Bit9

In this pre-election season, we seldom step back and think about potential threats to our democracy. All eyes are on picking the best candidate. Yet, we need to be very concerned about the influx of Internet into our election process. For one, most candidates fundraise on the web today. They also heavily use their web sites and email as communication vehicles and as means to mobilize the party faithful.

Internet opens up a great opportunity for a qualitative electoral advantage, but it also opens gates to serious fraud and a potential for significant campaign disruption. We have seen heavy usage of technology in the past elections. Democrats may have seemed technologically challenged (curious with so many young and Silicon Valley pundits). Republicans seemed savvier with their palmtops and electronic lists of party faithful.

2004 Election was a watershed election bringing a number of firsts:

• - First use of E-mail solicitation
•       • 45% of Democrat donors received Email daily Organizing of supporters on web
• – Political BLOGs - Online fund raising with Kerry campaign taking a lead
•      • 70% of Online Donors forwarded emails to others
• - Candidates raised:

•      John Kerry - $82MM 
•      Howard Dean - $20MM
•      George Bush - $14MM
  
Serious concerns were raised by Oliver Friedrichs at Black Hat 2008 in talk titled "Threats to the 2008 Presidential Election".

Key takeaways are the following:

Online campaign donations can be tampered with.

Given the significant amounts being raised online, phishing attacks could defraud donors, dampen enthusiasm & seriously shortchange candidates. Opponents or foreign elements could easily be behind these effort. It all stems from the adhoc structure of campaign web sites.

  Political Campaign SPAM

We should worry about campaign SPAM, that may lead to phishing attacks, or simply could spread misinformation, false rumors or could be generating artificial scandals. Successful attacks against your support base could pollute email as a communications medium, intimidate potential voters, and hurt those grassroots efforts. Imagine fake scandals, subtle suggestions of legal or health trouble or of a position change.

Vulnerable campaign web sites & blogs

Ease of SQL Injection attacks has demonstrated that the best way to infect a large number of users is to go where they are. Infecting a campaign web site is a perfect way to get to the most trusted campaign volunteers or staff. They could be tagged with stealthy (rootkitted) and bespoke malware undetected by anti-malware solutions. Potential criminal elements could own your campaign. Being owned could mean sensitive data leakage, redirection of campaign funds, and more, all by forces that are not necessarily U.S. based.

Given the speed of Internet, these attacks could be perpetrated few days before the election, thus influencing the election outcome.

Should we worry now?