Cyber Countdown to November 6...

<h4 style="text-align: center;">Securing US State and Territory Voter Registration and Information Websites</h4><h2>Executive Summary</h2>Less than a week away from November 6, 2018, US midterm elections is arguably one of the most important election cycles in history where political parties battle for control of the two chambers of Congress. Additionally, <a href="https://www.usa.gov/midterm-state-and-local-elections" target="_blank">thirty-six state governors, three US territory governors, many city mayors</a>, and scores of other local seats are up for contention. Reports of illegitimate access to, or the exposure of, voter information and records have unfortunately become a recurring trend which could disrupt the voting process. This concern was iterated by <a href="https://www.tampabay.com/florida-politics/buzz/2018/08/08/bill-nelson-the-russians-have-penetrated-some-florida-voter-election-systems/" target="_blank">US Sen. Bill Nelson back in August</a> 2018 and follows the <a href="https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-announcing-indictment-twelve" target="_blank">Department of Justice Deputy Attorney General Rod Rosenstein assertion that 500,000 voter records were stolen</a> in 2016 by Russian military intelligence. As interest in the criminal underground rises, disinformation campaigns are uncovered, and researchers find misconfigured servers and websites vulnerabilities hosting sensitive voter information, election security remains at the forefront of protecting democracies. In an effort to raise awareness and confront these challenges, Anomali released widely publicized research on voters lists for sale in the criminal underground in <a href="https://www.forbes.com/sites/leemathews/2018/10/16/millions-of-voter-records-are-for-sale-on-hacker-forums/1" target="_blank">October 2018</a>. This research followed Anomali research on the <a href="https://www.anomali.com/blog/anomali-labs-research-shows-email-based-attacks-continue-to-threaten-election-security" target="_blank">email spoofing threat to US elections</a> and <a href="https://www.anomali.com/resources/videos/how-secure-are-our-voting-systems-for-november-2018" target="_blank">Anomali CEO Hugh Njemanze’s discussion on safeguarding the integrity of upcoming elections</a>.Our latest research assessed the security posture of the 50 US States, District of Columbia, and 5 US Territory’s online voting registration and information websites. This involved an evaluation of the HTTP response headers of 56 domains to identify any privacy vulnerabilities or susceptibilities to interception, manipulation, and impersonation. The baseline assessment revealed seven state websites that were served over the HTTP protocol and did not redirect visitors to a secure website connection using the encrypted HTTPS protocol. Anomali researchers also analyzed security weaknesses in SSL/TLS certificates to evaluate additional exploitable opportunities afforded to malicious actors. At a time with unprecedented concerns regarding electoral inference and the integrity of US elections, we believe reducing the attack surface and increasing the adversary’s cost will assist US States and Territories in safeguarding the democratic process and protecting the electorate’s sensitive information.<h2>Introduction</h2>Since the 2016 US Presidential elections, a body of reporting from the US government, security community, and news media has come to light describing the threats to voter registration systems and voter privacy. These threats range from Russian government efforts to compromise individual states’ voter registration systems to cybercriminals selling or distributing voter lists on underground forums to human errors in database management by state governments and third-party vendors.<ul><li>According to US Department of Homeland Security (<a href="https://www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721" target="_blank">DHS</a>), they notified 21 states during the 2016 Presidential election that (<a href="https://www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721" target="_blank">Russian</a>) hackers targeted their voter registration systems using techniques such as <a href="https://www.nbcnews.com/storyline/hacking-of-america/federal-government-tells-21-states-election-systems-targeted-hackers-n804031" target="_blank">vulnerability scanning</a>; however, this was refuted by those states with the exception of Illinois and Arizona. These two states were the unnamed organizations of a summer 2016 <a href="https://s.yimg.com/dh/ap/politics/images/boe_flash_aug_2016_final.pdf" target="_blank">FBI alert</a> and later identified in press reporting with <a href="https://www.intelligence.senate.gov/sites/default/files/documents/os-ssandvoss-062117_0.pdf" target="_blank">Illinois’s </a><a href="https://www.intelligence.senate.gov/sites/default/files/documents/os-ssandvoss-062117_0.pdf" target="_blank">voting</a><a href="https://www.intelligence.senate.gov/sites/default/files/documents/os-ssandvoss-062117_0.pdf" target="_blank"> registration database (VRDB)</a> as compromised in a Structured Query Language (SQL) injection (<a href="https://www.owasp.org/index.php/SQL_Injection" target="_blank">SQLi</a>) attack while a county-level VRDB in Arizona was probed but the intrusion attempt blocked by security controls. In both cases, no registration data was modified or deleted.</li><li>Since at least 2015, there have been multiple Deep and Dark Web forum posts offering for sale US voter registration records at prices ranging from $2 USD to as high as $12,500 USD. These <a href="https://techscience.org/a/2017090601/#Authors" target="_blank">voter records</a> are also available at no-cost (minus a processing fee) or up to $34,000 USD at state government offices or third-party data brokers for authorized parties such as political campaigns, academic researchers, or journalists. These seemingly innocuous voter records, if combined with other breached data, could offer threat actors enhanced knowledge of their potential victims for use in identity fraud and social engineering attacks. For recent underground activity showing interest in the sale of US voter records reference our blog, “<a href="https://www.anomali.com/blog/estimated-35-million-voter-records-for-sale-on-popular-hacking-forum" target="_blank">Estimated 35 Million Voter Records For Sale on Popular Hacking Forum</a>”.</li><li>In the last three years, multiple press reports highlight two vulnerability types, server misconfigurations and poor coding practices, as contributing factors to the public exposure of voter registration data. At <a href="https://techcrunch.com/2018/08/12/hacking-the-websites-responsible-for-election-information-is-so-easy-an-11-year-old-did-it/" target="_blank">DEFCON 26</a> in August 2018 in a demonstration of poorly written code, an 11-year old used an SQLi attack to compromise a replica site for the Florida Secretary of State web page. In the largest known exposure of US voter information, a publicly accessible Amazon Web Services (AWS) S3 bucket owned by <a href="https://www.upguard.com/breaches/the-rnc-files" target="_blank">Deep Root Analytics (DRA)</a> in June 2018 exposed 198 million voter details such as names, dates of birth, and voter registration details. Other instances involving the exposure of US voter records include a publicly accessible <a href="https://www.linkedin.com/pulse/hundreds-thousands-us-voter-data-appeared-online-again-bob-diachenko/?published=t" target="_blank">RoboCent</a> AWS S3 bucket affecting hundreds of thousands of US voter data in July 2018; an unsecured MongoDB database that was later held for ransom that exposed data of over <a href="https://kromtech.com/blog/security-center/cyber-criminals-steal-voter-database-of-the-state-of-california" target="_blank">19 million California voters</a> in December 2017; exposure of <a href="https://www.usatoday.com/story/tech/2017/08/18/information-1-8-million-chicago-voters-exposed/579656001/" target="_blank">1.8 million Chicago-based voter’s</a> information that were stored on a misconfigured AWS server platform in August 2017; and a <a href="https://www.politico.com/magazine/story/2017/06/14/will-the-georgia-special-election-get-hacked-215255" target="_blank">Kennesaw State University</a> misconfigured server hosting an older version of web server software Drupal content management system (CMS) exposing 6.7 million registered Georgia voters in August 2016. Unfortunately, exposure of voter registration records are not isolated to the US, as private records of <a href="https://www.dailydot.com/layer8/amazon-mexican-voting-records/" target="_blank">93.4 million Mexican</a> voters were found on a publicly accessible AWS S3 server in April 2016 and <a href="https://www.wired.co.uk/article/philippines-data-breach-fingerprint-data" target="_blank">55 million Philippine voter records</a> to include fingerprints and passport numbers were compromised by hacktivists using an <a href="https://www.youtube.com/watch?v=cTJjMTnEJdE" target="_blank">SQLi</a><a href="https://www.youtube.com/watch?v=cTJjMTnEJdE" target="_blank"> attack</a> in March 2016.</li></ul>In this report, researchers with Anomali’s Labs group assessed the state of security of voter registration and voter information websites ahead of the November 2018 midterm elections. As a base for the research, we explored website security measures as outlined in the October 2017 DHS issuance of <a href="https://cyber.dhs.gov/assets/report/bod-18-01.pdf" target="_blank">Binding Operational Directive 18-01</a> and threats confronting voter registration databases (VRDB) as stated in the June 2018 DHS release of <a href="https://www.dhs.gov/sites/default/files/publications/Securing%20Voter%20Registration%20Data_0.pdf" target="_blank">Securing Voter Registration Data</a> whitepaper. Of note, the BOD 18-01 is a compulsory direction to federal level organizations for the purposes of safeguarding federal information and information systems; however, the listed technical guidance and best practices can be applied by both the public and private sector to ensure the integrity and confidentiality of Internet-connected systems and data.<h2>Website Security</h2>A common initial access tactic is the exploitation of public-facing applications and services as described in the <a href="https://enterprise.verizon.com/resources/reports/dbir/" target="_blank">2018 Verizon Data Breach Investigation Report (DBIR)</a>. The report identified web application attacks such as SQLi and cross-site scripting (XSS) attacks as a leading cause of breach incidents, which totalled 41% of their investigations. To protect against web-based attacks, website owners should transition from the unencrypted HyperText Transfer Protocol (HTTP) to the secure version (HTTPS) and implement secure HTTP headers. HTTP is the protocol that web browsers and web servers use to communicate with each other over the Internet. Since the unencrypted HTTP protocol does not offer data protection from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. By enforcing HTTPS-only and HTTP Strict Transport Security (HSTS) protocols, communications can be protected between a user’s browser including the removal of support for known weak cryptographic protocols and cipher suites, website owners create secure connections by providing authentication and encryption between a web browser and a website. When properly configured, HTTPS and HSTS implementation on all publicly accessible websites and web services can help minimize the web server’s susceptibility to traffic interception, manipulation, and impersonation attacks. Failure to secure these connections can expose site visitors to privacy-related risks such as browser identity, website content, search terms, and other user-submitted information. As previously stated, one of the most common web-based attacks are XSS attacks, which occurs when a malicious script is injected directly into a vulnerable web application and executed in the unsuspecting user’s web browser. These scripts, depending on the threat actor’s motivation, can steal session cookies, scrape or amend content, and perform or modify actions on the site visitor’s behalf. In an election-related attack scenario, a threat actor could exploit an XSS vulnerability in an online State and Territory voter registration website and gain access to site visitors’ account credentials in order to change their registration information or steal sensitive information such as full or partial social security number.<h3>Secure Response Headers</h3>The below represents our analysis of seven secure response headers from online voter information and voter registration websites for the 50 US states, District of Columbia, and 5 US territories:<ol><li>Strict-Transport-Security - Anomali found 10 out of 56 (17.9%) active domains did not use HTTP Strict Transport Security (HSTS) as defined in RFC 6797. This feature helps prevent against man-in-the-middle (MiTM) attacks as it enforces the use of HTTP over TLS encrypted communications. One of the domains with a Strict-Transport-Security policy had set a “max-age” defined as 86400 (seconds), which is against the minimum recommended configuration (2592000 (30 days)). Another site had the policy set to “0”, which effectively withdraws their sites from HSTS. Of the seven sites with HSTS implemented, only three sites used the “includeSubDomains” directive to ensure coverage for all subdomains.<img alt="" src="https://cdn.filestackcontent.com/DwAOLERTdK001GmG7EIN"/> Figure 2. HSTS adoption for US State and US Territory Online Voting Registration and Information sites and Max-Age values</li><li>Content-Security-Policy - There were only five out of 56 active domains with a Content Security Policy (CSP) header set, and of these five there is evidence of weak configuration definition. CSP is a W3C standard which, if set, instructs the client browser from which location and/or which type of resources are allowed to be loaded. It is recommended that a “default-src” policy directive is set as it provides a fallback for other resource types when they don’t have specific policies, which only a single domain had defined. Two of the domains are currently using the deprecated “frame-src” directive, “child-src” is preferred in CSP 2. “script-src” is a high priority directive and only two domains have this defined. However, both of these domains have declared “unsafe-inline” which allows the execution of unsafe in-page scripts and event handlers. Only one domain has defined the “report-uri” directive, which means 55 active domains are not receiving violation reporting in this manner. A properly configured Content-Security-Policy (CSP) can help prevent cross-site scripting (XSS) attacks by restricting the origins of JavaScript, CSS, and other potentially dangerous resources. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.<img alt="" src="https://cdn.filestackcontent.com/5wqCakr8THqMhbuNkUTC"/> Figure 3. CSP adoption and number of directives used by US States and US Territories Online Voter Information and Online Voter Registration Websites<img alt="" src="https://cdn.filestackcontent.com/turp2VlSuizCKbUEyeUg"/> Figure 4. CSP Directives Implemented Across Five US States and US Territories Online Voter Information and Online Voter Registration Websites</li><li>X-Frame-Options - There were 29 out of 56 (51.8%) active domains without the X-Frame-Options header. A X-Frame-Options header tells the web browser whether you want to allow your site to be framed or not. This is a trivial response header to implement. By preventing a browser from framing your site you can defend against attacks like clickjacking. The “DENY” setting is recommended unless there is a specific requirement otherwise. Of the 29 domains that defined a X-Frame-Options header, there five that defined “DENY”, and the remainder defined “SAMEORIGIN” (23 domains) or specified an “allow-from” domain (1 domain).<img alt="" src="https://cdn.filestackcontent.com/Pyr0P1SJRtq0KaAoBckU"/> Figure 5. X-Frame-Options adoption and parameters</li><li>X-XSS-Protection - There were 50 out of 56 active domains without the X-XSS-Protection header set. The X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Setting X-XSS-Protection to "1; mode=block" helps to prevent against common cross-site scripting (XSS) attacks by not rendering the page if an attack is detected. This setting was defined for all of the six domains that use this particular header.</li><li>X-Content-Type-Options - There were 46 out of 56 active domains without the X-Content-Type-Options header. This header stops a web browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.</li><li>Referrer-Policy - There were 54 out of 56 active domains without a Referrer Policy header. This is a new header that allows a site to control how much information the web browser includes with navigations away from a document and should be set by all sites.</li><li>Feature-Policy - All the evaluated 56 active domains did not have set a Feature Policy. This policy is also a new header that allows a site to control which features and APIs can be used in the browser.</li></ol><h3>SSL/TLS Certificates</h3>A review of the strength and configuration of installed SSL/TLS certificates on the State and Territory online voting registration and information websites determined the potential security weaknesses of the evaluated sites. Overall, the results were positive in that all the sites analysed were not vulnerable to most of the well-known exposures and weaknesses. Specifically, the following vulnerabilities were assessed;<ul><li><a href="http://heartbleed.com/" target="_blank">Heartbleed</a> (CVE-2014-0160)</li><li><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-9244" target="_blank">Ticketbleed</a> (CVE-2016-9244)</li><li><a href="https://www.us-cert.gov/ncas/alerts/TA14-290A" target="_blank">POODLE</a> (CVE-2014-3566)</li><li><a href="https://drownattack.com/" target="_blank">DROWN Attack</a> (CVE-2016-0800)</li><li><a href="https://nvd.nist.gov/vuln/detail/CVE-2012-4929" target="_blank">CRIME</a> (CVE-2012-4929)</li><li><a href="https://robotattack.org/" target="_blank">ROBOT Attack</a> (CVE-2017-13099)</li></ul>To complement the above analysis, Anomali also looked for the presence of self-signed certificates, certificate name mismatches, or expired certificates. Overall, the results were overwhelmingly positive with no major issues such as misconfigurations or certificate weaknesses observed that could be leveraged by a threat actor to compromise online voter information and voter registration websites.<ul><li>Self-Signed Certificates - The use of self-signed certificates may allow attackers to conduct a Man-in-The-Middle (MiTM) attack using a spoofed certificate for any Distinguished Name (DN). Since no trusted third-party verification has taken place, security warnings associated with the use of self-signed certificates may degrade trust with visitors of the site. Modern web browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox will display a warning to clients if the website certificate is self-signed.</li><li>Certificate Name Mismatch - A certificate name mismatch error occurs when the domain name or IP address is not found within the Subject Alternative Name (SAN) or common name of the SSL certificate. The SAN allows you to list multiple domain names and subdomain names in a single certificate. A name mismatch most often occurs due to a configuration error; however, it can also be indicative of a malicious actor intercepting the communications in a Man-in-The-Middle (MiTM) attack. A likely consequence from certificate name mismatches is modern web browsers such as Google Chrome or Mozilla FireFox rejecting the certificate to prevent any security implications. For instance, when Internet users attempt to access your webpage, they may not be able to access it and instead be greeted with an error message that could result in a loss of trust, which was observed in 2003.</li><li>Expired Certificates - When a SSL certificate extends beyond its validity period, the protected resource may be susceptible to a MiTM attack and fraud and identity theft. Failure to implement an updated certificate could present website visitors with a security warning or dialog box requesting their approval to proceed. These warnings are extremely confusing for Internet users, and cause most of them to question the authenticity of the site they are attempting to view. Therefore, it most likely will result in reduced website traffic and negative corporate brand and reputation.</li></ul><img alt="" src="https://cdn.filestackcontent.com/EASrytlJTeytyvms3ZdD"/> Figure 6. Google Chrome certificate expiry warning<img alt="" src="https://cdn.filestackcontent.com/3hAx5FjwSrCCotOULsHF"/> Figure 7. Mozilla Firefox certificate expiry warning<img alt="" src="https://cdn.filestackcontent.com/G53bF0AyS4eRaJVzt6mA"/> Figure 8. Microsoft Edge certificate expiry warning<h2>Conclusion</h2>As more US States and US Territories transition to an online system for registering voters, these Internet-facing sites become targets for threat actors. These actors will continue to attempt to profit from the illicit sale of voter data or attempt to influence the outcome of elections through the spread of disinformation. A successful cyberattack against online voter information or voter registration sites could result in a web defacement, denial-of-service (DoS) condition, or allow a threat actor to obtain sensitive information such as voter data and PII. Therefore, implementation and enforcement of secure web standards such as HTTPS and HSTS on not only election-related websites but all publicly-accessible websites and web services. Additional web security best practices can be obtained at OWASP’s <a href="https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet" target="_blank">Web Application Security Project Top 10 Cheat Sheet</a> on common critical risks to web applications, the National Institute of Standards and Technology (NIST) <a href="https://csrc.nist.gov/publications/detail/sp/800-44/version-2/final" target="_blank">Special Publication (SP) 800-44: Guidelines on Securing Public Web Servers</a>, and NIST <a href="https://csrc.nist.gov/publications/detail/sp/800-95/final" target="_blank">SP 800-95: Guide to Secure Web Services</a>.Lastly, Anomali highly encourages all state, local, tribal, and territorial (SLTT) government organizations government organizations take advantage of the no-cost membership offered by the Multi-State Information Sharing & Analysis Center (<a href="https://www.cisecurity.org/ms-isac/" target="_blank">MS-ISAC</a>) and the Elections Infrastructure ISAC (<a href="https://www.cisecurity.org/ei-isac/ei-isac-services/" target="_blank">EI-ISAC</a>) to receive and share threat intelligence and mitigation procedures. Proactive membership in MS-ISAC and EI-ISAC can help organizations manage cyber and physical security risks and drive informed decision making to counter recent and emerging threats to your organization.