First, I would like to thank you for reading this blog post. It is the first of two, maybe more, parts. Before we get started, read the three disclaimers below.
Disclaimer 1: The opinions and ideas expressed in this blog post are mine and mine alone. They do not represent those of my employers: past, present, or future.
Disclaimer 2: The purpose of this blog post series is to shed light on the issues of Cybersecurity & the US 2016 Presidential Election. This is not a venue to bash or endorse one candidate or another. Any statement of a candidate being in support of or in opposition to a measure or topic will be associated with cited evidence.
Disclaimer 3: I am writing this blog to explore the interrelation of Cybersecurity and the Election and vice versa; nothing more.
US Elections Hacked: Relevant Events
News broke across several outlets today, August 29, 2016, that at least two state election databases had been hacked or breached. An FBI flash advisory is circulating around the internet, but I will not be linking to it or posting it because it is technically still classified. Yahoo is reporting that the election databases of Arizona and Illinois were the two known to be compromised. As a result, Jeh Johnson, Homeland Security Secretary, hosted a call with all state election officials to discuss cybersecurity and to provide experts to analyze the systems to try to identify and remediate any issues before “show time” in November.
In Illinois, the voter registration system was shut down after the information of some 200,000 voters was breached. Arizona was a case of malware in the system, but with no signs or known indicators of data exfiltration. With commonalities in the IP addresses and techniques used, many comparisons are drawn with the DNC Hacks. “In his phone call, Johnson encouraged the state officials to comply with federal cyber recommendations, such as making sure electronic voting machines are not connected to the internet while voting is taking place, the department said” (Reuters).
This is concerning for a variety of reasons. Russia, presumably the Russian government, is trying to influence the 2016 Elections. “With an election in November, some have speculated that the leaks are an attempt to somehow influence the result of the vote” (BBC). I can surmise that they are specifically targeting the presidential election due to their involvement with the DNC leaks. Alternatively, Vladimir Putin and Russia could be trying to embarrass the United States, which they seem to be accomplishing at this point.
In the immediate time frame, this is going to cause people to have reduced or eliminated confidence and trust in the system. Consequently, the term “Voter Fraud” may be tossed around more than normal this November. M. Mouse, D. Duck, and other fictional names may cast their ballots alongside deceased or non-existent people. Aside from this, there is the aspect of PII. Voter registration (in Georgia) requires the following:
- Name (First and Last at a minimum)
- Date of Birth
- Full SSN/Last 4
This is enough information to warrant “credit monitoring.” More controls should be implemented in securing this data. It is PII, but it does not fall under anything like PCI, HIPAA, or other data regulated or protected by program or law. Despite dealing with federal and local elections, it is under the jurisdiction of the states. This also shows a fundamental flaw in the systems and will encourage further attacks on all states by other nation states, copycats, and script kiddies alike. Now is the time for states to act to ensure that the data of their citizens is protected.
How This Could Have Been Prevented
A question that I have heard being asked is: should the voter registration and election systems be considered critical infrastructure? That is up for debate. Applying a federal standard such as the NIST Risk Management Framework (RMF) to these systems may be a good place to start. Aside from the bulletin, I have no inside information. I am not sure of the vector(s) used.
Most importantly, employing a sound information security program consisting of technical measures, risk management, and user awareness training could likely have prevented this. It seems as though the attackers just did a run-of-the-mill penetration test without authorization and hit the proverbial bank. While it seems phishing could have been used, it does not seem to be a specific vector.
Therefore, with this being a database that was attacked, I can assume with good certainty that a SQL Injection (SQLi) was involved. Per OWASP, the following can prevent many (if not most) SQL Injection attacks from occurring:
- Input Sanitization
- Limit characters that can be input
- Conduct input validation
- Use stored procedures
- Use prepared statements
- Run as an account with limited privileges
- Employ a Web Application Firewall (WAF)
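To make the prepared-statement and input-validation items concrete, here is an added example (not code from any state system or from the advisory) that runs the same voter lookup two ways against an in-memory SQLite table. The table layout, function names, and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows using the registration fields the post lists.
ROWS = [
    ("Mouse", "1928-11-18", "0001"),
    ("Duck", "1934-06-09", "0002"),
    ("O'Brien", "1970-01-01", "0003"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (last_name TEXT, dob TEXT, ssn_last4 TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?)", ROWS)
    return db

def lookup_concatenated(db, last_name):
    # Weak form: input is spliced into the SQL text, so a quote character
    # in the input changes the structure of the statement.
    sql = "SELECT last_name FROM voters WHERE last_name = '" + last_name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_prepared(db, last_name):
    # Prepared statement: the value is bound as data and never parsed as SQL.
    sql = "SELECT last_name FROM voters WHERE last_name = ?"
    return [r[0] for r in db.execute(sql, (last_name,))]

# Allow-list validation: letters plus the punctuation real surnames need,
# with a length limit. It is a second layer, not a substitute for binding.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")

def valid_name(last_name):
    return NAME_RE.fullmatch(last_name) is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed textbook test input
    print(lookup_concatenated(db, tautology))  # every row comes back
    print(lookup_prepared(db, tautology))      # nothing matches the literal
    print(valid_name(tautology), valid_name("O'Brien"))
    print(lookup_prepared(db, "O'Brien"))      # legitimate apostrophe works
```

A legitimate surname such as O'Brien breaks the concatenated query with a syntax error, which is why character limits alone are a poor fix: the allow-list has to permit the apostrophe, and only parameter binding makes that safe.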