U.S. House candidates vulnerable to hacks: researchers
[August 13, 2018]
By Joseph Menn
LAS VEGAS (Reuters) - Three of every 10
candidates running for the U.S. House of Representatives have
significant security problems with their websites, according to a new
study by independent researchers that underscores the threat hackers
pose to the November elections.
The research was due to be unveiled on Sunday at the annual Def Con
security conference in Las Vegas, where some attendees have spent three
days hacking into voting machines to highlight vulnerabilities in
technology running polling operations.
A team of four independent researchers led by former National Institute
of Standards and Technology security expert Joshua Franklin concluded
that the websites of nearly one-third of U.S. House candidates,
Democrats and Republicans alike, are vulnerable to attacks. NIST is a
U.S. Commerce Department laboratory that provides advice on technical
issues, including cyber security.
Using automated scans and test programs, the team identified multiple
vulnerabilities, including problems with digital certificates used to
verify secure connections with users, Franklin told Reuters ahead of the
presentation.
The warnings about the midterm elections, which are less than three
months away, come after Democrats have spent more than a year working to
bolster cyber defenses of the party's national, state and campaign
operations.
Democratic National Committee officials told Reuters they have
completely rebuilt the party's computer network, including email systems
and databases, to avert a repeat of 2016, when Russian intelligence
agents hacked into Democratic accounts and then used stolen data to
undermine support for Hillary Clinton's presidential bid.
"No one wants to be the next 'patient zero,'" said DNC Chief Technology
Officer Raffi Krikorian, a former executive with Twitter and Uber.
The report follows a string of warnings by Trump administration security
officials that Russia is actively interfering in the November elections.
FBI Director Christopher Wray recently warned that Russian government
agents were working around the clock to sow discord ahead of the
election.
Democratic Senator Claire McCaskill, who is facing a tough re-election
battle in Missouri, last month said that hackers had tried and failed to
access her office's computer network. The Def Con study did not address
that incident.
The researchers did not identify any cases where it appeared that
politically motivated hackers had exploited those vulnerabilities.
"We're trying to figure out a way to contact all the candidates" so they
can fix the problems, said Franklin, who joined the nonprofit Center for
Internet Security last month.
Department of Homeland Security officials said at Def Con that they are
offering aid to states and counties for securing election equipment.
Still, some states said they are not getting enough help, and new
funding efforts failed in Congress. Individual campaigns are not
eligible for federal assistance, so they rely on party officials, an
increased number of tech-savvy volunteers and nonprofit groups such as
Defending Digital Democracy, a bipartisan project at the Kennedy School
of Government at Harvard University.
A man types into a keyboard during the Def Con hacker convention in
Las Vegas, Nevada, U.S. July 29, 2017. REUTERS/Steve Marcus/File
Photo
Franklin also said he found numerous potentially malicious web pages
that closely resemble the names of candidates. Hackers use that
practice, known as “typo-squatting,” to develop copycat sites for
use in phishing campaigns to steal credentials or to criticize
candidates.
The candidates at most risk of hacks are ones with small campaigns
that have little expertise in computer technology or security,
Franklin said.
STEPS BY THE DNC
The Democratic National Committee agreed to discuss some steps it
has taken to bolster security in the hope it can serve as a model
for other election offices.
Since Krikorian joined the DNC a year ago, the party has moved email
and data storage to Google cloud and replaced most Windows computers
with easier-to-defend Apple hardware and Google Chromebooks, he
said.
The party also requires staff to fill out monthly surveys pledging
that they are following key security practices, including use of
two-factor authentication for personal accounts, long and unique
passwords, and encryption on computers. They are also asked if they
are running operating systems and application software with
up-to-date security patches.
The party uses software from San Francisco-based Okta that grants
access to DNC systems only after testing devices to confirm the
identity of users and verify they are not running malicious
software.
The biggest change has been psychological, as staffers and
volunteers are trained to assume that the network has been breached,
avoid putting the most sensitive information in emails and use
end-to-end encrypted messaging like Signal.
The party is also reaching out to campaigns and stressing basic
precautions.
DNC Chief Security Officer Bob Lord, a former security executive
with Yahoo and Twitter, sent an email a week ago to state party
leaders, urging them not to use phones from Chinese manufacturers
Huawei [HWT.UL] and ZTE Corp.
U.S. intelligence officials have warned that Chinese authorities
could seek to use those devices to spy on Americans.
(Reporting by Joseph Menn in Las Vegas; Editing by Jim Finkle and
Steve Orlofsky)
[© 2018 Thomson Reuters. All rights
reserved.]