California & Florida Voter Websites Vulnerable To Hackers

Two cyber security firms sent the Department of Homeland Security (DHS) a troubling report in July this year that described a possible vulnerability in the online voter registration systems in dozens of counties in California and Florida. 

Many states, including Florida, make voters' information, including their names and party affiliations, easily accessible to members of the public who request it. Iranian intelligence was responsible for a recent campaign of emails sent to intimidate Florida voters, the FBI announced recently, adding that Russia was also working to influence the election

Now the Director of National Intelligence John Ratcliffe has announced that Russian and Iranian hackers had used some voter registration information in a bid to send misinformation to voters and sow discord ahead of the election. 

Both Iran and Russia had obtained some Americans' voter registration information, Ratcliffe said. Last year, a cybersecurity company found a software flaw in Riverside County in California voter registration lookup system, which it believes could have been the source of the breach.

The cyber security company, RiskIQ, said it was similar to the vulnerability that appears to have allowed hacks by Russian military hackers.The election threat report that flagged the vulnerability was written by cybersecurity experts  RiskIQ and  Northrop Grumman compared voter registration websites around the country with those that appeared to have been hacked in 2016. 

Administration officials have confirmed publicly that they believe that several counties in Florida, the State of Illinois Board of Elections, and possibly several counties in California had been victims of a hacking campaign four years ago.

The RiskIQ / Northrop Grumman report found that dozens of counties in Florida had voter registration websites that had lots of similarities to those in Riverside County in 2016. The report also raises the concern that these Florida counties could potentially be even more vulnerable than Riverside County was four years ago because they all share the same website management system. So if a hacker is inside one website he or she could have access to all the others too. 

In May, the FBI briefed Florida lawmakers on which of their 67 counties were successfully breached back in 2016. The officials were not allowed to divulge what they had learned, but they stressed that there was no evidence that cyber attacks changed any votes. "The actors got loud and essentially shut down the voter registration database, and that called attention to the problem," said Neil Jenkins, Chief Analytic Officer at the Cyber Threat Alliance

The report also looked at the websites' vulnerability to a particular kind of hack, something called a Padding Oracle Exploit (POE)  It was popular with hackers over a decade ago and is used to decrypt encrypted information. One of the concerns laid out in the report is that bad actors could use a POE to decrypt credentials to give themselves administrator access to the voter registration website.

Armed with this type of access hackers could potentially plant malware, change code, and even insert errors into the data.

The report also said, however, that the websites could have been compromised before the migration happened. The last voter website to migrate to a new operating system did so in 2019. The report says that the DHS do an audit of the Florida voter registration websites to make sure some vulnerability didn't accidentally slip in. However, DHS officials might hesitate to address details of the report or contact local officials about its findings because they haven't seen any indication that this hack is imminent.

As a general matter, local officials are unlikely to patch their systems against a possible vulnerability this close to the election. The last thing election officials would want to do just a week before their big day, he said, is to patch a website against a vulnerability that might not be severe and then find themselves watching helplessly when the patch makes their website crash. 

NPR:      NBC News:      Tallahassee Democrat:        NBC:   

You Might Also Read: 

Foreign Influence In The American Election Of 2020 Is Declining

 

« Cyber Spying Laws Are Changing
Securing AI In Military Systems »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

KPMG

KPMG

KPMG s a leading provider of professional services including information technology and cyber security consulting.

Computer Weekly

Computer Weekly

ComputerWeekly provides the latest news and analysis through its website and weekly digital magazine, as well as award-winning, exclusive premium content.

CYBERPOL

CYBERPOL

CYBERPOL's mission is to facilitate the widest possible mutual assistance between all cyber crime law enforcement authorities to help mitigate global cyber threats.

Blue Ridge Networks

Blue Ridge Networks

Blue Ridge offers a suite of solutions that enable secure remote access to the enterprise network with protection and control of endpoints.

Precise Biometrics

Precise Biometrics

Precise Biometrics develop and sell fingerprint software for convenient and secure authentication of people’s identity in mobile devices, smart cards and other products with fingerprint sensors.

7 Elements

7 Elements

7 Elements is an independent IT security testing company providing expertise in technical information assurance through security testing, incident response and consultancy.

Cycura

Cycura

Cycura provide advanced, customized, and confidential cyber security services, cyber investigation services, and digital forensic services to governments, companies, and organizations.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

CyberCareers.gov

CyberCareers.gov

CyberCareers.gov is a platform for Cybersecurity Job Seekers, Federal Hiring Managers and Supervisors, Current Federal Cybersecurity Employees, Students and Universities.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

Pioneer Search

Pioneer Search

Pioneer Search is a UK based Technology & Change, Electronics Engineering, Cyber Security & Cloud and Data & Analytics Employment Agency.

River Loop Security

River Loop Security

River Loop Security specialize in solving complex cybersecurity challenges in the IoT and embedded devices space.

Black Cybersecurity Association (BCA)

Black Cybersecurity Association (BCA)

Black Cybersecurity Association is an inclusive non-profit organization focused on community, and career mentorship for underrepresented minorities in the cybersecurity industry.

ADVA Optical Networking

ADVA Optical Networking

ADVA is a company founded on innovation and focused on helping our customers succeed. Our technology forms the building blocks of a shared digital future and empowers networks across the globe.

Artifice Security

Artifice Security

Artifice Security will demonstrate real-world attacks on your network, web applications, infrastructure, and personnel to expose your hidden security risks.