Just say no to online Internet voting: Cyberattack on Florida election is first known case in US

Posted by AzBlueMeanie:

SB 1387,
a bill sponsored by Sen. Bob Worsley (R-Mesa), the founder of retail
catalog giant SkyMall, seeks to establish an online voting pilot program in
time for the 2014 primary election. The Arizona Capitol Times (subscription required) reported earlier this month, Senator proposes online voting for 2014.

I posted about this election scandal out of Miami not being reported anywhere outside of Florida. The case of the phantom ballots: an electoral whodunit – Miamia Herald:

It had all the appearances of a political
dirty trick, a high-tech effort by an unknown hacker to sway three key
Aug. 14 primary elections, a Miami Herald investigation has found.

The plot failed. The elections department’s software flagged the requests as suspicious. The ballots weren’t sent out.

But who was behind it? And next time, would a more skilled hacker be able to rig an election?

Six months and a grand-jury probe later,
there still are few answers about the phantom requests, which targeted
Democratic voters in a congressional district and Republican voters in
two Florida House districts.

NBC News today has a follow-up to this story. Cyberattack on Florida election is first known case in US, experts say:

An attempt to illegally obtain absentee ballots in Florida last year
is the first known case in the U.S. of a cyberattack against an online
election system, according to computer scientists and lawyers working to
safeguard voting security.

The case involved more than 2,500
“phantom requests” for absentee ballots, apparently sent to the
Miami-Dade County elections website using a computer program, according to a grand jury report on problems in the Aug. 14 primary election.
It is not clear whether the bogus requests were an attempt to influence
a specific race, test the system or simply interfere with the voting.
Because of the enormous number of requests – and the fact that most were
sent from a small number of computer IP addresses in Ireland, England,
India and other overseas locations
– software used by the county flagged
them and elections workers rejected them.

Computer experts say the case exposes the danger of putting states’
voting systems online – whether that’s allowing voters to register or
actually vote.

“It’s the first documented attack I know of on an online U.S.
election-related system that’s not (involving) a mock election,” said
David Jefferson, a computer scientist at Lawrence Livermore National
Laboratory who is on the board of directors of the Verified Voting Foundation and the California Voter Foundation.

Other
experts contacted by NBC News agreed that the attempt to obtain the
ballots is the first known case of a cyberattack on voting, though they
noted that there are so many local elections systems in use that it's
possible that a similar attempt has gone unnoticed.

* * *

[E]xperts say they’ve been warning about this sort of attack for years.

“This has been in the cards, it’s been foreseeable,” said law Professor Candice Hoke, founding director of the Center for Election Integrity at Cleveland State University.

The
primary election in Miami-Dade County in August 2012 involved state and
local races along with U.S. Senate and congressional contests (see a sample ballot here). The Miami Herald, which first reported the irregularities,
said the fraudulent requests for ballots targeted Democratic voters in
the 26th Congressional District and Republicans in Florida House
districts 103 and 112. None of the races’ outcomes could have been
altered by that number of phantom ballots, the Herald said.

Overseas “anonymizers” — proxy servers that make Internet activity
untraceable — kept the originating computers’ location secret and
prevented law enforcement from figuring out who was responsible,
according to the grand jury report, issued in December
. The state
attorney’s office closed the case in January without identifying a
suspect.

Then came the Herald report, which said that three IP addresses in
the United States had been identified among those sending the requests
and that there had been a delay in getting that information to
investigators, which a Miami-Dade elections official confirmed to NBC
News
. Terry Chavez, spokeswoman for the state attorney’s office for
Miami-Dade County, also confirmed to NBC News that the investigation was
reopened to look into those IP addresses
. Chavez said she could release
no details on the investigation.

Rep. Joe Garcia won the
Democratic primary in the 26th District and went on to win the general
election. Jeff Garcia, his chief of staff and no relation, said last
week that no state or federal investigators had contacted the
congressman's office about the case.

State Rep. Jose Javier Rodriguez, a Democrat who won the District 112
seat, said Thursday that his office had not heard from investigators
about the case either. A message left at the legislative office of state
Rep. Manny Diaz Jr., the Republican who won the primary and the general
election in District 103, was not immediately returned.

The
Herald report said that as the requests began coming in, elections
officials figured out that they were improper and started blocking the
IP addresses. “I guess they finally gave up,” the newspaper quoted Bob
Vinock, an assistant deputy elections supervisor for information
systems, as saying. 

People who study election security say the
fact that this attempt did not succeed should be of little comfort to
election officials. They warn that attempts to attack voting systems are
likely to increase.

“In this case the attack was not as sophisticated as it could have been,
and it was easy for elections officials to spot and turn back,” said J. Alex Halderman,
an assistant professor of computer science and engineering at the
University of Michigan who studies the security of electronic voting.
An attack somewhat more sophisticated than the one in Florida,
completely within the norm for computer fraud these days, would likely
be able to circumvent the checks
.”

Fraudulently obtaining absentee ballots is just one way elections
might be subverted by digital means, experts say. Among the other
methods and attack points:

  • Malware. Rogue software infects millions of home computers across
    the country. Jefferson said hackers could use malware to change votes or
    prevent them from being cast in an online election.
  • Denial of service attacks. Jefferson said that hackers could use
    botnets to prevent election-system servers from working for hours, or
    perhaps longer. In fact, during an election in June 2012, a DOS attack hit the San Diego County Registrar of Voters' website, preventing voters from tracking the results.
  • “Spoofing” of election websites. For example, Hoke said, legitimate
    requests for absentee ballots could be misdirected to another site. The
    data then could be misused, or the requests could hit a dead end, and
    voters would be left wondering where their ballots were.
  • Exploiting software flaws in digital voting machines, known as DREs.
    The flaws could allow insertion of viruses or alteration of programming
    code that would change votes or delete them. (Read one description of hacking a voting machine.)
  • Tampering with email return of marked ballots. Experts say email
    return is troublesome because of the multiple points for attack along
    the ballots’ electronic path. “The overwhelming consensus of the
    computer science community is don’t do it, it’s a bad idea,”
    said Jeremy
    Epstein, a senior computer scientist at SRI International.
    But in about half the states, email absentee ballot return is an option
    for members of the military and their families, along with some other
    U.S. citizens living overseas.
  • Wholesale hijacking of an online voting system. In 2010, the
    District of Columbia Board of Elections and Ethics tested an
    Internet-based voting system for a week, asking computer experts to
    probe it for flaws. It took only 48 hours for a team led by Halderman
    to break in and take control of the site
    – even altering it so that the
    University of Michigan fight song played after a vote was cast.

In terms of illegally getting access to absentee ballots, Epstein
said, the attacker or attackers who failed in Florida might have had an
easier time with Washington state and Maryland.

He said that last
summer he demonstrated to the FBI a method of changing individual
voters’ addresses and other information online in those two states by
predicting their driver’s license numbers.

First he used publicly available information to gain a voter’s full
name and address. Then, he predicted the individual’s driver’s license
number – which is based on a combination of the person’s name and
numbers and letters — and used the information to access their voter
registration online. From there, he said, he could have changed their
addresses and had absentee ballots sent out
.

“Imagine if
(attackers) changed the address for 2,500 votes. It could be completely
automated, and they have the ballots sent to a post office box or
whatever,” Epstein said. “Then the registered voters would have no idea
until they tried to vote.”

In October, Halderman and other
researchers sent letters warning elections officials in both states
of the danger of staking system security on driver’s license numbers.

The letter to Washington officials (read it here in PDF) also said that other security features in the state’s MyVote system would be only a speed bump to a dedicated hacker.

“Although
the MyVote system uses a CAPTCHA, an image of distorted text intended
to deter simple automated attacks, this provides only minimal defense,”
the letter says. “Attackers can use commercial services to defeat the
CAPTCHA at a cost of less than $0.001 per voter.”

Shane Hamlin, assistant director of elections in the Washington Secretary of State's Office,
told NBC News that state election officials have acted on the
recommendations in the October letter and will require additional
information to register to vote or change registration online.

Maryland election officials did not immediately return a call from NBC News seeking comment, but the Washington Post reported last month that Ross K. Goldstein, deputy administrator of the Maryland State Board of Elections, acknowledged the security hole and said the online voter registration system was being updated to address the issue.

* * *

While elections officials are attracted to the savings that online
voting and registration systems promise, the cost of guarding online
registration and voting systems is large, Hoke said. And that might
negate the financial advantage of online balloting touted by some
elections officials and vendors who want to sell electronic voting
products.

“It’s cheap, if you don’t care whether elections are stolen,” she said.

That
possibility — of an election being stolen through digital means —
haunts researchers. For Jefferson, it’s a matter of national security.

“The legitimacy of government depends on it being impossible for single parties to change the results of elections,” he said.

So maybe you should contact Sen. Bob Worsley (R-Mesa) and Secretary of State Ken "Birther" Bennett and tell them to forget about this foolish idea of online internet voting, and oh by the way, maybe Secretary Bennet should be investing more time looking into the security issues identified in this NBC News report for online voter registration and voter information systems currently in use in Arizona.

Comments are closed.