With less than a week to go before the November 6, 2018 US midterm elections, this is arguably one of the most important election cycles in history, with political parties battling for control of the two chambers of Congress. Additionally, thirty-six state governors, three US territory governors, many city mayors, and scores of other local seats are up for contention. Reports of illegitimate access to, or the exposure of, voter information and records have unfortunately become a recurring trend which could disrupt the voting process. This concern was reiterated by US Sen. Bill Nelson back in August 2018 and follows Department of Justice Deputy Attorney General Rod Rosenstein’s assertion that 500,000 voter records were stolen in 2016 by Russian military intelligence. As interest in the criminal underground rises, disinformation campaigns are uncovered, and researchers find misconfigured servers and website vulnerabilities exposing sensitive voter information, election security remains at the forefront of protecting democracies. In an effort to raise awareness and confront these challenges, Anomali released widely publicized research on voter lists for sale in the criminal underground in October 2018. This research followed Anomali research on the email spoofing threat to US elections and Anomali CEO Hugh Njemanze’s discussion on safeguarding the integrity of upcoming elections.
Our latest research assessed the security posture of the online voter registration and information websites of the 50 US States, the District of Columbia, and 5 US Territories. This involved an evaluation of the HTTP response headers of 56 domains to identify any privacy vulnerabilities or susceptibilities to interception, manipulation, and impersonation. The baseline assessment revealed seven state websites that were served over the HTTP protocol and did not redirect visitors to a secure connection using the encrypted HTTPS protocol. Anomali researchers also analyzed security weaknesses in SSL/TLS certificates to evaluate additional exploitable opportunities afforded to malicious actors. At a time of unprecedented concern regarding electoral interference and the integrity of US elections, we believe reducing the attack surface and increasing the adversary’s cost will assist US States and Territories in safeguarding the democratic process and protecting the electorate’s sensitive information.
Since the 2016 US Presidential elections, a body of reporting from the US government, security community, and news media has come to light describing the threats to voter registration systems and voter privacy. These threats range from Russian government efforts to compromise individual states’ voter registration systems to cybercriminals selling or distributing voter lists on underground forums to human errors in database management by state governments and third-party vendors.
In this report, researchers with Anomali’s Labs group assessed the state of security of voter registration and voter information websites ahead of the November 2018 midterm elections. As a base for the research, we explored website security measures as outlined in the October 2017 DHS issuance of Binding Operational Directive 18-01 and threats confronting voter registration databases (VRDB) as stated in the June 2018 DHS release of Securing Voter Registration Data whitepaper. Of note, the BOD 18-01 is a compulsory direction to federal level organizations for the purposes of safeguarding federal information and information systems; however, the listed technical guidance and best practices can be applied by both the public and private sector to ensure the integrity and confidentiality of Internet-connected systems and data.
A common initial access tactic is the exploitation of public-facing applications and services, as described in the 2018 Verizon Data Breach Investigations Report (DBIR). The report identified web application attacks such as SQL injection (SQLi) and cross-site scripting (XSS) as a leading cause of breach incidents, accounting for 41% of their investigations. To protect against web-based attacks, website owners should transition from the unencrypted HyperText Transfer Protocol (HTTP) to the secure version (HTTPS) and implement secure HTTP headers. HTTP is the protocol that web browsers and web servers use to communicate with each other over the Internet. Because unencrypted HTTP offers no protection against interception or alteration, it can subject users to eavesdropping, tracking, and modification of the data they receive. By enforcing HTTPS-only connections and HTTP Strict Transport Security (HSTS), and by removing support for known weak cryptographic protocols and cipher suites, website owners create secure connections that provide authentication and encryption between a user’s web browser and the website. When properly configured, HTTPS and HSTS on all publicly accessible websites and web services help minimize a web server’s susceptibility to traffic interception, manipulation, and impersonation attacks. Failure to secure these connections can expose site visitors to privacy risks, revealing browser identity, website content, search terms, and other user-submitted information. As previously stated, one of the most common web-based attacks is XSS, which occurs when a malicious script is injected into a vulnerable web application and executed in an unsuspecting user’s web browser. Depending on the threat actor’s motivation, these scripts can steal session cookies, scrape or amend content, and perform or modify actions on the site visitor’s behalf.
In an election-related attack scenario, a threat actor could exploit an XSS vulnerability in an online State and Territory voter registration website and gain access to site visitors’ account credentials in order to change their registration information or steal sensitive information such as full or partial social security number.
The below represents our analysis of seven secure response headers from online voter information and voter registration websites for the 50 US states, District of Columbia, and 5 US territories:
Strict-Transport-Security - Anomali found 10 out of 56 (17.9%) active domains did not use HTTP Strict Transport Security (HSTS) as defined in RFC 6797. This header helps prevent man-in-the-middle (MiTM) attacks by instructing the browser to only communicate with the site over TLS-encrypted connections. One of the domains with a Strict-Transport-Security policy had set a “max-age” of 86400 (seconds), which is below the minimum recommended configuration of 2592000 (30 days). Another site had the policy set to “0”, which effectively withdraws the site from HSTS. Of the seven sites with HSTS implemented, only three sites used the “includeSubDomains” directive to ensure coverage for all subdomains.
Figure 2. HSTS adoption for US State and US Territory Online Voting Registration and Information sites and Max-Age values
Figure 3. CSP adoption and number of directives used by US States and US Territories Online Voter Information and Online Voter Registration Websites
Figure 4. CSP Directives Implemented Across Five US States and US Territories Online Voter Information and Online Voter Registration Websites
X-Frame-Options - There were 29 out of 56 (51.8%) active domains without the X-Frame-Options header. An X-Frame-Options header tells the web browser whether you want to allow your site to be framed or not. This is a trivial response header to implement. By preventing a browser from framing your site you can defend against attacks like clickjacking. The “DENY” setting is recommended unless there is a specific requirement otherwise. Of the 29 domains that defined an X-Frame-Options header, there were five that defined “DENY”, and the remainder defined “SAMEORIGIN” (23 domains) or specified an “allow-from” domain (1 domain).
Figure 5. X-Frame-Options adoption and parameters
X-XSS-Protection - There were 50 out of 56 active domains without the X-XSS-Protection header set. X-XSS-Protection configures the cross-site scripting filter built into most browsers. Setting X-XSS-Protection to "1; mode=block" helps prevent common cross-site scripting (XSS) attacks by not rendering the page if an attack is detected. This setting was defined for all six of the domains that use this particular header.
X-Content-Type-Options - There were 46 out of 56 active domains without the X-Content-Type-Options header. This header stops a web browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.
Referrer-Policy - There were 54 out of 56 active domains without a Referrer Policy header. This is a new header that allows a site to control how much information the web browser includes with navigations away from a document and should be set by all sites.
Feature-Policy - None of the 56 evaluated active domains had set a Feature-Policy header. This is also a new header that allows a site to control which browser features and APIs can be used.
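The header checks described above, as an added example (not Anomali’s assessment tooling): it audits a captured set of response headers against the seven headers discussed, applying the 30-day HSTS minimum, the max-age=0 and includeSubDomains cases, and the recommended X-Frame-Options and X-XSS-Protection values. The header values are constructed for illustration; replace them with the headers from a real response to audit a site.

```python
import re

HSTS_MIN_AGE = 2592000  # 30 days, the minimum recommended max-age

# Constructed sample headers (hypothetical values, not from any real site)
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_hsts(value):
    """Return a finding for an HSTS header value, or None if it is acceptable."""
    if value is None:
        return "missing"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return "malformed (no max-age)"
    max_age = int(match.group(1))
    if max_age == 0:
        return "max-age=0 withdraws the host from HSTS"
    if max_age < HSTS_MIN_AGE:
        return f"max-age {max_age} below recommended {HSTS_MIN_AGE}"
    if "includesubdomains" not in value.lower():
        return "includeSubDomains directive absent"
    return None

def audit_headers(headers):
    """Map each of the seven headers to a finding string (None means no issue)."""
    findings = {"Strict-Transport-Security": check_hsts(_get(headers, "Strict-Transport-Security"))}
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    elif xfo.strip().upper() == "DENY":
        findings["X-Frame-Options"] = None
    else:
        findings["X-Frame-Options"] = f"set to {xfo!r}; DENY recommended unless framing is required"
    xss = _get(headers, "X-XSS-Protection")
    findings["X-XSS-Protection"] = None if xss and xss.replace(" ", "").lower() == "1;mode=block" else "missing or not '1; mode=block'"
    # Presence checks for the remaining headers, matching the page's analysis
    for name in ("Content-Security-Policy", "X-Content-Type-Options", "Referrer-Policy", "Feature-Policy"):
        findings[name] = None if _get(headers, name) else "missing"
    return findings
```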
A review of the strength and configuration of the SSL/TLS certificates installed on the State and Territory online voter registration and information websites determined the potential security weaknesses of the evaluated sites. Overall, the results were positive in that none of the sites analysed were vulnerable to most of the well-known exposures and weaknesses. Specifically, the following vulnerabilities were assessed:
To complement the above analysis, Anomali also looked for the presence of self-signed certificates, certificate name mismatches, or expired certificates. Overall, the results were overwhelmingly positive with no major issues such as misconfigurations or certificate weaknesses observed that could be leveraged by a threat actor to compromise online voter information and voter registration websites.
Figure 6. Google Chrome certificate expiry warning
Figure 7. Mozilla Firefox certificate expiry warning
Figure 8. Microsoft Edge certificate expiry warning
As more US States and US Territories transition to an online system for registering voters, these Internet-facing sites become targets for threat actors. These actors will continue to attempt to profit from the illicit sale of voter data or attempt to influence the outcome of elections through the spread of disinformation. A successful cyberattack against online voter information or voter registration sites could result in a web defacement, a denial-of-service (DoS) condition, or allow a threat actor to obtain sensitive information such as voter data and PII. Therefore, secure web standards such as HTTPS and HSTS should be implemented and enforced on not only election-related websites but all publicly accessible websites and web services. Additional web security best practices can be obtained from OWASP’s Web Application Security Project Top 10 Cheat Sheet on common critical risks to web applications, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-44: Guidelines on Securing Public Web Servers, and NIST SP 800-95: Guide to Secure Web Services.
Lastly, Anomali highly encourages all state, local, tribal, and territorial (SLTT) government organizations to take advantage of the no-cost membership offered by the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Elections Infrastructure ISAC (EI-ISAC) to receive and share threat intelligence and mitigation procedures. Proactive membership in MS-ISAC and EI-ISAC can help organizations manage cyber and physical security risks and drive informed decision making to counter recent and emerging threats to your organization.