Black Hatters say hackers can wreak havoc on election


Something as subtle as a typo in the name Baraak Obama could undermine the next election.

That's because when stakes are the highest, computer hackers have an incentive to exploit even the slightest mistake, such as the extra 'a' in the first name of presumptive Democratic nominee Barack Obama in the previous sentence.

Even though election fraud is as old as democracy itself, the ubiquity of e-mail, campaign and voter Web sites and online donations to candidates has opened the political process to countless new categories of mischief.

Recognizing high-tech attacks and thwarting them before they upend an important election isn't something many campaign staffers and government officials are trained to do, which is what makes work by people such as Oliver Friedrichs so important.

"Some of these things are very, very easy for an attacker to instigate," Friedrichs, a computer security expert, told an audience at the Black Hat Briefings and Training conference in Caesars Palace. "Today, campaigns haven't really done very much to protect themselves from these types of attacks."

The 11-year-old conference is an annual gathering of computer hackers and other technology experts interested in identifying and exposing security flaws that threaten everything from online purchases to corporate and government security and even confidence in the democratic process.

In 2005, security researcher Michael Lynn made headlines at Black Hat by exposing a flaw in servers built by his former employer, Cisco Systems. He had to quit his job at Cisco because a corporate policy prohibited talking publicly about the company.

This year Seattle-based security expert Dan Kaminsky exposed a flaw in critical Internet infrastructure that makes it easy for malicious hackers to direct people to Web sites they didn't intend to visit.

And a presentation planned by security experts at Apple was scuttled when the company's marketing department got wind of the plan and had it stopped, conference organizer Jeff Moss said.

"It sucks," Moss said about companies suppressing information that could help make technology more secure. "We all know there are problems there, but we don't know what they are."

The potential for election fraud Friedrichs outlined ranged from simple mischief to opportunities for widespread scams.

While working for computer security firm Symantec of Cupertino, Calif., Friedrichs and other employees sought to investigate vulnerabilities on campaign and election-related Web sites.

One study was to test how easy it would be to register Web site names similar to candidates' names in an effort to see if they could capture viewers who mistakenly type the wrong letters while seeking information.

They registered 124 variations on "Barack Obama," "Hillary Clinton" and "Mitt Romney" and set the bogus sites to automatically direct users to the legitimate candidates' sites, so no one would actually be tricked.

But they did keep track of traffic as it passed through the phony addresses. In two months they attracted 21,000 hits and counted more than 1,000 attempted e-mails.

"This is a serious problem," Friedrichs said. "These are e-mails intended for the actual campaign Web site."

Had the Symantec team had malicious intent, they could have solicited donations for themselves, redirected donations intended for one candidate to another, disseminated false information or intercepted private communications between campaign workers.

"It provides a way for attackers or thieves to disrupt the campaigns," Friedrichs said.

It isn't just a theory.

Friedrichs said in November thieves used 500 credit card numbers to make small donations to a Ron Paul Web site, possibly as a way to test the validity of stolen credit card data.

The scam was caught, but the Paul campaign had to refund $3,000 in donations, Friedrichs said.

Smarter thieves could have caused more damage.

"There are certainly ways this could be made more effective," Friedrichs said of the scam.

Malicious hackers go well beyond politics.

The types of scams that target campaigns can just as easily target major sporting events, rock concerts or even events in the news that generate lots of Web traffic by people looking for more information, such as Hurricane Katrina or the tsunami that killed hundreds of thousands of people in Southeast Asia in late 2004.

Hackers can also target vulnerable hardware, such as FasTrak devices in California that use radio signals to capture information from vehicles and use it to automatically apply toll charges to drivers.

The devices save people time but are easy for hackers to manipulate, said Nate Lawson, a security expert who figured out how to tamper with the device but hasn't been able to get the attention of transportation officials with the power to fix the problem.

"People can clone these transponders and charge someone else for their tolls," Lawson said.

The device Lawson cracked is used in San Francisco. But jurisdictions across the country, including Nevada, are studying the idea of driver tolls to raise money for roads.

Knowing about potential flaws in advance could help transportation officials use safer technology to prevent problems.

"They have the IDs of every car that is driving on the freeway," Lawson said. "That information isn't trustworthy if someone can write a (phony) ID."

Contact reporter Benjamin Spillman at bspillman@reviewjournal.com or 702-477-3861.

 

Rules for posting comments

Comments posted below are from readers. In no way do they represent the view of Stephens Media LLC or this newspaper. This is a public forum. Read our guidelines for posting. If you believe that a commenter has not followed these guidelines, please click the FLAG icon next to the comment.