Despite Georgia Secretary of State Brian Kemp's contentions that reports questioning the security of the state's election systems are fake news, a breach discovered in 2016 exposed the records of more than six million George voters, according to a lawsuit.
"The data was open to anyone in the world who had an internet connection," said Marilyn Marks, executive director of the Coalition for Good Governance, one of the plaintiffs in the suit cited by CNN. "Even when confronted with a security disaster, she noted, Kemp, who's currently running at a GOP gubernatorial candidate, blamed “managers under his supervision for their incompetence and [left] the security disaster without so much as a forensic review of the impacts of the security failures."
Kemp reiterated to the news outlet the state's election systems were secure and pilloried those causing for changes this close to the November midterms. "The hysteria of some people seeking to force Georgia to switch to an all paper ballot system is based on misinformation, and making this change would spend money to create problems that we should avoid," said Kemp. "The chaos of switching to a completely different voting system this close to an election would cause inconvenience, voter confusion, and potentially suppressed turn-out."
Security researcher Logan Lamb found the voter registration data – 15GB's worth – in August 2016 that it could be easily downloaded from the Kennesaw State University website.
Lamb began looking into the voting systems when he learned that Kennesaw State University's Center for Election Systems tests and programs voting machines. He began looking for PDFs or documents that would give him more insight into the center's work when he set up an automated script to scrape the site and see what he could find.
His finds included a database containing the state's 6.7 million voter registration records, multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day, and software files for electronic devices used by the state's poll workers to verify that a voter is registered before allowing them to cast a ballot.
The data was supposed to be behind a password protected firewall, but the center misconfigured the server so that the files were accessible to anyone and the site was also using an outdated version of Drupal containing a critical vulnerability dubbed “Drupageddon.”
The bug would allow an attacker to gain control of any site containing the vulnerability and it is unclear if any of these vulnerabilities have already been exploited before or after Lamb's discovery. Lamb reported the issues to the executive director at the center who told him the server would be fixed.
However, in March 2017 another independent researcher Chris Grayson discovered that although the Drupal vulnerability had been patched for the encrypted https version of the website, the unencrypted http version was still vulnerable and all of the previously discovered data was still accessible. Following the March incident, the center was forced to bring in outside security experts to assess its networks and advise on how to secure firewall installation and network configuration the center,
Lamb said last year the state continuously ignored efforts to patch the vulnerabilities of Georgia's 2017 special election between Democratic candidate Jon Ossoff and Republican former Secretary of State Karen Handel.
“The reported breach of Georgia's election database is a classic case of too little, too late,” said Netskope CEO Sanjay Beri. “According to the researcher, the state failed to patch critical vulnerabilities in its website for over six months, which might as well have been a decade given how quickly hackers can move.”
The state's implications that the well-intentioned researcher would be ‘crushed' by local politicians if he came forward with his findings,” Beri said, set “an awful precedent for future White Hat hackers.”
While it is unclear what the fallout from the breach ultimately will be, “the data exposed was far from trivial and could have costly ramifications,” he said. “Without being able to confirm whether or not someone managed to access the data of six million voters, I don't expect calls for a return to paper ballots to quiet anytime soon.”
Research released at Def Con last week found the websites of three out of 10 candidates running for seats in the House of Representatives are riddled with security vulnerabilities.
“Many seem to focus on the voting machines, but that is only part of the risk. We saw, and continue to see, manipulation of social networks, new sites, and even the integrity of data stored in the cloud,” said David Ginsburg, vice president of marketing at Cavirin. “This last threat, where the very accuracy of critical records comes into question, is sometimes overlooked.”
Concerns over election security renewed calls to involve security professionals in safeguarding systems and processes.
“Security professionals with niche expertise should support the government machinery to ensure free, fair and robust elections,” said Rishi Bhargava, co-founder of Demisto, who noted that “the rate of advancement in, and compromise of, the technical infrastructure surrounding elections has grown faster than the rate of awareness and knowledge that government officials need to stop these attacks.”
Calling elections “a confluence of many potentially vulnerable elements – voting systems, networks and databases, email accounts, and misleading news – that increase “the possibility of mischief manifold,” Bhargava said “local and state governments cannot be proficient in every element of security and will need all the help they can get.”
Ginsburg said he'd “put out a challenge, in the same way that we prepared for Y2K and then GDPR, for organizations that have anything to do with the election process or data, to put in place the necessary processes and technology. An E-80 if you may.”
Thycotic this week released a free Cybersecurity Election Protection Toolkit to help secure U.S. candidates and their staffs from hacking during the midterms. The kit offers protection against methods used to attack campaigns such as exploiting weak user passwords, using phishing attacks to spread malware and stealing confidential communications. It also provides an incident Response Template for campaigns that get hacked.