Odds of hacker 'shenanigans' during the presidential primaries are high
Forget electronic voting machines; there are other ways to manipulate ballots, security analysts and former hackers say.
Expect hackers to try to disgrace presidential candidates with electronic extortion and other forms of digital deception during the upcoming primaries, say some former hackers and computer security specialists.
The surge in social networking has coincided with the rise of social engineering, or tricking a computer user into revealing personal data -- perhaps the answer to a password recovery question -- by posing as a trusted acquaintance. Hacker collectives Anonymous and LulzSec, and presumably China, have exploited this tactic, and other online gambits, to filch law enforcement authorities' personal data, and to gain access to the Gmail accounts of senior federal officials and military email addresses.
Now, perpetrators with a variety of motives are likely to apply the technique for infiltrating campaign email accounts, publishing falsehoods that go viral or knocking out candidate websites with denial-of-service attacks that inundate them with useless traffic, say cybersecurity experts.
"There's a pretty high probability of shenanigans," said Jennifer Emick, a security consultant who shed her affiliation with Anonymous after growing concerned about stunts she said verge on criminal. "With all the social networking -- they call it open source intelligence -- you can impersonate people the targets know on Facebook and have access to photos or personal information."
Some individuals apparently have attempted to pay hackers to shutdown sites that cast shadows over their favored candidate.
According to a 2011 chat room log obtained by Nextgov, one Internet user nicknamed "M" entered the room - a meeting place for hackers -- and asked if a member named "Jester" was "helping out with Rick Santorum's problem." The Jester is a prominent hacker known for attacking pro-jihad sites. M, an apparent supporter of former Pennsylvania senator and current GOP presidential candidate Santorum, then explained that "Jester is generally targeting liberal sites so I thought he might be in on this."
A chat room member clarified for M that The Jester typically attacks extremist sites. M replied that "this is an extremist gay site" -- likely a reference to SpreadingSantorum.com, a satirical, widely-visited site created by a gay columnist in retaliation against the conservative politician's arguably anti-homosexual views. After several in the room reiterated that M was looking in the wrong forum, the individual signed off.
Santorum's campaign staff did not respond to a request for comment.
Emick priced a job like taking out that site at $1,000 to $2,000, due to the risk and hour or two of work involved - enough for a hacker to pay rent for a couple of months, she said.
Other hackers have their own political leanings, as evidenced by a college student who in 2008 commandeered then vice presidential candidate Sarah Palin's personal Yahoo! mailbox reportedly to find content that could undermine her campaign. According to federal prosecutors, David C. Kernell reset Palin's account password by accurately guessing the answers to her security questions, read her messages and then posted screenshots of the emails online.
"We had Watergate 40 years ago, but maybe today the therapists' email would simply be hacked, or the computer where they stored all of their clients' records would be hacked into," said Jack Lerner, a technology law professor at the University of Southern California.
This election season, "I don't think it is beyond the realm of possibility that hackers could execute denial-of-service attacks to disrupt a campaign's online operations, or, say, break into campaign email accounts to spread disinformation or damaging information about the candidate or the candidate's opponent -- if that kind of thing hasn't happened already," he added.
A glance through the biographical information in publicly available social network profiles can provide clues to a person's password recovery answers, experts point out. "And yet people still do dumb things: they give honest answers to security questions," Emick said. Chris K. Ridder, a San Francisco-based attorney and former resident fellow at Stanford Law School's Center for Internet and Society, said, "People might want to think more about their password reset questions. You don't put the real name of your cat in there, if you're going to find that on Facebook."
Elsewhere in the world, oppressive governments might be manipulating the Web to influence voting outcomes, as was probably the case in Russia where alleged Kremlin-sponsored denial of service attacks interfered with independent news and election monitoring websites.
Unlike government agencies, some campaign groups do not have the resources or know-how to prepare for data breaches. "Training your people to resist social engineering is a really good investment," Ridder said. "All you need is one person who is convinced by whoever is requesting the personal information."
Once information is compromised, it can be difficult to identify intruders, let alone prosecute them. Only a handful of hacktivists have been arrested and some culprits are not afraid of going to jail, said a former federal official who asked to remain anonymous. For every one or two criminals the government is catching, there are probably dozens slipping through the cracks, he said.
"In any cat and mouse game you're going to be playing a little bit of catch-up," former Justice Department computer crime investigator Mark Rasch said. "You can't just throw technology at the problem. You can't just say we need more people . . . you have to think like a hacker."
Nathan J. Hochman, a former assistant attorney general for Justice's tax division, said, "the fact that someone can get punished six months later might not be a deterrent when they can disrupt an election." Hochman, now partner at law firm Bingham McCutchen LLP, suggested campaign organizers devise a plan for how they will notify supporters and volunteers if there is a data breach or a viral spread of disinformation.
Campaign officials for Republican presidential front-runners Mitt Romney, Newt Gingrich and Michele Bachmann, as well as President Obama, did not respond to inquiries. The deputy press secretary for Texas governor and presidential hopeful Rick Perry said, "We don't discuss our internal security procedures."
"If I was running for president, I would delete my Gmail account," Ridder said.
NEXT STORY: IG finds flawed IT security program at USDA