April 21, 2014

avatar

Oak Ridge, spear phishing, and i-voting

Oak Ridge National Labs (one of the US national energy labs, along with Sandia, Livermore, Los Alamos, etc) had a bunch of people fall for a spear phishing attack (see articles in Computerworld and many other descriptions). For those not familiar with the term, spear phishing is sending targeted emails at specific recipients, designed to have them do an action (e.g., click on a link) that will install some form of software (e.g., to allow stealing information from their computers). This is distinct from spam, where the goal is primarily to get you to purchase pharmaceuticals, or maybe install software, but in any case is widespread and not targeted at particular victims. Spear phishing is the same technique used in the Google Aurora (and related) cases last year, the RSA case earlier this year, Epsilon a few weeks ago, and doubtless many others that we haven’t heard about. Targets of spear phishing might be particular people within an organization (e.g., executives, or people on a particular project).

In this posting, I’m going to connect this attack to Internet voting (i-voting), by which I mean casting a ballot from the comfort of your home using your personal computer (i.e., not a dedicated machine in a precinct or government office). My contention is that in addition to all the other risks of i-voting, one of the problems is that people will click links targeted at them by political parties, and will try to cast their vote on fake web sites. The scenario is that operatives of the Orange party send messages to voters who belong to the Purple party claiming to be from the Purple party’s candidate for president and giving a link to a look-alike web site for i-voting, encouraging voters to cast their votes early. The goal of the Orange party is to either prevent Purple voters from voting at all, or to convince them that their vote has been cast and then use their credentials (i.e., username and password) to have software cast their vote for Orange candidates, without the voter ever knowing.

The percentage of users who fall prey to targeted attacks has been a subject of some controversy. While the percentage of users who click on spam emails has fallen significantly over the years as more people are aware of them (and as spam filtering has improved and mail programs have improved to no longer fetch images by default), spear phishing attacks have been assumed to be more effective. The result from Oak Ridge is one of the most significant pieces of hard data in that regard.

According to an article in The Register, of the 530 Oak Ridge employees who received the spear phishing email, 57 fell for the attack by clicking on a link (which silently installed software in their computers using to a security vulnerability in Internet Explorer which was patched earlier this week – but presumably the patch wasn’t installed yet on their computers). Oak Ridge employees are likely to be well-educated scientists (but not necessarily computer scientists) – and hence not representative of the population as a whole. The fact that this was a spear phishing attack means that it was probably targeted at people with access to sensitive information, whether administrative staff, senior scientists, or executives (but probably not the person running the cafeteria, for example). Whether the level of education and access to sensitive information makes them more or less likely to click on links is something for social scientists to assess – I’m going to take it as a data point and assume a range of 5% to 20% of victims will click on a link in a spear phishing attack (i.e., that it’s not off by more than a factor of two).

So as a working hypothesis based on this actual result, I propose that a spear phishing attack designed to draw voters to a fake web site to cast their votes will succeed with 5-20% of the targeted voters. With UOCAVA (military and overseas voters) representing around 5% of the electorate, I propose that a target of impacting 0.25% to 1% of the votes is not an unreasonable assumption. Now if we presume that the race is close and half of them would have voted for the “preferred” candidate anyway, this allows a spear phishing attack to capture an additional 0.12% to 0.50% of the vote.

If i-voting were to become more widespread – for example, to be available to any absentee voter – then these numbers double, because absentee voters are typically 10% of all voters. If i-voting becomes available to all voters, then we can guess that 5% to 20% of ALL votes can be coerced this way. At that point, we might as well give up elections, and go to coin tossing.

Considering the vast sums spent on advertising to influence voters, even for the very limited UOCAVA population, spear phishing seems like a very worthwhile investment for a candidate in a close race.

Comments

  1. David Jefferson says:

    I think it is may be easier to succeed in targeting the general population of voters with email spear phishing attacks than it is national lab employees, at least at the national security labs like Oak Ridge.

    1) Email entering our laboratory (Livermore,where I work–I am not completely sure this happens at the others) is “cleaned” before it ever gets to the recipient. There is a list of file types that are stripped as attachments to incoming mail. The attachments can come in using some other file types (e.g. a .zip file can come in if it is first renamed as .zzz) but then a deliberate action is required to open it. No one will idly or accidentally open a dangerous attached file.

    Likewise, URLs in incoming email are modified to have asterisks inserted into them so that clicking on the URL directly from the email program does not work. One has to copy the URL and edit out the asterisks. Again, no one will idly click on a URL in email that entered our lab from the outside–it takes a deliberate action.

    2) There is, of course, heavier spam filtering than in most environments.

    3) Unlike most other environments, there is no expectation of email privacy. All email, incoming and outgoing, is recorded and subject to analysis.

    4) All DOE national laboratory employees are generally well educated, as you point out, but they also get constant, required training in security and cyber security, with more training as their jobs are closer to sensitive subject matter. It is hard to say how effective the training is, but it does make you constantly aware.

    Yet even under these circumstances Oak Ridge was hit by this spear phishing attack, and this is not the first time something like this has happened. Thus, I think if anything you may be being conservative and underestimating the likely success rate of spear phishing attacks on the general population. I even have some personal experience as well: my mother was a victim of a spear phishing attack when she clicked on a link in email that was forged to look like it came from me. And my wife gets so much spam purportedly from me that I created a filter to sidetrack it.

  2. Michael says:

    Excellent article! Every time I have heard someone mention the possibility of Internet voting, I generally go apopleptic on them. The ramifications are far too great to just jump into such a scheme.

    I did an internship at ORNL, and was fairly impressed at the emphasis on security. Sure, there were some aspects that I felt could be improved, but I felt that ORNL’s setup is certainly better than what I’ve seen in private settings. However, I just do not understand why, despite the frequent trainings on spear phishing (they have teams that send such emails trying to lure employees as part of the education process), they do not employee any sort of public key crypto signatures for their email. I’m not advocating crypto as a panacea (it’s never that easy), but it’s a start that raises the bar and it’s pretty easy to do.

  3. pete.d says:

    “If i-voting were to become more widespread – for example, to be available to any absentee voter – then these numbers double, because absentee voters are typically 10% of all voters.”

    Note that in the state of Washington, _all_ voting is absentee voting now, due to the 100% mail-in ballot elections state-wide.

    So if we make your reasonable assumption that i-voting would be made available to any absentee voter, in WA that means to _all_ voters (per your follow-up assumption).

    Scary.

    • jeremy.epstein says:

      Pete, you’re absolutely right – I had intended to mention that and forgot.

      There are other states besides Washington that would be impacted in the short run. Oregon is also 100% Vote by Mail. California has a high percentage of Vote by Mail, as voters can choose to be “permanent absentee”, and if enough voters choose to do that then precincts are closed and everyone in that precinct becomes permanent absentee VBM.

      One of the advantages to living in a slow-moving state like Virginia (where I live) is that voting absentee is still hard (you have to claim one of about a dozen excuses, but “convenience” is not one of them), and moves towards Internet voting are slow.

  4. rp says:

    A sophisticated attack along these lines wouldn’t target the act of voting directly, because that’s probably the point of highest suspicion. If instead an attacker too the same approach as ORNL, perhaps by forging mail from a campaign organization offering information about local events or a petition to sign, they could get malware installed on a user’s computer that would intervene invisibly at the point of voting. The malware could also propagate itself by phishing other people in the initial recipient’s address book, who could be presumed to share political interests.

    This kind of attack could be difficult to detect because a lot of political organizations employee third parties for bulk email service and processing of donations, so simple URL inspection wouldn’t reveal anything out of the ordinary.

  5. William J. Kelleher, Ph.D. says:

    Hi Jeremy! Here’s a question for you: Does fantasy + fantasy = fact?

    Lets pretend that one tiny event involving 530 people is “hard data” upon which to support the conclusion that ‘Internet voting = coin tossing.’ Is that the kind of “science” they do at Oak Ridge?

    One of your fantasy assumptions is that the percentage of folks who would be fooled by spear phishing would remain constant as Internet voting became more widely, even universally, used. But people would have to be real numbskulls for that to be true. In fact, as you point out regarding spam, people learn to protect themselves from tricks. That alone renders your conclusion untenable.

    If Internet voting is introduced to the population with a program of public education about all the tricks and traps that can be used against voters, most of it will fail. If you add strict law enforcement into the equation, most would-be tricksters and hackers will control their anti-social impulses.

    The facts are that voter fraud is very rare in the US (see Hall and Alvarez, Election Fraud). With voters educated on how to protect themselves, and law enforcement inhibiting criminal activity, the rates of voter fraud are more likely to remain low (as they are in Washington state, CA and OR), if not become even lower. David Jefferson could do a service for Internet voting by preparing a comprehensive public education program for voters. The beginnings of such are program are in his comment of 4-20-11.

    William J. Kelleher, Ph.D.
    Author: ‘Internet Voting Now!’
    On Kindle: http://tinyurl.com/IntV-Now
    Internetvoting@gmail.com
    Blog: http://tinyurl.com/IV4All

    • RonK says:

      Hi William! Is the fact that your post is stuffed to the hilt with logical fallacies indicative that we should enjoy debunking it?

      “fantasy + fantasy” : argument via name calling? Not very convincing. You have to actually give a real argument why this is fantasy, not just call it that.

      “tiny” : again, you call an event with 530 people “tiny”, without actually giving any real argument why we should consider it so. If we can assume that the people targeted at Oak Ridge are no more likely to be fooled by a spear phishing attack than the general public (this seems like a pretty safe assumption), then the probability of getting a result of 57 people being fooled if the actual probability of success per person is only 0.05 is less than 1 in 50000 (using a gross approximation for the binomial distribution involved). So I’d say that Jeremy has given a good argument that at least 5% of the voters could be fooled in this fashion.

      The scare quotes around “hard data”, and the rest of that paragraph: again, argumentation via name calling.

      “One of your fantasy assumptions …” : Your argument in this paragraph (ignoring the “fantasy” name-calling again), is that people will learn to protect themselves from being attacked. To some extent you are correct, but there are several problems with this. First of all, it discriminates against voters based on how well they can learn to protect themselves. Some people might find this attractive, but unfortunately, many people do not believe that democracy allows us to do this. (In the end, the courts will decide that.) Secondly, no matter how well people learn to protect themselves, some percentage of the attacks will succeed. Otherwise, by analogy, street crime would have disappeared long ago. You assume that only the defender (the public) can learn, but anyone with a background in security is acutely aware that the attackers learn also and this is a game of “cat-and-mouse”.

      “If Internet voting is introduced…” : this paragraph restates your thesis about voter education solving the problem and then suggests that law enforcement will be able to further help to discourage attacks like this. You are correct that law enforcement will help somewhat, but you do not give any evidence that it will succeed well enough to prevent distortions of the voting process. Currently, millions of dollars are being stolen from American businesses via computer crime. Please back up your thesis here with hard statistics on incidents of computer crime.

      “The facts are that voter fraud … ” : Here you make the same assumption that you berate Jeremy for with respect to the public’s ability to defend itself against attack — you assume that current levels of voter fraud are inherent and unchanging and would not change, even if reality changed in a way which could make voter fraud much easier and at the same time much harder to detect!