Voting Machines Easy Hack for DEF CON® Teams

Elite hackers from around the world visited Las Vegas in late July for the annual DEF CON conference. Among this year’s events was the Voting Village. Hackers formed teams and attempted to hack voting machines commonly used in elections that were brought on site for the event.

The results, while not surprising, are still sobering. The teams only needed 90 minutes to find vulnerabilities in every machine. The security news service Threatpost interviewed Matt Blaze, an election security expert at the University of Pennsylvania, about the project. He said, “What the Voting Village experiment demonstrated was just how quickly someone can take a never-before-seen machine and find ways to exploit it from top to bottom.”

Lessons Beyond Voting Machines

The experiment also draws out some fundamental characteristics of “hackers”:

  • They work well in teams to leverage all available talent
  • They embrace unconventional but highly effective tactics
  • They are highly motivated to succeed, especially when told the task is impossible

Given their success with highly secure voting machines, what they can do to your network should be clear. Here are some tips to consider for your own cybersecurity:

  • Have a cybersecurity incident response plan in place. It’s a best practice to use resources with experience developing these plans and helping implement them.
  • Perform an information technology (IT) risk audit. This service can help identify weaknesses in your policies and practices, with steps to remediate them. This should be performed by professionals with experience in generally accepted frameworks such as those of the Committee of Sponsoring Organizations of the Treadway Commission or the National Institute of Standards and Technology, as well as forensics, risk management and incident response.
  • Conduct robust penetration (pen) testing. Most pen tests use automated high-level scanning tools, and the testing window is very short. That’s not how hackers work. A pen test should mirror their habits and timing—they’re patient and use a variety of tools that go well beyond scanning. Their testing window is measured in weeks to months, and sometimes more. Make sure your pen testing consultants use these techniques and aren’t merely performing automated scanning. Robust pen testing also should include creative social engineering.
  • Train your personnel. Most cybersecurity incidents are the result of human error. Software vulnerabilities go unpatched, policies and procedures aren’t carefully followed or an employee may be duped into clicking a malicious email link. Training is essential, not just on organizational policies, but personal cybersecurity habits. While it may seem personal habits are the employee’s responsibility, truly proactive organizations understand most cyber threats begin with employee actions at the personal level. Invest in robust training for your employees.
  • Go beyond the norm. Many organizations that have been hacked or held for ransom have cybersecurity policies and have conducted recent IT risk audits and pen testing. Again, these services often only address surface-level organizational weaknesses. Here are some points to consider that go deeper into an organization’s true nature:
    • Complexity – Cybersecurity and incident response plans should not only address obvious standalone risks, but also “emergent risks” that only exist when people, departments or functions interact in unpredictable ways. When modeling cyber risks, consideration should be given to cascading failures and unlikely but high-impact risks. Ask if your consultant considers risk in “complex adaptive systems” to verify these types of risks are being addressed. Hackers rely on complexity for their success.
    • Executive Footprinting – Hackers conduct “executive footprinting,” or gathering all available information about an organization’s high-level targets. Sources of this intelligence include social media, corporate websites, public records, socially engineered phone calls to company employees and even physical and electronic surveillance. Hackers then use this information to launch phishing emails and conduct business email compromise (BEC) operations such as fraudulent wire transfer requests and other schemes. A robust cybersecurity plan that includes performing proactive footprinting to raise awareness about what information is available on prime targets, along with other techniques that go beyond the norm, can address these issues as well.
    • Fire Drills – Even the best-laid plans never fully mirror an actual situation as it unfolds. Well-prepared organizations conduct periodic simulations of various cybersecurity events such as BEC operations and ransomware attacks. Only through stress testing a plan can true weaknesses be exposed and mitigated. Don’t let an actual incident be your first fire drill.
    • Physical Security – Hackers have been known to “dumpster dive” the trash of organizations. They often find important documents, discarded CD/DVD media or electronics that still contain data. Even an inconspicuous employee listing with phone extensions is useful in gathering information about an organization. Take a periodic look at what’s going in your trash, as well as documents and digital media in plain sight on desks. Some hacker groups have been known to take jobs as janitors and maintenance staff for the sole purpose of gaining access to such information.

The price of cybersecurity is eternal vigilance. Acting on the tips and tricks above will go a long way toward being a more proactive, digitally secure organization.

Lanny Morrow

With 20 years of experience at BKD, Lanny is the senior data scientist and technical lead in advanced data mining and digital forensics for BKD’s Forensics & Valuation Services division. Lanny is a frequent speaker and writer on data mining and digital forensics, including contributions to university textbooks and the Association of Certified Fraud Examiners’ Fraud Magazine.
