Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/4/2020
01:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

McAfee Research Reveals Election Website Security Shortcomings in 2020 Battleground States

Lack of .GOV Validation and HTTPS Encryption Among County and County Election Websites Could Render 13 Battleground States Susceptible to Voter Disinformation Campaigns in 2020 Elections

Key Findings

  • Survey finds 83.3% of 2020 election battleground state counties use websites lacking U.S. government .GOV certification
  • 88.9% of Iowa county websites lack .GOV validation
  • 90.0% of New Hampshire’s county websites lack .GOV validation
  • Minnesota ranked lowest in .GOV validation with 95.4% of counties lacking certification
  • 46.6% of battleground state counties fail to protect voters visiting their websites with HTTPS encryption
  • Inconsistent standards, easy-to-remember naming formats are likely a security liability versus an advantage
February 04, 2020 12:01 AM Eastern Standard Time

SANTA CLARA, Calif.--(BUSINESS WIRE)--New survey findings released today by McAfee, the device-to-cloud cybersecurity company, revealed a severe lack of U.S. government .GOV validation and HTTPS encryption among county election websites in 13 states projected to be critical in the 2020 U.S. Presidential Election. The January 2020 survey found that as many as 83.3% of these county websites lacked .GOV validation across these states, and 88.9% and 90.0% of websites lacked such certification in Iowa and New Hampshire respectively. Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results.

“Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones,” said Steve Grobman, McAfee Senior Vice President and Chief Technology Officer. “An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times. In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”

Government entities purchasing .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, and that they can give greater confidence in the entity with which they are sharing that information. Websites lacking .GOV and encryption cannot assure voters seeking election information that they are visiting legitimate county and county election websites, leaving malicious actors an opening to set up disinformation schemes.

“In many cases, these websites have been set up to provide a strong user experience versus a focus on the implications that they could be spoofed to exploit the communities they serve,” Grobman continued. “Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.”

January 2020 Survey Findings

McAfee’s January 2020 survey researched states projected by U.S. election prognosticators to be pivotal in determining the victor in the 2020 Presidential Elections. States surveyed include Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

State counties lacking .GOV validation. Of the 1,117 counties in the survey group, 83.3% of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4% of counties lacking U.S. government certification. Other states severely lacking in .GOV coverage included Texas (94.9%), New Hampshire (90.0%), Michigan (89.2%), Iowa (88.9%), Nevada (87.5%), and Pennsylvania (83.6%).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7% coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection. McAfee’s survey found that 46.6% of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption with 77.2% of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3%), Minnesota (42.5%), and Georgia (38.4%).

Assessment of Iowa and New Hampshire. In Iowa, 88.9% of county websites lack .GOV validation, and as many as 29.3% lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30% of the Granite State’s counties lack encryption.

Inconsistent naming standards. McAfee’s research found that some states attempted to establish standard naming standards, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a standard is indeed a legitimate site.

Easy-to-remember naming formats. McAfee found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens. Examples include www.votedenton.comwww.votestanlycounty.comwww.carrollcountyohioelections.govwww.voteseminole.org, and www.worthelections.com. While 93 of these counties (90.2%) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Strategies for transitioning to .GOV. While only 19.3% of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 75% of county election websites and webpages validated by .GOV certification. This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain (i.e. https://www.boe.ohio.gov/vanwert/).

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

“Ohio has made a commendable effort to lead in driving election websites to .GOV, either directly or by using the state run ohio.gov domain,” said Grobman. “While main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.”

Resources:

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. www.mcafee.com

About McAfee Labs and Advanced Threat Research

McAfee Labs and McAfee Advanced Threat Research are a leading source for threat research, threat intelligence, and cybersecurity thought leadership. With data from over a billion sensors across key threats vectors—file, web, message, and network—McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

McAfee® and the McAfee logo are trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5537
PUBLISHED: 2020-05-25
Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.
CVE-2020-13438
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.
CVE-2020-13439
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c.
CVE-2020-13440
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c.
CVE-2020-13433
PUBLISHED: 2020-05-24
Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter.