Over the course of the last several weeks and months leading up the November 2018 Mid-Term Elections, McAfee, a US based anti-virus software provider, has been analyzing various Government website in several important “Swing States” and state counties across the country. More specifically, “McAfee surveyed the security measures of county websites in 20 states.” What researchers have found is that there is an alarmingly large number of Government run websites that remain unprotected by even some of the most basic and fundamental security measures, presenting an easy target for hackers ahead of important election dates.
Due to these critical vulnerabilities, in a blog post publishing their finding earlier this week, McAfee researchers were primarily concerned with 2 major issues. First, the spamming of unprotected email subscriber/voter registration lists tied to state owned websites allowing for phishing attacks to spread and second, the spoofing of websites, domain names and/or vulnerability to DNS poisoning attacks leading potential voters to fake or spoofed versions of state/election/Government websites.
To their surprise, what McAfee uncovered is that there is an unusually large number of of US Government websites not running on .gov Top Level Domains (TLD), instead using .com or .net. This is important to understand because .com domains are far less secure and much easier to obtain than .gov TLD’s, which require far more authentication/investigation to register. However, because of this, McAfee concludes that state employed website administrators simply didn’t want to go through the “hassle” or “red tap” to obtain .gov TLD’s – deliberately choosing to make their websites less secure for the sake of convenience. Moreover, according to McAfee‘s press release, “Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities” – therefore making it easier for malicious actors to spoof or set up fake election web pages to fool the voting public.
For some perspective on this, McAfee notes how “Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively.” Adding that “They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).” On the other end, “Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.”
— DarkReading (@DarkReading) October 25, 2018
On top of this, McAfee discovered that several state owned websites didn’t even utilize some of the simplest, most basic and easy to install security measures – such as SSL’s. This means that there are Government owned websites across different states that actively refuse to protect/encrypt any information their constituents enter onto them – something with is absolutely unacceptable in 2018, especially given all the state-wide voter registration data dumps throughout 2015/2016. For example, the study found that “Maine had the highest number of county websites protected by SSL,” but even then only 56.2% of them utilized one. On the other end of the spectrum, “West Virginia had the greatest number of websites lacking SSL security,” with approximately 92.6% of their sites lacking SSL certificates. This was followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%). Highlighting just how pathetic this is, most SSL certificates can be obtained for $2-$5 and come standard, for free, on most website hosting platforms.
“Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves,” notes McAfee CTO Steve Grobman. “Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.”
Safe & Secure Voting Registration Websites To Utilize for November:
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Carolina
- North Dakota
- Rhode Island
- South Carolina
- South Dakota
- West Virginia
Categories: Hacking News