The Unsexy Threat to Election Security

25
Jul 19


Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

California has a civil grand jury system designed to serve as an independent oversight of local government functions, and each county impanels jurors to perform this service annually. On Wednesday, a grand jury from San Mateo County in northern California released a report which envisions the havoc that might be wrought on the election process if malicious hackers were able to hijack social media and/or email accounts and disseminate false voting instructions or phony election results.

“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public,” the report reads.

“Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report continues. “Alternatively, imagine that a hacker hijacks the County’s elections website before an election and circulates false voting instructions designed to frustrate the efforts of some voters to participate in the election. In that case, the interference could affect the election outcome, or at least call the results into question.”

In San Mateo County, the office of the Assessor-County Clerk-Recorder and Elections (ACRE) is responsible for carrying out elections and announcing local results. The ACRE sends election information to some 43,000 registered voters who’ve subscribed to receive sample ballots and voter information, and its Web site publishes voter eligibility information along with instructions on how and where to cast ballots.

The report notes that concerns about the security of these channels are hardly theoretical: In 2010, intruders hijacked ACRE’s election results Web page, and in 2016, cyber thieves successfully breached several county employee email accounts in a spear-phishing attack.

In the wake of the 2016 attack, San Mateo County instituted two-factor authentication for its email accounts — requiring each user to log in with a password and a one-time code sent via text message to their mobile device. However, the county uses its own Twitter, Facebook, Instagram and YouTube accounts to share election information, and these accounts are not currently secured by two-factor authentication, the report found.

“The Grand Jury finds that the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure.”

The jury recommended the county take full advantage of the most secure two-factor authentication now offered by all of these social media platforms: the use of a FIDO physical security key, a small hardware device which allows the user to complete the login process simply by inserting the USB device and pressing a button. The key works without the need for any special software drivers. [Full disclosure: Yubico, a major manufacturer of security keys, is currently an advertiser on this site.]

Additionally, the report urges election officials to migrate away from one-time codes sent via text message, as these can be intercepted via man-in-the-middle (MitM) and SIM-swapping attacks. MitM attacks use counterfeit login pages to steal credentials and one-time codes.

An unauthorized SIM swap is an increasingly rampant form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.
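Why a counterfeit login page can pass along a texted code but not a security-key login, as an added example that is not from the grand jury report or this article. It is a minimal Python model: HMAC stands in for the key's public-key signature so it runs on the standard library, and the origins, class and function names are constructed for illustration.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.county.example"       # constructed: the real login origin
LOOKALIKE = "https://login.county-example.test"  # constructed: a counterfeit page's origin

class RelyingParty:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # stand-in for the registered key credential
        self.otp = self.challenge = None

    def send_sms_code(self):
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp

    def verify_sms_code(self, code):
        # A texted code carries no record of which page it was typed into.
        expected, self.otp = self.otp, None
        return expected is not None and hmac.compare_digest(code, expected)

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify_assertion(self, client_data, signature):
        expected_chal, self.challenge = self.challenge, None  # single use
        mac = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if expected_chal is None or not hmac.compare_digest(signature, mac):
            return False
        data = json.loads(client_data)
        # The signed data names the origin the browser was on; reject any other.
        return data["origin"] == RP_ORIGIN and data["challenge"] == expected_chal

def security_key_sign(key, challenge, origin_seen_by_browser):
    # The browser, not the page, supplies the origin that gets signed.
    client_data = json.dumps({"challenge": challenge,
                              "origin": origin_seen_by_browser}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def login_with_sms(rp, page_origin):
    code = rp.send_sms_code()
    # page_origin is unused: whichever page the user typed into, the code is the same.
    return rp.verify_sms_code(code)

def login_with_key(rp, page_origin):
    challenge = rp.new_challenge()
    client_data, sig = security_key_sign(rp.key, challenge, page_origin)
    return rp.verify_assertion(client_data, sig)
```

In this model the texted code verifies whether the user typed it on the real page or the lookalike, while the key-based login succeeds only from `RP_ORIGIN`.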

Samy Tarazi is a sergeant with the sheriff’s office in nearby Santa Clara County and a supervisor with the REACT Task Force, a team of law enforcement officers that has been tracking down individuals perpetrating SIM swapping attacks. Tarazi said he fully expects SIM swapping to emerge as a real threat to state and local election workers, as well as to staff and volunteers working for candidates.

“I wouldn’t be surprised if some major candidate or their staff has an email or social media account with tons of important stuff on there [whose password] can be reset with just a text message,” Tarazi told KrebsOnSecurity. “I hope that doesn’t happen, but politicians are regular people who use the same tools we use.”

A copy of the San Mateo County grand jury report is available here (PDF).


Wi-Fi Security Demands More than WPA3

We all know what can happen when we use an unsecured Wi-Fi network — anyone can see the data we’re sending and receiving. A Wi-Fi network must be encrypted, and it should have the latest, strongest encryption, WPA3. If it does, everything’s fine, right? You might have thought so until April 2019 when several WPA3 vulnerabilities came to light.

Granted, the vulnerabilities have been patched. But unless you know there will be no further weaknesses discovered in WPA3, it’s clear you should not rely solely on a wireless encryption protocol to protect your data. I recently caught up with Bruce McCorkindale, vice-president of technology and distinguished engineer at Symantec. If you want to understand how to secure devices on wireless networks, Bruce is your man. His advice: Implement WPA3 within a Zero Trust strategy.

Zero Trust starts with the assumption that you can’t trust your network or the endpoints on it. That means doing away with the idea that your network has a perimeter that can be secured, and assuming that compromise might have, and probably has, already occurred. “When you’re at work, treat it like you’re at Starbucks,” says McCorkindale.


If you’ve been reading up on Zero Trust, you realize there is no such thing as a Zero Trust product per se. Zero Trust is a strategy that has been embraced by standards and advisory organizations. For example, NIST has developed its Cyber Security Framework with Zero Trust principles in mind (although Zero Trust is not mentioned by name in the framework). Forrester has created its Zero Trust framework that it encourages its clients to implement. And Gartner has done something similar in its CARTA framework. You can start with any of these frameworks, but the end result will consist of technologies and methods you select, tailored to your own organization’s distinct needs.

Zero Trust strategies implement layered defense, or defense-in-depth, not a new concept by any means. No single piece of your strategy will be absolutely secure, but the combination of all the measures together will create a defense that will be very difficult to penetrate. For Wi-Fi networks, McCorkindale recommends these essential layers:

  • Transport Layer Security (TLS). TLS is an IETF standard and the successor to SSL. TLS 1.3, completed in 2018, is faster and more secure than its predecessor.

  • VPN. Establishing a VPN connection creates a tunnel in which traffic is encrypted using protocols such as IPsec.

  • Multi-factor authentication. The combination of two or more of the following: what a user knows (password), what a user has (security token) and what the user is (biometric factor).

It’s important to use these measures in combination, beginning with TLS, then adding VPN and multifactor authentication. Experience has shown that traditional passwords just don’t cut it. If a bad actor obtains a user’s credentials, all the encryption in the world won’t matter. He or she will simply enjoy encrypted access to your corporate data.

Enterprise Zero Trust implementations often go further, including technologies such as User and Entity-Based Analytics (UEBA) that analyze the behavior of users and devices to detect suspicious anomalies. Micro-segmentation might also be implemented to limit the ability of users to access applications and of applications to talk to each other.

Symantec Technologies

You can implement a Zero Trust defense of your Wi-Fi traffic by stocking your arsenal with several key Symantec products. Most important are Norton Mobile Security (for consumers), SEP Mobile (for enterprises), and Norton Secure VPN products.

Both SEP Mobile and Norton Mobile Security for iOS can detect when a user is on an insecure Wi-Fi network and automatically launch a VPN connection on the user’s mobile device. Norton Mobile Security will also do you the favor of telling you whether your OS is out of date. This is an important feature, since many breaches result from users neglecting to update their endpoint systems and routers with the latest OS versions and security patches.

Symantec also offers VIP Security Keys, devices that plug into a USB port to enable users to verify who they are by tapping a finger. The VIP Security Keys implement the Universal 2nd Factor (U2F) standard, a protocol specified by the FIDO Alliance, a non-profit organization that is developing standards for authentication devices. VIP is also available as a mobile app that issues soft tokens.

After you implement WPA3 and these Zero Trust measures, will it be safe to relax? Um, no. Adhering to the practices above will make your defenses significantly more robust. But any security strategy is a work in progress and it’s only as effective as your own dedication to carrying it out. Forget to update your router software and you’ve created a weakness that will render the rest of your defense little more than a cyber Maginot Line. To paraphrase a famous quotation, the price of data security is eternal vigilance.


About the Author

Stan Gibson

Technical Writer

Stan is an award-winning technology editor, writer and speaker, with 34 years experience covering information technology. Formerly executive editor at eWEEK and PC Week, he is currently principal at Stan Gibson Communications.