Silicon Valley Issues Election Security Report
Info Security News, July 26, 2019, with comments by Satya Gupta
Vulnerable communications platforms could allow hackers to hijack messages, mislead public
At the end of July, a grand jury in San Mateo, California published an Elections Security Report that highlights areas of online communication that are vulnerable to cyber hacking. The report describes ways San Mateo County’s email and online communication platforms could be hijacked, taken over by a hacker who might pose as one of the County’s officials.
The hacker can then use the official’s social media account to circulate false election information on election night, info that might subsequently spread via local news. The false election news would mislead people by leading them to believe inaccurate results. Such an event would cause the public’s faith in their election system to crumble. If the situation became severe, people might even refrain from voting altogether.
Hacks and breaches have happened, yet security practices still inadequate
The Assessor-County Clerk-Recorder and Elections (ACRE) office in San Mateo county uses social media, websites and email to gather voter information. These platforms are vulnerable and attackers have already shown they can hijack election results. Nine years ago in 2010, election results were grabbed off a webpage and in 2016, the county database was breached through a spear-phishing email.
San Mateo’s grand jury concluded that ACRE’s current security for its website, email and social media is not up to par to protect its contents against cyber attack. Hackers can leverage the weaknesses to hijack an ACRE online platform, misconstrue data and trick voters on or near election day. The report stated that even if votes themselves were valid, the risk of using falsified information after the fact could still undermine voter confidence and jeopardize the election.
Strong authentication should be an existing best practice, but it isn’t
One method the county is currently not using to protect and verify transactions two-factor authentication.
The report goes on to make specific recommendations that include the use of FIDO physical security keys, which Satya Gupta, CTO of Virsec, said is a bit unsettling. “Two-factor authentication should be the norm for any important business transaction and is used and offered by most online services. Intercepting SMS codes with a [man-in-the-middle] attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help but will not stop the torrent of false social media information we should expect during this election cycle.”
Given how many times experts have advised and endorsed strong authentication for users, It’s frustrating that such a system is not in place. People in charge of security are letting key practices go by the wayside instead of following best practices.
San Mateo, California, grand jury report https://www.sanmateocourt.org/documents/grand_jury/2018/elections.pdf