

“I don’t believe there is a credible case right now that they are trying to directly influence the outcome of the election,” he said.

“While our systems do have vulnerabilities, the fact that we have a federal system and all 50 states have their own systems is a strength,” Graff observed. “It might be possible to change some votes, but to change the outcome of an election and do so in a way that could not be detected is not practical at this point.”

Media Illusion

The fragmentation defense is an illusion propagated by the media, claimed ICIT’s Scott.

“The fragmented system does absolutely nothing to mitigate the risk of cybercompromise of election systems,” he argued. “If anything, the disjointed, distributed system makes it easier.”

The cybersecurity requirements of voting systems are not standardized or regulated, Scott explained. As a result, some states protect their systems, while other states only think that they protect their systems.

“Attackers only need to compromise one or a few counties in one or a few states to have a major impact on the national election,” he said. “It does not matter if some of the states adequately protect their systems, because the states that do not undermine the entire process.”

Brass Bull’s-eye

When it comes to ransomware, company brass have a bull’s-eye on their backs.

Upper management and C-level executives were popular targets of ransomware attacks, according to a recent Malwarebytes survey of 540 CIOs, CISOs and IT directors representing companies with an average of 5,400 employees across the U.S., Canada, UK and Germany.

Eighty percent of attacks affected mid-level managers or higher, the survey participants reported. A quarter of the attacks (25 percent) affected senior executives and the C-suite.

Ransomware in the wild increases by 46 percent or more every six months, noted Malwarebytes Senior Security Researcher Nathan Scott told TechNewsWorld. “That’s because ransomware makes so much more money than any other malware that we have ever seen.”

Breach Diary

  • Sept. 19. Active Network of Texas offers two years of free identity repair services in letter to 1 million Oregon and 1.5 million Washington Department of Fish and Wildlife customers potentially affected by data breach of hunting and fishing license sales system maintained by Active in those states.
  • Sept. 19. Payment systems at four Genghis Grill locations were compromised by malware between Feb. 9 and Sept. 7, placing at risk some 55,000 transactions by customers during that period, Dallas Morning News reports.
  • Sept. 20. St. Francis Health Systems in Tulsa, Oklahoma, confirms data breach in which 6,000 names and addresses were stolen from a server.
  • Sept. 20. A federal appeals court in Cincinnati has overturned a lower court ruling and is allowing class action lawsuit to proceed against Nationwide Mutual Insurance over 2012 data breach in which information of 1.1 million policy and non-policy holders was exposed to unauthorized parties, SC Magazine reports.
  • Sept. 20. Paul O’Brien, founder of smartphone news and reviews site MoDaCo, confirms data breach that has exposed 880,000 subscriber identities.
  • Sept. 21. Payment gateway Regpack is notifying its vendors that a data breach has placed at risk personal information in some 324,380 accounts, SC Magazine reports.
  • Sept. 21. U.S. Rep. Ralph Abraham, R-La., has filed a bill allowing the director of management and the budget to recommend the removal of any agency head whose agency suffers a data breach because it failed to comply sufficiently with information security requirements or standards, NextGov reports.
  • Sept. 21. University of Ottawa announces it is launching an investigation into the disappearance of a hard drive containing the personal information of 900 former and current students.
  • Sept. 22. Yahoo confirms 500 million user accounts have been compromised in data breach.
  • Sept. 22. Hacker group DCleaks makes public emails from a White House contractor containing sensitive information about schedules and procedures, as well as about Secret Service, military and White House personnel. DC Leaks is the same group that recently exposed emails of former Secretary Colin Powell.
  • Sept. 22. H&L Australia, which provides point-of-sales systems for more than 300 restaurant and liquor stores, confirms data breach of its customer relationship management system, resulting in theft of 14.1 GB of customer information.
  • Sept. 23. Ronald Schwartz, a New York resident, files class action lawsuit against Yahoo for gross negligence that led to data breach resulting in compromise of 500 million user accounts.
  • Sept. 23. Trump Hotel Collection company agrees to pay $50,000 to settle case with New York State Attorney General’s office over data breach that exposed more than 70,000 credit card numbers and other sensitive data.

Upcoming Security Events

  • Oct. 4. Cyber Crime — Why Are You a Target? 10 a.m. ET. Webinar by Richard Cassidy, UK Cyber Security Evangelist. Free with registration.
  • Oct. 5. Cambridge Cyber Summit. Kresge Auditorium, 48 Massachusetts Ave., Massachusetts Institutue of Technology, Cambridge, Massachusetts. Registration: $250.
  • Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 6. Smartphone Encryption Is Getting Stronger. Is It Enough To Keep You Safe? Noon ET. Webinar by ManTech. Free with registration.
  • Oct. 5-7. APWG.EU eCrime Symposium 2016. Slovensk sporitelna, Tomsikova 48, 831 04 Nov Mesto, Bratislava, Slovakia. Registration: APWG members, 129 euros; student or faculty, 129 euros; law enforcement and government, 129 euros; all others, 149 euros.
  • Oct. 7-8. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free.
  • Oct. 8. B-Sides Denver. SecureSet, 3801 Franklin St., Denver. Free, but tickets limited.
  • Oct. 11. Your Credentials Are Compromised, So Now What? 1 p.m. ET. Webinar by Centrify. Free with registration.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Non-member, $925; single day, $500; student, $80. Oct. 14-16. B-Sides Warsaw. Panstwomiasto, Andersa 29, Warsaw, Poland. Free.
  • Oct. 12. Can You Really Automate Yourself Secure? Facts vs. Fantasies. Noon ET. Webinar sponsored by Cigital. Free with registration.
  • Oct. 12. Why Are We Still Failing to Stop Cyber Attacks? 1 p.m. ET. Webinar by Cyphort. Free with registration.
  • Oct. 13. ISSA SoCal Security Symposium. Hilton Long Beach & Executive Meeting Center, 701 West Ocean Blvd., Long Beach, California. Registration: members, $115; nonmembers, $140; students, $75; day of event, $190.
  • Oct. 14-16. B-Sides Warsaw. Panstwomiasto, Andersa 29, Warsaw, Poland. Free.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
  • Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Profesor. Free with registration.
  • Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
  • Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Oct. 18-19. Security of Things, A Smart Card Alliance Event. Hilton Rosemont Chicago O’Hare Hotel, 5550 N. River Rd., Rosemont, Illinois. Registration: members $775 before Oct. 8, $885; nonmembers, $895 before Oct. 8, $1,045.
  • Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
  • Oct. 20. B-Sides Raleigh. Marbles Kid Museum, 201 E. Hargett St., Raleigh, North Carolina. Registration: $20.
  • Oct. 22. B-Sides Jacksonville. Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Registration: $10.
  • Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before Sept. 3, Pounds 1,199 with VAT; before Oct. 29, Pounds 1,559 with VAT; after Oct. 28, Pounds 1,799 with VAT.
  • Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • I read just recently that the Pennsylvania election system still uses Windows XP for voting. It’s no wonder the system can be hacked easily. If we are to embrace electronic voting, we need to specify better and more secure requirements. The same problems with hacking happens at government levels as it does anywhere else. Weak passwords, clueless users, and people like Hillary Clinton who insist on questionable means of communications because she can’t understand or doesn’t want to use more complex security. It’s this obsession to make things easy that creates gaps in security. No doubt many users who get hacked are at the cause of being hacked because of their actions. If the NYT’s can illegally get Donald Trump’s tax records. What makes anyone think anything is not accessible for a price?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels