HACKING ELECTION IS EASY, STUDY PROVES

It’s no longer a question whether hackers will influence the 2016 elections in the United States — only how much they’ll be able to sway them.

Leaked emails already have cost a Democratic Party chairperson her job, and the FBI last month issued a flash warning that foreign cyberadversaries had breached two state election databases.

Those two states — most likely Arizona and Illinois — aren’t alone in having their voter information compromised. Voter registration databases from all 50 states are being hawked on Deep Web marketplaces, an investigation by the Institute for Critical Infrastructure Technology has found.

Those databases could be used for all kinds of mischief, noted ICIT Senior Fellow James Scott, who collaborated with ICIT researcher Drew Spaniel on a study of voting system vulnerabilities.

For example, an attacker could sour a candidate’s supporters by sending bogus robocalls, supposedly originating from the candidate, at 3 a.m.

“An attacker could alter registration records on Election Day to delay and disrupt the election process and to spread disenfranchisement in the U.S. democratic process,” Scott told TechNewsWorld.

Dilapidated Black Boxes

Theft of voter registration records may be just the tip of the iceberg. U.S. voting systems are woefully vulnerable to hacker attacks, the ICIT maintained in the study released last week.

“Western democracy is held hostage to vulnerable code in black boxes on dilapidated bare bones PCs with virtually zero endpoint security, otherwise known as e-voting machines,” Scott and Spaniel wrote.

“Moreover, the systems are maintained and managed either by manufacturer personnel who obfuscate the insecurity of the systems or by local and state voting officials who are the very prototype of victims that repeatedly fall for spear phishing, ransomware and malware attacks and other easily avoidable cyber-attacks,” they continued.

“The problem in the sector is not merely a matter of lacking basic cyber hygiene, rather it is the sheer absence of the technical aptitude required to understand the cyber, physical and technical landscape available for exploit by the multitude of adversaries possessing a keen interest in manipulating the election process,” Scott and Spaniel added.

Safety in Fragmentation?

As vulnerable as U.S. voting systems are, it would be difficult for hackers to influence the outcome of an election, maintained Tellagraff CEO Mark Graff, a former CISO of Nasdaq and Lawrence Livermore Labs.

“It’s one thing to steal voter registration information from websites on the Internet, but it’s quite something else to modify that information on the sites,” he told TechNewsWorld.

There’s a difference between generating noise intended to undermine the credibility of the election and actually influencing the outcome, Graff pointed out.

“I don’t believe there is a credible case right now that they are trying to directly influence the outcome of the election,” he said.

“While our systems do have vulnerabilities, the fact that we have a federal system and all 50 states have their own systems is a strength,” Graff observed. “It might be possible to change some votes, but to change the outcome of an election and do so in a way that could not be detected is not practical at this point.”

Media Illusion

The fragmentation defense is an illusion propagated by the media, claimed ICIT’s Scott.

“The fragmented system does absolutely nothing to mitigate the risk of cybercompromise of election systems,” he argued. “If anything, the disjointed, distributed system makes it easier.”

The cybersecurity requirements of voting systems are not standardized or regulated, Scott explained. As a result, some states protect their systems, while other states only think that they protect their systems.

“Attackers only need to compromise one or a few counties in one or a few states to have a major impact on the national election,” he said. “It does not matter if some of the states adequately protect their systems, because the states that do not undermine the entire process.”

Brass Bull’s-eye

When it comes to ransomware, company brass have a bull’s-eye on their backs.

Upper management and C-level executives were popular targets of ransomware attacks, according to a recent Malwarebytes survey of 540 CIOs, CISOs and IT directors representing companies with an average of 5,400 employees across the U.S., Canada, UK and Germany.

Eighty percent of attacks affected mid-level managers or higher, the survey participants reported. A quarter of the attacks (25 percent) affected senior executives and the C-suite.

Ransomware in the wild increases by 46 percent or more every six months, Malwarebytes Senior Security Researcher Nathan Scott told TechNewsWorld. “That’s because ransomware makes so much more money than any other malware that we have ever seen.”

Breach Diary

Sept. 19. Active Network of Texas offers two years of free identity repair services in letter to 1 million Oregon and 1.5 million Washington Department of Fish and Wildlife customers potentially affected by data breach of hunting and fishing license sales system maintained by Active in those states.

Sept. 19. Payment systems at four Genghis Grill locations were compromised by malware between Feb. 9 and Sept. 7, placing at risk some 55,000 transactions by customers during that period, Dallas Morning News reports.

Sept. 20. St. Francis Health Systems in Tulsa, Oklahoma, confirms data breach in which 6,000 names and addresses were stolen from a server.

Sept. 20. A federal appeals court in Cincinnati has overturned a lower court ruling and is allowing class action lawsuit to proceed against Nationwide Mutual Insurance over 2012 data breach in which information of 1.1 million policy and non-policy holders was exposed to unauthorized parties, SC Magazine reports.

Sept. 20. Paul O’Brien, founder of smartphone news and reviews site MoDaCo, confirms data breach that has exposed 880,000 subscriber identities.

Sept. 21. Payment gateway Regpack is notifying its vendors that a data breach has placed at risk personal information in some 324,380 accounts, SC Magazine reports.

Sept. 21. U.S. Rep. Ralph Abraham, R-La., has filed a bill allowing the director of management and the budget to recommend the removal of any agency head whose agency suffers a data breach because it failed to comply sufficiently with information security requirements or standards, NextGov reports.

Sept. 21. University of Ottawa announces it is launching an investigation into the disappearance of a hard drive containing the personal information of 900 former and current students.

Sept. 22. Yahoo confirms 500 million user accounts have been compromised in data breach.

Sept. 22. Hacker group DCleaks makes public emails from a White House contractor containing sensitive information about schedules and procedures, as well as about Secret Service, military and White House personnel. DC Leaks is the same group that recently exposed emails of former Secretary Colin Powell.

Sept. 22. H&L Australia, which provides point-of-sales systems for more than 300 restaurant and liquor stores, confirms data breach of its customer relationship management system, resulting in theft of 14.1 GB of customer information.

Sept. 23. Ronald Schwartz, a New York resident, files class action lawsuit against Yahoo for gross negligence that led to data breach resulting in compromise of 500 million user accounts.

Sept. 23. Trump Hotel Collection company agrees to pay $50,000 to settle case with New York State Attorney General’s office over data breach that exposed more than 70,000 credit card numbers and other sensitive data.

Upcoming Security Events

Oct. 4. Cyber Crime — Why Are You a Target? 10 a.m. ET. Webinar by Richard Cassidy, UK Cyber Security Evangelist. Free with registration.

Oct. 5. Cambridge Cyber Summit. Kresge Auditorium, 48 Massachusetts Ave., Massachusetts Institute of Technology, Cambridge, Massachusetts. Registration: $250.

Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.

Oct. 6. Smartphone Encryption Is Getting Stronger. Is It Enough To Keep You Safe? Noon ET. Webinar by ManTech. Free with registration.

Oct. 5-7. APWG.EU eCrime Symposium 2016. Slovenská sporitelna, Tomásikova 48, 831 04 Nové Mesto, Bratislava, Slovakia. Registration: APWG members, 129 euros; student or faculty, 129 euros; law enforcement and government, 129 euros; all others, 149 euros.

Oct. 7-8. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free.

Oct. 8. B-Sides Denver. SecureSet, 3801 Franklin St., Denver. Free, but tickets limited.

Oct. 11. Your Credentials Are Compromised, So Now What? 1 p.m. ET. Webinar by Centrify. Free with registration.

Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Non-member, $925; single day, $500; student, $80.

Oct. 12. Can You Really Automate Yourself Secure? Facts vs. Fantasies. Noon ET. Webinar sponsored by Cigital. Free with registration.

Oct. 12. Why Are We Still Failing to Stop Cyber Attacks? 1 p.m. ET. Webinar by Cyphort. Free with registration.

Oct. 13. ISSA SoCal Security Symposium. Hilton Long Beach & Executive Meeting Center, 701 West Ocean Blvd., Long Beach, California. Registration: members, $115; nonmembers, $140; students, $75; day of event, $190.

Oct. 14-16. B-Sides Warsaw. Panstwomiasto, Andersa 29, Warsaw, Poland. Free.

Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.

Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Professor. Free with registration.

Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.

Oct. 18-19. SecureWorld St. Louis. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.

Oct. 18-19. Security of Things, A Smart Card Alliance Event. Hilton Rosemont Chicago O’Hare Hotel, 5550 N. River Rd., Rosemont, Illinois. Registration: members $775 before Oct. 8, $885; nonmembers, $895 before Oct. 8, $1,045.

Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.

Oct. 20. B-Sides Raleigh. Marbles Kid Museum, 201 E. Hargett St., Raleigh, North Carolina. Registration: $20.

Oct. 22. B-Sides Jacksonville. Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Registration: $10.

Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.

Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before Sept. 3, Pounds 1,199 with VAT; before Oct. 29, Pounds 1,559 with VAT; after Oct. 28, Pounds 1,799 with VAT.

Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.

Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1-Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.
