This week, Gizmodo reported that a government program that’s designed to tamp down on election fraud has been putting the personal data and financial well-being of American voters at risk. Known as the “Interstate Crosscheck System,” the program currently has 28 states enrolled and has processed almost 100 million voter records in 2017. According to the article, Gizmodo enlisted the help of penetration testing companies and researchers to pinpoint vulnerabilities in a Crosscheck server in Arkansas that was reportedly “operating on a network rife with security flaws.” This investigation surfaced a variety of unreported weaknesses in the network. One researcher claimed that even a novice hacker could breach the system.
This is an interesting story, but there’s one major caveat to all this: “None of the researchers actually accessed the Arkansas network. Instead, they conducted what’s called “passive reconnaissance,” meaning there was no hacking, testing, or offensive work being done.”
It’s important to note that passive tests like these will not show the true results of an attack. While they can help to identify potential weaknesses in certain services, until those weaknesses are actually “triggered,” researchers have no way of knowing if the victim might have additional controls like IPS, SIEM, malware detection, etc. in place to block the attack. Passive analysis certainly has merit, but true vulnerabilities can only be confirmed with active tests.
The report goes on to say, “The portion of the network on which the Crosscheck system exists is somewhat better protected. For example, it does appear to restrict access to a particular range of IP addresses used only by public officials, as internal documents suggest. But as ProPublica reported, a determined hacker would likely find ways to bypass this defense—the easiest route being to trick Crosscheck’s administrators into adding a different IP by spoofing the email account of a state authority.”
This is a very important statement. The article then highlights the fact that the server in question is protected by a WatchGuard security appliance. If the organization is using a Firebox to create an IP-restricted access policy, it would be anything but trivial for an attacker to successfully “trick Crosscheck administrators into adding a new IP” to bypass security controls. If these administrators are going to the trouble of implementing policies to restrict certain addresses, it’s likely that they’re hyper-skeptical about adding any new IPs. In my opinion, it would take an incredibly convincing spear phishing email to dupe a true security professional into adding a malicious address.
The logic we see within this investigation is largely predicated on the assumption that passive scans are foolproof and that spear phishing always works. While spear phishing is a hugely popular and effective tactic for cybercriminals, it works best for stealing credentials from normal employees, and is not nearly as successful against security administrators who are highly aware of even the slightest warning signs. The investigation appears to lean heavily on oversimplifications for other security threats as well, like man-in-the-middle attacks, which require more than rudimentary hacking skills to accomplish in a real-world setting.
Additionally, the WatchGuard management interface isn’t exposed to the outside network by default. Even if an attacker had the necessary credentials, they wouldn’t be able to reach the management login unless a user intentionally altered the default settings. And although it’s up to users to enable at this time, WatchGuard Fireboxes do support multi-factor authentication (MFA) for management, VPN, and user authentication, via Radius and other MFA partner integrations.
Ultimately, many of the conclusions that appeared through these passive reconnaissance exercises are compelling, but inconclusive. The findings in this report are certainly possible. Anything is possible. That said, until Crosscheck’s systems undergo active tests, any conjecture that novice hackers could easily breach this organization seems hyperbolic. –Marc Laliberte