In a study of US and European political parties’ security postures, researchers at the security-monitoring company SecurityScorecard found that while the Democratic National Committee had made “significant investments” in security since being hacked in 2016, the Democrats still lagged behind the Republican National Committee’s defenses. And both parties have problems that could still leak personally identifying information about voters.
According to the report, one major US political party was “programmatically leaking” personal information about voters through a voter validation application “which enumerates voter name, date of birth and address via search terms.” The vulnerability was disclosed to the party involved and to other “appropriate parties.”
SecurityScorecard’s team looked at the DNC, RNC, Green Party and Libertarian Party in the US. The Green Party had the best overall scores for security measures, while the Libertarian Party had a more laissez-faire approach to information security than the others, with a failing grade for its management of its domain name records, specifically for a total absence of Sender Policy Framework (SPF) records. Without an SPF record, receiving mail servers have no published list of hosts authorized to send mail for a domain, so messages forging a Libertarian Party sender address are more likely to get through in spear-phishing campaigns like those used to target the DNC in 2016. The Libertarians did come out ahead on network security scores, however.
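To show concretely why a missing SPF record matters, here is an added illustration (not code from the SecurityScorecard report, and not real records of any party): a minimal SPF evaluator in Python covering the ip4, ip6, include and all mechanisms of RFC 7208, run against constructed DNS TXT data. The domain names and IP addresses are made up. A domain that publishes no v=spf1 record yields a "none" result, which gives a receiving mail server no SPF basis for rejecting a forged sender address, whereas a domain with a "-all" policy produces a hard "fail" for any host outside its published ranges.

```python
import ipaddress

# Constructed DNS TXT data for this example only (not real records).
# One domain publishes an SPF policy ending in a hard fail; one publishes nothing.
TXT_RECORDS = {
    "party-with-spf.example": [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    ],
    "_spf.mailer.example": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    ],
    "party-without-spf.example": [],
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, txt=TXT_RECORDS):
    """Return the single v=spf1 TXT record for a domain, or None if absent/ambiguous."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0]


def check_spf(domain, sender_ip, txt=TXT_RECORDS, depth=0):
    """Evaluate a subset of RFC 7208 (ip4, ip6, include, all) for sender_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-based mechanism recursion
        return "permerror"
    record = get_spf_record(domain, txt)
    if record is None:
        return "none"  # no policy published: receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the referenced domain's policy passes
            matched = check_spf(arg, sender_ip, txt, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def spoof_rejected_by_spf(domain, sender_ip, txt=TXT_RECORDS):
    """True only when SPF alone gives a receiver grounds to reject the message."""
    return check_spf(domain, sender_ip, txt) == "fail"


if __name__ == "__main__":
    attacker_ip = "203.0.113.5"  # constructed address outside every published range
    for domain in ("party-with-spf.example", "party-without-spf.example"):
        result = check_spf(domain, attacker_ip)
        print(f"{domain}: result={result}, rejectable={spoof_rejected_by_spf(domain, attacker_ip)}")
```

Running the block shows the asymmetry the report is pointing at: the same forged message from the same attacker address is a hard "fail" against the domain with an SPF policy and merely "none" against the domain without one, so only the former can be refused on SPF grounds.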
The researchers found a number of problems in the DNC’s implementation of its security “improvements.” First, while the DNC has implemented two-factor authentication (2FA) using Okta, “the initial URL of a calendar application utilizing 2FA is served unencrypted over HTTP,” SecurityScorecard reported. Because that first request travels in plaintext, an attacker on the network path can perform a man-in-the-middle attack against the DNC’s calendar users, directing them to a spoofed instance of Okta that harvests their credentials while passing them through to the real Okta so that the 2FA code is still delivered. “It is very possible the end user would have no indication their credentials were just taken from them,” the researchers noted.
The RNC had some weaknesses in how it had configured its DNS for Fastly’s content-delivery and Internet-security services. The researchers also found that the RNC’s DNS was leaking “administrative subdomains” associated with the ArcGIS geospatial data tool “where projects for a certain state can seemingly be gleaned,” and that an RNC API (Application Programming Interface) server was using unencrypted login credentials for authentication. And the RNC had the slowest “patch cadence” of the four parties, that is, the speed with which security updates were applied to its Internet-visible IT infrastructure.
Compared with their European counterparts, the US parties did relatively well. In fact, the researchers discovered active malware running on infrastructure associated with the European Union, which is in the midst of parliamentary elections. The malware, identified as Gamarue (also known as Andromeda), is a Windows backdoor that allows keystroke logging, data theft, and remote control of infected PCs. The Gamarue/Andromeda botnet was disrupted by Microsoft, ESET, and law enforcement agencies in 2017, and one of its operators was arrested in Belarus. But the malware is still present and beaconing from EU-associated IP addresses.