Cybercrime and the Electoral System

Updated: 29 Jun 2009
Oliver Friedrichs

Last Friday I had the opportunity to moderate a panel, "Political Phishing – A Threat to the 2008 Campaign?", held as part of the Anti-Phishing Working Group eCrime Researchers Summit hosted by Carnegie Mellon CyLab in Pittsburgh, PA. Our panelists were Rachna Dhamija from Harvard University, Chris Soghoian from Indiana University, and Pat Clarke of Jackson/Clark Partners. We had some great discussion on the potential impact of Internet-borne threats to the upcoming US Presidential Election. The timing could not have been more appropriate. As the primaries get closer, and the Internet continues to play a central role in fundraising and communication, the likelihood of Internet-borne threats impacting the election increases.

It also happens that this subject is one that I had myself been researching as part of another effort – a soon-to-be-released book – Cybercrime, by Professor Markus Jakobsson of the Indiana University School of Informatics and Dr. Zulfikar Ramzan, Senior Principal Security Researcher with Symantec. I’m confident that this book is going to be a hit, with contributions from numerous well-known, high-profile industry researchers covering a variety of unique subjects ranging from Click Fraud to Bot Networks. The book itself will be released in February of 2008, but you can pre-order it from Amazon today.

Given the timeliness of this topic, the authors and publisher (who happens to be Symantec Press) have allowed me to release this chapter early. A sample chapter, available here, discusses a number of risks and threats that may manifest themselves in the process of an election campaign. Focus was placed on the upcoming 2008 Presidential Election; however, these risks may impact any future election. Here are some of the highlights of this paper:

Abuse of Candidates’ Internet Domain Names and Typo Squatting
In order to determine the current level of domain name speculation and typo squatting in the 2008 federal U.S. election, we performed an analysis of 17 well-known candidate domain names in order to seek out domain speculators and typo squatters. Our results were interesting to say the least. Candidates have not done a good job at protecting themselves.

Phishing
When considering the 2004 election as a whole, phishing presented only a marginal risk. At the time, phishing itself was still in its infancy, and had yet to grow into the epidemic that can be observed today. When we revisit the potential risk of phishing to the 2008 federal election, we find ourselves in a much different position. Candidates have flocked to the Internet in order to communicate with constituents, as well as to raise campaign contributions online. We performed an analysis of campaign web sites in order to determine to what degree they allow contributions to be made online. The most concerning attack may involve the diversion of online campaign donations intended for one candidate, to another, entirely different candidate, entirely undermining voter confidence in online donations.

Adware
There are a variety of ways in which adware may be used in order to influence or manipulate users during the course of an election. We discuss those in this chapter as well.

Spyware
Spyware poses a new risk to the mass accumulation of election-related statistics used to track election trends. Spyware has the ability to capture and record user behavior (including Web browsing, party affiliation, online campaign contributions and email traffic) without voters’ knowledge or consent. This changes the landscape dramatically when it comes to election-related data collection.

Keyloggers and Crimeware
Crimeware can collect personal, potentially sensitive, or legally questionable information about individuals that malicious actors can use either to intimidate voters or hold for ransom to sway votes. A carefully placed, targeted key logger has the potential to cause material damage to a candidate in the process of an election. Such code may also be targeted towards campaign staff, family members, or others who may be deemed material to the candidate’s efforts.

Campaign Web Site Security
The breach of a legitimate candidate’s Web site would allow an attacker to have direct control over all content viewed by visitors to that site. This may allow for the posting of misinformation, or worse, the deployment of malicious code to unsecured visitors.

Public Voter Information Sources
The Federal Election Commission (FEC) maintains a publicly available record of all campaign contributions. The database contains contributors’ personal information.

Intercepting Voice Communications
With the evolution of smart-phone spyware, the infection of a cell phone belonging to a candidate, campaign staff, or a candidate’s family member with such a freely available application could have dire consequences. Now, all back-room and hallway conversations the candidate takes part in can be monitored at all times and intercepted by the attacker. Worse, opinions that were perhaps not shared with the public or outsiders are recorded and available for later playback, introducing the potential for widespread exposure and damage.