Attempts to Manipulate Florida Elections Thwarted…
Evidence now shows that there was at least one concerted attempt to manipulate the primary results for the state’s legislative election in Florida last year, according to reports. The attackers apparently used an application to falsely request some 2500 absentee ballots through a website portal belonging to the Miami-Dade County Department of Elections.
Though the attempt to throw off the election tally ultimately failed due to security protocols in the election site that flagged the requests as invalid, the incident leads some security experts to believe that hackers are making strides in their efforts to exploit vulnerabilities in the information systems used by elections officials, and that this event may have been a dry run to perfect election fraud techniques.
“I believe that the attackers couldn’t get all the way through, but that doesn’t mean there isn’t another vector. There are so many ways you can get fraudulent data in [voting systems], and some of the ways are yet to be tested by hackers and security researchers. There’s also a chance [hackers] have another door and they are waiting for something else, like a bigger election. It might be a timing thing,” said Imperva’s Barry Shteiman.
The episode resulted in a grand jury report issued in December of last year, but the investigation was called off due to a lack of suspects in the case. Some IP addresses tied to the operation were known to correspond to computers in the U.S., but most were obscured by the use of proxies. The few IPs authorities do have may not belong to the attackers, but instead may be associated with devices that had been compromised and used in the operation without the owners’ knowledge.
Fraudulent requests are not the only means hackers have of manipulating election results. In 2011, a research team from Argonne National Laboratory, a Department of Energy facility, successfully demonstrated how Diebold voting machines can be hacked to allow vote counts to be altered by attackers with rudimentary skills utilizing off-the-shelf hardware, all while leaving no trace of the manipulation.
Early in 2012, a University of Michigan research team published a report demonstrating the hack of a prototype online absentee voting system developed by the District of Columbia in cooperation with the Open Source Digital Voting Foundation. The researchers were able to completely infiltrate the systems for the project and alter vote counts by exploiting weaknesses in the software’s open source architecture, particularly a previously disclosed vulnerability in the Linux kernel protocol, and were also able to undermine the system’s encryption protocols.
The anxiety over voting machine security culminated with DHS senior cybersecurity adviser Bruce McConnell warning election officials that “it is premature to deploy Internet voting in real elections at this time,” and Susannah Goodman of the Election Verification Network saying that, “election officials who run and pursue online voting programs must understand that they are putting voters’ ballots at risk of being altered or deleted without anyone realizing it.”
Despite the risks, the non-partisan advocacy group VerifiedVoting.org said that about on-third of all voters in the 2012 presidential election would be using voting machines susceptible to exploit, and that 33 states allow the transmission of ballot information via the Internet.
SCADA – ICA Honeypot Project Snares Hackers…
We all know too well that Industrial Control Systems (ICS), which include supervisory control and data acquisition (SCADA) networks that administer operations for critical infrastructure, manufacturing facilities, refineries, hydroelectric and nuclear power plants, etc. are a legacy-system-with-bolt-on-security nightmare. But how often are they actually being targeted?
Kyle Wilhoit, a security researcher with Trend Micro decided to find out by setting up what for all intents and purposes would appear to be three ICS systems dispersed across the nation and connected to the Internet. Wilhoit’s intention was to record the number, variety, intensity, and duration of attacks that might be directed at such systems.
“All three were internet-facing and used three different static IP addresses in different subnets scattered across the US. One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system. The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory,” wrote The Register’s John Leyden.
Wilhoit made it easy for the attackers to find the decoys by optimizing their SEO and publishing their presence on Google, as well as having vulnerable devices that are indexed in the Shodan project. – not as far-fetched of a circumstance as one would hope. Thw results of the study are documented in the report Who’s Really Attacking Your ICS Equipment? (PDF), and here is what Wilhoit found:
“It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netback.”
While the majority of the attacks (one in three) appeared to be emanating from China (but who really knows given attribution is tough), a surprising number were also seemingly coming from the U.S. (one in five) and a large number from, believe it or not, Laos (more than one in ten). Moral of the story: SCADA systems are really important, really vulnerable to attack, really hard to defend, and really desirable as a target.
Good grief, as Charlie Brown would say.
Hot Security Skills for a Hot Security Jobs Market…
Recently we reported on the GISWS study (.pdf) conducted by (ISC)² with partners Booz Allen Hamilton and Frost & Sullivan which indicated that there is still a significant shortage of highly trained security professionals, and that the demand for such expertise is going to continue to grow. Key to taking advantage of this market, the study notes, is the ability for information security professionals to continually enhance their skills sets.
Lauren Gibbons Paul has a great writeup in InfoWorld that outlines what some of these skills that are in high demand might be, according to a few industry experts. The following is a brief overview of Paul’s offerings:
- – Diverse technology experience: Familiarity with both information and physical-security technologies
- – Ability to anticipate needs: Keeping on top of new technologies and threats
- – Fluency in the IT side of physical security: Physical-security professionals who are fluent in technology
- – Advanced data-protection expertise: Enterprise rights management, multilevel security models, data classification techniques and biometrics
- – Business and financial acumen: Understanding the key business lines in their respective organizations and the impact of security
- – Good communication skills: Be able to communicate with diverse audiences, both technical and business oriented
- Adaptability: The ability to self-teach
Paul’s advice to CSOs: “You may need to bring in some of these skills by maintaining a well-rounded staff, rather than by acquiring them yourself…” Good advice.
Images courtesy of ShutterStock