Those were some of the headlines from this year’s Def Con computer security conference in Las Vegas, where youth and adult hackers had little trouble rooting out flaws in voting equipment and cracking into mock state election websites. But there was one exercise that stumped them: They couldn’t seem to break into a replica of a heavily protected voter registration database.
They tried all weekend to hack the database, which was modeled after a real Ohio county’s and bolstered with extra layers of digital defenses. One got close, but nobody was able to manipulate the voter information inside.
Cyberattacks on voter registration databases have been a major concern for state election officials since the run-up to the 2016 election, in which officials say Russian government hackers broke into an Illinois database and stole records on hundreds of thousands of voters. So the fact that hackers at Def Con’s Voting Village couldn’t change anything in the mock database should bring them some relief -- showing that with the proper defenses, this is no easy task.
And yet, to make it a challenge for the highly skilled security researchers who gathered for the conference, organizers had to fortify the site with additional security features that made it much harder to penetrate. In this sense, the exercise also offers an example of the steps state officials should consider to safeguard their networks against top-notch hackers.
“I’d rather have the people in this room do this than go through it on Election Day,” Amber McReynolds, Denver’s director of elections, told me alongside the Voting Village. “It’s better to identify these vulnerabilities up front.”
Dozens of other state and local election workers stopped by the demonstration at the Caesars Palace Hotel over the weekend, according to Jake Braun, organizer of the Voting Village and a former White House liaison to the Department of Homeland Security. That was a big increase over last year, he told me. “There’s a lot to learn from these hackers. This isn’t out of reach for local election officials to do,” Braun said. “The whole point is that they should be part of it.”
To create the mock database, Voting Village organizers downloaded a publicly available list of voters from the Ohio secretary of state’s website. They then worked with officials from Cook County, Ill., who helped them create a realistic replica of a county computer network. They uploaded the database there and secured it behind layers of firewalls set up by Bash Kazi, a cybersecurity contractor who consulted on the project.
Hackers were invited to try to gain enough access to change voter information. If this were to happen in the real world on Election Day, it could cause long delays and create confusion at the polls. And the risks are well known: The Senate Intelligence Committee found that Russian hackers were in a position to “alter or delete” voter registration data in a “small number” of states when they intruded on election websites in 2016.
Kazi, who runs the firm KIG, which specializes in cybersecurity simulation training, said he hoped the exercise would help election administrators understand the threats. “The idea is to bring attention to the need to train local officials in the vulnerabilities that exist and the types of scenarios they’ll be encountering,” Kazi told me. He said the system he helped set up was “one of the more sophisticated networks relative to other small counties, which haven’t spent much money mitigating the risks that they have.”
Kazi watched as different hackers tried their luck throughout the day Friday. “After six and a half hours, no cigar,” he told me when I stopped by at the end of the afternoon. They didn’t fare any better the rest of the weekend.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Princeton University researchers sought to evaluate the possible effects of a hypothetical attack against the power grid via a botnet made of thousands of hacked connected devices such as water heaters and air conditioners, Wired's Andy Greenberg reported on Monday. “Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people — a population roughly equal to Canada or California — the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid,” Greenberg wrote. “That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.”
The researchers, who are set to present their work at the Usenix Security Symposium in Baltimore this week, relied on simulations for their study. “The researchers don't actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked,” according to Wired. “Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker.”
PATCHED: Sen. Edward J. Markey (D-Mass.) wants to know how federal agencies and electric utilities are defending the U.S. electric grid against Russian cyberthreats. “From elections to electricity, we know that Russia will continue to launch cyberattacks on our systems,” Markey said Monday in a statement released with letters he wrote to federal agencies, electric utilities, federal power marketing organizations and North American Electric Reliability Corporation. He added that he was seeking “answers and assurances from stakeholders who operate and oversee the grid that they are doing everything possible to secure our nation’s electrical system against devastating damage from physical or cyber-terrorist attacks.”
Markey said in the letters that he was inquiring about the security of the electric grid after the Wall Street Journal reported last month that Department of Homeland Security officials said Russian hackers managed to reach control rooms of electric utilities last year. However, the cybersecurity firm Dragos, which focuses on threats to industrial control systems, warned earlier this month against overstating the extent of the threat that hackers pose to the grid. “Adversaries have not placed 'cyber implants' into the electric grid to cause blackouts; but they are infiltrating business networks — and in some cases, ICS networks — in an effort to steal information and intelligence to potentially gain access to operational systems,” Selena Larson, a technical writer at Dragos, wrote in a post on Dragos's blog on Aug. 6.
PWNED: Cybercriminals continued to favor phishing to carry out attacks during the second quarter of 2018, according to a report set to be released today by the cybersecurity company RSA. The firm found that phishing represented 41 percent of all observed cyberattacks between April 1 and June 30, compared to 48 percent during the first quarter. “Phishing and malware-based attacks are the most prolific online fraud tactics developed over the past decade,” RSA said in its quarterly fraud report. “Phishing attacks not only enable online financial fraud but these sneaky threats also chip away at our sense of security as they get better at mimicking legitimate links, messages, accounts, individuals and sites.”
Additionally, RSA identified 9,185 “rogue” mobile applications during the second quarter, representing 28 percent of fraud attacks during that period of time. By comparison, such mobile apps amounted to 6 percent of observed attacks during the first quarter. Below are other takeaways from RSA's report:
- “Fraud from mobile browsers and mobile applications increased in Q2 2018 and represented 71 percent of total fraud transactions.”
- “While less than one-half of one percent of legitimate payment transactions were attempted from a new account and new device, this combination accounted for 27 percent of the total value of fraudulent payments.”
— “The Department of Defense kicked off its sixth bug bounty program Aug. 12 with Hack the Marine Corps, a challenge focusing on the Corps’ public-facing websites and services,” Jessie Bur wrote in Fifth Domain on Monday. “‘Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture,’ said Maj. Gen. Matthew Glavy, the head of the U.S. Marine Corps Forces Cyberspace Command, in a news release.”
— Raymond Odigie Uadiale, a former Microsoft employee, was sentenced to 18 months in prison on Monday after he pleaded guilty to conspiracy to commit money laundering in a case involving the Reveton ransomware, the Justice Department announced in a statement. Uadiale, who was a student at Florida International University while he was involved in the scam, was also sentenced to three years of supervised release.
The Reveton ransomware displayed a message on infected computers that claimed to be from a law enforcement agency and demanded payment to allow victims to regain access to their files, according to the factual proffer related to the plea agreement, the statement said. “By cashing out and then laundering victim payments, Raymond Uadiale played an essential role in an international criminal operation that victimized unsuspecting Americans by infecting their computers with malicious ransomware,” Brian A. Benczkowski, assistant attorney general for the Justice Department's Criminal Division, said in a statement.
— “A jury in Atlanta has convicted a Nigerian man on federal charges related to hacking universities,” the Associated Press reported. “Prosecutors said in a news release Monday that 34-year-old Olayinka Olaniyi and co-defendant 29-year-old Damilola Solomon Ibiwoye ran several phishing scams targeting employees at U.S. colleges and universities, including Georgia Tech and the University of Virginia.”
— More cybersecurity news from the public sector:
- Senate Commerce Committee hearing to conduct oversight of the Federal Communications Commission on Aug. 16.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.
Here is what is on Omarosa's secret White House recordings:
Trump calls fact checkers “bad people”:
This horse is suing his former owner: