Political Parties Still Have Cybersecurity Hygiene Problems
By Issie Lapowsky | Mon, 20 May 2019 23:00:00 +0000
In the three years since Russian operatives breached the servers of the Democratic National Committee and threw presidential politics into a state of perpetual chaos, countries around the world have been on notice to the threat of foreign interference in elections. But as the US prepares for another presidential election next year, and as the European Union holds parliamentary elections this week, a new report reveals a range of obvious and ongoing security flaws that could leave political parties in both places vulnerable to attack.
The report, which will be published Tuesday, was compiled by SecurityScorecard, a New York–based risk analysis firm that monitors IT infrastructure for more than 1 million entities around the world. For this report, the researchers drilled down into the networks operated by 29 political parties from 11 countries during the first quarter of this year. In general, they found that smaller parties in both the EU and the US pose the biggest risks.
In the US, their analysis included the Democratic National Committee, the Republican National Committee, the Green Party, and the Libertarian Party. They found that while the DNC and the RNC have strengthened their defenses since 2016, both major parties have cybersecurity hygiene issues that could still make them targets for dedicated adversaries. Another US party, which the researchers declined to name in the report, left a searchable tool exposed, leaking voter names, dates of birth, and addresses, information that is not publicly available in most states. That flaw has since been patched, after the researchers contacted the party.
In Europe, meanwhile, the researchers detected active malware running on one network registered to the EU.
According to Jasson Casey, chief technology officer of SecurityScorecard, the findings point to the scope of the challenge for political parties, which are often under-resourced, but are nonetheless collecting data sets that both organized criminals and foreign adversaries would find valuable. “The obvious question that comes out is: Is it even possible for these political parties to run effective defenses?” Casey says. “If large companies have a hard time with this, how can small political organizations do it?”
The SecurityScorecard researchers used a standard checklist to grade the parties on their security practices on a scale from 1 to 100, docking points based on the severity of the issues they discovered. Generally, a score of 80 or higher is considered good, meaning the organization is less likely to experience a breach.
In the US, both the DNC and the RNC have worked to fortify their technical infrastructure since 2016, and a comparison with SecurityScorecard's findings from that year shows it, Casey says. In 2016, the firm's researchers gave Republicans a score of 84, after discovering a large number of expired security certificates on websites affiliated with the RNC. The Democrats, meanwhile, received an 80 in 2016, thanks to malware operating on the DNC system. Those issues now appear to be fixed, raising the parties' scores to 87 and 84, respectively. And yet, there are still some chinks in each organization's armor.
The DNC, for instance, has begun using Okta, an identity provider that enforces two-factor authentication, which is generally a good thing. But the researchers discovered one instance where what appears to be a calendar tool protected by that two-factor login was being served over an HTTP connection, instead of the more secure HTTPS, which encrypts and authenticates data as it travels between a browser and web server. Because an HTTP page is neither encrypted nor verified, an attacker positioned on the network path, on a shared Wi-Fi network, say, could stage what's called a man-in-the-middle attack, rewriting the page or redirecting traffic from the initial URL to a fake Okta site. There, the attacker could harvest a DNC staffer's login credentials without the staffer realizing; the second factor helps only if the staffer never hands it to the fake site as well.
The DNC's head of cybersecurity, Bob Lord, says that particular URL isn't actually being used by any DNC staffers and that his team is looking into its origins. After being contacted by WIRED, the DNC shut down the URL just to be safe. "It's a good thing to clean up. It’s good to make sure that things that are built out, for whatever purpose, get deprecated and removed," Lord says. "I love that we’ve been able to get people to notify us when they've detected something that’s not quite right or something that could be improved."
The RNC scored slightly higher than the DNC on the SecurityScorecard test, but it also wasn’t perfect. The researchers were able to detect subdomains for an internal mapping tool that appeared to be linked to the RNC’s operations in Arizona. While that’s hardly damning, it could give an attacker an indication of the types of tools the RNC is using and where, says Paul Gagliardi, a threat researcher at SecurityScorecard. “Not leaking information about products and services is the best common practice, because it just raises the cost of someone targeting that part of the organization,” Gagliardi says.
The researchers also found an unencrypted login page for an API linked to the RNC, which would also leave RNC staffers open to credential theft. It’s unclear whether that API is still in use. An RNC spokesperson wouldn’t comment on the specific findings, but said in a statement, “Our team is constantly working to stay ahead of emerging threats. Data security remains a priority for the RNC, and we continue to proactively work with top IT vendors to stay abreast and monitor potential risks.”
None of these issues compared to what the researchers found when they went hunting for vulnerabilities among smaller parties in the US and the EU. The researchers found that some domain names affiliated with the Libertarian Party lacked what are known as SPF records, DNS entries that list which mail servers are authorized to send email on behalf of a domain. A receiving mail server checks the sending server's IP address against that list and can reject or flag mail that doesn't match, which helps protect organizations from email spoofing, in which attackers make emails appear to come from people and domains their targets recognize. Without an SPF record, a receiving server has nothing to check, and a forged "From" address on the party's domain looks as legitimate as a real one. "One of the easiest ways of getting malware onto a target system is to just send that person an email, and make the email basically look like it's coming from someone in their organization," says Casey.
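To make the SPF point concrete, here is a small SPF evaluator written for this article. It is an added example, not code from SecurityScorecard or any party, and it runs against a constructed set of DNS TXT records (the domain names and addresses are hypothetical) rather than doing live lookups, so it can be run offline. It shows what a receiving server does with a sending IP and a domain, and what happens when the record is missing or ends in a soft fail instead of `-all`.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS zone.

Added example for this article; not SecurityScorecard's tooling.
Only ip4/ip6/include/all and the redirect modifier are handled; the
a, mx, ptr and exists mechanisms need real DNS lookups and are skipped.
"""
import ipaddress

# Constructed TXT records keyed by domain (hypothetical names and addresses).
ZONE = {
    "hardened-party.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"],
    "_spf.mailvendor.example": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "softfail-party.example": ["v=spf1 ip4:203.0.113.5 ~all"],
    "no-spf-party.example": ["google-site-verification=not-an-spf-record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, zone=ZONE):
    """Return the single v=spf1 TXT record for domain, or None.

    RFC 7208 treats zero records, and also multiple records, as no usable policy.
    """
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF policy of domain for a message sent from ip.

    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; guards include loops too
        return "permerror"
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        lower = term.lower()
        if lower.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # evaluated only if nothing matches
            continue
        if lower == "all":
            matched = True
        elif lower.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            matched = addr.version == net.version and addr in net
        elif lower.startswith("include:"):
            sub = check_host(ip, term.split(":", 1)[1], zone, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            continue  # a, mx, ptr, exists: would need DNS; skipped here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, zone, depth + 1)
    return "neutral"


def audit(domain, zone=ZONE):
    """Summarize how much protection a domain's SPF record actually gives."""
    record = spf_record(domain, zone)
    if record is None:
        return "missing"      # any sender can forge this domain unchallenged
    last = record.split()[-1].lower()
    if last == "-all":
        return "hard-fail"    # unlisted senders are rejected
    if last == "~all":
        return "soft-fail"    # unlisted senders are only marked suspicious
    return "permissive"       # ?all, +all, or no terminating all


if __name__ == "__main__":
    for domain in ZONE:
        print(f"{domain:28} {audit(domain):10} "
              f"forged from 192.0.2.1 -> {check_host('192.0.2.1', domain)}")
```

Run as-is it prints one line per constructed domain. The forged sender 192.0.2.1 is rejected outright by the hardened domain, only marked suspicious by the soft-fail domain, and not judged at all for the domain with no record, which is the situation the researchers describe. In practice a hard-fail SPF record is paired with DKIM and a DMARC policy, which the article does not cover, so that receivers are told to reject rather than merely score forged mail.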
Dan Fishman, the Libertarian National Committee’s newly hired executive director, told WIRED his goal is to fortify the party’s technical infrastructure. That includes addressing this vulnerability. Since he started last month, Fishman says, members of his staff have already caught and reported spoofed emails purporting to be from him, asking for sensitive information.
Breaking into the Libertarian Party may not seem as lucrative as penetrating one of the two major political parties in the US, but Fishman says the Libertarians are collecting vast amounts of data that still need protecting. “We are in the process of, like every other political party, accumulating as much data as we can about not just our members but potential voters,” he says.
A major breach of even a smaller political party could further degrade Americans’ trust in the security of the election. “It's really about belief in the system, and as belief in the system starts to erode, it leads to other problems,” Casey says. “Even the smaller parties … deserve an adequate level of protection that they certainly don't have right now.”
That said, in the US, the Green Party actually outperformed the other political organizations on the SecurityScorecard test, with a score of 93 out of 100. But the party's co-chair of media, Holly Hart, declined to elaborate on the party's cybersecurity operations. "The Green Party has an ongoing concern for cybersecurity, privacy, and accessibility. We try to make sure our services are hosted by responsible providers," Hart says. "Beyond that, we do not believe that it is appropriate to make publicly known the plans we have in place."
The SecurityScorecard researchers won't say which political party was leaking voters' names, dates of birth, and addresses via a searchable API, except that it wasn’t the Democrats or Republicans. Within 10 minutes of finding the flaw, however, Gagliardi says he called the party and left a message with the receptionist, using the main phone number he found on Google. Gagliardi never heard back, but he says the issue was resolved within 12 hours of the call.
“Obviously, the message was received,” he says.
Among the 11 countries the researchers monitored, the US came in fifth place in terms of overall security. Sweden performed the best, with a score of 94 out of 100. The country lagging the farthest behind was France, whose political parties "show systematically lower security ratings" than all of the others. In particular, the Democratic Movement, a centrist party which launched after the 2007 French election, has a login system that sends user names and passwords in plaintext, with no encryption, from what's known as an end-of-life server, meaning the software is no longer receiving security updates. The Democratic Movement didn't respond to WIRED's request for comment.
"If you were logged into a Wi-Fi at Starbucks, other users that were even barely technically proficient could observe those passwords," Gagliardi says. "It's egregious."
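The DNC calendar page, the RNC API login page, and the Democratic Movement login system above share one defect: a password form reachable over plaintext HTTP. The check below, written for this article and not taken from SecurityScorecard or any party, looks for that defect the way an external scanner would, by inspecting the URL scheme, the response headers, and the form action of a fetched page. It runs on constructed responses (the hostnames, headers, and HTML are made up) so it works offline; swap in a real fetch to audit live hosts. It also flags a version-bearing `Server` header, the kind of product leak Gagliardi warns about.

```python
"""Audit a login page for plaintext-credential exposure.

Added example for this article; the sample responses are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: [action, has_password]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True


def audit_login_page(url, headers, body):
    """Return findings for a page fetched from url with the given headers and HTML."""
    findings = []
    scanner = FormScanner()
    scanner.feed(body)
    hdrs = {k.lower(): v for k, v in headers.items()}
    page_scheme = urlsplit(url).scheme
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urlsplit(urljoin(url, action))  # empty action posts back to url
        if page_scheme != "https":
            # Anyone on the path can rewrite the page or redirect it elsewhere.
            findings.append("login form served over plaintext HTTP")
        if target.scheme != "https":
            findings.append(f"password posted to plaintext URL {target.geturl()}")
    if page_scheme == "https" and "strict-transport-security" not in hdrs:
        # Without HSTS a first http:// visit can still be intercepted.
        findings.append("no Strict-Transport-Security header")
    server = hdrs.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks product version: {server!r}")
    return findings


# Constructed samples (hypothetical hosts, not real party infrastructure).
PLAINTEXT_LOGIN = (
    "http://cal.example.org/login",
    {"Server": "Apache/2.2.15"},
    '<form method="post" action="/session">'
    '<input name="user"><input type="password" name="pw"></form>',
)
MIXED_ACTION = (
    "https://api.example.org/login",
    {"Strict-Transport-Security": "max-age=31536000"},
    '<form method="post" action="http://api.example.org/auth">'
    '<input type="password" name="pw"></form>',
)
HARDENED = (
    "https://sso.example.org/login",
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "Server": "nginx"},
    '<form method="post" action="/auth"><input type="password" name="pw"></form>',
)

if __name__ == "__main__":
    for sample in (PLAINTEXT_LOGIN, MIXED_ACTION, HARDENED):
        print(sample[0])
        for finding in audit_login_page(*sample) or ["no findings"]:
            print("  -", finding)
```

The first sample reproduces the reported cases: the page itself is unauthenticated, the password travels in the clear, and the banner advertises a specific server build. The second shows the subtler variant where the page is HTTPS but the form posts to an http:// URL, which still sends the credential in plaintext. A real scan should also follow the http:// version of every https:// login URL to confirm it redirects rather than serving a second copy of the form.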
What is perhaps most concerning to Gagliardi and Casey is the fact that their team was able to detect these flaws in such a short amount of time. All in, the researchers spent about two days hunting for bounty. If the 2016 presidential election taught us anything, it's that countries like Russia have far more sophisticated, well-funded operations in place. "Someone with more intent, who's not concerned with violating laws, would probably come back with a bigger treasure chest," Casey says.